end of module essay legal aspects of information security
8/8/2019 End of Module Essay Legal Aspects of Information Security
1/22
To what extent are the current provisions of criminal law adequate as a
response to the apparent proliferation of computer viruses? Should greater
obligations be placed upon software developers and computer users to
develop and maintain adequate security against the risk of such
infections?
TABLE OF CONTENTS
Introduction
What is a Computer Virus?
The Criminal Law relating to Computer Viruses
The Computer Misuse Act 1990
The Malaysian Computer Crimes Act 1997
The Cyber Crime Convention 2001
Conclusions
Introduction
The Utopian ideal that cyberspace is the realm of perfect freedom, anarchy without
chaos, where government and the law need not intrude, is no longer sustainable
because the digital era has brought with it a new generation of criminals; young and
intelligent technological experts, whose knowledge of computer code and technology is
great; in many cases exceeding the knowledge of law enforcement agencies that bear
the task of entrapping them.
Criminalising unauthorised access to computers and computer held information has
been in the realm of social and legal consciousness since the late 1980s, though the
increasing degree of interest and disquiet relating to the implications of the misuse of
computerisation, which plays an ever budding role in public, commercial and private life,
has become most apparent in recent years, as information infrastructure has
progressively come under attack by cyber criminals. The number, cost and
sophistication of attacks have continued to increase at alarming rates, threatening the
substantial and growing reliance of businesses, governments, and the community on
computer technology.
In light of the vast and growing costs of computer virus related crime, which sprawls
upward as more businesses link to the internet, thus accelerating the rate at which the
contagion can spread, law makers have begun to tackle the challenge by adopting laws
that make dodgy cyber activities criminal, demonstrating that a determined response to
the proliferation of computer viruses is not a matter of choice but a question of survival.
Given the advantages of digital crime over its analog counterparts and the growing
number of computer literate thieves, it is indubitably in the interests of law makers to do
as much as possible to establish and strengthen legislation to combat computer virus
related crime while there still remains an opportunity of catching up with these criminals.
This paper will examine criminal law relating to computer viruses in the United Kingdom
at length and both Malaysia and the European Union in brief, showing how legislatures
have responded to the threat of computer virus related crime by either enacting specific
legislation or amending existing criminal legislation. In so doing, this paper shall
determine whether the existing criminal legislation is adequate in response to the
apparent proliferation of computer viruses, and whether the obligation should be placed
upon software developers and computer users to develop and maintain adequate
security against the risks of computer viruses.
What is a Computer Virus?
The term computer virus was defined by computer expert Dr. Fred Cohen in 1987 as: -
"A program that can infect other programs by modifying them to include a
possibly evolved copy of itself. The key property of a virus is its ability to infect
other programs. Every program that gets infected may also act as a virus and
thus, infection grows. With the infection property, a virus can spread throughout
a computer system or network."1
From Dr. Cohen's definition, it is apparent that computer viruses are a form of
malicious computer instructions that, when inserted into a computer program or a
computer's operating system, replicate many times during program execution,
infecting every program on a computer disk; when the infected programs are run,
the viral code is executed and the virus spreads further.2 A virus's ability to create a copy of
itself and attach the copy to other programs or system files in the computer bears a
likeness to the behaviour of a biological virus. Therefore, legislators must bear in mind
the fact that, like biological viruses, computer viruses are hard to preclude and even more
exigent to cure.
