Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
2Activity
0 of .
Results for:
No results containing your search query
P. 1
Computer Crime in Ireland

Computer Crime in Ireland

Ratings: (0)|Views: 169 |Likes:
Published by TJ McIntyre

More info:

Published by: TJ McIntyre on Jan 24, 2012
Copyright:Traditional Copyright: All rights reserved

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/27/2013

pdf

text

original

 
 Irish Criminal Law Journal - Volume 15, No.1, 20051
Computer Crime in Ireland: A critical assessment of the substantive law
T.J. McIntyre
 
B.C.L., LL.M., B.L., Lecturer in Law, University College Dublin.
Introduction
Irish law on computer crime is an afterthought. The principaloffences in this area are contained in the Criminal DamageAct 1991 and the Criminal Justice (Theft and Fraud Offences)Act 2001: in both cases, the offences have been tacked onto an Act whose primary focus is elsewhere, and in bothcases the drafting reflects this lack of attention. In addition,the offences are beginning to show their age: recenttechnological developments have resulted in new threatsand responses which do not fit easily into the existing law.Some reform of the law is overdue, and in any event willbe necessary if Ireland is to implement the Council of Europe Convention on Cybercrime and the (proposed)Council Framework Decision on Attacks AgainstInformation Systems. This article looks at the substantivelaw relating to computer crime with a view to identifyingproblems which currently exist, flagging some developingissues and offering some suggestions for reform.
1
Background
“It appears an inevitable feature of technologicaldevelopment that criminal applications followlegitimate uses with very little time lag.”
2
Although computer misuse soon followed the developmentof computers, laws dealing specifically with computer crimetook somewhat longer to appear.
3
In part, this may bebecause many computer related crimes were essentiallyconventional crimes
4
which were merely facilitated by theuse of computers: as such, they could be prosecuted underexisting laws. As Kerr points out:“For the most part, traditional crimes committed usingcomputers raise few new issues for criminal law. Thebasic crimes remain the same regardless of whetherwrongdoers use computers or some other means tocommit them. For example, a death threat is still a deaththreat regardless of whether it is transmitted via emailor a telephone call.”
5
Difficulties arose, however, when courts began to facesituations involving issues unique to computers, particularlythe early hacking cases. In these cases, prosecutorsstruggled to fit defendants’ conduct within existingoffences.
6
Some success was achieved in conceptualising hackingas a form of criminal damage. In both
Cox v Riley
7
and
 R vWhitely
8
prosecutors in England succeeded in arguing thatchanges to programs or data could be considered to becriminal damage to the physical medium on which thatinformation was stored.The limitations of this approach were, however, exposedin
Whitely
, where the Court of Appeal noted that in orderfor criminal damage to be made out, the changes wouldhave to result in “an impairment of the value or usefulnessof the disc to the owner”. Changes of a lesser nature wouldnot suffice: “[if] the hacker’s actions do not go beyond, forexample, mere tinkering with an otherwise ‘empty’ disc, nodamage would be established”. In
Whitely
itself, thenecessary impairment was easily found, since thedefendant’s actions had led to the network slowing downand crashing. However, this logic led to the bizarreimplication that, had the defendant been a more skilledhacker and avoided disrupting the ordinary operation of the network, he would not have been guilty of an offencesince the value and usefulness of the system would nothave been impaired by his actions.
9
Another approach was to treat the use of falseusernames and passwords as a form of forgery. This wasadopted in the English case of 
 R v Gold.
10
Here, two computer journalists secured access to the British Telecom Prestelcomputer network by using the customer identificationnumbers and passwords of authorised users. They usedthis access to obtain information to which they were notentitled and to make changes to stored data, with the statedintention of exposing security flaws in the Prestel system.These changes notoriously included leaving messages inthe personal account of Prince Philip, the Duke of Edinburgh,a factor which led to some official embarrassment at thetime.The defendants were charged with a number of offencesunder the Forgery and Counterfeiting Act 1981, on thetheory that their use of others’ customer identificationnumbers and passwords constituted the making of falseinstruments, contrary to s.1 of that Act. At first glance, thisappeared to be adequate to deal with this type of hackingsince the 1981 Act expressly included in its scope falseinstruments which were “recorded or stored on disc, tape,soundtrack, or other device”,
11
and the defendants wereconvicted at trial. On appeal, however, the House of Lordstook the view that the passwords and customeridentification numbers entered by the defendants, even if they were “false instruments”, could not be said to be“recorded or stored” as was required by the act, since theywere held only temporarily to be checked for validity andwere deleted immediately afterwards.
 
