New Zealand Law Commission
|
|
[Home]
[Databases]
[WorldLII]
[Search]
[Feedback]
New Zealand Law Commission |
|
[Database Search] [Name Search] [Previous] [Next] [Download] [Help]
24 Having explained what we mean by the term “computer misuse”, the next issue to be considered is whether computer misuse is a problem which deserves the attention of the criminal law. In our view, the answer is plainly “yes”,7 although the extent of the problem is often concealed. Often computer misuse will go undetected. In some situations, a company may decide, for publicity reasons, not to disclose that it has been subject to computer misuse.8 In the New Zealand context, companies may not report incidents of computer misuse as New Zealand currently does not have criminal offences dealing specifically with such conduct. Also, it may be perceived that the criminal offences which currently exist are inadequate to deal with computer misuse.9
25 Recently in New Zealand there have been two widely publicised incidents involving computer misuse. In November 1998, a computer hacker erased some 4,500 “Ihug” websites.10The Ihug server was based in California and the sites were hosted by Auckland-based Internet service provider, the Internet Group. There was no backup facility and, unless the owners of the websites made their own copies, the web pages were lost permanently (The Dominion, Hacker wipes out 4500 Web sites 19/11/98, 3). Recently it was reported that Telecom, New Zealand’s largest Internet service provider, is concerned that hackers might be gaining access to the Internet by using customer’s passwords and surfing the Internet at the customers’ expense (The Dominion, Telecom on alert after hacker threat 24/11/98, 1). Following these incidents, a survey was released which showed that only 45 percent of New Zealand information system managers who responded to the survey were satisfied that their business information was safe from external users (The Dominion, Survey casts doubt on information security 25/11/98, 14).
26 Gaining unauthorised access to a computer system is relatively easy (see Gripman 1997). Unauthorised access to computer material is becoming more prevalent, and more serious: in 1995 the United States’ General Account Office discovered that hackers using the Internet broke into the US Defence Department’s computer more than 160,000 times (Gringras 1997 211). In a 1995 survey of 200 businesses, 95 percent admitted to being victims of computer fraud (Gripman 1997 173).
27 Computer misuse can cause many problems. A computer network may be shut down by a virus, or a company’s computer system could be interfered with resulting in the company being unable to distribute its product. In addition to severe business losses, the service, repair and restoration costs caused as a result of computer misuse can be staggering. An organisation which has been subject to a hacker intrusion (or suspects it may have been) will have to go to a great deal of expense to ensure that such an attack does not occur again. This may include conducting an audit of the system and revamping the system’s security. In United States v Morris 928 F.2d 504, 505–06 (2d Cir. 1991) the damage caused by a virus was in the range of US$96 –186 million based upon the labour costs of eradicating the virus and monitoring the computer systems recovery.
28 Gripman notes that according to federal law enforcement estimates, thieves operating through computers steal more than US$10 billion worth of data in the United States annually, and also that the Senate’s Permanent Investigations Sub-committee reported that banks and corporations lost US$800 million from hackers in 1995 (1997 170, 173). A 1996 Information Systems Security survey of 236 security managers and executives concluded that 46 percent of the companies surveyed admitted insider abuse of their computer system. The losses were dramatic: 22 percent indicated losses between US$50,000.00 and US$200,000.00 and an additional 20 percent indicated losses between US$200,000.00 and US$500,000.00 (Gripman 1997 189).
29 Gripman also notes, and this has been confirmed by the Law Commission’s Advisory Committee, that virtually every technique a hacker needs to penetrate corporate computers is currently described on the Internet. There are “hacker” magazines available that provide step by step tips (1997 170). Also, there are many sites on the Internet which give instructions on how to “hack”. We have deliberately not referred to these sites to avoid giving them unnecessary publicity. We would invite the Ministry of Justice, as part of its work in this area, to consider whether it is necessary for New Zealand to create offences which will prevent such sites being posted from New Zealand. That is a matter outside the scope of this report.
30 From the information contained in paras 24–29 we are satisfied that computer misuse is a serious problem in today’s computer based society. The next issue is whether it is necessary to punish computer misuse with criminal sanctions.