In the present day, viruses are intentionally released into systems and then transmitted
within and between systems by various means, and while once seen as pranks or the
products of misdirected creativity, now comprise business pathogens with destructive
powers; like letter bombs of the computer ages.3
For example, in a widely reported incident, Simon Vallor, a computer hacker based in
Wales, admitted to releasing a virus which spread to forty two (42) countries and
1 Cohen, "Computer Viruses: Theory and Experiments", Computers & Security, February 1987, at pp 23-23
2 Eugene H. Spafford, "Computer Viruses as Artificial Life", Journal of Artificial Life, MIT Press, 1994
3 "Letter Bomb of the Computer Age", New York Times, 5 November 1988, p.16
affected an estimated two thousand seven hundred (27000) terminals, causing millions
of dollars of damage to numerous businesses. It is reported that he claimed his
motivation was to see whether he could do it and if the virus would eventually spread
back to him,4 which at first glance seems like a rather naive objective. However, when
one takes the amount of damage caused by Vallor's virus into account, the harsh reality
of the act can be seen as deserving of punishment, not only to deter other like-minded
individuals from doing the same, but to teach the perpetrators of such crimes that the
law will not sit by and watch as the benefits of the computer age are overshadowed by
criminal elements.
The Criminal Law relating to Computer Viruses
When it comes to crime, existing laws are often inadequate for dealing with new
economy threats such as virus spreading. Our criminal laws are designed to punish bank
robbers and murderers, not those who deface web sites or bring down a company's
internal e-mail system. But these high tech crimes, while not necessarily deadly, are
surely deserving of punishment in much the same way as good-old fashioned crime.5
It is vital that numerous aspects of the entire criminal process in relation to computer
related crime are looked at in this paper, in order to enable me to determine the adequacy
of the existing criminal laws. For example: -
Concealment and manipulation of computer held information
The criminal process in regard to computer held information is complex and
investigating computer held information is difficult, because computer held
information is intangible and therefore prone to easy manipulation and corruption.
This is coupled with the fact that information can be stored in computer systems
spread over many locations, both national and foreign. The information may not
be easily accessible to law enforcement agencies, who may enter upon premises
and obtain evidence from a computer therein, but fail to link or trace the evidence
to any other related material concealed in other computers, but related to the
4 The Job, volume 35 Issue 895 January 10 2003, posted at www.met.police.uk
5 Doug Isenberg "The Case for Criminal Hacking and Antivirus Laws" posted at www.gigalaw.com
same crime. Therefore, law enforcement agencies must be equipped through
criminal legislation, with the mandate to access computers spread in different
locations, intercept and/or monitor data during transmission and obtain the
co-operation of all suspects and/or third parties linked to the case being
investigated. And the investigation of computer viruses needs to be a regulated
activity with failure to apply for regulation being a criminal offence.
Difficulty in identifying and tracing the perpetrator of the crime
Another intricate area for the criminal law to deal with is finding the perpetrator of
the crime, i.e. the person who created the virus. You'll always have a criminal
case if you can find the person who created the virus, because creating a virus is
a malicious act. However, it is often very difficult to identify the origin of a virus, as
it may be transmitted to a number of hosts simultaneously, making it
even harder to trace the virus writer.6
Following on from above, if the criminal legislation embodied in this paper fails to provide
legal provisions encompassing the above named obstacles and complexities, then this
would seem to suggest that the criminal law is not adequate enough to deal with the
proliferation of computer viruses.
Another lingering task for criminal legislation to deal with is the question "is creating a
virus a crime even if you don't intend to spread it?"7 I believe that virus writing is an evil
that cannot be justified in any circumstances. For that reason, prosecution of virus
writers is something which should be legally provided for and accepted as appropriate
action. Virus writing needs to be recognised as a criminal act. And like murderers and
terrorists, virus writers should not be allowed to get away with it.8
6 Natasha Jarvie "Control of Cyber crime - Is an end to Our Privacy on the Internet a Price worth Paying? Part 1" COMPTLR 2003, 9(3), 76-81
7 Doug Isenberg "The Case for Criminal Hacking and Antivirus Laws" posted at www.gigalaw.com.
8 Kelman A (1997) "The Regulation of Virus Research and the prosecution for unlawful research?" Commentary, 1997 (3) the Journal of Information, Law and Technology (JILT), http://elj.Warwick.ac.uk/jilt/compcrim/97-3elm
Computer Viruses and what constitutes the crime
According to Mathias Klang,9 the elements of the crime relating to the creation and
dissemination of computer viruses include the following: -
• The writing of the code which he equates to the preparation to commit a crime;
• The unauthorised access which occurs when the virus enters into a new computer without the authority of the legitimate user;
• The unauthorised modification which could be the infection of a file, boot sector, or part;
• The loss of data, the effects of the virus that the data is no longer usable by the legitimate user;
• The endangerment of public safety due to the failure or reduction of efficiency of the computers;
• The making of the virus code available to others which can be seen as incitement, this includes making available viruses, virus code, information on virus creation and virus engines and
• Denial of service which may be the effects of the virus.
