Police v V.

Ramessur

2018 INT 140

IN THE INTERMEDIATE COURT OF MAURITIUS

(Criminal Division)
In the matter of :- C.No. 657/2012

Police v Vishaal RAMESSUR

JUDGMENT

Accused, who as per information is styled as having at the time of the offence on
20 March 2005 been a Senior Technician at Mauritius Telecom [ hereinafter referred to
as ‘MT’’] stands charged with having wilfully and without lawful authority or lawful
excuse done an act which caused directly or indirectly failure of a computer system,
namely, he accessed the MT computer system based at Line Barracks through his laptop
connected to his telephone line 2831379 [ hereinafter referred to as ‘’Accused’s home
line’’] and caused the operation system to collapse. And this in breach of section 7(a)
Computer Misuse and Cybercrime Act.

Accused has pleaded Not Guilty to the charge and is assisted in his defence by Mr
A.Radhakissoon and the Prosecution was led (at the end of the case) by Ms.A.Rawoah.

The gist of the case for the Prosecution is as follows :-

As an MT technical officer, it was part of Accused’s duties to check log files of the
MT system to curtail any malfunction and to take action if there ever was such
malfunction. Accused was granted remote access facilities to do so.

There is no dispute that Accused’s home line is indeed registered in his name and
that on Sunday 20 March 2005 at about 16.16 hrs [ hereinafter referred to as ‘the
material time’] there was an unusual, critical technical failure of MT’s computer system
which caused prejudicial disruption to its services.

The problem was solved on the next day/21 March 2005.

And as per Itemized bill/Doc E, on the material day between 15.43 hrs and 16.21
hrs, it is observed that Accused’s home line was used 5 times to remotely access the
toll-free Mauritius Telecom Data services whose Access code number 8000096 [
hereinafter referred to as ‘’ the MT Server number’’’] was known to selected MT
technicians - Accused being one of them. At the material time in 2005 a Dial-Up system
was in place.

It is the case for the Prosecution that Accused was authorized to access the MT
server number only during the course of his employment with MT. And that on the
material day, he was not so authorized in as much as Accused was considered as having
resigned from MT since the beginning of February 2005 and such (unlawful) access
directly or indirectly caused MT’s Operation System to collapse.

Accused’s laptop was secured and as part of the enquiry it was sent to the Digital
Evidence Recovery National Hi Tech Crime Unit in London for examination – see Doc C.
It is noted that the said report indicates that Accused’s laptop was switched on on the
material day during times 3:46:57 pm to 4:34:50 pm - with the lap top time being 5
minutes less than real time.

Hence, the Prosecution’s case being considered as proved, in as much as per the
Written Submissions, it was clear that on the material day via his home line Accused
remotely accessed MT’s server number (with his MT Access Code) whilst using his
operating laptop but had no authority to do so. And in so doing he directly or indirectly
brought the MT server down.

It is the case for the defence, as per the Written Submissions, that the
Prosecution had not proved that,
  Accused did not have lawful authority to do the complained-of act ,
 the latter had the necessary mens rea to wilfully cause the collapse of the
MT server.
 Accused in truth and in fact accessed the MT Server number via his home
telephone line and
 such unlawful access caused the MT Operation System to fail.

The relevant testimonies of the Prosecution’s witnesses are briefly referred to

overleaf :-

Mr Boodram, representing MT Personnel section deposed on Accused’s

employment history at MT – see pgs 1 to 3 of transcript dated 24 June 2014. Mr
Boodram confirmed Accused’s employment with MT since 1994, that Accused applied
for leave on 2 February 2005 which said application was declined by MT. Accused
stopped attending duty as from that date. He was paid upto 31 January 2005. Accused
then submitted his resignation via a letter dated 22 March 2005 but the effective date
of resignation was considered by MT as being the beginning of February 2005 – see
references in Doc D ( 2 pages)- Correspondence from MT to Commissioner of Police.

