Commonwealth Internet Governance Forum

The Cybersecurity SeriesComputer-related Forgery and Fraud

Compiled by

Dr Stephanie Borg Psaila

Foreword

The Commonwealth Internet Governance Forum (CIGF) is a virtual space that has been created for the broadest representation of Internet stakeholders to share information on topical public policy issues and promote good practice in matters relating to the access and use of the Internet

The initiative to set up CIGF derives from the Commonwealth’s ICT4D Programme known as Commonwealth Connects. The purpose of this Programme is to facilitate technology and knowledge transfer between member states and institutions.

In setting up the IGF we asked people what they saw as the issues relating to the Internet’s proliferation and our increasing reliance on it in the home, our place of work, in the classroom and for the conduct of all manner of business. Coming close to the top of a long list of these was the issue of cybersecurity. We are indebted to Stephanie Psaila for this compilation of legal measures, and other resources on the subject .

This compilation is the first version collated for our Commonwealth audience. This will be periodically updated as more relevant information becomes available.

Joseph V. TaboneChairman

Commonwealth Internet Governance Forum

Computer-related forgery and fraud

International conventions/binding agreements

The Council of Europe Cybercrime Convention1 is the first international treaty that addresses computer and Internet crimes, which include illegal access and illegal interception, computer misuse, computer-related forgery and fraud, child pornography and infringements of intellectual property rights.

The Convention has been described by Council of Europe as the only binding international treaty on the subject to have been adopted to date, and which lays down guidelines for all governments wishing to develop legislation against cybercrime.

The Convention was drawn up by the Council of Europe; it was opened for signature on November 23, 2001 and entered into force on July 1, 2004. An Additional Protocol to the Convention on 1 See: http://conventions.coe.int/Treaty/EN/Treaties/html/185.htm

Cybercrime2 came into force on March 1, 2006, also criminalising the dissemination of racist and xenophobic material through computer systems, and racist and xenophobic-motivated threats and insults.

In relation to computer-related forgery and fraud, Title 2, Articles 7 and 8, state that:

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, altera-tion, deletion, or suppression of computer data, resulting in inauthen-tic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible.

A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:

a. any input, alteration, deletion or suppression of computer data,b. any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

2 See: http://conventions.coe.int/treaty/en/treaties/html/189.htm

National legislation

United StatesIn the United States, Title 18 of the United States Code3 (Crimes and Criminal Procedure, Part I - Crimes, Chapter 47 - Fraud and False Statements, Section 1030) addresses computer-related fraud and crime. This legislation protects consumers from harmful attacks but does not extend to cyberstalking.

The Act that codified this provision is the Computer Fraud and Abuse Act of 1986, amended in 1994, 1996 and 2001, which marked a significant step in criminalising unauthorised access to computer systems and networks. The Act also applies to “federal interest computers”, including any system used by the US government as well as most financial institutions.

The National Information Infrastructure Protection Act of 1996 amended the Computer Fraud and Abuse Act to cover the confidentiality, integrity, and availability of computer networks, and broadening the definition of computer hacking punishable under federal law. On the other hand, the Patriot Act of 2001, passed in response to the 9/11 terrorist attacks, amended the Computer Fraud and Abuse Act to provide new investigative powers to the attorney general to order monitoring of Internet communication and usage for the purpose of protecting national security.

Title 18 of the United States Code also criminalises other aspects of fraud. In Crimes and Criminal Procedure, Part I - Crimes, Chapter 47 - Fraud and False Statements, Section 1028 deals with fraud

3 See: http://uscode.house.gov/download/ascii.shtml

and related activity in connection with identification documents, authentication features, and information, as amended by the Identity Theft and Assumption Deterrence Act of 1998; Section 1028A deals with aggravated identity theft, while Section 1029 deals with fraud and related activity in connection with access devices.

Other laws include the Telecommunications Act of 1996 which protects customer proprietary network information, the Sarbanes-Oxley Act of 2002 which protects company financial data integrity, and the Health Information Technology for Economic and Clinical Health Act of 2009 which protects digital medical records.

CanadaCanada criminalises fraud and forgery offences through its Criminal Code4. Section 380, on Fraud, punishes anyone who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service.

Section 402.2, on Identity Theft, punishes anyone who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

Section 403, on Identity Fraud, punishes anyone who commits an offence who fraudulently personates another person, living or dead, with intent to gain advantage for themselves or another person, to obtain any property or an interest in any property, to cause

4 See: http://laws.justice.gc.ca/en/C-46/

disadvantage to the person being personated or another person, or to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.

United KingdomUnder English law, offences related to fraud are criminalised in the Fraud Act 20065, which redefined most offences found in the Theft Act 19686. The Act categorises fraud in three classes: fraud by false representation (section 2), fraud by failing to disclose information (section 3), and fraud by abuse of position (section 4). The Act also criminalises the possession of articles for use in frauds (section 6) and the making or supplying articles for use in frauds (section 7), which definition of “articles” is extended so as to include any program or data held in electronic form (section 8).

Forgery-related offences are criminalised by the Forgery and Counterfeiting Acts 19817, whose section 1 states that “A person is guilty of forgery if he makes a false instrument, with the intention that he or another shall use it to induce somebody to accept it as genuine, and by reason of so accepting it to do or not to do some act to his own or any other person’s prejudice.” The Act also defines “instrument” as any formal or informal document, any stamp issued or sold by a postal operator, any Inland Revenue stamp, and any disc, tape, sound track or other device on or in which information is recorded or stored by mechanical, electronic or other means (section 8).

AustraliaAt the Commonwealth level, fraud and forgery crimes are punishable

5 See: http://www.legislation.gov.uk/ukpga/2006/35/contents6 See: http://www.statutelaw.gov.uk/content.aspx?ActiveTextDocId=12042387 See: http://www.opsi.gov.uk/revisedstatutes/acts/ukpga/1981/cukpga_19810045_en_1

under the Criminal Code Act 19958 which was amended by the Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 20009.

At state level, each state has enacted laws that criminalise various aspects of identity and fraud issues. South Australia’s identity theft provisions are contained in the Criminal Law Consolidation Act 193510, New South Wales’ provisions are in the Crimes Amendment (Fraud, Identity and Forgery Offences) Act 200911, Queensland’s provisions are in its Criminal Code 189912.

8 See: http://scaleplus.law.gov.au/ComLaw/Legislation/ActCompilation1.nsf/0/3A5F446649A6 CE6BCA25773C001A6973?OpenDocument9 See: http://www.comlaw.gov.au/ComLaw/Legislation/Act1.nsf/0/865FCEDADC6399BACA256 F72000AEFE4?OpenDocument10 See: http://www.legislation.sa.gov.au/lz/c/a/criminal law consolidation act 1935/ current/1935.2252.un.pdf11 See: http://www.legislation.nsw.gov.au/fullhtml/inforce/act+99+2009+cd+0+Y