[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

5 Recommendations

88 We are of the view that new offences dealing specifically with computer misuse should be created and that such offences should be located in a separate statute or in a distinct part of the Crimes Act 1961. We hold this view for the following reasons:

• it will enable a comprehensive code to be readily available to legal practitioners and to the public. This is a preferable approach to that which would involve practitioners and members of the public scouring various statutes to see whether any offence was likely to be, or had been, committed;
• computer related activities can be dealt with by legislation expressed in suitable (but preferably technologically neutral) language;
• the criminal law in relation to computer misuse would be rendered clear and certain. At present, we do not believe that the existing criminal law can adequately deal with all forms of computer misuse.

89 In the Law Commission’s view there should be four new offences dealing with computer misuse. These are set out in paras 90–93.

90 Unauthorised interception of data stored in a computer:²² To prove this offence the prosecution should be required to show; first, that the accused obtained unauthorised interception of computer data, and secondly that the accused intentionally intercepted the computer data. Those who accidentally intercept computer data should not be subject to prosecution under the section. The offence should also be expressed so as to include instances where the hacker physically attaches an interception device to a computer or transmission device (such as telephone wires) as well as instances where the hacker places a device in proximity to such equipment (see para 18 where electromagnetic emanations are discussed). If it was thought necessary to define the term “interception device” it may be appropriate to use the definition of “listening device” in s216A Crimes Act 1961 (as discussed in para 53).

91 Unauthorised access to data stored in a computer: This offence should be expressed in the manner specified in para 13. It is not appropriate to punish with criminal sanctions a person who accidentally or carelessly accesses data. For example, in some cases individuals may gain unauthorised access to data by mis-dialling or by opening a programme which they did not intend to open. The prosecution should be required to establish; first, that the accused gained unauthorised access to data, and secondly that at the time of access the accused had an intention to cause loss or harm or gain a benefit or advantage.

92 Unauthorised use of data stored on a computer: This offence should be expressed so as to cover both:

• those who have gained access to data stored in a computer and then go on to “use” that data (see paras 20 and 21); and
• those who receive and use data without authority (see paras 20 and 21).

As to the first, a hacker should be liable for unauthorised use irrespective of how access to the data was gained (whether intentionally or unintentionally). As to the second, a person who receives data from a person knowing that that person has obtained it through unauthorised means should also be liable for criminal sanctions.

93 Unauthorised damaging of data stored in a computer: This offence should cover the entire continuum from denial of data to complete destruction of data. It would be sufficient to prove that the hacker gained unauthorised access and that data was damaged as a result of the hacker’s actions (whether intentional or careless). This will ensure that those who gain unauthorised access without an intent to cause loss or harm or to derive some benefit or advantage, will be liable for the offence of damaging data whether the damage was caused deliberately or carelessly. It would also be sufficient that the defendant, without gaining access to the computer programme at all, nevertheless damaged data (see para 22 third bullet point).

94 We recommend that there be a single maximum penalty set for all four categories of computer misuse activity. It would then be for the court to exercise a discretion when sentencing depending on the gravity of the particular case. A case could involve a person intentionally gaining access to a computer system operated by a national security or law enforcement agency with major damage occurring through a careless or reckless act. Accordingly, we believe that the maximum penalty must be set at a high level. We would suggest a period of 10 years imprisonment. The court can reflect appropriate penalties to fit the circumstances of particular cases within that maximum limit.

95 We also recommend that the new legislation should expressly give New Zealand courts jurisdiction in international computer misuse cases in the manner set out in para 87.