New Zealand Law Commission
|
|
[Home]
[Databases]
[WorldLII]
[Search]
[Feedback]
New Zealand Law Commission |
|
[Database Search] [Name Search] [Previous] [Next] [Download] [Help]
180 COMPUTER MISUSE is a global issue. Statistics reveal that computer misuse has been occurring for several years and is a widespread problem. In 1995 the United States General Account Office discovered that hackers using the internet had broken into the US Defence Department’s computer more than 160,000 times.279 The Federal Bureau of Investigation reported that in 1997 there were 206 pending computer misuse cases. By 1998 that figure had increased to 480.280
181 The society in which we live is becoming increasing reliant on computers. In 1997 it was estimated that as many as 40 million people around the world were using the internet. It was predicted that this figure would rise to 200 million by 1999.281 As our reliance on computers increases so too does the potential for computer misuse. One of the areas where computer misuse could be acutely felt is in the area of commerce. As we noted in ECom 1282 business-to-business commerce over the internet reached an estimated US$8 billion in 1997, 10 times the 1996 total.283 It has been estimated that electronic commerce will be worth US$1 trillion by 2002.284 Massive financial losses have reportedly occurred overseas as a result of computer misuse. In 1995, the US Senate’s Permanent Investigations Sub-committee reported that banks and corporations lost US$800 million from hackers in 1995 alone. Also, federal law enforcement agencies have estimated that thieves operating through computers steal more than US$10 billion worth of data in the United States annually.285 Further, computers are relied on to perform vital functions in many sectors of our society. They are used to administer banking and financial systems, transport control systems, communication systems, hospitals and a variety of other complex operations. A person who gains unauthorised access to a computer can cause major disruption. Computer misuse can cause extensive economic loss, not only to an individual company but also on a nation-wide scale; it can put lives in danger.
182 In the late 1980s several countries investigated the need for the creation of criminal offences directed specifically at computer misuse as a result of concerns in relation to computer crimes. The Scottish Law Commission, the Attorney-General’s Department of Australia and the Law Commission of England and Wales286 recommended the adoption of criminal offences directed at computer misuse. These recommendations were followed and there is now legislation in the United Kingdom and Australia making computer misuse a criminal offence. Legislation has also been passed in Canada and Singapore.287
183 It has recently been brought home to New Zealanders that computer misuse is not just an overseas problem. In November 1998, a computer hacker erased some 4,500 “Ihug” websites. Shortly after the Ihug incident, it was reported that Telecom, New Zealand’s largest Internet service provider, was concerned that hackers might be gaining access to the internet by using customers’ passwords and surfing the internet at the customers’ expense. At the same time as these incidents were occurring, the Law Commission was in the process of receiving submissions from the public and private industry on ECom 1. Many of the submissions received recommended that the Law Commission should address the issue of electronic crime.
184 We decided late last year to address the issue of computer misuse. In May this year we published our report Computer Misuse and provided a copy to the Ministry of Justice. In September this year the Crimes Amendment Bill (No 6) received its first reading in Parliament. Two computer misuse offences are contained in the bill; accessing a computer system for a dishonest purpose and damaging or interfering with a computer system. The offences contained in the bill are narrower than the offences recommended by the Law Commission in our report Computer Misuse.
185 We deal briefly with the question of the criminal law in this report because, having regard to what we have learnt since publication of ECom 1 in October 1998, we adhere to our view that there is a real need for consistent and harmonious legislation dealing with both criminal and civil aspects of the law relating to electronically generated information. Also, we are raising the possibility of the creation of a statutory tort288 to provide compensatory remedies which may not exist under the current law. That discussion cannot take place sensibly without a brief reference to the criminal law. In addition, there is one point of elaboration which we wish to make on our Computer Misuse report.
186 Originally, we had intended to issue our Computer Misuse report as a preliminary paper. Ultimately, the report was issued as a final report because, about a month before publication, the Minister for Justice announced his proposal to introduce into the House of Representatives legislation which would create criminal offences for certain types of computer crime.289 Because of the imminence of the introduction of a Bill, we issued a final report which was confined to concepts and which did not include draft legislation. Our recommendations were intended to add to those made in December 1998 when we made recommendations which would enable Parliament to close a gap in the law exposed by the judgment of the Court of Appeal in R v Wilkinson.290
187 Since the issue of our Computer Misuse report we have had further discussions with our Electronic Commerce Advisory Committee. We have come to the view that a fifth offence is necessary; namely intentionally and without authority gaining access to data in a computer. That offence would be in addition to the access offence mentioned in Computer Misuse. For convenience, we state below the five new offences which we have recommended be created and add a short comment on questions of jurisdiction in relation to such offences.