31 The question of tortious liability for computer misuse was addressed in Electronic Commerce Part One (NZLC R50 1998). These issues were addressed in the context of a review of the law of torts and its applicability in the electronic environment. In Appendix C we reproduce for ease of reference the whole of chapter 4 of the Electronic Commerce report.
32 Civil proceedings in tort take the form of an action for recovery of compensatory damages or other available remedies for injuries or loss caused by the acts or omissions of persons in breach of a right or duty imposed by the law. It is likely that a person who, without authority, intercepts a message containing confidential information or who obtains information by reprehensible means will be made subject to a duty of confidence: see paras 158–166 of the Electronic Commerce report reproduced in Appendix C. In this report we restrict consideration of computer misuse issues to the criminal sphere, as the question of civil liability for computer misuse will be addressed in the final report on electronic commerce (Electronic Commerce: Part 2).
33 The Law Commission has considered whether it is necessary to create criminal offences directed specifically at computer misuse or whether the problem of computer misuse can be adequately dealt with by the civil law. We are satisfied that criminal offences dealing specifically with computer misuse are required. The main arguments in favour of the creation of criminal offences for computer misuse are set out in paras 34–39.
34 There is an essential public interest in the use of computers. The use of computers should be encouraged. Computers allow information to be processed, recorded and transferred quickly and efficiently, and have revolutionised the way people learn, travel, interact and conduct business. Computers are now an accepted part of life in almost all parts of the world. Given the importance of computers in our society today, it is imperative that New Zealand keep pace with the rest of the world in the use of new technology. To give effect to the public interest factors identified, it is necessary both to facilitate the use of computer technology (including the removal of barriers from its use) and to provide strong sanctions against reprehensible conduct which, if unchecked, is likely to inhibit the use of computers.
35 It is necessary to ensure that computer systems are not used to cause harm to others. Computers are relied on to perform vital functions in many sectors of our society. They are used to administer banking and financial systems, transport control systems, communication systems, hospitals and a variety of other complex operations. A person who gains unauthorised access to a computer can cause major disruption. Computer misuse can cause extensive economic loss, not only to an individual company but also on a nation-wide scale; it can put lives in danger. Unauthorised interference with an airport control system or computers in a hospital are examples of the latter.
36 It is necessary to protect commercial information which may be of immense value.11For many businesses operating in this environment, the information which is stored on their computer system will be its most valuable commodity. It is important to recognise and protect the intellectual capital of information stored on a computer. The importance of information as a business asset in the knowledge economy may justify redefinition of information as a property right for both civil and criminal law purposes. In essence, it is both the information and the systems which we are proposing to protect in our recommendations in this report. The question of whether information should be regarded as a property right for civil law purposes will be addressed further in the second Electronic Commerce report to be published later this year.
37 It is desirable that New Zealand law develop in line with global developments and imperatives. Given the trans-border and jurisdictional nature of computer use, New Zealand should bring its legislation into line with other nations with which it has major trading relationships.
38 It is necessary to update our laws to reduce New Zealand’s vulnerability to computer misuse, both domestically and internationally. Without such laws in the Internet environment, there is a risk that New Zealand could become a ground for computer hacking experimentation. That risk could inhibit New Zealanders from obtaining lawful access to such information from abroad.
39 The law has a role to play in setting appropriate standards for computer use in general and that of the Internet in particular.
40 The main argument against creating criminal offences in relation to unauthorised access to data stored in a computer is that this would create an anomaly in terms of existing criminal law which does not punish unauthorised access to information.12Gaining unauthorised access to information is an offence only if, in the process of gaining access to the information, some other specified offence such as trespass or theft is committed. If unauthorised access is gained to information without committing a trespass or theft an offence will generally not have been committed (for example, taking a photograph of a document sitting on another’s desk from an adjacent building or reading a document over the shoulder of another passenger in an aeroplane).
41 If gaining unauthorised access to computer data is to be a criminal offence, the person who gains such access will be liable to criminal sanctions whereas the person who gains unauthorised access to exactly the same information without using a computer (and without committing a trespass or theft) will not have committed an offence.
42 The Law Commission is of the view that the public interest in encouraging the use of computers and in protecting the community from the misuse of computers outweighs the concern about this anomaly. Moreover there are important differences between unauthorised access to information achieved through the use of a computer, and access to information achieved by other means. These are set out in paras 43–46.