 Irish Criminal Law Journal - Volume 15, No.1, 20052
highlighted by R. v Gold, s.5 creates a separate offence of unauthorised access. We will look at these two offencesseparately.
Criminal damage to data and programs
The offence of criminal damage is created by s.2(1):“A person who without lawful excuse damages anyproperty belonging to another intending to damageany such property or being reckless as to whetherany such property would be damaged shall be guiltyof an offence.”Under s.1, “data” is defined to mean “information in a formin which it can be accessed by means of a computer and[including] a program”, while damage in respect of data isdefined to mean:“(i) to add to, alter, corrupt, erase or move to anotherstorage medium or to a different location in the storagemedium in which they are kept (whether or notproperty other than data is damaged thereby), or(ii) to do any act that contributes towards causingsuch addition, alteration, corruption, erasure or move-ment”.The combined effect of these provisions is to create anoffence which is remarkably broad and applies not just to“damage” in the ordinary sense of the word but to anymodification of any information stored on a computer,whether or not that has any adverse effect, or indeed anyact “contribut[ing] towards” such modification.
17
Incontrast, “damage” in respect of tangible property is definedin terms which require that such property be destroyed,defaced, dismantled, rendered inoperable or the like.
18
It is arguable whether innocuous changes or additionsto data should be defined as damage; the Act itself equatesdata with tangible property, which would suggest that onlyharmful changes or additions should be criminalised. Thiswas the approach taken in the United Kingdom: s.3 of theComputer Misuse Act 1990 creates a similar offence of unauthorised modification of computer material, but onlywhere the defendant has an intention to bring about aharmful result, such as impairing the operation of a computeror the reliability of data.It could be said that even seemingly harmless changescan involve substantial costs in investigating the extent of the security breach, restoring from backup systems, andtaking steps to secure a system against future incursion.These costs, it might be said, themselves constitute a formof damage which should merit the severe penaltiesassociated with the criminal damage offence. As againstthat, however, the same costs would be incurred in cleaningup after an unauthorised access offence, which carries amaximum penalty of six months. It is, therefore, difficult tosay that these costs justify more severe penalties in onecontext but not in the other.
19
More generally, the House of Lords strongly criticisedthis attempt to put new wine into old bottles:“The Procrustean attempt to force these facts into thelanguage of an Act not designed to fit them producedgrave difficulties for both judge and jury which wewould not wish to see repeated. The appellants’conduct amounted in essence … to dishonestlygaining access to the relevant Prestel data bank by atrick. That is not a criminal offence. If it is thoughtdesirable to make it so, that is a matter for thelegislature rather than the courts.” (
 per 
Lord Brandon)This case therefore exposed, in a very public way, thefact that existing criminal laws were not adequate to dealwith computer hacking and the rebuke delivered by theHouse of Lords, coupled with pressure from the computerindustry, led to the Law Commission Working Paper onComputer Misuse
12
, which in turn led to the ComputerMisuse Act, 1990.
13
This was a comprehensive piece of legislation which created three new offences of unauthorisedaccess to computer material, unauthorised access withintent to commit further offences and unauthorisedmodification of computer material.
The Criminal Damage Act 1991
In Ireland, however, a different approach was taken.Although the need for reform was acknowledged, ratherthan draft dedicated legislation the Government decided topiggyback on the Criminal Damage Bill 1990, by bringingcomputer crimes within its scope. That Bill, however, hadbeen drafted in order to implement the Law ReformCommission Report on Malicious Damage.
14
It had not beendesigned with computer crime in mind, nor had the LawReform Commission been asked to report on the matter. Assuch, the computer crime provisions appear to have beenstuffed rather inelegantly into the draft Bill. As was said atthe time by Senator Joe Costello:“[T]he Commission did not envisage that their reportwould be incorporated into another body of legislationwhich would include this new offence of computerhacking…[T]o incorporate as an update in the sameBill the offence of computer hacking makes the mindboggle. It seems as though somebody, somewhere,suddenly decided this was an opportunity, whetherby stealth or otherwise, to get legislation on the StatuteBook…That is a very bad way to producelegislation.”
15
In framing computer crime as a form of criminal damage, thedrafters adopted two separate approaches. First, tocircumvent the problem presented by
 R v Whitely,
16
 
i.e.
thatmere changes in stored information will not constitutedamage to tangible property, s.1 defines the term “property”to include data and gives an extended definition to “damage”in respect of data. It follows that the criminal damage offencescreated by the 1991 Act will apply equally to the deletion ormodification of data. Secondly, to deal with the difficulty
The
Computer crime in Ireland 
 