It is important to remember that all criminal offences require the establishment of a guilty
act (actus reus) and the requisite intent (mens rea) before guilt can be proved. In order
to comprehend the sufficiency of contemporary criminal laws relating to viruses, I believe
it is vital to look at criminal legislation in the United Kingdom, Malaysia and the European
Union in light of the above named offences.
The Computer Misuse Act of 1990
The Computer Misuse Act of 1990 was enacted after numerous cases such as Cox v.
Riley10 and R v. Gold11 proved that computer crime offences could not be prosecuted
straightforwardly under the Criminal Damage Act of 1971 or the Forgery and
9 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
10 (1986) Crim.L.R. 460
11 (1988) 2 All E.R. 186, HL
Counterfeiting Act. Therefore the new Act sought to address the legal lacunae relating to
computer crime.
Section 1 of the Computer Misuse Act creates a summary offence12 and covers
unauthorised access to computer systems, including hacking. It therefore embodies the
second element of the offence described by Mathias Klang as "unauthorised access
which occurs when the virus enters into a new computer without the authority of the
legitimate user".13
Section 1 states as follows: -
"A person is guilty of an offence if he causes any computer to perform any
function with intent to secure access to any program or data held in any
computer, if the access he intends to secure is unauthorised and he knows at the
time when he causes the computer to perform the function that that is the case"
Under Section 1, access is unauthorised where the suspect is not entitled to access of
the kind in question, to the program or data and/or does not have consent (from any
person who is so entitled), to access the kind of program and/or data. The offence is
applicable whether one or more than one computer is used, with intent to gain access to
another computer.14
The intent in Section 1 does not have to be aimed at a particular program or particular
data, as long as the suspect "causes a computer to perform a function". This excludes
physical contact with a computer and the examination of data without any interaction
with a computer,15 and ensures that the suspect does not have to be successful in
achieving access to commit the offence. Section 1 therefore serves to bar access to a
suspect even where the suspect has no evil intent or is merely snooping around, thus
deterring those who contemplate releasing viruses into computer systems or committing
other offences that could cost the owner of the system broken into, a considerable
amount of money and/or time to repair.
12 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
13 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
14 Attorney General's reference (No.1 of 1991) (1992) 3 W.L.R 432
15 ibid
The actus reus in Section 1 is the act of causing the computer to perform any function,
while the mens rea is the suspect's knowledge, at the time of securing access,
that the access secured or intended was unauthorised.
By using the word "any" in Section 1(1)(a) the legislature has ensured that the
unauthorised access does not need to relate to the computer that the suspect is
breaking into at the time of accessing, and that the offence is not limited to
inside hackers but encompasses outsiders as well, making both physical
and remote unauthorised access into any computer a
crime.
An offence committed under Section 1 carries a fine of two thousand (2000) pounds
and/or up to six (6) months in jail and is triable by the Magistrates Court.
The Computer Misuse Act of 1990 does not define the words "computer", "program" or
"data", which means that it is not restricted to our comprehension of these concepts
today and will therefore have the advantage of being able to govern computer misuse
through the several changes in computer technology over the years.
