2

Computer as target

1. Introduction
We turn now to consider the first distinct category of cybercrimes:
those offences where a computer is itself the target. Such offences are
colloquially referred to as ‘hacking’,1 and cover a broad range of conduct
arising from an equally broad range of motivations. Given the ubiquitous
presence of computers in modern life, and the dependency of modern
commerce on computer networks, such offences have potentially serious
consequences.
We are not here concerned with those offences where a computer
is physically taken or damaged. Although some surveys include offences
such as theft of a computer within the definition of cybercrime, such
conduct falls comfortably within the scope of existing property offences.
Rather, our focus is on ‘[o]ffences against the confidentiality, integrity
and availability of computer data and systems’.2 In essence, the conduct
which these offences seek to address is:
1. the gaining of unauthorised access to a computer or computer system;
2. causing unauthorised damage or impairment to computer data or the
operation of a computer or computer system; or
3. the unauthorised interception of computer data.
Such conduct ranges from the technically sophisticated to the decidedly
low-tech. For example, twenty-one year old Gareth Crosskey convinced
Facebook staff to change the password of actress Selena Gomez’s account

1
For convenience, ‘hack’ and its variants will be used to describe unauthorised access to
computers and computer systems. While acknowledging that a distinction is sometimes
drawn between unauthorised access carried out for noble (‘hacking’) as opposed to ignoble
(‘cracking’) purposes, aside from sentencing such issues of motivation have little legal
relevance, and in popular usage the distinction is rarely observed.
2
Cybercrime Convention, Ch. II, Section I, Title 1.


Downloaded from https:/www.cambridge.org/core. University of Florida, on 08 Jan 2017 at 23:58:13, subject to the Cambridge Core terms of use
, available at https:/www.cambridge.org/core/terms. http://dx.doi.org/10.1017/CBO9781139540803.003
by pretending to be her stepfather.3 At the other end of the spectrum,
high-profile attacks by groups such as ‘Anonymous’ have well and
truly brought hacking to the attention of the public and governments.
While the sophisticated hacker is a very real threat, some surveys indicate
that insiders are often just as likely as outsiders to be the source of
cyberattacks.4 Any criminal law response must be capable of responding
to this broad spectrum of offending conduct.
The history and phenomenon of ‘hacking’ has been extensively discussed
elsewhere.5 For our purposes it will suffice to provide an outline
of the key forms of conduct which potentially fall within this class
of offence. At the outset it must be acknowledged that these categories
are neither mutually exclusive nor fixed. One of the great challenges
of drafting cybercrime laws is ensuring that they can adapt to a broad
range of overlapping and constantly evolving threats. Nonetheless, the
three main categories of conduct are:
1. unauthorised access to computers or computer systems;
2. malicious software; and
3. DoS attacks.

A. Unauthorised access to computers or computer systems


At a basic level, unauthorised access to a computer may be obtained
simply by logging on without permission. At the more sophisticated level,
it may involve hackers using networks to gain remote access, sometimes
via computers in a number of jurisdictions. Such hacks may be ‘user
level’, where the hacker has the same access to the system as an ordinary
user of the system, or ‘administrator’ or ‘root level’ access, where the
hacker has the same rights as the system administrator and can view or
modify data at will.6 The rapid pace with which software is developed

3
‘McDonald’s worker who hacked into emails between Selena Gomez and Justin Bieber
jailed for 12 months’, The Telegraph, 21 May 2012.
4
C. J. Sedak and P. Durojaiye, US cybercrime: Rising risks, reduced readiness – Key findings
from the 2014 US State of Cybercrime Survey (PWC, 10 June 2014), p. 9.
5
See M. Yar, Cybercrime and society (London: Sage Publications, 2006), Ch. 2; D. S. Wall,
Cybercrime: The transformation of crime in the information age (Cambridge: Polity, 2007),
Ch. 4; S. Furnell, ‘Hackers, viruses and malicious software’, in Y. Jewkes and M. Yar (eds.),
Handbook of internet crime (Cullompton: Willan, 2010).
6
E. J. Sinrod and W. P. Reilly, ‘Cyber-crimes: A practical approach to the application of
federal computer crime laws’ (2000) 16 Santa Clara Computer and High Tech Law Journal
177, 205–7, 210–12.

means that ‘bugs’ are inevitable, with hackers seeking to exploit these
vulnerabilities before they are rectified.7 So-called ‘zero-day
vulnerabilities’, those that are exploited before they can be patched, are a coveted
source of attack.8
The reasons for gaining unauthorised access to computers are as
varied as the data found in those computers. Nonetheless, some
categorisation of offender motivation is important in refining further
precisely what conduct falls within the broad umbrella of unauthorised
‘access’ to a computer. It is suggested that there are essentially three
motivations:
1. access to information;
2. modification/impairment of data; and
3. use of a computer.

Access to information
Given the wealth of information that is stored on computers and in
computer networks, access to that information is an obvious motivation
for gaining access. In 2013, Symantec reported that there were 253 data
breaches, with over 552 million identities breached.9 The increasing use
of ‘cloud’ storage for both personal and business information makes
them an increasingly tempting target for access to information.10
Typical reasons for unauthorised access to data include obtaining
confidential commercial or government information (e.g. trade secrets,
intellectual property, defence secrets) or personal information (e.g.
medical records, credit card or social security numbers or credit history).
For example, in US v. Aleynikov11 the defendant was an employee at
Goldman Sachs & Co who, prior to leaving the company to join a
competitor organisation, downloaded source code for Goldman Sachs’
trading system. In Butler v. R12 the defendant was employed by a bank in
their ‘group security section’. This gave him access to those parts of the
bank’s systems which verified customer details. The defendant used this
access to assume client identities and apply for credit cards, causing
losses to the bank of just over A$450,000.13

7
Australian High Tech Crime Centre, Malware: Viruses, worms, Trojan horses, High Tech
Crime Brief No. 10 (AIC, 2006), p. 1.
8
Symantec, Internet security threat report 2014 (2014), p. 6.
9
Ibid., p. 5.
10
Sophos, Security threat report 2014 (2014), p. 26.
11
737 F Supp 2d 173 (SDNY. 2010).
12
[2012] NSWCCA 54.
13
Ibid., at [4]–[5].

As noted above, unauthorised access may require varying degrees
of technical sophistication. In Mangham v. R14 the defendant gained
access to Facebook’s servers and was able to copy the ‘source code’; that
is, ‘the unique software which gives Facebook its functionality’.15 In order
to access that code, it was first necessary to access Facebook’s protected
systems. Having exploited vulnerabilities within those systems, it was
necessary to modify their functionality, giving access to the ‘Mailman
server’. This contained email archives and allowed the defendant to use
the compromised electronic identity of a Facebook employee to finally
gain access to the source code.
In contrast, in 2012 Christopher Chaney was sentenced to ten years
in prison after accessing the email accounts of people associated with the
entertainment industry, including Scarlett Johansson, Mila Kunis and
Renee Olstead.16 Chaney gained access to the email accounts by clicking
on the ‘forgot your password?’ function and correctly guessing the
answers to security questions by using publicly available information.
In other cases, the purpose is to interrogate the computer for possible
open connections or other vulnerabilities. For example, ‘port scanning’
is a technique by which requests are sent to networked computer ports in
order to ascertain whether particular machines have vulnerabilities;
the electronic equivalent of ‘rattling doorknobs’.17 A ‘structured query
language injection attack’ or ‘SQL attack’ ‘takes advantage of insecure
codes on a system connected to the internet, to bypass Firewalls and
access data not normally available’.18 Such conduct is commonly a
precursor to further intrusions, but may itself be a form of unauthorised
access. For example, members of the hacking group ‘LulzSec’ used an
‘SQL’ injection attack against the website of Sony Pictures to obtain
confidential information including names, addresses, phone numbers
and email addresses of more than 138,000 Sony customers which they
then distributed on the internet.19

14
[2012] EWCA Crim 973. The following summary is based on the court’s judgment at [4].
15
Ibid.
16
US Department of Justice, ‘Florida man convicted in wiretapping scheme targeting
celebrities sentenced to 10 years in federal prison for stealing personal data’, Press Release
(17 December 2012).
17
US v. Phillips, 477 F 3d 215 at 217 (5th Cir. 2007).
18
R v. Martin [2013] EWCA Crim 1420 at [7].
19
US Department of Justice, ‘Second member of hacking group sentenced to more than a
year in prison for stealing customer information from Sony Pictures computers’, Press
Release (8 August 2013).

Modification/impairment of data
A defendant may not only wish to gain access to data in a computer;
he or she may modify that data in some way. Hackers will commonly
take steps to conceal their presence; for example, by modifying system
logs. They may also wish to delete valuable data, or alter that data so that
it is misleading and/or worthless. For example, in US v. Middleton20
the defendant, a former employee of an internet service provider (ISP),
used a program called ‘Switch User’ to switch his account to that of the
company’s receptionist. He then used his unauthorised access to create,
delete and modify accounts, alter the computer’s registry and delete the
entire billing system and two internal databases.
Data may also be reprogrammed, for example, by defacing websites
or installing malware, and in 2013 it was reported that 77 per cent
of legitimate websites had exploitable vulnerabilities.21 For example,
hackers associated with the hacking group ‘Kryogeniks’ redirected all
traffic to the media company Comcast’s website, so that approximately
5 million people were redirected to a website containing the message
‘KRYOGENIKS Defiant and EBB RoXed COMCAST sHouTz to VIRUS
Warlock elul21 coll1er seven’.22
Modification of data may also be used to obtain a financial or other
advantage; for example, by increasing a line of credit23 or changing
test scores or grades. In 2013, two former students of the University
of Central Missouri pleaded guilty to hacking into the university’s
computers, allowing them to view and download faculty, staff, alumni
and student information, transfer money to their student accounts and
attempt to change grades.24
In 2010 Edwin Pena was sentenced to ten years’ imprisonment for
his role in what was said to be the first hacking of voice over internet
protocol (VoIP) networks.25 Pena worked with a professional hacker
called Robert Moore, who performed scans of computer networks
looking for vulnerable ports associated with VoIP providers. Between

20
231 F 3d 1207 (9th Cir. 2000).
21
Symantec, Internet security threat report 2014, p. 6.
22
US Department of Justice, ‘Comcast hackers sentenced to prison’, Press Release (24
September 2010).
23
US v. Marles, 408 F Supp 2d 38 (D Maine. 2006).
24
US Department of Justice, ‘Former student pleads guilty to computer hacking at
University of Central Missouri’, Press Release (12 April 2013).
25
US Department of Justice, ‘Extradited hacker sentenced to 10 years in federal prison for
masterminding first-ever hack into internet phone networks’, Press Release (24
September 2010).

June and October 2005, Moore initiated more than 6 million scans.26
Having discovered vulnerable ports he would then reprogramme the
computer networks to accept VoIP call traffic. Pena was thereby able to
sell heavily discounted internet-based phone services, which were routed
through the unsuspecting companies.27

Use of a computer
An obvious form of computer misuse is where a person uses a computer
for unauthorised purposes. In many cases, the use will be of negligible
value and impact and is hardly worth prosecuting. The use of a work
computer for non-work purposes, for example, is generally better dealt
with as a matter of employment law rather than criminal law. There are,
however, circumstances where unauthorised use of a computer may be
more significant. Unauthorised access to, and use of, commercial
databases may allow the hacker to obtain valuable services for free. Hackers
may gain access to more powerful computers in order to run programs
that require high levels of processing power, such as ‘brute-force’
password-cracking programs.28 In a novel example, enslaved computers
were enlisted to create or ‘mine’ the digital currency ‘bitcoin’.29 A hacker
may also deliberately gain access to a succession of computers in order
to conceal his or her identity and/or location.
A common example of unauthorised use is so-called ‘wardriving’30 or
‘wireless hacking’; that is, using a wireless network without authorisation.
In some contexts, networks are deliberately left open in order to attract
customers with free use of Wi-Fi. For those who wish to restrict access
the use of encryption, passwords and firewall protection will generally
deter all but the determined hacker.31 However, in some cases the owner
of the network may unwittingly grant access by leaving their network
unsecured. This may give rise to arguments of implied authorisation
to access the network and/or lack of mens rea on the part of the person
accessing.

26
Ibid.
27
Ibid.
28
US v. Phillips, 477 F 3d 215 at 218 (5th Cir. 2007).
29
Sophos, Security threat report 2014 (2014), p. 6.
30
The term is a variation of ‘wardialing’, made famous in the film War Games: P. S. Ryan,
‘War, peace, or stalemate: Wargames, wardialing, wardriving, and the emerging market
for hacker ethics’ (2004) 9 Virginia Journal of Law and Technology 7, 11. See, e.g., State v.
Allen, 260 Kan 107 (Kan. 1996).
31
A. Ramasastry, J. K. Winn and P. Winn, ‘Will wi-fi make your private network public?
Wardriving, criminal and civil liability, and the security risks of wireless networks’ (2005)
1 Shidler Journal of Law, Commerce and Technology 9, 10.

The unauthorised use of a wireless network gives rise to a number of
potentially criminal scenarios. First, there is the use of a service to which
the person is not entitled. Although in some cases this practice will have
no appreciable impact on the ‘victim’, if the authorised user is paying for
the service according to the amount of data downloaded, the cost of such
unauthorised use may be significant. It may also reduce download speed
for authorised users.
Secondly, use of another person’s network may allow a defendant to
conceal other illegal activities such as accessing child pornography or the
sending of spam, particularly public wireless access points that do not
require a subscription or collect an IP address.32
Thirdly, a wireless network may provide a point of entry for
unauthorised access to a computer system. In 2008, American Barry
Ardolf commenced a vendetta against his neighbours after they had
reported him to police for inappropriately kissing their four-year-old
son.33 Ardolf illegally gained access to the neighbour’s wireless
router and used that access to create an email account in the name
of the boy’s father. He then used that account to email the father’s
co-workers at a law firm, sending images of child pornography and
making sexually harassing comments to the father’s assistant. The
firm investigated and found the emails traced back to the father’s
router. Further threatening emails were sent to both parents until
Ardolf pushed his luck and sent death threats to the Vice-President.
This led to the involvement of the US Secret Service and ultimately
Ardolf’s arrest.
Fourthly, it is possible to intercept communications transmitted
over wireless networks. This may be done by cracking commonly used
encryption keys, or by creating a duplicate wireless internet access point
close to a legitimate access point. The illegitimate source has a stronger
signal than the legitimate source but mimics the legitimate settings.
The unsuspecting user therefore accesses the hacker’s network, allowing
him or her to monitor all communications over that network.34 The
ability to intercept unencrypted traffic over a wireless network opens the

32
S. Morris, The future of netcrime now: Part 1 – threats and challenges, Home Office
Online Report 62/04 (2004), p. 24.
33
US v. Ardolf, 683 F 3d 894 (8th Cir. 2012). These facts are summarised from the judgment
at 897–8.
34
S. McDonald, ‘Wireless hotspots: The truth about their evil twins’ (2006) 9 Internet Law
Bulletin 13.

possibility of a ‘man-in-the-middle attack’ in which a third party is able
to access and potentially alter the data being transmitted.35
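
An added example, not part of the original text: one way a network owner could check a Wi-Fi scan for the duplicate access point described above, flagging any beacon that advertises a known network name from an unapproved hardware address and raising severity when it is also the strongest signal. The network name, addresses, signal levels and the `find_suspect_twins` helper are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed allowlist: the SSID the owner operates and the BSSIDs
# (access-point hardware addresses) that were actually deployed.
KNOWN_APS = {"CafeGuest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    signal_dbm: int   # closer to 0 means a stronger signal
    security: str     # e.g. "open" or "WPA2"


# Constructed scan results, as a wireless survey tool might report them.
SAMPLE_SCAN = [
    Beacon("CafeGuest", "aa:bb:cc:00:00:01", -67, "WPA2"),
    Beacon("CafeGuest", "aa:bb:cc:00:00:02", -74, "WPA2"),
    Beacon("CafeGuest", "DE:AD:BE:EF:00:99", -41, "WPA2"),   # same name, unknown radio
    Beacon("CafeGuest", "12:34:56:78:9a:bc", -80, "open"),   # same name, weaker, open
    Beacon("NeighbourNet", "00:11:22:33:44:55", -60, "WPA2"),
]


def find_suspect_twins(beacons, known_aps=KNOWN_APS):
    """Return one finding per beacon that uses a known SSID from an unknown BSSID."""
    findings = []
    for ssid, allowed in known_aps.items():
        same_name = [b for b in beacons if b.ssid == ssid]
        legit = [b for b in same_name if b.bssid.lower() in allowed]
        # Strongest legitimate signal seen in this scan (None if none in range).
        best_legit = max((b.signal_dbm for b in legit), default=None)
        legit_security = {b.security for b in legit}
        for b in same_name:
            if b.bssid.lower() in allowed:
                continue
            stronger = best_legit is not None and b.signal_dbm > best_legit
            findings.append({
                "ssid": ssid,
                "bssid": b.bssid.lower(),
                "stronger_than_legitimate": stronger,
                # True when the unknown radio copies the real network's settings.
                "mimics_security": b.security in legit_security,
                "severity": "high" if stronger else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_twins(SAMPLE_SCAN):
        print(finding)
```
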

B. Malicious software
The second category is where the defendant disseminates malicious
software (‘malware’) such as viruses, worms and/or Trojans. Whether
software is malicious may depend upon the purpose for which it was
installed. For example, software such as adware and spyware is often used
to provide advertising for products or to collect information for
commercial purposes. While most applications of this nature fall within the
realm of ‘unwanted’ rather than ‘malicious’, they may be used for
malicious purposes such as gathering personal information for the purposes
of fraud, or discovering computer vulnerabilities that may be exploited.36
Malware is also commonly used to access confidential information to
facilitate fraud and other offences, so-called ‘blended threats’.37
Malware may be disseminated directly, for example by inserting an
infected storage device such as a USB,38 or more commonly via the
internet or other computer network via executable files. In 2013, the
rate of viruses in email attachments was estimated to be one in 196,39
while 25 per cent of emails contained a malicious URL.40 So-called ‘drive-
by-downloads’ involve an application being downloaded unwittingly by
the user who clicks on a website or email link or a deceptive
advertisement.41 ‘Clickjacking’ is where malicious code is hidden beneath
legitimate buttons or other ‘clickable’ content.42
Mobile phones are increasingly exposed to all of the exploits that
have traditionally been seen in personal computers.43 Once hacked, a

35
A. Hutchings, Computer security threats faced by small businesses in Australia, Trends
and Issues in Criminal Justice No. 433 (AIC, February 2012) p. 2.
36
Australian High Tech Crime Centre, Malware, p. 1.
37
G. Urbas and K. R. Choo, Resource materials on technology-enabled crime, Technical and
Background Paper No. 28 (AIC, 2008), p. 5.
38
R v. Larkin [2012] WASCA 238.
39
Symantec, Internet security threat report 2014, p. 62.
40
Ibid., p. 61.
41
A. Maurushat, ‘Australia’s accession to the Cybercrime Convention: Is the Convention
still relevant in combating cybercrime in the era of botnets and obfuscation crime tools?’
(2010) 33 University of New South Wales Law Journal 431, 438.
42
House of Commons Home Affairs Committee, E Crime, Fifth Report of Session 2013–14
(2013), p. 30.
43
Symantec, Internet security threat report 2014, pp. 69–76.

smartphone may allow hackers to engage in surveillance, impersonation,
identity theft, create a botnet, or make money more directly from
ransomware or scareware.44 The increasing popularity of mobile phone
‘apps’ also provides an effective vector for the dissemination of malware,
with the number of malicious or high-risk ‘Android’ apps reportedly
exceeding 1 million.45
The main categories of malware are:
1. viruses and worms;
2. Trojans;
3. bots; and
4. spyware.

Viruses and worms


Although technically distinct, the line between viruses and worms is
increasingly blurred. Both are programs that infect a computer by
being copied and then performing a programmed function. These
functions can vary from the very simple, such as displaying a message on a
particular date, to deletion or modification of data or installation of other
malware such as Trojans or bots. Some malware, known as ‘logic bombs’,
is programmed to activate on a certain event occurring, such as a specific
date or when a particular program is loaded. For example, in 2010
Rajendrasinh Makwana was sentenced to forty-one months in prison
for transmitting malware to the servers of the mortgage company Fannie
Mae.46 After being fired as a computer programmer with the company,
he transmitted malicious code which was intended to execute at a later
date, and upon execution would ‘propagate throughout the Fannie Mae
network of computers and destroy all data, including financial, securities
and mortgage information’.47
The distinction between viruses and worms is that a virus must
infect another program. For example, the infamous ‘Melissa’ virus was
first posted on an internet newsgroup ‘Alt.Sex.’ in 1999. Visitors to the
newsgroup were tempted to download the document which promised

44
Sophos, Security threat report 2014, p. 9.
45
RSA, The current state of cybercrime 2014: An inside look at the changing threat landscape,
White Paper (2014), p. 1.
46
US Department of Justice, ‘Fannie Mae computer intruder sentenced to over 3 years in
prison for attempting to wipe out Fannie Mae financial data’, Press Release (17
December 2010).
47
Ibid.

passwords to adult websites. Once the file was executed, the victim’s
computer was infected. The virus targeted Windows operating systems
and altered Microsoft word processing programs so that any document
created using Word would also be infected. The virus was then able
to replicate itself via Microsoft Outlook by causing computers to
send emails to the first fifty addresses in the victim’s address book. Each
email contained the message ‘Here is that document you asked for . . .
don’t show anyone else ;-)’. Opening the document of course infected
the computer, which in turn caused more emails to be sent. Because
each infected computer could infect fifty additional computers, which in
turn could infect another fifty computers, the virus proliferated rapidly
and exponentially, resulting in substantial impairment of computer
networks.48
Worms are similar to viruses but are self-replicating; that is, they do
not need to infect another application. In one of the earliest cybercrime
prosecutions the defendant, a graduate student at Cornell University,
programmed a computer worm that he released to the fledgling internet
via a computer at the Massachusetts Institute of Technology.49 The worm
was intended to test security and other weaknesses in the internet, which
at that time was ‘a group of national networks that connect university,
governmental, and military computers around the country’.50 Although
the defendant took a number of steps to reduce the impact of the worm,
he miscalculated the speed with which it would replicate and a large
number of computers crashed as a result.

Trojans
Like the legendary Trojan horse after which they are named, Trojans are
programs which appear to be innocent but contain a hidden function.
Such programs may be embedded in software, email attachments or
websites. Some may install a ‘back door’, allowing remote access by a
hacker. Financial Trojans may scan for the URLs of common financial
institutions, performing ‘Man-In-The-Browser’ (MITB) attacks during
online banking sessions.51 The malware then ‘spoofs’ the website of the
legitimate institution, or adds additional fields asking for identity

48
US Department of Justice, ‘Creator of Melissa computer virus sentenced to 20 months in
federal prison’, Press Release (1 May 2002).
49
US v. Morris, 928 F 2d 504 (2nd Cir. 1991).
50
Ibid., at 505.
51
Symantec, Internet security threat report 2014, p. 50.

information.52 Banking Trojans may be delivered via malicious banking
apps for mobile phones, and are able to intercept and send SMS
messages, forward incoming calls, and acquire information stored on the
mobile device.53 Hackers may infect websites with malware that remains
invisible to the user but captures keystrokes of those visiting the site.54
Malware may also disable the computer’s anti-viral software, but give the
appearance that it is still operating and receiving updates.55
Because they may allow remote operation of a computer unknown
to the authorised user, the possible presence of malware may also be used
as a ‘defence’ in some cases. That is, the defendant asserts that the
conduct was in fact caused by malware installed on his or her computer
of which the defendant was unaware.56

Bots
A bot is a program which infects a targeted computer and allows it to
be controlled remotely. The attacker exploits security weaknesses to
place small programs called ‘daemons’ which run in the background of
the host computer, unknown to the third party. These computers are
often referred to as ‘zombies’ or ‘bots’ and these ‘botnets’ can then be
instructed to perform coordinated tasks.57 In 2013, there were estimated
to be 2.3 million bots, down from 3.4 million in 2012.58 One of the largest
botnets was ZeroAccess which, in 2011, was estimated to have infected
between 1 and 2 million computers.59
Botnets are incredibly versatile, and may be involved in a range of
cybercrimes including spam, distributed denial of service (DDoS) attacks,
distribution of malware or child exploitation material, click-fraud and
identity theft.60 One of the largest botnets, KELIHOS, was estimated to
send 10.41 billion spam emails per day.61 Access to botnets may also be
sold for these purposes. In one case, the defendant admitted taking more

52
Fortinet, Anatomy of a botnet, White Paper (2013), p. 3.
53
RSA, Current state of cybercrime 2014, p. 2.
54
CERT Australia, Cyber crime & security survey report 2013 (Commonwealth of Australia,
2014), p. 26.
55
R v. Walker [2008] NZHC 1114 at [4].
56
S. W. Brenner, B. Carrier and J. Henninger, ‘The Trojan horse defense in cybercrime
cases’ (2004) 21 Santa Clara Computer and High Technology Law Journal 1.
57
Sinrod and Reilly, ‘Cybercrimes’, 194–7.
58
Symantec, Internet security threat report 2014, p. 15.
59
Fortinet, Anatomy of a botnet, p. 7.
60
Maurushat, ‘Australia’s accession to the Cybercrime Convention’, 439–40.
61
Symantec, Internet security threat report 2014, p. 46.

than US$107,000 in exchange for downloading adware to more than
400,000 infected computers that he controlled.62
Botnets increasingly use p2p networks, making them harder to shut
down as there is no single point of control.63 Botnets that utilise
a command-and-control centre can conceal it within a Tor-based
network,64 or use ‘dynamic Domain Name Server’ or ‘fast flux’ rotation
techniques to continually change location.65 Because of the difficulty
of detection, botnets may also be used as proxies for malicious websites,
allowing the IP addresses for those sites to be rotated to evade
discovery.66

Spyware
The term ‘spyware’ is a generic description for a range of programs
that in some way monitor computer use. This ranges from adware that
generates ‘pop-ups’, to programs that communicate information
about an internet user’s activities to a remote system without his or
her knowledge.67 These include ‘sniffer’ programs, which intercept
passwords; keyloggers, which record the user’s keystrokes; and ‘cookies’,
which record the user’s internet viewing habits. A ‘browser hijacker’,
often associated with pornography websites, is malware that can change
browser settings (such as the default start page), produce pop-up ads,
add bookmarks or redirect users to unwanted websites. In 2007, the
Dutch telecommunications regulator, OPTA, imposed fines totalling
€1 million on companies and individuals involved in the large-scale
distribution of unsolicited adware and spyware, with approximately
22 million computers infected.68
Other spyware is specifically designed for covert surveillance. The
‘SpyEye’ virus could be controlled through command-and-control
(C2) servers, allowing hackers to access the infected computers, acquire

62
US Department of Justice, ‘“Botherder” dealt record prison sentence for selling and
spreading malicious computer code’, Press Release (8 May 2006).
63
RSA, Current state of cybercrime 2014, p. 5.
64
Ibid.
65
Maurushat, ‘Australia’s accession to the Cybercrime Convention’, 439.
66
Federal Trade Commission, Spam summit: The next generation of threats and solutions
(2007), p. 12.
67
All Party Parliamentary Internet Group, Revision of the Computer Misuse Act: Report of
an inquiry by the All Party Internet Group (2004), [49].
68
OPTA, Decision to impose fine on dollar revenue, Fact Sheet (December 2007). The fines
were subsequently reduced on appeal to €800,000; Telecompaper, OPTA fine for spyware
whittled down by district court (8 February 2010).

personal and financial information, and transmit that information
back.69 It was sold for prices ranging from US$1,000 to $8,500, and
was estimated to have infected more than 1.4 million computers.70
Spyware such as ‘Mobistealth’ and ‘StealthGenie’ may be used to infect
mobile phones or computers, allowing the user to record ‘phone
calls, texts, voicemail, e-mail, appointments, digital address and contact
information, photographs and videos, and oral conversations’ associated
with the infected device.71

C. DoS attacks
A DoS attack exploits the way in which networked computers communicate
in order to overwhelm a network and thereby ‘deny service’.
A similar effect may be observed when a website is unable to cope with
the number of requests it is receiving, for example when tickets go on sale
for a popular concert and the system is overwhelmed by the number of
simultaneous requests. A DoS attack replicates this effect intentionally,
and can target a single computer, server, website or network.
There are a number of ways in which DoS attacks may be achieved. At
its most basic, individuals may send thousands of emails72 or a sufficient
number of requests to a website to overwhelm a system.73 DoS may
also result from a replicating program such as a virus overwhelming the
network, or where it is used for significant processing such as brute-force
cracking. In US v. Phillips74 the defendant’s use of a brute-force program
to send thousands of requests to a university computer increased the
usual monthly number of unique requests from approximately 20,000 to
as many as 1,200,000, causing the system to crash.
More sophisticated DoS attacks utilise internet protocols to overwhelm
the target computer(s). A networked system such as the internet relies
upon protocols to allow computers to communicate with one another
and to ensure that the data requested arrives at its destination. The
client computer sends a request to the server, which then responds and

69
US Department of Justice, ‘Cyber criminal pleads guilty to developing and distributing
notorious spyeye malware’, Press Release (28 January 2014).
70
Ibid.
71
US Department of Justice, ‘California resident pleaded guilty to wiretapping law enforcement
communications and others’, Press Release (10 November 2014).
72
US v. Carlson, 209 Fed. Appx. 181 (3rd Cir. 2006).
73
Pulte Homes, Inc. v. Laborers’ International Union 648 F 3d 295 (6th Cir. 2011).
74
477 F 3d 215 (5th Cir. 2007).

identifies itself. Once the client computer receives this identification, data
can be transferred.75
A number of techniques may be utilised to overwhelm this process.
For example, the server may be overwhelmed with requests. As the server
can only handle a certain number of requests, they are put into a queue.
Eventually, there is no room in the queue and no further requests will be
received. This is analogous to overwhelming the staff of a store with
bogus enquiries until they cannot respond to legitimate customers who
form a queue and block the entrance to the store, further denying access
to legitimate customers.76 Alternatively, the attacker may use a spoofed
address to send the request to the server. The server duly identifies itself
and waits to hear back. However, it will never hear back because it has
been given the wrong or a non-existent address. If enough messages are
sent the server is paralysed by waiting.77
Another variation is an internet control message protocol (ICMP)
flood. ‘Pings’ are small signals that are sent to other computers to see
if they are available and connected to the same network, and to check
for network problems. An ICMP attack involves sending a large
number of forged ping requests to a third-party server. The ping
requests have the return address of the victim which is then flooded
with responses to the pings from the server. This can cause both server
and victim to crash.78
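The two mechanisms just described, a queue filled with requests whose senders never answer and ping replies arriving at a victim that never asked for them, can be recognised from the defender's side by replaying packet records. The following is an added example, not part of the original text; the packet records, the addresses (taken from documentation ranges), the function names and the use of the TCP labels SYN and ACK for the request and the client's answer are assumptions made for illustration.

```python
from collections import Counter, namedtuple

# One observed packet: time (seconds), kind, source address, destination address.
Packet = namedtuple("Packet", "t kind src dst")

SERVER = "192.0.2.10"   # constructed addresses from documentation ranges
VICTIM = "192.0.2.20"

# Constructed sample traffic (not captured data).
SAMPLE = [
    # A normal client: request, server identifies itself, client answers.
    Packet(0.0, "SYN", "198.51.100.5", SERVER),
    Packet(0.1, "ACK", "198.51.100.5", SERVER),
    # Four requests whose return addresses never answer the server.
    Packet(1.0, "SYN", "203.0.113.1", SERVER),
    Packet(1.1, "SYN", "203.0.113.2", SERVER),
    Packet(1.2, "SYN", "203.0.113.3", SERVER),
    Packet(1.3, "SYN", "203.0.113.4", SERVER),
    # A legitimate client arriving while the queue is occupied.
    Packet(2.0, "SYN", "198.51.100.6", SERVER),
    Packet(2.1, "ACK", "198.51.100.6", SERVER),
    # A client arriving after the server has stopped waiting.
    Packet(40.0, "SYN", "198.51.100.7", SERVER),
    Packet(40.1, "ACK", "198.51.100.7", SERVER),
    # The victim pings one host and receives the reply it asked for ...
    Packet(50.0, "ECHO_REQUEST", VICTIM, "198.51.100.9"),
    Packet(50.05, "ECHO_REPLY", "198.51.100.9", VICTIM),
    # ... then receives replies to pings it never sent.
    Packet(51.0, "ECHO_REPLY", "203.0.113.50", VICTIM),
    Packet(51.1, "ECHO_REPLY", "203.0.113.50", VICTIM),
    Packet(51.2, "ECHO_REPLY", "203.0.113.50", VICTIM),
]


def simulate_backlog(packets, server, backlog=4, timeout=30.0):
    """Replay requests against a server with a fixed-size queue of
    unanswered requests. Returns (peak queue depth, refused sources)."""
    pending = {}            # client address -> time its request was queued
    peak, refused = 0, []
    for p in sorted(packets, key=lambda p: p.t):
        # Drop entries the server has given up waiting on.
        for src in [s for s, t0 in pending.items() if p.t - t0 >= timeout]:
            del pending[src]
        if p.dst != server:
            continue
        if p.kind == "SYN":
            if p.src in pending:
                continue                    # retransmission of a queued request
            if len(pending) >= backlog:
                refused.append(p.src)       # no room: request is not received
            else:
                pending[p.src] = p.t
                peak = max(peak, len(pending))
        elif p.kind == "ACK":
            pending.pop(p.src, None)        # client answered, slot is freed
    return peak, refused


def unsolicited_echo_replies(packets, host, window=5.0):
    """Count, per source, ping replies reaching `host` that match no ping
    request `host` sent to that source within `window` seconds."""
    asked = {}              # peer address -> times of unanswered requests
    unsolicited = Counter()
    for p in sorted(packets, key=lambda p: p.t):
        if p.kind == "ECHO_REQUEST" and p.src == host:
            asked.setdefault(p.dst, []).append(p.t)
        elif p.kind == "ECHO_REPLY" and p.dst == host:
            times = asked.get(p.src, [])
            match = next((t for t in times if 0 <= p.t - t <= window), None)
            if match is not None:
                times.remove(match)         # reply answers a real request
            else:
                unsolicited[p.src] += 1     # reply to a ping never sent
    return dict(unsolicited)


if __name__ == "__main__":
    print(simulate_backlog(SAMPLE, SERVER))
    print(simulate_backlog(SAMPLE, SERVER, backlog=8))
    print(unsolicited_echo_replies(SAMPLE, VICTIM))
```

With the default queue of four, the legitimate client arriving at 2.0 seconds is refused; with a queue of eight the same traffic is absorbed, and in both cases service resumes once the unanswered entries time out.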
In a DDoS attack the attacker enlists other computers to attack
the target computer or network. In 2010, a computer programmer was
convicted in relation to infecting thousands of computers and using the
botnet to engage in DDoS attacks against media outlets that republished
stories about him.79 In R v. Martin80 the defendant was convicted under
the Computer Misuse Act 1990 (UK) and sentenced to a total of two
years’ imprisonment in relation to DDoS attacks against the websites
of Oxford and Cambridge Universities and the Kent Police. The volume
of data generated in DDoS attacks in order to overwhelm the target
system has been increasing rapidly. A recent survey reported a number
of attacks above 100 Gbps (gigabits per second), with a peak of 400
Gbps.81 Ten years ago, the typical peak was 5–8 Gbps.82

75
The process is described in detail in Sinrod and Reilly, ‘Cybercrimes’, 190–1.
76
Ibid., n. 60.
77
Ibid., 192.
78
Ibid., 193.
79
US v. Raisley, 466 Fed Appx 135 (3rd Cir. 2012).
80
[2013] EWCA Crim 1420.
81
Arbor Networks, Worldwide infrastructure security report, Vol. X (2015), p. 24.
82
Ibid.

2. The prevalence of cybercrime
The difficulty in obtaining meaningful statistics on cybercrime generally
has already been noted. The problem is particularly acute in the context
of cyber-dependent crimes which are often not recorded in official crime
statistics. For example, although in 2012–13 there were 58,662 cyber-enabled
frauds and 9,898 computer misuse reports to Action Fraud in the
United Kingdom,83 the Crime Survey for England and Wales does not
currently cover fraud and other forms of cybercrime.84
In other cases, computer crimes may be punished under other provisions,
if at all. For example, the apparently low number of sentenced
offenders under the Computer Misuse Act may be explained in part
by the high number of cybercrimes prosecuted under other acts, such
as the Fraud Act 2006.85 Following the phone hacking scandals in the
United Kingdom, it was noted that although mobile phones and
the servers on which voicemail messages are stored could be described
as ‘computers’, there had been no prosecutions under the Computer
Misuse Act in relation to unauthorised access to phone messages.86
One of the most common sources of information on cybercrime is
surveys of security professionals and/or executives with responsibility for
IT security. Given the targeted nature of these surveys, the results tend
to be skewed due to small response rates and non-random samples.87
Further, the definition of ‘computer crime’ is often very broad, and may
include such offences as theft of laptops/mobile devices. Nonetheless,
these surveys provide one of the few ongoing sources of information on
cybercrime trends.
For many years, one of the most comprehensive surveys was the
CSI Computer Crime and Security Survey. According to the fifteenth
and apparently final report in 2010/2011, the most common incidents
were malware infection (67.1 per cent), phishing where the victim was

83
National Fraud Authority (UK), Annual fraud indicator (June 2013), p. 9.
84
Office for National Statistics (UK), Discussion paper on the coverage of crime statistics,
Discussion Paper (23 January 2014); Office for National Statistics (UK), Work to extend
the crime survey for England and Wales to include fraud and cyber-crime, Methodological
Note (16 October 2014).
85
M. McGuire and S. Dowling, Cyber crime: A review of the evidence, Research Report 75
(Home Office, 2013), ch. 1, p. 13.
86
House of Commons, Committee on Standards and Privileges, Privilege: Hacking of
members’ mobile phones (Fourteenth Report of Session 2010–11, 31 March 2011), p. 7.
87
R. Richardson, CSI computer crime and security survey (Computer Security Institute,
2011), p. 3. (Formerly known as the ‘CSI/FBI’ survey.)

represented as the sender (38.9 per cent), laptop theft (33.5 per cent) and
bots on the network (28.9 per cent).88 More recently, a 2014 report by
PricewaterhouseCoopers cited the most frequent cybersecurity incidents
as ‘malware, phishing, network interruption, spyware, and denial of
service attacks’.89 Increasingly, respondents are reporting ‘targeted
attacks’, with malware being customised to make it more effective against
specific targets.90
The equivalent Australian survey is produced by CERT Australia.91
According to the 2013 survey, 56 per cent of respondents experienced
electronic attacks.92 Of those who experienced an attack, 63 per cent
reported ‘targeted emails’ (‘spear phishing’),93 52 per cent experienced
‘virus or worm infections’ and 46 per cent experienced ‘trojan or rootkit
malware’ infections.94 Rounding out the top five were theft of mobile
devices (35 per cent) and unauthorised access (26 per cent).95
In terms of the impact of cybercrimes, it is estimated that 7 per cent of
US organisations lost US$1 million or more due to cybercrime in 2013.96
A further 19 per cent reported financial losses of between US$50,000 and
$1 million.97 The average number of security incidents detected was
135 per organisation, although it must be noted that there is potentially
a very large number of incidents that go undetected.98
Although limited, police and prosecution statistics provide a clearer
indication of the extent to which cybercrimes are coming to the attention
of enforcement agencies. For example, in Canada in 2012, police reported
that 88 per cent of cybercrimes were cyber-enabled crimes, with fraud
being the most prevalent.99 Only 10 per cent of reported cybercrimes
were cyber-dependent crimes, with 2 per cent unable to be classified.100
In the United Kingdom in 2012, the most common computer misuse
incidents reported to Action Fraud were viruses, spyware and malware
(3,949 reports) and hacking into social network or email accounts (1,603
reports).101 Between 2007 and 2012, there were 101 prosecutions under
the Computer Misuse Act, with eighty-eight people sentenced with a

88
Ibid., p. 15.
89
Sedak and Durojaiye, US cybercrime, p. 9.
90
Richardson, Computer crime and security survey, p. 13.
91
CERT Australia, Cyber crime & security survey.
92
Ibid., p. 22.
93
Ibid., pp. 25–6.
94
Ibid.
95
Ibid.
96
Sedak and Durojaiye, US cybercrime, p. 5.
97
Ibid.
98
Ibid., p. 7.
99
B. Mazowita and M. Vézina, Juristat: Police reported cybercrime in Canada, 2012
(Statistics Canada, 2014), p. 3.
100
Ibid., p. 4.
101
McGuire and Dowling, Cyber crime: A review of the evidence, ch. 1, p. 11.

primary offence under the Act.102 In the United States in 2012 there
was a total of seventy-two completed prosecutions under the principal
cybercrime provision (18 USC § 1030).103

3. The legislative environment
Prior to the enactment of specific cybercrime offences, prosecutors
looked to existing offences to deal with this new form of offending.
For example, unauthorised access could be seen as analogous to trespass.
Other parallels to impairment of data could be found in criminal
damage.104 Such an approach had the advantage of being seen as an
extension of the law rather than a radical overhaul.105
Although property offences provided a ready analogy, such efforts
were complicated by the application of traditional notions of property
to computer data.106 For example, at common law, confidential information
is generally not regarded as ‘property’ for the purposes of theft.107
Applying this same principle to computer data, a person who accesses
but does not modify data will not generally be liable for theft as there
is no taking away of property.108
In other contexts, courts had difficulty in determining whether
computer data constitutes property at all; the success or failure of
the prosecution largely depending upon the wording of the particular
statute. For example, in US v. Brown109 it was held that a computer
program was not ‘goods, wares, merchandise, securities, or moneys’
for the purposes of transporting stolen property.110 In contrast, in

102
Ibid., p. 13.
103
Bureau of Justice Statistics, Federal Justice Statistics Resource Center,
www.bjs.gov/fjsrc/tsec.cfm.
104
S. W. Brenner, ‘Is there such a thing as “virtual crime”?’ (2001) 4 California Criminal
Law Review 1, 71–3, 82–4.
105
M. Wasik, Crime and the computer (Oxford: Clarendon Press, 1991), p. 69.
106
Ibid., pp. 95–102; O. S. Kerr, ‘Cybercrime’s scope: Interpreting “access” and “authorization”
in computer misuse statutes’ (2003) 78 New York University Law Review 1596,
1603–13.
107
Oxford v. Moss (1978) 68 Cr App R 183. See also R v. Stewart [1988] 1 SCR 963.
108
Ward v. Superior Court of Alameda County, 3 Computer L Serv Rep (Callaghan) 206
(Cal Super Ct 1972). Cf. Hancock v. Texas, 402 SW 2d 906 (CCA Tex. 1966) where the
computer programs were in written form.
109
925 F 2d 1301 at 1308–9 (10th Cir. 1991). Cf. US v. Farraj, 142 F Supp 2d 484
(SDNY. 2001).
110
18 USC §§ 2314, 2315.

US v. Collins111 it was held that the offence of converting government
property contrary to 18 USC § 641 was not limited to tangible property
and could apply to unauthorised use of a government computer.112
Other prosecutions focused on the use of the computer without authorisation
as being theft of a telecommunication service,113 fraud114 or
criminal damage.115
While convictions were sometimes obtained by utilising existing
offences, there was ‘recurrent (and understandable) difficulty in
explaining to judges, magistrates and juries how the facts fit in with the
present law’.116 One particularly tortured example was R v. Gold, R v.
Schifreen,117 described by the House of Lords as a ‘Procrustean attempt
to force these facts into the language of an Act not designed to fit
them’.118
While it may be thought that a simple remedy would be to amend
the definition of ‘property’ to incorporate computer data,119 such an
approach has generally not been adopted for a number of reasons. First,
it is not only the concept of ‘property’ which is problematic. Similar
difficulties arise in respect of other elements such as whether there has
been an appropriation120 or whether the defendant had an intention
to permanently deprive.121
In the recent Canadian case of R v. Maurer,122 the defendant had been
in a relationship with the complainant. In the process of assisting her
to recover data from a faulty computer, he gained access to intimate

111
56 F 3d 1416 (DC Cir. 1995). Also see State v. Schwartz, 173 Ore App 301 at 317
(Or. Ct App. 2001) where it was held that password files could be the subject of theft
under the Oregon statute.
112
Also see US v. Kernell, 742 F Supp 2d 904 (ED Tenn. 2010) in which the defendant was
prosecuted, inter alia, for wire fraud in relation to unauthorised access to Governor
Sarah Palin’s email account. The court rejected a motion to dismiss which argued
that ‘information data and pictures’ cannot constitute ‘property’ for the purposes of
18 USC § 1343.
113
R v. McLaughlin [1980] 2 SCR 331.
114
See, e.g., US v. Schreier, 908 F 2d 645 (10th Cir. 1990).
115
R v. Whitely (1991) 93 Cr App R 25; Cox v. Riley (1986) 83 Cr App R 54; Re Turner
(1984) 13 CCC (3d) 430.
116
Law Commission (UK), Computer misuse, Final Report No. 186 (1989), [2.31].
117
[1988] AC 1063.
118
Ibid., at 1071.
119
D. B. Parker, Fighting computer crime (New York: Scribner, 1983), p. 240; J. McConvill,
‘Contemporary comment: Computer trespass in Victoria’ (2001) 25 Criminal Law
Journal 220, 224.
120
Lund v. Commonwealth, 217 Va 688 (SC Va. 1977).
121
State v. McGraw, 480 NE 2d 552 (SC Ind. 1985). See also S. W. Brenner, ‘Bits, bytes, and
bicycles: Theft and cyber theft’ (2012) 47 New England Law Review 817.
122
R v. Maurer, 2014 SKPC 118.

photographs which she had taken during a previous relationship.
The defendant refused her request to delete the images and, after their
relationship soured, he posted the images on the internet, and distributed
flyers at her workplace providing a link to the site.123
The defendant was charged with unauthorised use of a computer
under s. 342.1(1) and mischief under s. 430(1.1) Criminal Code (Can).
Importantly, the charges were particularised on the basis that the defendant
‘stole’ personal data belonging to the complainant.124 Although theft
is not an essential element of either of the offences charged, the prosecution
had to prove its case as particularised.125 The issue of whether
the complainant’s data could be stolen was therefore determinative of
the case.126
The court held, following Stewart, that the data in the form of the
nude images did not fall within the meaning of ‘anything’ for the purposes
of theft under the Criminal Code. ‘The data is not capable of being
taken or converted in a manner that results in the deprivation of the
victim.’127 Even if it were considered property, other elements of theft
were not made out as the defendant ‘did not intend to deprive the
complainant of her property interest in the data, nor did he intend to
deal with the data in a manner that it could not be restored to the
condition it was in at the time it was taken or converted’.128 His intention
was to publish the information and publicly humiliate her, which did not
constitute theft.129
Secondly, it confers upon information stored within a computer
the status of property, which does not generally apply to information
stored in other forms. By simply defining data to be property, the need
for criminalisation is assumed to be the same as that which applies to
tangible property. This avoids a thorough analysis of the underlying
criminality of such conduct.130
Thirdly, such offences also fail to encompass newer forms of offending
such as DoS attacks that suppress rather than modify or delete
data. Continued reliance on existing laws is a reactive response to a
constantly evolving problem. Even if property and related offences may
be utilised in the context of domestic prosecutions, those offences
may not have analogues in other jurisdictions, thereby hampering

123
Ibid., at [7]–[17].
124
Ibid., at [18].
125
Ibid., at [24].
126
Ibid., at [5].
127
Ibid., at [25].
128
Ibid., at [26].
129
Ibid.
130
See generally, J. Clough, ‘Data theft? Cybercrime and the increasing criminalization of
access to data’ (2011) 22 Criminal Law Forum 145.

international co-operation in the investigation and prosecution of
cybercrimes. Computers and computer networks are simply too important
for their protection to be dependent on the adaptation of often arcane
doctrine.
Accordingly, each jurisdiction has enacted specific cybercrime provisions.
Under the Cybercrime Convention, such offences are classified as
offences against the confidentiality, integrity and availability of computer
data and systems.131

A. Australia
In Australia, criminal law is primarily a matter of state and territory
responsibility, with the Commonwealth limited to areas within its constitutional
power. Despite this, the Commonwealth has had a considerable
influence in the area of cybercrime for two reasons.
First, the Commonwealth has been instrumental in the wholesale
review of Australian criminal laws. Although the earliest Australian
legislative reforms relating to cybercrime occurred in the Northern
Territory in 1983,132 more widespread reform did not occur until the
recommendations of the Attorney General’s Department’s Review of
Commonwealth Criminal Law in 1988.133 These were in turn overtaken
by the project to develop a uniform Criminal Code, a task carried out
by the Model Criminal Code Officers Committee (MCCOC).134 This
resulted in the current computer offence provisions found in Pt. 10.7
of the Criminal Code Act 1995 (Cth).135
Although based to a large extent on the UK reforms discussed below,
the Committee was also influenced by the Cybercrime Convention,

131
Cybercrime Convention, Ch. II, Section I, Title 1. Also relevant in the EU is Directive
2013/40/EU of the European Parliament and of the Council of 12 August 2013 on
attacks against information systems and replacing Council Framework Decision
2005/222/JHA [2013] OJ L 218/8.
132
Criminal Code Act (NT), s. 222. See S. Bronitt and M. Gani, ‘Shifting boundaries of
cybercrime: From computer hacking to cyberterrorism’ (2003) 27 Criminal Law Journal
303, 307.
133
Attorney General’s Department (Australia), Review of Commonwealth criminal law:
Interim report, computer crime (1988).
134
See generally Model Criminal Code Officers Committee, Chapter 4: Damage and
computer offences, Discussion Paper (2000); Chapter 4: Damage and computer offences,
Final Report (2001).
135
‘Criminal Code (Cth)’.

which at the time was in draft form.136 Part 10.7 contains a range of
offences concerned with unauthorised access, modification and impairment
of data. These offences are further divided into ‘serious computer
offences’ (Division 477) and ‘other computer offences’ (Division 478).
The interception of communications is dealt with in separate legislation.137
Although intended to provide a model for all jurisdictions, the
Criminal Code has not been widely adopted. Consequently, Australian
cybercrimes are a patchwork of jurisdictions with some based on Part
10.7,138 some adopting their own approaches139 while others do both.140
Secondly, the Commonwealth’s legislative power in relation to telecommunications
gives it a wide legislative mandate in this area.141 The
most extreme example is found in s. 474.14. Under this provision it is an
offence to connect equipment to, or use equipment connected142 to, a
telecommunications network intending to commit, or to facilitate the
commission of, a serious offence.143
There is no limitation on the nature of the serious offence; that is, it
need not be concerned with telecommunications. So long as the network
is used to facilitate or commit such an offence, the offence is made out.
Nor is there a need to prove that the serious offence was actually
facilitated; in fact, the offence may be made out even where committing
the serious offence is impossible.144 It is enough that the defendant
intended to facilitate the offence. It therefore punishes preparatory conduct
that may fall far short of the law of attempts.145

136
Model Criminal Code Officers Committee, Computer offences (2001), p. 89.
137
See Chapter 6.
138
Criminal Code 2002 (ACT), Pt. 4.2; Crimes Act 1900 (NSW), Pt. 6; Crimes Act 1958
(Vic), Pt. I Div. 3(6).
139
Criminal Code Act 1899 (Qld), s. 408E; Criminal Code Act 1924 (Tas), Ch. XXVIIIA;
Criminal Code Act Compilation Act 1913 (WA), s. 440A.
140
Criminal Code (NT), Pt. VII Div. 10; Summary Offences Act 1953 (SA), ss. 44, 44A;
Criminal Law Consolidation Act 1935 (SA), Pt. 4A.
141
For a range of offences associated with telecommunications, see Criminal Code (Cth),
Pt. 10.6, Div. 474.
142
‘Connected’ in relation to a telecommunications network is defined to include ‘connection
otherwise than by means of physical contact (e.g., a connection by means of radio
communication)’: Criminal Code (Cth), s. 473.1.
143
Either against a law of the Commonwealth, a state or a territory or a foreign law: ibid.,
s. 474.12(1)(b). Both offences are punishable by a penalty not exceeding the penalty
applicable to the serious offence: at s. 474.14(3).
144
Criminal Code (Cth), s. 474.14(5).
145
It is not, however, an offence to attempt to commit these offences: ibid., s. 474.14(6).

This represents an extraordinary expansion of Commonwealth power,
which not only potentially overlaps with state laws (although it is
unlikely that the Commonwealth has evinced an intention to cover the
field) but may displace more targeted Commonwealth offences such as
those concerned with unauthorised access to computers with intention
to commit a serious offence.146 These problems are further exacerbated
by its application to foreign laws.147
Most recently, a number of jurisdictional restrictions were removed
from the Commonwealth computer offences by the Cybercrime Legislation
Amendment Act 2012 (Cth). In particular, restrictions based on
Commonwealth computers or data, or the use of a carriage service,148
were removed in order to ensure compliance with the Cybercrime Convention
in anticipation of Australia’s accession.149 These requirements
were initially necessary to provide the government with federal power
over computer offences. However, with the accession of Australia to the
Cybercrime Convention, the Commonwealth will rely on the ‘external
affairs’ power to provide comprehensive computer crime offences.150
Although these will overlap to a considerable extent with state and
territory provisions, the Commonwealth’s intention is not to ‘cover
the field’, therefore retaining the validity of inconsistent state laws.151

B. Canada
Reform of the Canadian Criminal Code152 to address problems of computer
misuse arose largely as a result of the Supreme Court’s decision in

146
Urbas and Choo, Technology-enabled crime, p. 23.
147
‘Serious offence against a foreign law’ means an offence against a law of a foreign
country constituted by conduct that, if it had occurred in Australia, would have
constituted a serious offence against a law of the Commonwealth, a state or a territory:
Criminal Code (Cth), s. 473.1.
148
In the Dictionary to the Code, ‘carriage service’ has the same meaning as in s. 7
Telecommunications Act 1997 (Cth); that is, ‘a service for carrying communications
by means of guided and/or unguided electromagnetic energy’.
149
Commonwealth of Australia, Explanatory Memorandum, Cybercrime Legislation
Amendment Bill 2011 (Cth).
150
Commonwealth Parliament, Review of the Cybercrime Legislation Amendment Bill 2011
(Joint Select Committee on Cyber-Safety, August 2011), p. 50.
151
Ibid. However, doubts have been expressed on the correctness of this view: see ibid.,
pp. 51–5.
152
Criminal Code, RSC 1985, c C-46 (‘Criminal Code (Can)’).

McLaughlin.153 A bill154 was referred to the House Standing Committee
on Justice and Legal Affairs, which tabled its report on 29 June 1983.
The Committee rejected the idea of a specific cybercrime statute on the
basis that such a statute would take too long to draft, and that cybercrime
should not be treated differently from other types of crime.155 The
Committee therefore recommended amendments to the Criminal Code,
adopting a two-tier approach, with an offence of unauthorised access
and one of unauthorised alteration or destruction of computer data.156
These amendments came into force on 4 December 1985,157 and were
supplemented in 1997 by the Criminal Law Improvement Act, which
introduced an offence of trafficking in computer passwords and devices
used to commit cybercrimes.158 Most recently, a number of amendments
were made by the Protecting Canadians from Online Crime Act 2014.

C. The United Kingdom
Once commenced, reform in the United Kingdom occurred rapidly.
The Law Commission published both its Working Paper159 and Final
Report160 on ‘Computer Misuse’ within a year of each other. This was
followed in 1990 by the enactment of the Computer Misuse Act 1990
(UK).161 The Act initially penalised two forms of conduct: ‘unauthorised
access to computer material’ (ss. 1 and 2) and ‘unauthorised modification
of computer material’ (s. 3). Following a review by the All Party Parliamentary
Internet Group (APIG)162 some important reforms were made
by Part 5 of the Police and Justice Act 2006 (UK). These amendments
attempted to address some of the specific problems that had arisen
under the existing law, particularly in relation to DoS attacks, and also

153
See p. 160.
154
Bill C-667, ‘An Act to Amend the Criminal Code and the Canada Evidence Act in
respect of Computer Crime’ (1982).
155
House of Commons Standing Committee on Justice and Legal Affairs, Computer crime,
Final Report (1983), pp. 15–16.
156
Ibid., p. 16.
157
Criminal Law Amendment Act 1985 (Can). See M. Hébert and H. Pilon, Computer crime
(Department of Justice Canada, 1991).
158
An Act to amend the Criminal Code and certain other Acts, SC 1997, c. 18, s. 18.
159
Law Commission (UK), Computer misuse, Working Paper No. 110 (1988).
160
Law Commission (UK), Computer misuse (1989). The Scottish Law Commission had
published its report two years earlier: Scottish Law Commission, Report on computer
crime, Final Report No. 106 (1987).
161
‘Computer Misuse Act’.
162
All Party Parliamentary Internet Group, Revision of the Computer Misuse Act (2004).

to conform with the Cybercrime Convention and the EU Framework
Decision.163 The amendments also introduced a new offence dealing
with trafficking in ‘hacking devices’.
More recently, significant changes to the Computer Misuse Act
have been enacted as part of the Serious Crime Act 2015 (UK). These
particular reforms arose out of a review of the Act, as foreshadowed in
the Cyber Security Strategy.164 The first significant reform is the creation
of a new offence of unauthorised acts causing, or creating the risk of,
serious damage.165 This is intended to address a perceived gap in the law
where the maximum penalty for unauthorised access causing impairment
is ten years’ imprisonment, regardless of the level of harm caused.166
The second group of reforms arose out of the need to comply with
the EC Directive on attacks against information systems.167 Section 3A,
which is concerned with trafficking in hacking tools, is amended
to include those situations where the defendant obtains tools for use to
commit an offence under the Act, regardless of an intention to supply.168
The reforms also expanded the jurisdictional reach of the United Kingdom
in relation to offences under the Act in order to comply with Article
12 of the Directive.169

D. The United States


The first US computer crime statute was enacted in Florida in 1978, with
all fifty states now having followed suit.170 Although federal legislation
had been proposed earlier,171 the first federal Act was the Counterfeit
Access Device and Computer Fraud and Abuse Act of 1984. However,

163
Explanatory Notes, Police and Justice Act 2006 (UK), [301].
164
Cabinet Office, The UK cyber security strategy: Protecting and promoting the UK in a
digital world (Cabinet Office, 2011).
165
Serious Crime Act 2015 (UK), s. 41.
166
Explanatory Notes, Serious Crime Bill 2014 (UK) [HL], Bill No. 116, p. 29.
167
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013
on attacks against information systems and replacing Council Framework Decision
2005/222/JHA, [2013] OJ L 218/8, Arts. 7, 12.
168
Serious Crime Act 2015 (UK) s. 42. Explanatory Notes, Serious Crime Bill [HL], Bill
No. 116, p. 31.
169
Serious Crime Act 2015 (UK) s. 43. Explanatory Notes, Serious Crime Bill [HL], Bill
No. 116, pp. 31–2.
170
Kerr, ‘Cybercrime’s scope’, 1615.
171
J. Roddy, ‘The Federal Computer Systems Protection Act’ (1979) 7 Rutgers Journal of
Computer Technology and the Law 343.

its narrow scope and lack of clarity meant it was soon superseded by the
Computer Fraud and Abuse Act of 1986 (CFAA), codified at 18 USC
§ 1030. This remains the principal federal computer crime statute,
although its reach has been significantly expanded to include ‘protected
computers’, the dissemination of malware and trafficking in computer
passwords. Importantly, the CFAA also allows for civil remedies,172
which has been a significant contributor to jurisprudence in this area
and has, arguably, led to more expansive interpretations than might
occur in the criminal courts.173
We now turn to consider the specific offence categories. Chapter 3 is
concerned with unauthorised access to computers, while Chapter 4
focuses on unauthorised modification or impairment of data. Also relevant
to this category of offending are those offences relating to the misuse
of devices which may be used to facilitate the commission of these
offences (Chapter 5) and unauthorised interception of data (Chapter 6).

172
18 USC § 1030(g).
173
O. S. Kerr, ‘Lifting the “fog” of internet surveillance: How a suppression remedy would
change computer crime law’ (2003) 54 Hastings Law Journal 805, 829–36.
