Irish Criminal Law Journal - Volume 15, No.1, 20053
Will prosecutorial discretion ensure that a s.2(1) chargeis not brought in respect of “damage” which does not haveany harmful effect? Perhaps. But it is undesirable tocriminalise conduct so broadly that it is necessary to relyon such discretion to avoid injustice.In addition, the breadth of this offence brings about anundesirable overlap with the s.5 unauthorised accessoffence. In almost every case, access to a computer willbring about some changes to the data stored on thatcomputer. For example, simply by turning on a personalcomputer, a user generally causes the computer to generatea log file which records the startup process.
Under s.2(1),this log file is “damage”—it is an addition to the data storedon that computers—so that the user, in addition to the s.5offence, may also be guilty of criminal damage.
Thisundermines the legislative scheme, which was intended todifferentiate between the less serious offence of unauthorised access and the more serious offence of actualdamage.
The unauthorised access offence is created by s.5 of the1991 Act:“(1) A person who without lawful excuse operates acomputer—(a) within the State with intent to accessany data kept either within or outside theState, or(b) outside the State with intent to accessany data kept within the State,shall, whether or not he accesses any data,be guilty of an offence […](2) Subsection (1) applies whether or not the personintended to access any particular data or any particu-lar category of data or data kept by any particularperson.”It should be pointed out that, although universally referredto as the “unauthorised access” offence,
this is properlydescribed as an offence of operating a computer, without alawful excuse, with intent to access data. Unusually forIrish criminal law, this is, in effect, an attempt offence: theoffence is committed when a computer is used with aparticular purpose in mind, and the offence is completewhether or not the offender does in fact access any data.
The first difficulty with this offence is the use of the term“operate”. This appears to be unique to the Irishlegislation.
The Computer Misuse Act 1990, which wouldhave been looked to as an example by the drafters of the1991 Act, refers instead to “caus[ing] a computer to performany function”.What does “operate” mean? The term is left undefinedby the 1991 Act, suggesting that the drafter thought itstraightforward. However, in a computer context, even acursory examination reveals ambiguities.
We can take theOxford English Dictionary (OED) definition as our startingpoint—the relevant meaning of operate is defined as “tocause or direct the functioning of; to control the working of (a machine, boat, etc.)”
Suppose that A attempts to log in to a computer. Heencounters a username and password prompt. He entersseveral guesses at usernames and passwords, but all areunsuccessful and he gives up. Did A operate thatcomputer? On a narrow view, the answer would be “no”: itcould be argued that A did not in fact enjoy any controlover the machine (as required by the latter part of the OEDdefinition). By way of analogy, it might be said that a personwho attempted to steal a car but was defeated by animmobiliser did not operate that car.
On the other hand, by entering usernames andpasswords, A does cause the computer to execute programschecking those details: as such, A could be said to haveoperated the computer (in the wider OED sense of causingit to carry out a function).
This interpretation is supportedby the wording of s.5, which refers to operation with intentto access any data, and the crime being complete whetheror not the user does in fact access any data, suggestingthat the Legislature intended to criminalise preliminaryconduct even though access might have been thwarted bya security measure. Indeed, at Committee Stage before theSeanad the Minister of State suggested that:“The offence will be committed either when access isachieved or when the computer is being operated withthe objective of gaining access but no access isactually achieved. It will be committed even when thehacker merely looks around the system he haspenetrated. Depending on the level of security in thesystem, a hacker may not get beyond a look at a list of what the system contains.”
This wider interpretation would, in essence, be the same asthe Computer Misuse Act formula of “caus[ing] a computerto perform any function”. (Which prompts the question: if this was the intended result, why did the drafter of the 1991Act adopt a different wording?) This view will, no doubt,be attractive to prosecutors aiming to maximise the coverageof the 1991 Act. However, such an expansive interpretationwould create significant uncertainty.Suppose that A sends an email to B, which travels viaC’s computer. On the wide interpretation, A will haveoperated the computers belonging to B and C, since he willhave caused them to execute programs to deliver andprocess his email.
This result, although inevitable if wetake the wider meaning of operate, would come as a surpriseto most users. It would also expand further what is alreadyan overbroad offence.
If, for example, A were to send emailto B, after B had indicated that the email was unwelcome, Acould be said to have operated B’s computer without lawfulexcuse and could be guilty of an offence under this section.
Computer crime in Ireland