Mr V.Bissoonauth [see pgs 5 to 9 of transcript dated 24 June 2014] who at the

material time was Head of IT at MT deposed that albeit Doc E did not show whether on
the material day there was a data call from Accused’s home line number to the Data
Centre of MT, there was nevertheless a communication link established from Accused’s
home line to all the persons on the list. And he conceded that the MT Server number
was not to be seen thereon.

Doc E reveals that between 20 March 2005 from 15:43:03 hrs to 16:21:43 hrs
there were 5 incoming calls from the MT Server Number to Accused’s telephone line.

Witness Bundhoo, Senior Executive of MT’s Network Operations [ see

transcripts 23 October 2015 & 1 April 2016 ] confirmed that on the material day there
was a problem with the main server of MT which caused a loss of its connection
services with its customers. It was his department/Network Operations that observed
that there was a critical alarm on the MT system and alerted the various technical
teams.

An internal investigation was launched with the help of State Informatics Ltd and
various log sheets were generated from the MT Send Server/s to explain the break
down.

Mr Bundhoo explained that at that material time Accused was a technician who
was given remote home access to perform maintenance works on the MT computer
system, that Accused had inofficially informed MT that he would be leaving and
conceded that on the material day/20 March 2005 Accused was still in the employ of
MT but was not on call-duty and thus not authorised to have access to the MT server
number on that day.

Mr Bundhoo conceded that Accused had submitted his resignation on 14 March

2005 and this was supposed to have had effect as from 22 March 2005. It was informally
understood that Accused had taken employment with Africa Digital Bridges Company
on a more lucrative salary.

Mr Bundhoo explained that well before 20 March 2005, Accused casually showed
him his resignation letter before submitting same to MT’s Human Resource department
[hereinafter referred to as ‘”HR”] and informed him that he had taken employ
elsewhere. The procedure was that once the resignation was submitted to HR, a copy of
same would be forwarded to him/Mr Bundhoo. And the latter stated that he had
genuinely believed that Accused would not access the MT system between 14 th to 20th
March 2005 - all the more so as Accused had taken up employment elsewhere.

The protocol in such cases was explained - If and when a technician ceases duty
at the MT Data Section, his immediate supervisor will cause the technician’s computer
access to be blocked and the password changed to prevent any further access.
 However, according to Mr Bundhoo, on the material date Accused was still an MT
employee and in furtherance of his duties he had been given his access codes and
passwords and the permission to use same had not been revoked.

A log sheet - Doc G - was produced showing at pg 1 5 calls from Accused’s home
telephone line to the MT Server Number. And the problem started during access timed
at 15:49 hrs to 16:23.

Doc H reveals that on 20 March Accused’s home telephone number was used to
access the MR Server number 5 times namely -

(1) 15:43:03 hrs for 00:01:40,

(2) 15:44:52 hrs for 00:33:14,
(3) 16:18:16 hrs for 00:02:24,
(4) 16:20:47 hrs for 00:00:45&
(5) 16:21:43 hrs for 00:03:43

Mr Bundhoo reluctantly had to concede that all IT systems were vulnerable to

online hacking, spamming, launch of a virus attack, dormant implanted malware and
that on the part of MT, there was no in-depth examination of the system and could not
say if the hardware or software of the system had been affected. However an in-depth
examination was carried out by the creator of the server system [ see transcript 20
January 2017] and was submitted to MT’s higher management and to which report
he/Witness Bundhoo had not had access.

Witness Veeranah, MT Technician [ see transcript 20 January 2017] stated that

mere access to the MT system via access code and password as a frontline technician
would not necessarily suffice to intervene in the MT system be it to effect repairs or
damage same. And he added that the company that had engineered the system and
offered support to MT would have a more in-depth Access in order to do more
advanced work on the system.
 Witness Dhoomon, MT IT Manager [ see transcript 20 January 2017 at pg 22 ]
deposed that technicians on remote access could perform basic trouble shooting to
reset a fault in the system and/or determine where the problem originates from and
thereafter instruct the field technician to effect the appropriate maintenance. He also
added that the problem of 20 March 2005 had been with the software.