Section 2 deals with unauthorised access with intent to commit or facilitate the
commission of a serious offence and therefore provides for the second and third elements
of the crime according to Mathias Klang, i.e. "unauthorised access which occurs when
the virus enters into a new computer without the authority of the legitimate user"16 and
"unauthorised modification."17
Section 2 states as follows: -
"A person is guilty of an offence under this section if he commits an offence
under Section 1 with intent: -
16 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
17 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
(a) to commit an offence to which this section applies; or
(b) to facilitate the commission of such an offence (whether by himself or another
person);
and the offence he intends to commit or facilitate is referred to below in this
section as the further offence"
An offence committed under Section 2 of the Computer Misuse Act carries a maximum
penalty of five (5) years imprisonment, and/or an unlimited fine and is triable by the
Crown Court.
Section 2 focuses on unauthorised access gained, with intent to commit a further
offence. This indicates that, even where the perpetrator of the crime does not commit a
further offence, he will be prosecuted for carrying out the activity with the intent to
commit the further offence. The further offence must be one fixed by law or one for
which the maximum sentence is not less than five (5) years.
This offence applies to arrestable offences generally, these being offences punishable
on first conviction, on indictment18. For an offence to be proved under this section, an
offence under Section 1 must be committed. If the access is not unauthorised then the
Section 2 offence cannot be committed. It is immaterial whether the further offence is to
be committed at the time of the unauthorised access or on some future occasion. This
allows for action to be taken against the suspect who sends a virus that will complete an
offence some months beyond the initial unauthorised accessing of a computer.19
However, it does not seem to envisage a situation where the suspect has authorised
access to a computer and uses that authorised access to cause mayhem or release a
virus into the system and/or network causing damage to other computers linked to the
same network.
Section 3 of the Computer Misuse Act provides for unauthorised modification and
therefore embodies the third and fourth elements of the crime according to Mathias
18 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
19 ibid
Klang which are "unauthorised modification which could be the infection of a file, boot
sector, or part"20 and "loss of data, the effects of the virus that the data is no longer
usable by the legitimate user".21
Section 3 of the Act states: -
"A person is guilty of an offence if: -
(a) he does any act which causes an unauthorised modification of the contents of
any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite
knowledge"
For the purposes of this section the modification of the contents of a computer
would: -
(a) impair the operation of any computer;
(b) prevent or hinder access to any program or data;
(c) impair the operation of any program or the reliability of any such data.
The requisite knowledge is knowledge that any modification intended is unauthorised.
The suspect therefore has to have an intention to cause unauthorised modification, which
means that mere recklessness is not sufficient to justify a charge and/or conviction.
The Section 3 offence will apply where any act is done which causes an unauthorised
modification of the contents of a computer intending to impair the reliability of the data
held in the computer. The concept of modification will encompass the addition of data, its
alteration or deletion. Prosecution of Section 3 offences would therefore apply to
20 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
21 Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of Law and Information Technology, Vol. 11 No.2
persons releasing viruses onto a computer system. However, the effect of the
modification must be to impair the operation of any computer; to prevent or hinder
access to the program or data held in the computer; or to impair the operation of any
such program or the reliability of any such data.
It is possible that even where the virus causes only inconvenience, that amounts to
impairment in operation in terms of Section 3 (a), or alternatively, that it hinders access
to the program or data in terms of Section 3 (b). But the offence will only be supported
where a person released a virus on to a system, which resulted in one or all of the
consequences specified. Therefore where the releasing of the virus does not result in
the consequences specified, the law needs to provide an open ended provision that
allows for the punishment of not only the act of creating the virus but releasing it onto the
system regardless of the damage caused or consequences of such.
Section 3(3) makes it immaterial whether the intent is directed at a particular computer,
program or data, or is of a particular kind or of any particular modification.
An offence committed under Section 3 carries a maximum penalty of five (5) years
imprisonment and/or an unlimited fine and is triable by the Crown Court.
Jurisdiction
In respect of the three offences envisaged above, under the Computer Misuse Act,
courts in the United Kingdom have jurisdiction whether the computer misuse originates
in the home country or is directed against a computer located within it.22 For these
purposes, Northern Ireland and Scotland are treated as separate home countries from
England and Wales, so that these broader rules will apply to a hacker in England who
gained unauthorised access to a computer in Scotland. Basically, the Act applies to the
whole of the United Kingdom. Therefore a prosecution can be undertaken if the offence
is committed in the United Kingdom, if either the victim or the suspect is in the United
Kingdom or a significant link with the United Kingdom exists.