 Irish Criminal Law Journal - Volume 15, No.1, 20053
Will prosecutorial discretion ensure that a s.2(1) chargeis not brought in respect of “damage” which does not haveany harmful effect? Perhaps. But it is undesirable tocriminalise conduct so broadly that it is necessary to relyon such discretion to avoid injustice.In addition, the breadth of this offence brings about anundesirable overlap with the s.5 unauthorised accessoffence. In almost every case, access to a computer willbring about some changes to the data stored on thatcomputer. For example, simply by turning on a personalcomputer, a user generally causes the computer to generatea log file which records the startup process.
20
Under s.2(1),this log file is “damage”—it is an addition to the data storedon that computers—so that the user, in addition to the s.5offence, may also be guilty of criminal damage.
21
Thisundermines the legislative scheme, which was intended todifferentiate between the less serious offence of unauthorised access and the more serious offence of actualdamage.
22
Unauthorised access
The unauthorised access offence is created by s.5 of the1991 Act:“(1) A person who without lawful excuse operates acomputer—(a) within the State with intent to accessany data kept either within or outside theState, or(b) outside the State with intent to accessany data kept within the State,shall, whether or not he accesses any data,be guilty of an offence […](2) Subsection (1) applies whether or not the personintended to access any particular data or any particu-lar category of data or data kept by any particularperson.”It should be pointed out that, although universally referredto as the “unauthorised access” offence,
23
this is properlydescribed as an offence of operating a computer, without alawful excuse, with intent to access data. Unusually forIrish criminal law, this is, in effect, an attempt offence: theoffence is committed when a computer is used with aparticular purpose in mind, and the offence is completewhether or not the offender does in fact access any data.
Defining “operate”
The first difficulty with this offence is the use of the term“operate”. This appears to be unique to the Irishlegislation.
24
The Computer Misuse Act 1990, which wouldhave been looked to as an example by the drafters of the1991 Act, refers instead to “caus[ing] a computer to performany function”.What does “operate” mean? The term is left undefinedby the 1991 Act, suggesting that the drafter thought itstraightforward. However, in a computer context, even acursory examination reveals ambiguities.
25
We can take theOxford English Dictionary (OED) definition as our startingpoint—the relevant meaning of operate is defined as “tocause or direct the functioning of; to control the working of (a machine, boat, etc.)”
26
Suppose that A attempts to log in to a computer. Heencounters a username and password prompt. He entersseveral guesses at usernames and passwords, but all areunsuccessful and he gives up. Did A operate thatcomputer? On a narrow view, the answer would be “no”: itcould be argued that A did not in fact enjoy any controlover the machine (as required by the latter part of the OEDdefinition). By way of analogy, it might be said that a personwho attempted to steal a car but was defeated by animmobiliser did not operate that car.
27
On the other hand, by entering usernames andpasswords, A does cause the computer to execute programschecking those details: as such, A could be said to haveoperated the computer (in the wider OED sense of causingit to carry out a function).
28
This interpretation is supportedby the wording of s.5, which refers to operation with intentto access any data, and the crime being complete whetheror not the user does in fact access any data, suggestingthat the Legislature intended to criminalise preliminaryconduct even though access might have been thwarted bya security measure. Indeed, at Committee Stage before theSeanad the Minister of State suggested that:“The offence will be committed either when access isachieved or when the computer is being operated withthe objective of gaining access but no access isactually achieved. It will be committed even when thehacker merely looks around the system he haspenetrated. Depending on the level of security in thesystem, a hacker may not get beyond a look at a list of what the system contains.”
29
This wider interpretation would, in essence, be the same asthe Computer Misuse Act formula of “caus[ing] a computerto perform any function”. (Which prompts the question: if this was the intended result, why did the drafter of the 1991Act adopt a different wording?) This view will, no doubt,be attractive to prosecutors aiming to maximise the coverageof the 1991 Act. However, such an expansive interpretationwould create significant uncertainty.Suppose that A sends an email to B, which travels viaC’s computer. On the wide interpretation, A will haveoperated the computers belonging to B and C, since he willhave caused them to execute programs to deliver andprocess his email.
30
This result, although inevitable if wetake the wider meaning of operate, would come as a surpriseto most users. It would also expand further what is alreadyan overbroad offence.
31
If, for example, A were to send emailto B, after B had indicated that the email was unwelcome, Acould be said to have operated B’s computer without lawfulexcuse and could be guilty of an offence under this section.
32
The
Computer crime in Ireland 

Activity (2)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->