43 Information stored on a computer system will not be protected by physical barriers to access or by the law of trespass or theft, as is information recorded on paper.
44 A person who obtains access to a computer can find in one place vast amounts of information which previously might have been stored in a multitude of locations. The facilities of the computer may be used to search for, select and process specific data at very high speeds.
45 The consequences of unauthorised access, in the digital age, go far beyond what is possible with paper-based or manual systems. Unlike access achieved by other means, where access is achieved by unauthorised computer access, the person who achieves access may use the computer to amend or otherwise use the information. The possible consequences of amending information stored on a computer are wide-ranging and serious. Such conduct could affect the country’s economy and the lives of many people. Also, a person who gains unauthorised access to information stored in a computer may be tempted to go on and commit more serious activities such as theft or destruction of data.
46 A knowledge based economy is particularly reliant on information stored on a computer.13
47 We are satisfied that there needs to be a powerful deterrent to those who would otherwise engage in computer misuse. We recommend that there should be criminal offences which deal with computer misuse.
48 We have explained our view that “computer misuse” is made up of four categories of activity: the unauthorised interception, accessing, use, and damaging of data stored in a computer. In the following paragraphs we consider whether the existing criminal law is adequate to deal with each of these activities.
49 The first category of computer misuse is unauthorised interception of electronic data (see paras 10, 17, 18). Both the Telecommunications Act 1987 and the Crimes Act 1961 deal, in a limited fashion, with the interception of private communications by members of the public.14
50 Section 6 Telecommunications Act 1987 provides:
No person shall, without the agreement of the network operator, connect any additional line, apparatus, or equipment to any part of a network or to any line, apparatus, or equipment connected to any part of a network owned by that operator.
51 Under s20C(1) the High Court may grant an injunction restraining a person from engaging in conduct that constitutes, or would constitute, a contravention of s 6. Under s20D(1) every person who engages in conduct that constitutes a contravention of s 6 is liable, at the suit of any person suffering any loss or damage as a result of that conduct, to damages as if that conduct constituted a tort.
52 In the Law Commission’s view, this section is inadequate to deal with the unauthorised interception of electronic data. First, the section requires something to be physically attached to a network. However, it is technically possible to intercept electronic data without having to physically attach anything to a network (for instance, it is possible to pick up electromagnetic emanations from various parts of a computer. This is commonly referred to as TEMPEST (Transient Electro Magnetic Pulse Emanation Standard)). 15 Secondly, the section prohibits attaching equipment to “any part of a network or to any line, apparatus, or equipment connected to any part of a network owned by that operator”. This section is not clearly drafted. An argument could be made that the “line, apparatus, or equipment” referred to in the section are the lines, apparatus and equipment “owned by that [network] operator”, in which case, the section would not be contravened if a person attaches an interception device to a computer owed by an individual or a company. Thirdly, a person who contravenes the section is only liable to pay damages to a person who has suffered a loss as a result of the conduct. Often, however, a person may not suffer a loss. For instance, a hacker may obtain a benefit without causing a loss to another.
53 Section 216B(1) Crimes Act 1961 provides that every one is liable to imprisonment for a term not exceeding two years who intentionally intercepts any “private communication” by means of a “listening device”. Every person who discloses a private communication which has been intercepted is liable to two years imprisonment (s216C(1)). “Intercept” includes hear, listen to, record, monitor, or acquire the communication while it is taking place. “Private communication” is defined as meaning any oral communication made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confidential but does not include a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so. “Listening device” means any electronic, mechanical, or electromagnetic instrument, apparatus, equipment, or other device that is used or is capable of being used to intercept a private communication (s216A Crimes Act 1961). Sections 216A and 216B Crimes Act 1961 are limited to “oral communications”. The sections do not, therefore, apply to the interception of electronic data.
54 The Law Commission is of the view that the current criminal law is inadequate to deal with the unauthorised interception of electronic data. As discussed above, neither the Telecommunications Act 1987 nor the Crimes Act 1961 adequately covers unauthorised interception of electronic data. Having formed the view that the criminal law is inadequate to deal with unauthorised interception of electronic data, the next issue is: what is the best method of reforming the criminal law? This issue is considered in chapter 5.