22 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
Jurisdiction in computer misuse cases is however made subject to the principle of
double criminality.23 Where the hacker is operating in England but the further offence
envisaged by him on a charge under Section 2 of the Act takes place abroad, the
English courts will only have jurisdiction where the contemplated conduct is a criminal
offence in that country as well as in England.
Extradition
Offences under the Computer Misuse Act 1990 are extraditable, within the scope of the
Extradition Act of 1989,24 which was passed prior to any computer misuse legislation
being enforced in the United Kingdom. This is an important aspect of the enforcement of
criminal law in response to the proliferation of computer viruses considering that the
dissemination of computer viruses can be committed over the internet and considering
that virus perpetrators have no respect for national borders. Consequently a crime can
transcend national borders and is therefore not necessarily contained within the borders
of a particular country.
Investigation
Any restrictions on the procedure of search and seizure and/or investigation of computer
evidence envisaged by criminal legislation in the United Kingdom will definitely hinder
the investigation process of computer virus related crime since data and programs can
be easily removed and destroyed without leaving traces and the law enforcement
agencies and/or police might not be able to access certain relevant material. Therefore a
brief look at these provisions is vital in my attempt to determine the adequacy of the
criminal law in response to the proliferation of computer viruses.
Section 14 of the Computer Misuse Act confers powers on the circuit judge to issue a
search warrant where there are reasonable grounds for believing that a basic hacking
offence has been or is about to be committed on the premises in question.
23 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
24 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
Investigative powers for Sections 2 and 3 of the Act which are punishable on indictment,
come under the Police and Criminal Evidence Act of 198425 which provides for the
issuance of a search warrant by a justice of the peace, who is satisfied that an arrestable
offence has been committed and relevant evidence shall be found on the premises in
question. All relevant evidence found can be seized in accordance with Section 19 to
prevent concealment or alteration at a later date.
Evidence
Computer generated evidence is accepted by the courts in the United Kingdom under
Section 69 of the Police and Criminal Evidence Act 1984. However, in cases involving
computer viruses, evidence is usually hard to procure, yet in order to secure a
conviction, the prosecution must ensure that its case is watertight by equipping itself
with enough evidence to support its case. This won't be possible where for example the
defence insists on proof that the computer was working properly as seen in the case of
Shepard,26 which might be difficult to prove in cases where the hackers have damaged
the hard disks by deleting files or introducing viruses with such effect that even getting a
print out is impossible.27 Evidential difficulties are compounded by the fact that in most
cases the viruses destroy themselves as well as damaging the computer, leaving little or
no evidence behind.
Case Law
The first case in which a computer virus writer was prosecuted in England was the
Pile case in 1995.28 Pile created two vicious viruses named Pathogen and
Queeg. Prominent British companies were affected by the virus though the total damage
caused was unquantifiable (e.g.) Microprose estimated its losses to be up to 500,000
(Five hundred thousand) pounds and used more than four hundred and eighty (480) staff
hours checking more than a million files. Pile spread his viruses all around the world
through computer bulletin boards and in most cases hid them in computer games.
Christopher Pile was sentenced to eighteen (18) months under Section 3 of the
25 Blackstone's Criminal Practice 2004, Part B Offences available at http://grenville.butterworths.co.uk
26 1993 Crim LR 295
27 Turner, M (1994) "R v Vastal Patel - The Computer Misuse Act 1990 s.3(1)", 57 Journal of Computers & Law 4
28 Uhlig R (1995) "Black Baron, computer virus writer jailed for 18 months" The Electronic Telegraph 16 November, available at http://www.telegraph.co.uk
Computer Misuse Act 1990 for gaining unauthorised access to computers, making
unauthorised modification and inciting others to spread the viruses he had written. This
clearly shows that the Computer Misuse Act has gone some way in providing protection
to the victims of computer virus related crime.