When the case was closed for the prosecution, the Defence put up a Submission
of No Case to Answer – which was eventually withdrawn and the Defence thereafter
closed its case without causing any evidence to be adduced.

The four unsworn defence statements of the Accused – Docs A, A1,A2 & A3, in
denial of the charge are on record - the gist of same when considered together, being
that in 2005 he resigned from MT and joined Network Plus Company ( which is
connected to Africa Digital Bridges Co Ltd) as from 2 February 2005 and was allocated a
laptop in furtherance of his duties. He conceded that his home line was registered in his
name. And that on Sunday 20 March 2005 between 15:40 hrs & 16:25 hrs, the said
laptop which is used solely by him was in his car boot under lock and key and that from
16:00 hrs to 20:00 hrs he was visiting his in-laws.

It is the contention of the Accused that his telephone line goes through the street
cabinets and distribution network and thus, his line could have been fraudulently used
for internet access. As regards his laptop being switched on between 15:40 hrs to 16:55
hrs, he explained that computers could be hacked and there were several ways to
access the MT system and that if required, he would reveal same in Court. He added
that persons unknown to him could have accessed the MT network with a view to
impair same and he was being falsely accused of same.

Accused had no comment to make when confronted with the contents of Doc C
[supra].

The Court notes that when the defence statement/s were recorded it was put to
Accused in detail amongst others - that he had deleted the operating systems and
crucial configuration file from the hard disk of the control processor found in the ATM
notes found at the MT Data Section causing a direct denial of access to the Operating
system to access the Network Manager.

After perusal of the evidence on record and of the submissions of counsel, the
Court comes to the following conclusions which are to be read comprehensively :-

 Elements of the offence

For ease of perusal the enabling enactment is reproduced below :-

7. Damaging or denying access to computer system

Any person who without lawful authority or lawful excuse, does an act which causes
directly or indirectly –

(a) a degradation, failure, interruption or obstruction of the operation of a computer

system; or

(b) ……

shall commit an offence ….

The Court notes that the word ‘’ collapse’’ as per information does not appear in
the enactment [supra]. However for the sake of legal argument and in order not to be
considered as obtuse, for the purposes of the matter at hand, Court has no difficulty in
equating the word ‘’ collapse’’ with ‘’ …. failure ….’’ [ supra].

 By whom was Accused employed on the material date ?

The Court cannot help noting that in the information Accused is styled as a ’’ …
Senior Technician at the Mauritius Telecom …’’ in contradiction to the Prosecution’s
case based on the fact that Accused was not an MT employee on the material day.

In his defence statement/s , Accused described himself as an MT ex-employee

and conceded that on 2 February 2005, he took up employment with Network Plus as a
Senior Network Engineer and albeit his formal resignation at MT took effect as from 14
March 2005.
 This would be consistent with Witness Boodram’s testimony that Accused was
considered as having resigned as from the beginning of February 2005 [ supra]. And in
contradiction with Witness Bundhoo’s testimony, as reproduced above, as he
considered that Accused’s resignation would have taken effect from 22 March 2005.

The Court would prefer to rely on Witness Boodram’s testimony as he was

deposing as a representative from MT’s Personnel Section whereas Witness Bundhoo
was deposing as an MT Operations Manager.

For all the reasons given above, the Court finds that on the material date/20
March 2005, Accused was not an MT employee.

 Did Accused access the MT server number on the material day?

There is undisputed, overwhelming evidence that there indeed was access - on 5

occasions - from Accused’s home line to the MT Server number. And the Court is also
satisfied that none other than Accused’s laptop was used to that end.

No evidence has been adduced on the part of the defence to effectively

rebut/dispute the documents produced in support of the aspect of ‘’access’’ and
‘’access via Accused’s laptop’’.

And the Court notes that no evidence was adduced by the defence as regards
Accused’s out-of-court averments as per his defence statements, his ‘’alibi’’ of visiting
his in-laws as from 16:00 hrs, his laptop being unused at the relevant times, his
unfounded theories of possible fraudulent use of his telephone line, hacking etc. See
also Docs C, E, G & H as described above.