55 The second category of computer misuse is unauthorised access to electronic data (see paras 10, 19). Section 248 Crimes Act 1961 provides that every person who “personates or represents himself or herself to be any person, living or dead, or the husband, wife, widower, widow, executor, administrator, or any relative of any such person, with intent to fraudulently obtain, for himself or any other person, possession of or title to any property, or any qualification, certificate, diploma, licence, or benefit” is liable to imprisonment for a term not exceeding 7 years.
56 Section 248 is inadequate to deal with unauthorised computer access. First, in most situations where unauthorised access is gained to a computer it will be doubtful that it could be said the case entails impersonation or representation as another. Examples are where an employee without authority accesses restricted information or where a hacker by-passes a security system and accesses information stored on a computer. Secondly, the section does not cover the case of a person impersonating another with the intention of causing a loss as distinct from acquiring a benefit. Also, the objects which the person must intend to obtain in order to infringe the section are very limited. Applying the ejusdem generis canon of statutory interpretation, the term “benefit”, as used in s248, would be limited by the words which precede it (“any property, or any qualification, certificate, diploma, licence”). We consider that the criminal law is inadequate to deal with unauthorised computer access and that reform of the law is required.16
57 Unauthorised use of data stored on a computer is the third category of computer misuse (see paras 10, 20, 21). In the following paragraphs we consider whether the criminal law, as it currently stands, is able to deal with a number of examples of unauthorised use of computer data.
58 A hacker may gain unauthorised access to data stored in a computer and use that data to commit theft, for instance, by accessing a bank’s computer and transferring funds from a third person’s account to their own account or downloading confidential information from a third person’s computer. Section 220 Crimes Act 1961 covers theft. However, s220 would not cover theft committed with the aid of a computer.
59 Theft is defined as the “act of fraudulently and without colour of right taking... anything capable of being stolen” (s220 Crimes Act 1961). Section 217 Crimes Act 1961 defines “things capable of being stolen” as being:
Every inanimate thing whatsoever, and every thing growing out of the earth, which is the property of any person, and either is or may be made movable, is capable of being stolen as soon as it becomes movable, although it is made movable in order to steal it.
60 There cannot be theft under s220 Crimes Act 1961 of an intangible thing. In the recent Court of Appeal case, R v Wilkinson [1999] 1 NZLR 403, the Court held that the definition in s217 is confined to choses in possession (ie tangible things) and does not extend to an intangible chose in action such as a credit in a bank account. (For a discussion of R v Wilkinson see Dishonestly Procuring Valuable Benefits (NZLC R51, 1998)). There cannot be theft of “a chose in action, a debt, a copyright, an idea, or confidential information... or any other incorporeal thing” (Robertson, para 217.05). As the law currently stands, therefore, s220 does not adequately deal with theft committed with the aid of a computer.
61 Section 218 provides that it is an offence fraudulently to abstract, consume, or use any electricity. This section would also be inadequate to deal with computer misuse. In the examples given in para 58, it is not electricity which is stolen but a chose in action and confidential information.
62 Forgery is defined as:
(1) Making a false document, knowing it to be false, with the intent that it shall in any way be used or acted upon as genuine, whether within New Zealand or not, or that some person shall be induced by the belief that it is genuine to do or refrain from doing anything, whether within New Zealand or not.
(2) For the purposes of this section, the expression “making a false document” includes making any material alteration in a genuine document, whether by addition, insertion, obliteration, erasure, removal, or otherwise ( s 264 Crimes Act 1961).