188 The first offence is one of unauthorised interception of data stored in a computer. This is where a person eavesdrops so as to pick up information in the course of being transmitted to, or received by, a computer or intercepts the emanations from a computer and transforms those emanations into a useable form. To establish this offence the prosecution would be required to show: first, that the accused obtained unauthorised interception of computer data, and secondly that the accused intentionally intercepted the computer data. In our view, those who accidentally intercept computer data should not be subject to prosecution. The offence would be expressed so as to include instances where the attacker physically attaches an interception device to a computer or transmission device (such as telephone wires) as well as instances where the attacker places a device in proximity to such equipment.
189 The second offence is unauthorised access to data stored in a computer. This is where a person without authority, whether through physical or electronic means, accesses data stored on a computer. It is not appropriate to punish with criminal sanctions a person who accidentally or even carelessly accesses data. For example, in some cases individuals may gain unauthorised access to data by mis-dialling or by opening a programme which they did not intend to open. Consequently, the prosecution should be required to establish: first, that the accused gained unauthorised access to data, and secondly that at the time of access the accused had an intention to cause loss or harm or gain a benefit or advantage. The requirement of such an intent would mean that those who gain access simply to achieve the prize of access would not be criminally liable for their actions. However, if a person obtained unauthorised access without such an intent but then went on to cause damage through careless conduct, that person would be liable for the offence of “damaging computer data”.291
190 The third offence is unauthorised use of data stored on a computer. The term “use” would cover two distinct types of activity. The first is where a person without authority gains access to data stored in a computer and then goes on to use that data in an unauthorised way (for example to commit fraud or theft). The second type of activity is where a person plays no part in gaining unauthorised access to data but, nevertheless, receives and uses the data in an unauthorised way. This second situation is akin to receiving rather than theft.
191 The fourth offence is unauthorised damaging of data stored in a computer. “Damage” would cover the entire continuum from denial of data through to modification through to destruction of that data. This category would cover both the “direct” and the “indirect” damaging of data. By “indirect” damaging we mean, for instance, writing a harmful “virus” on to a computer disk intending that someone else will use the disk and thereby introduce the virus into a computer or entering a password or otherwise blocking legitimate users from being able to access data. It would be sufficient to prove first, that the hacker gained unauthorised access and secondly, that data was damaged as a result of the hacker’s actions (whether intentional or careless).
192 The fifth offence, to which we refer in paragraph 187 above, is an alternative to the second offence which is concerned with unauthorised access to data stored in a computer.292 In our view, the elements of this fifth offence should be that a person intentionally and without authority gains access to data stored in a computer.293 Initially294 we took the view that the addition of an intent to cause loss or harm to the person entitled to data or to some third party or to gain some form of benefit or advantage either personally or for a third party, was needed to complete an offence of unauthorised access. That was why our “access” offence was framed the way it was in the Computer Misuse report. We are now persuaded that that view was too narrow. The offence we now propose would cover the situation where a hacker intentionally accesses a computer system without intending to obtain a benefit or cause a loss. Even if a hacker does nothing while in the system, such activity has the potential to cause massive financial losses to the computer owner who has to conduct a full audit on the system to determine where in the system the hacker had been and whether, in fact, any damage had resulted. It may well be necessary for the computer owner to shut down the system while performing an audit and this would cause further ongoing losses. The potential for harm in such circumstances, and the consequent need for deterrence, was underestimated by us in our earlier report. We now recommend that an additional offence be created. However, we see this offence as being less serious than the other four offences recommended in the Computer Misuse report and we take the view that it should have a maximum penalty of three years imprisonment.295
193 In relation to the penalties for the other four offences we recommended that a single maximum penalty of 10 years imprisonment should be set for all four categories of computer misuse. It would then be up to the court to exercise a discretion on sentencing to fit the circumstances of the particular case.296
194 In the Computer Misuse report we also recommended that a provision giving New Zealand courts jurisdiction in computer misuse offences wherever they are committed should be enacted. We are of the view that the existing jurisdiction provisions in the Crimes Act 1961 are inadequate to deal with computer misuse activities. Also, in many cases it will be impossible to determine where the hacker was at the time the computer misuse activities took place.
195 It is in the context of these recommendations that we discuss, in chapter 13, the question of whether there should be an additional statutory tort which would enable a person whose computer system had been entered illegally in one of the five ways set out above to sue for compensation for losses suffered or to receive back any profit gained by the person responsible for the hacking.297
196 While preparing our report on computer misuse, it became clear to the Commission that computer misuse is an international problem which has no regard for territorial boundaries. In our view it is inadequate that States deal with issues of computer misuse in an isolated and piecemeal fashion. Rather there is a need for international initiatives in this area to ensure that States legislate to criminalise computer hacking (i) affecting those within its borders (wherever it is committed) and (ii) committed within its borders (wherever its effects may be). The Law Commission has decided to undertake further work on the issue of international measures for computer misuse over the coming year.
NZLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.nzlii.org/nz/other/nzlc/report/R58/R58-12.html