Adequacy of the Law
The Computer Misuse Act 1990 goes a substantial way in providing a valuable answer
to some incidents of computer virus related crime, but only in cases where the viruses
are detected and if those responsible can be identified and prosecuted under the
jurisdiction of the law which is restricted to the United Kingdom.
It addresses the major loopholes in previous laws, under which the act of obtaining
unauthorised access to data in the absence of further aggravating conduct did not
constitute a criminal offence. By creating new offences, i.e. the unauthorised access
offence29 and the ulterior intent offence,30 it has enabled the prosecution of a proliferation
of new criminality, and so took a step towards the protection of victims.
Despite the above, the Computer Misuse Act has been criticised on the following
grounds:
• It is an insufficient deterrent with few successful prosecutions and lenient
  sentencing,31 due mainly to the difficulties of meeting the requirement to
  prove intent on the offender's part and the inability of the police force to
  understand and deal with cyber crime.32
• The Act is based on the concept of unauthorised access which is increasingly
  hard to prove in a networked world and does not cover new forms of
  computer crime such as denial of service attacks.33
29 Computer Misuse Act, s.1
30 Computer Misuse Act, s.2
31 Figures from the Home Office show only thirty three prosecutions for offences under the Computer Misuse Act in 1999 and 2000, the latest years for which figures are available. And although Section 1 does not require intent, the penalties for the commission of the offence under Section 1 are insufficient.
32 EURIM briefing No.34 April 2002
33 Claire Coleman "Cyberspace security; Securing Cyberspace - new laws and developing strategies" Information Security Technical Report, Vol. 5, Issue 2, 1 June 2000, Pgs 51 - 59
• It lacks the framework for international co-operation in investigating and
  prosecuting e-crime and there may be jurisdictional problems with pursuing a
  cyber criminal who hacks into systems from another country as often is the
  case.34
In addition, it is evident from my discussion of the Computer Misuse Act
above that it does not provide for the punishment of the virus writer, or the fifth element
of the crime as described by Mathias Klang, i.e. "endangerment of public safety due to
the failure or reduction of efficiency of the computers." Therefore it can be argued that
the Computer Misuse Act may act as a deterrent tool but is not fully adequate in
response to the proliferation of computer viruses.
The Malaysian Computer Crimes Act 1997
Like the Computer Misuse Act 1990 of the United Kingdom, the Computer Crimes Act
1997 creates categories of offences relating to computer crime. It creates two
categories of offences relating to unauthorised access to computer material,35 which
includes access in excess of authority and the unauthorised modification of the contents
of any computer.36 It criminalises behaviour performed on a computer which is not
criminal if performed in the absence of a computer, by making all forms of unauthorised
access an offence without exception. It therefore goes further than the United
Kingdom Act to guard against the proliferation of computer viruses.
34 ibid
35 Section 3 (1) A person shall be guilty of an offence if: -
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at: -
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
36 Section 5 (1) A person shall be guilty of an offence if he does any act which he knows will cause unauthorised modification of the contents of any computer.
(2) For the purposes of this section, it is immaterial that the act in question is not directed at: -
(a) any particular program or data;
(b) program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) For the purposes of this section, it is immaterial whether the unauthorised modification is, or is intended to be, permanent or merely temporary.
Investigation
Part III of the Act gives a Magistrate who thinks (upon reasonable grounds) that an
offence is being or has been committed under the Act the mandate to empower a
police officer of the rank of Inspector or more senior to have access to the premises where
it is believed to be occurring, to have the said premises searched,37 and to access programs
and data on a computer and inspect the operation of a computer or associated apparatus
suspected to have been used in connection with the commission of the offence.38 On
carrying out the search, the said Inspector has the mandate to seize and detain any
evidence found at the premises that could help build a case against the suspect.