63 Section 264 is inadequate to deal with unauthorised use of data stored in a computer for a number of reasons. The first difficulty is that it is not clear that the word “document” includes data stored on a computer. “Document” is defined for the purpose of s264 as including any “disc” (s263 Crimes Act 1961). In R v Governor of Brixton Prison ex p Levin [1997] QB 65 the Court of Appeal considered the interpretation to be given to the word “instrument” in s8(1) Forgery and Counterfeiting Act 1981 (UK), which definition includes the word “disc”. The Court held that “disc”:
...embraces the information stored as well as the medium on which it is stored, just as a document consists both of the paper and the printing on it. (79)
64 It is likely that New Zealand courts would interpret “disc” in s263 Crimes Act 1961 to include data stored on a disc. Even so there are still difficulties with relying on s264 in cases where a hacker has altered data stored in a computer. Given the development of computer technology and the wide array of computer systems currently in use, it may not always be possible to argue that data has been stored on a “disc” in a computer. For instance, we have been advised by our Advisory Committee that often data is only modified in a computers memory and not in permanent storage. The term “false document” is narrowly defined in s263 Crimes Act 1961. Also, in many situations, it may be difficult to prove that a hacker who amended a computer document intended to defraud anyone or intended that the document should be used or acted upon as genuine. Lastly, if the process is wholly automated there is authority which suggests that there is no offence because a machine does not have a state of mind (see Kennison v Daire (1985) 38 SASR 404; on appeal (1986) 160 CLR 129, where the appellant was convicted of larceny for withdrawing money from an automatic teller machine (ATM) after he had closed his account and withdrawn the money from it. King CJ noted that “The crime of obtaining money by false pretences requires, in my opinion, the intervention of a human being who is induced by the false pretence to part with money. A machine cannot be deceived by a false pretence or other fraud” (p406)).
65 It is also unlikely that s229A Crimes Act 1961 will be an effective deterrent to unauthorised use of data stored in a computer. An offence under s229A is committed when a person, with intent to defraud :
(a) Takes or obtains any document that is capable of being used to obtain any privilege, benefit, pecuniary advantage, or valuable consideration; or
(b) Uses or attempts to use any such document for the purpose of obtaining, for himself or for any other person, any privilege, benefit, pecuniary advantage, or valuable consideration.
66 The difficulty with relying on this section is that it is not clear that the word “document” in s229A includes data stored on a computer. “Document” is defined for forgery offences and includes “discs”. However, “document” is not defined for the purposes of s229A. It has consequently been submitted that in the absence of any special extended definition of “document” (such as occurs in s263 Crimes Act 1961 and s3 Evidence Amendment Act (No 2) 1980) data held in an electronic form will not be included (Robertson para 229A.04).
67 The criminal provisions which we have considered above would have only a limited deterrent effect on those who would otherwise engage in unauthorised use of data stored on a computer. We consider how best to reform the criminal law to deal with the unauthorised use of computer data in chapter 5.
68 The final category of computer misuse is the unauthorised damaging of computer data (paras 10, 22, 23). In the following paras we consider whether the existing criminal law is adequate to deal with such activities.
69 Altering a document with intent to defraud occurs where a person “makes any alteration in any document, whether by addition, insertion, deletion, obliteration, erasure, removal, or otherwise” with intent to defraud (s266A Crimes Act 1961). This section could be used, for instance, where a hacker enters a competitor’s computer and amends or deletes valuable information.
70 There are a number of difficulties with relying on this section to deter unauthorised damaging of data stored on a computer. As with forgery, it is unclear whether “document” in s266A includes data stored on a computer. Also, s266A will only cover a limited range of conduct. The section will not cover a hacker who alters a document and causes loss to another but cannot be shown to have had an intention to defraud (for example, where the hacker carelessly alters data). In any event, conduct which results in denial of data will not be covered by these provisions.
71 A computer hacker may gain unauthorised access to confidential data stored on a competitor’s computer and delete that information. It will be difficult to prosecute a hacker successfully for such actions under s266A (see paras 69, 70). It will also be difficult to prosecute a hacker under s231 Crimes Act 1961. Section 231 provides:
Every one who destroys, cancels, conceals, or obliterates any document for any fraudulent purpose is liable to the same punishment as if he had stolen the document, or to imprisonment for a term not exceeding 3 years, whichever is the greater.
72 There are a number of difficulties with relying on s231 to deter unauthorised damaging of computer data. First, it is not clear that “document” in s231 includes data stored on a computer. Secondly, for there to be a successful prosecution under s231 the prosecution must establish, beyond reasonable doubt, that the hacker acted for a “fraudulent purpose”.17In many cases this will be difficult to establish. For example, a hacker may attempt to gain access to data stored in a computer simply as a test of personal computer expertise. In the process of doing this the hacker might, carelessly, destroy data stored in the computer. In such a case, it would be unlikely that the court would find that the hacker had acted with a “fraudulent purpose”. Thirdly, if a hacker was successfully prosecuted under s231 for fraudulently damaging data stored in a computer, the maximum penalty that could be imposed would be three years imprisonment (as we have seen, it is not possible to “steal” data contained on a computer; paras 59–60).
