[Home] [Databases] [WorldLII] [Search] [Feedback] South African Law Commission

You are here:  SAFLII >> Databases >> South African Law Commission >> Issue Paper >> 14 >> CHAPTER 4

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

• 4. Options For Reform
• Criminalisation Of Unauthorised Access To Computers
• United Kingdom
• Singapore
• Germany
• Unauthorised Modification Of Computer Data And Software Applications
• United Kingdom
• Singapore
• Germany
• Options To Consider

CHAPTER 4

4. OPTIONS FOR REFORM

4.1 Against the background of the issues identified in Chapter 3 the options for reform will now be discussed.

Criminalisation of unauthorised access to computers

United Kingdom

4.2 In the United Kingdom the Computer Misuse Act 1990 came into being as a result of investigations into computer crime by the Scottish Law Commission and the Law Commission for England and Wales.

4.3 The Computer Misuse Act 1990 provides for two offences relating to unauthorised access to computers. The first offence is "Unauthorised access to computer material":

1 Unauthorised access to computer material

(1) A person is guilty of an offence if–

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

4.4 This offence is committed when a person causes a computer to perform any function with the intent to secure unauthorised access to a computer program or data held in any computer.^[41] The required form of culpability for this offence is intent and the accused must have known the intended access is unauthorised. The important aspect to note about this offence is that the program or data to be accessed need not be located on the computer which performs the function referred to earlier.^[42]

4.5 The second offence is "Unauthorised access with the intent to commit a further offence":

2 Unauthorised access with intent to commit or facilitate commission of further offences

(1) A person is guilty of an offence under this section if he commits an offence under section 1 above ("the unauthorised access offence") with intent–

(a) to commit an offence to which this section applies; or

(b) to facilitate the commission of such an offence (whether by himself or by any other person);

and the offence he intends to commit or facilitate is referred to below in this section as the further offence.

4.6 This offence is committed when a person causes a computer to perform any function to secure unauthorised access to computer material with the intent to commit or to facilitate the commission of an offence for which the sentence is fixed by law or for which a term of imprisonment for five years can be imposed.^[43]

4.7 In a commentary on the Computer Misuse Act 1990 it is reported that there were nine known prosecutions for the above-mentioned offences until June 1995. All but one of these involved "internal" incidents where the unauthorised access was obtained by employees or ex-employees.^[44]

4.8 The Computer Misuse Act 1990 contains only one section dealing with powers of investigation:^[45]

14 Search warrants for offences under section 1

(1) Where a circuit judge is satisfied by information on oath given by a constable that there are reasonable grounds for believing–

(a) that an offence under section 1 above has been or is about to be committed in any premises; and

(b) that evidence that such an offence has been or is about to be committed is in those premises;

he may issue a warrant authorising a constable to enter and search the premises, using such reasonable force as is necessary.

4.9 "Premises" in this provision refers to a physical spaces such as land, buildings, movable structures, vehicles, vessels, aircraft and hovercraft.^[46] It is not intended to include the storage space of a computer. It seems therefore that although the search for computer in a physical location may be authorised by a search warrant it is doubtful whether the search for specific information on that computer will be covered by such a warrant.

4.10 The Police and Criminal Evidence Act 1984 provides for, among others, general powers of entry, search and seizure which can be executed after arrest:^[47]

18 Entry and search after arrest

(1) Subject to the following provisions of this section, a constable may enter and search any premises occupied or controlled by a person who is under arrest for an arrestable offence, if he has reasonable grounds for suspecting that there is on the premises evidence, other than items subject to legal privilege, that relates –

(a) to that offence; or

(b) to some other arrestable offence which is connected with or similar to that offence.

(2) A constable may seize and retain anything for which he may search under subsection (1) above.

4.11 An investigating officer may furthermore make copies of anything which he or she has the power to seize.^[48]

4.12 These provisions apply to the section 2 offence of the Computer Misuse Act 1990 (unauthorised access with the intent to commit a further crime). However, these powers can only be executed once an offence has been committed. Furthermore, the word "premises" refers to a physical space or location:^[49]

23 Meaning of "premises" etc

In this Act -

"premises" includes any place and, in particular includes –

(a) any vehicle, vessel, aircraft or hovercraft;

(b) any offshore installation; and

(c) any tent or movable structure; and

"offshore installation" has the meaning given to it by section 1 of the Mineral Workings (Offshore Installations) Act 1971.

This interpretation clearly excludes the storage space of a computer from the meaning of a premises which may be entered and searched.

4.13 Another area of investigative powers is that of the interception of communication. The Computer Misuse Act 1990 contains no provisions to make this possible. The only legislation which provides for such powers is the Interception of Communications Act 1985:^[50]

2 Warrants for interception

(1) Subject to the provisions of this section and section 3 below, the Secretary of State may issue a warrant requiring the person to whom it is addressed to intercept, in the course of their transmission by post or by means of a public telecommunication system, such communications as are described in the warrant; and such a warrant may also require the person to whom it is addressed to disclose the intercepted material to such persons and in such a manner as are described in the warrant.