In the teeth of Accused’s averments in his unchallenged defence statements that

he was the only person to use his laptop and when combined with all the reasons set
forth above, the Court is entirely satisfied that none other than Accused accessed the
MT Server number via his laptop and home line on the material day.

 As a former MT employee, was Accused authorized to access the MT

Server number via his MT password and access codes on the material
day?
 Irrespective of Witness Bundhoo’s testimony [ supra] that as at the material date
of the offence, the Accused’s password and access codes had not been revoked by MT,
the fact remains that Accused having conceded that he had taken up employment
elsewhere since 2 February 2005 and that his resignation from MT took effect as from
14 March 2005, Accused cannot be considered as having been authorized by MT to use
his codes/password to access the MT system on the material day.

And as such, the Court is satisfied that on the material day, Accused was not
authorized to access the MT system.

Though it has no bearing on the case, the Court has observed that as regards
Accused’s termination of employment at MT, MT’s HR department did not produce any
formal documents emanating from its department and/or a copy of Accused’s
resignation letter and that the Prosecution was content to establish Accused’s
employment/non employment by MT via correspondence/s MT forwarded to the
Commissioner of Police [ supra].

 Has the Prosecution adduced any evidence as regards the actual

collapse/failure of the MT Operation System?

Save that perfunctory reference was made to a critical failure of MT’s Operation
system on 20 March 2005 and that the problem was resolved on the next day, there is
no evidence on record as regards the actual ‘’damage’’ caused (if at all) and whether
Accused’s unauthorized access to same that directly or indirectly caused such damage.

The Court notes the detailed acts allegedly performed by Accused and
description of the ‘’damage’’ sustained by the MT Server as put to Accused during the
course of the recording of his defence statements - as referred to above. And notes that
evidence as regards such acts and ‘damage’’ has not been adduced before Court.

It is possible that such evidence would have emanated from the South African
prosecution witnesses – which were not called by the Prosecution.

 Has the causal link been established between “’ unauthorized access by

Accused’’ and ‘’collapse/failure’’ of MT’s Operation System?
 The fact that the Court has found that Accused has indeed accessed the MT
Server number does not necessarily mean that the said Server was damaged by such
access - however unauthorized or unlawful.

And the Court takes note of the combined testimonies of Witnesses Veeranah
and Dhoomon to the effect that a technician on remote duty could merely effect basic
trouble shooting, that a high Access Level would be required to invade the MT system
and that only the company that had created the MT system had overriding Access and
this in order to effect advanced work and offer support to the local system as and when
required.

It could be that as a Senior Technical Officer, Accused would have had a relatively
high access level. But no evidence was adduced as regards same and whether Accused’s
level of Access - at the time when he was in MT’s employ and which had not been
revoked by MT - was sufficient to invade/damage the carefully fire-walled protected MT
Server in order to wilfully cause its collapse AND that such access directly or indirectly
led to the overnight collapse of the MT Operation System.

For all the Court knows, Accused’s Access to the MT server could have been
perfectly innocuous and the Court notes that it has not been proved by the Prosecution
that Accused’s unauthorized access directly or indirectly led to the failure of the MT
system.

 Have all the material elements of the offence been proved ?

It does not suffice to prove that Accused had had unauthorized Access to the MT
system on the material day.

The Court considers that it was furthermore incumbent on the Prosecution to

satisfactorily prove the element of ‘damage’’ per se and the link between Accused’s
access and acts directly or indirectly leading to such ‘’damage’’ which are crucial
elements to the successful proving of the offence.
 For all the reasons set forth above, the Court had not been satisfied whether
Accused’s unauthorized access/es to the MT server on the material day directly or
indirectly led to damage/failure/collapse of the MT Server system.

Accordingly, this Court considers that the Prosecution has not proved its case
beyond all reasonable doubt and dismisses the information against Accused.

Dated this 30th day of May 2018.

N.Ramsoondar
President, Intermediate Court (Criminal Division)