73 Under s298(4) Crimes Act 1961 it is an offence punishable by up to 5 years imprisonment to “wilfully destroy” or “damage” any “property”. A person will have acted “wilfully” if she/he acted “recklessly”.18
74 It is likely that a computer hacker will be guilty of an offence of wilful damage under s298 if he or she wilfully or recklessly damages data in a computer. “Property” will most likely include information stored on a computer. The definition of “property” in the Crimes Act 1961 includes intangible property (“any debt, and any thing in action, and any other right or interest” (s2)). Also, two English cases under section 1(1) Criminal Damage Act 1971 (UK) have resulted in convictions for computer misuse, that section is similar to s298(4) Crimes Act 1961 (see para 75). The material difference between the two Acts is that in the UK Act “property” is confined to property of a tangible nature (s10(1)).
75 In Cox v Riley (1986) 83 Cr App R 54, the defendant had deliberately erased a computer programme from a plastic circuit card of a computerised saw so as to render the saw inoperable. It was held that the computer card was “property” and that the defendant had damaged the card as the card could not operate the saw until it had been re-programmed which would require time, effort and money. In R v Whiteley (1991) 93 Cr App R 25, the defendant had gained access to a computer network and had altered data contained on discs in the system. Evidence was given that the discs were so constructed as to contain upon them magnetic particles. The Crown’s case was that the defendant had caused damage to the discs by altering the state of the magnetic particles on the discs so as to delete and add files. The Court of Appeal held that the defendant had been rightly convicted. The Lord Chief Justice stated:
There can be no doubt that the magnetic particles upon the metal discs were part of the discs and if the appellant was proved to have intentionally and without lawful excuse altered the particles in such a way as to cause an impairment of the value or usefulness of the disc to the owner, there would be damage within the meaning of section 1. (28–29)
76 There are however two difficulties with relying on s298 to deter unauthorised destruction of computer data.
77 First, it appears that “damage” in s298 is confined to the situation where there has been lasting damage. “Damage” is not defined in the Crimes Act 1961. In Kathness v Police (Auckland HC, 31 October 1983, M 1291/83, Barker J), a case of wilful damage under s11 Summary Offences Act 1981,19 Barker J quoted with apparent approval the definition of “damage” given in Police v Consedine and Gillooly (1981) 1 D.C.R 267. In that case “damage” was defined as meaning “to do or cause damage to [or] to injure (a thing) so as to lessen or destroy its value. . . physical injury to a thing such as impairs its value or usefulness” (2). In Kathness it was held that spray painting a road had “damaged” the road as the spray painting had impaired the road’s value. The Judge stated that $47 had to be spent to restore the road to its original condition.
78 In Cox v Riley, R v Whiteley and Kathness there was a physical alteration to property which impaired the property’s value and which required work to return the property to its original state. Where there is only a temporary functional derangement of a computer (and then the computer is restored to its original condition) it would be difficult to argue that the computer had been “damaged” within the meaning of the Act. A temporary interruption of some computers could have serious consequences, for instance, a temporary interruption of an airport control system or a computer in a hospital.
79 Secondly, it is not clear that s298 would cover the “indirect” destruction of computer data such as the examples discussed at para 23. To be an effective deterrent against the unauthorised destruction of computer data, the Crimes Act 1961 needs to make it clear that “indirect” destruction is covered as well as direct destruction.
80 We conclude that the existing criminal law is inadequate to deal with computer misuse. However, it would be possible to redraft existing law to cover the types of computer misuse to which we have referred in this report. If an attempt is made to amend the existing provisions of the Crimes Act 1961 to make them fit the matters discussed in this paper, there is a grave risk of error either by imposing criminal liability where it should not be imposed or by omitting provisions that ought to be included. We have no doubt that the only neat and sensible solution is to either have a separate statute dedicated to crimes of computer misuse, or, to have a distinct part within the Crimes Act 1961 relating to computer misuse. Accordingly, in chapter 5 we proceed to make recommendations on the framework for a criminal law dealing with computer misuse.
NZLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.nzlii.org/nz/other/nzlc/report/R54/R54-3.html