(2) The Secretary of State shall not issue a warrant under this section unless he considers that the warrant is necessary–

(a) in the interests of national security;

(b) for the purpose of preventing or detecting serious crime; or

(c) for the purpose of safeguarding the economic well-being of the United Kingdom.

4.14 Against the background of this provision which is aimed at protecting national security and the prevention or detection of serious offences it is unlikely that a warrant for the interception of communication will be authorised with a view to the detection and investigation of the offences under the Computer Misuse Act 1990.^[51] It is pointed out that the interception of communication is a potentially vital tool in the investigation and prosecution of unauthorised access to computers which cannot be effectively applied in respect of the Computer Misuse Act 1990.^[52]

4.15 Apart from the problems relating to the investigation of computer related offences there are also problems relating to the amounts and complexity, not to mention the admissibility, of the evidence that may be involved.^[53] The Computer Misuse Act 1990 does not contain any provisions regarding the admissibility of evidence and this will be determined in accordance with the Police and Criminal Evidence Act 1984. Coupled with the problems related to the formal admissibility of evidence there are also problems relating to the reliability of evidence to prove that intrusions occurred and that they were committed by the accused.^[54]

4.16 A factor pointed out in relation to the offences created in the Computer Misuse Act 1990 is that these provisions may not be fully appreciated by the judges, juries and magistrates who have to decide cases relating thereto.^[55] If the underlying danger relating to a particular action is not understood it may lead to the question of why it is wrong and why is it sufficiently serious to be an offence. If the scope of an offence is perceived to be too wide there will be a reluctance to apply the law with the result that it will become unworkable.

Singapore

4.17 In Singapore the Computer Misuse Act (Chapter 50A) (hereafter "the Singapore Act") came into being in 1993. This Act corresponds to a large extent with the Computer Misuse Act 1990 of the United Kingdom.

4.18 The Singapore Act contains an offence of unauthorised access to computer material which is similar to the offence contained in the Computer Misuse Act 1990:^[56]

3. Unauthorised access to computer material.

(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.

4.19 The Singapore Act also contains an offence of unauthorised access to commit or facilitate a further offence:^[57]

4. Unauthorised access with intent to commit or facilitate commission of further offences.

(1) Any person who causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.

4.20 This offence applies where the further offence which is intended involves property, fraud, dishonesty or can cause bodily harm.^[58]

4.21 Apart from these offences the Singapore Act contains an offence of unauthorised use or interception of a computer service:^[59]

6. Unauthorised use or interception of computer service.

(1) Subject to subsection (2), any person who knowingly –

(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or

(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b),

shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.

4.22 In order to facilitate the investigation of these offences a police officer is entitled to have access to and inspect any computer which he or she has reasonable cause to suspect is used in connection with any of the offences created by the Singapore Act:^[60]

14. Powers of police officer to investigate and require assistance.

In connection with the exercise of his powers of investigations under the Criminal Procedure Code, a police officer –

(a) shall be entitled at any time to have access to, and inspect and check the operation of, any computer and any associated apparatus or material which he has reasonable cause to suspect is or has been in use in connection with any offence under this Act; and

(b) may require –

(i) the person by whom or on whose behalf the police officer has reasonable cause to suspect the computer is or has been so used; or

(ii) any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material,

to provide him with such reasonable assistance as he may require for the purposes of paragraph (a).

4.23 The Act also provides for the admissibility of evidence in the form of computer output if it is shown that there is no reasonable ground for believing that the output is inaccurate because of improper use of the computer and that no reason exists to doubt or suspect the truth or reliability of the output, and that at all material times the computer was operating properly.^[61]

Germany

4.24 The German Criminal Code contains an offence of "data spying". This offence is committed if a person procures data for himself or herself or for another to which he or she or such other person is not entitled and which is specially secures against unauthorised access.^[62] The data referred to here must be capable of being stored or transmitted electronically or magnetically or in any other manner that is not directly perceptible.^[63]

4.25 The German Criminal Code also contains a number of offences which protects confidential information against unauthorised disclosure. These offences prohibits the disclosure and exploitation of confidential industrial or business information or personal information which has become known to a person as a result of a specified relationship.^[64] These provisions are wide enough to include information stored on a computer.

Unauthorised modification of computer data and software applications

United Kingdom

4.26 The Computer Misuse Act 1990 provides for an offence of unauthorised modification of computer material:^[65]

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if–

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing–

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.

4.27 The required form of culpability is intent and the intent must be aimed at causing the modification and thereby to impair the operation of the computer, to prevent access to any program or data or to impair the operation of a program or the reliability of data. In a commentary on the Computer Misuse Act 1990 it is reported that there were ten known prosecutions for the above-mentioned offences until June 1995.^[66]

4.28 The comments made earlier in respect of the offences relating to the unauthorised access to computers also apply in respect of the offence of unauthorised modification of computer material. The problems in respect of the application of this offence relate mainly to the powers of investigation and the admissibility of evidence.