The above named provisions go a long way in aiding the criminal law to procure
substantial evidence against the perpetrators of computer virus related crimes, and also
appear to give law enforcement agencies extensive powers which could encompass
access to information that may be unconnected with the case in question, i.e.
belonging to or rather operated by third parties, thus enabling law enforcers to obtain a
warrant for the search of one computer and use it to search other computer networks.
The Act allows a police officer, without a warrant, to enter, search, seize and require the
co-operation of the suspect as if a warrant had been issued, in cases where the time lost in
obtaining a warrant is likely to hinder the investigative process.39 Therefore, it is evident
that the Malaysian Act goes a step further than the Computer Misuse Act of the United
Kingdom, to ensure that its law enforcement agencies are well equipped with the arm
and backing of the law so as not to hinder the vital process of search, investigation and
seizure in computer virus related cases.
By virtue of Section 10 (1) (b), any suspect and/or person in charge of or concerned with
the operation of the computer in question is required to co-operate with the police officer,
and failure to comply or obstruction may cause the suspect or person to be prosecuted
under Section 11, leading to a fine of not more than 25000 ringgit and/or a maximum of
three (3) years imprisonment.
37 S. 10 (1) Malaysian Computer Crimes Act 1997
38 S. 10 (1) (a) Malaysian Computer Crimes Act 1997
39 S. 10 (2) Malaysian Computer Crimes Act 1997
The Cyber Crime Convention of 2001
In view of the fact that cyber crimes have an international element and national
measures need to be supplemented with international co-operation based on global
measures, co-ordinated international work and binding minimum standards, I shall take a
brief look at the Convention on Cyber Crime of the Council of Europe, which came into
play to harmonise computer crime provisions, catalyse investigations and ensure
effective international co-operation among authorities of the European Union.
The Convention on Cyber Crime was the product of four (4) years of work by Council of
Europe experts, with the aid of the United States, Canada, Japan and South Africa. As
the first international treaty to address criminal law and crimes committed via the Internet
and other computer networks, it is appropriate to the proliferation of computer viruses,
because it deals with aspects of infringement of computer-related fraud, violations of
network security and provides a legal backbone for the extradition of computer hackers
from and to countries that have no formal extradition treaties between them.
Its main objective, set out in the preamble, is to pursue a common criminal policy aimed
at the protection of society against cyber crime, especially by adopting appropriate
legislation and fostering international co-operation, to harmonise legislation, facilitate
investigations and allow efficient levels of co-operation between the authorities of
different member states and other third party states.
The Convention attempts to address the problem of criminal law concerning computer
viruses by creating offences relating to:
• intentional illegal access to computer systems,40
• intentional interference with computer data including deletion or alteration,41
• intentional interference with computer systems,42
40 Article 2, Cyber Crime Convention
41 Article 4, Cyber Crime Convention
42 Article 5, Cyber Crime Convention
• misuse of certain devices designed or adapted primarily for the purpose of
  committing any of the offences established under Articles 2 to 5,43 and
• the possession of such devices with an intent to commit the above named
  offences.44
Since cyber crime is not constrained within national boundaries, it can only be properly
and efficiently addressed by having some international understanding as to what it is and
how it should be fought. However, achieving global consensus is difficult because of
differences in cultural and national security issues, which make the attempt to establish
common standards a daunting task.
The Cyber Crime Convention made an attempt to lead the members of the European
Union towards better legislation to fight computer virus related crime by providing a
framework for the implementation of various legislation in the respective member
countries. However, it has not been ratified by many countries, including the United
Kingdom, and therefore was fruitless.
Conclusion
Computers have ushered in a new age filled with the potential for good. Unfortunately,
the computer age has also ushered in new types of crime for the police to address.
Therefore law enforcement must seek ways to keep drawbacks from overshadowing the
great promise of the computer age.
More than ever the need is apparent for a law enforcement regime which can deal
effectively with crimes committed in networked environment boundaries. However, it is
also clear that improvement in cyber crime laws and enforcement alone will not be
enough - organisations need to identify system vulnerabilities and implement protective
measures.