Singapore

4.29 The Singapore Act provides for an offence of unauthorised modification of computer material:^[67]

5. Unauthorised modification of computer material.

(1) Subject to subsection (2), any person who does any act which he knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 2 years or to both.

4.30 This offence does not require the accused’s intent to be aimed at causing any impairment of a computer or any program or data contained on a computer nor to be aimed at causing any hindrance of access to any program or data.^[68]

Germany

4.31 The German Criminal Code contains an offence of alteration of data. This offence is committed if a person unlawfully deletes, suppresses, or alters data or renders such data useless.^[69] Data includes data capable of being stored or transmitted electronically or magnetically or in any other manner that is not directly perceptible.^[70]

Options to consider

4.32 The options to be considered for South Africa therefore seem to be a choice between legislative intervention to create certain offences on the one hand, or to leave the matter to the courts to punish such activities by way of extensions to existing common law offences on the other.

4.33 It has already been suggested earlier that there is no indication that an extension of the common law offences is likely. This possibility relates to level of appreciation of the dangers of the relevant activities among the judiciary. It is further dependant upon the willingness of the investigating and prosecuting authorities to prepare a case for prosecution in the hope of convincing a court that a common law offence should be extended to apply to a set of circumstances to which it did not apply hitherto.

4.34 This seems to indicate that the option of introducing new offences by way of legislation should be seriously considered. In this respect there seems to be a choice between two approaches: The approach followed in the legislation of the United Kingdom and Singapore is to protect the relevant information on a computer by targeting the function performed by a computer. In each of the various offences the actus reus entails to cause the computer to perform a certain function. In Germany a more direct approach is followed by protecting the information on the computer itself against unlawful procurement or alteration.

4.35 In respect of the offences relating to unauthorised access it needs to be considered whether unauthorised access and unauthorised access with the intent to commit a further offence should be created as two separate offences.

4.36 The scope of such offences should also be considered. It should not be so wide as to include trivial cases of misuse which were not intended to be included in the scope of the legislation.

4.37 In respect of the unauthorised modification of computer material it should be considered whether this offence should be the equivalent of the common law offence of malicious injury to property or whether it should also include negligent modifications to computer material or modifications made for a purpose other than to impair the operation of the computer or to compromise the data stored on a computer.

4.38 As a result of the ability to use computers to commit offences across international borders the issue of extradition should be considered. An "extraditable offence" is:^[71]

any offence which in terms of the law of the Republic and of the foreign State concerned is punishable with a sentence of imprisonment or other form of deprivation of liberty for a period of six months or more, but excluding any offence under military law which is not also an offence under the ordinary criminal law of the Republic and of such foreign State;

Any offences in respect of unauthorised access to computers and unauthorised modification of computer material should be formulated in such terms that the provisions of the Extradition Act 67 of 1962 will apply to them.

4.39 If the example of the Singapore Act is followed there is also the option of creating procedures for the detection, investigation and prosecution of these offences. This includes the introduction of search and seizure powers which are developed to be applied in relation to abstract concepts such as information stored on computers, and the admissibility as evidence of information gathered in this manner. A further option to be considered in this regard is that of the interception of computer communication.

[41] Section 1 of the Computer Misuse Act 1990.

[42] Section 1(2) of the Computer Misuse Act 1990.

[43] Section 2 of the Computer Misuse Act 1990.

[44] Battcock The Computer Misuse Act 1990: 5 years on.

[45] Section 14 of the Computer Misuse Act 1990.

[46] Section 14(5) of the Computer Misuse Act 1990.

[47] Section 18 of the Police and Criminal Evidence Act 1984.

[48] Section 21(5) of the Police and Criminal Evidence Act 1984.

[49] Section 23 of the Police and Criminal Evidence Act 1984.

[50] Section 2 of the Interception of Communications Act 1985.

[51] Battcock The Computer Misuse Act 1990: 5 years on.

[52] Ibid.

[53] Ibid.

[54] Ibid.

[55] Ibid.

[56] Section 3 of the Singapore Act.

[57] Section 4 of the Singapore Act.

[58] Section 4(2) of the Singapore Act.

[59] Section 6 of the Singapore Act.

[60] Section 14 of the Singapore Act.

[61] Section 10 of the Singapore Act.

[62] Section 202a(1) of the German StGB.

[63] Section 202a(2) of the German StGB

[64] Sections 203 and 204 of the German StGB.

[65] Section 3 of the Computer Misuse Act 1990.

[66] Battcock Computer Misuse Act 1990: 5 years on.

[67] Section 5 of the Singapore Act.

[68] Section 5(3) of the Singapore Act.

[69] Section 303a of the German StGB.

[70] Section 202a(2) of the German StGB

[71] Section 1 of the Extradition Act 67 of 1962.