Lack of security in computer systems is a real problem. Some training must be given to
the public regarding security because securing the computer system is very important,
43 Article 6, Cyber Crime Convention
44 Article 6 (1) (b), Cyber Crime Convention
since the breaking of passwords for example, is the first door to illegal entry on a
computer system. Security is of course the first defence against computer crime
because the inadequacy of the victim's security system facilitates the commission of the
crime.
Although numerous legislations worldwide are valuable legal weapons to fight computer
crime, it remains imperative that practical computer security is taken very seriously by the
business community. Both software developers and computer users therefore need to be
sensitised about the importance of beefing up their security systems on all networks;
however, the obligation must remain with the law enforcers and legislators to
ensure that the law is adequate to deter and punish all perpetrators of computer
virus related crime.
In the final analysis therefore it is right to assert that the criminal law is not adequate in
relation to the proliferation of computer viruses and the obligation should not be placed
on software developers and computer users to develop and maintain adequate security
against such infections.
References
Law
Police and Criminal Evidence Act 1984 (1984 c.60)
Forgery and Counterfeiting Act 1981 (1981 c.45)
The Computer Misuse Act 1990 (1990 c.18)
Malaysian Computer Crimes Act 1997
Cyber Crime Convention, 23 November 2001, Budapest, Council of Europe
Blackstone's Criminal Practice 2004, Part B Offences available at
http://greeville.butterworths.co.uk
Attorney General's Reference (No.1 of 1991) (1993) 3 W.L.R. 432
Papers and Articles
Carter & Katz "Computer Crime: An emerging Challenge for Law Enforcement" FBI Law
Enforcement Bulletin, December 1996
Claire Coleman "Cyberspace security; Securing cyberspace - new laws and developing
strategies" Computer Law & Security Report 19 (2) at pp 131-136
Cohen "Computer Viruses: Theory and Experiments" Computers & Security, February 1987 at pp
23
Doug Isenberg "The Case of Criminal Hacking and Antivirus Laws" available at www.gigalaw.com
Eugene.H.Spafford "Computer Viruses as Artificial Life" Journal of Artificial Life, MIT Press, 1994
Joan L. Aaron, Michael O'Leary, Ronald. A. Gove, Shiva Azadegan and M. Christina Schneider
"The Benefits of a Notification Process in Addressing the Worsening Computer Virus Problem:
Results of a Survey and a Simulation Model", Computer & Security, Vol.21, No.2, 2002 at pp 142
- 163.
Jones, SC (1996) "Computer terrorist or mad boffin?" New Law Journal 46
Kelman A (1997) "Regulation of Virus Research and the prosecution of unlawful research"
Commentary, 1997 (3), the Journal of Information, Law and Technology (JILT), available at
http://elj.warwick.ac.uk/jilt/compcrim/97-3elm
Kit Burden & Creole Palmer "Internet crime; Cyber Crime - A new breed of criminal?" Computer
Law & Security Report Vol. 19, Issue 3, May 2003, Pgs 222-227
Mathias Klang "A Critical Look at the Regulation of Computer Viruses" International Journal of
Law and Information Technology, Vol. 11 No.2
Nagavalli Annamalai "Cyber Laws of Malaysia - The Multimedia Super Corridor" Journal of
International Banking Law 1997, 12(12), 473-481
Natasha Jarvie "Control of Cyber crime - Is an end to our privacy on the Internet a Price worth
paying?" Part 1 COMPTLR 2003, 9(3), 76-81
Turner M (1994) "R v Vatsal Patel - The Computer Misuse Act 1990 s.3 (1)", 57 Journal of
Computer & Law 4
Newspaper Articles
"Letter bomb of the Computer Age" New York Times, 5 November 1988, p.16
Uhlig R (1995) "Black Baron, computer virus writer jailed for 18 months" The Electronic Telegraph
16 November 1995, available at http://www.telegraph.co.uk
The Job, Volume 35 Issue 895, January 10, 2003 available at www.met.police.uk