Cyber Crime Legislation - The Kangaroo Perspective

  • Uploaded by: David Teisseire, CISSP
  • November 2019
Cybercrime Legislation - The Kangaroo Perspective

David Teisseire
Version 1.2f (August 13, 2001)

"The most effective means of preventing unauthorised access is, of course, the introduction and development of effective security measures."
Council of Europe - Final Draft Explanatory Report to the Convention on Cyber-crime

Introduction

In light of the Cybercrime Bill recently introduced into the Australian Parliament, it is a good time to review the provisions of this bill and to look at the broader issues of cybercrime legislation. As with any paper relating to computer and internet issues, the information contained here could change very rapidly, and readers are encouraged to review the relevant source documents at the respective sites for any updates. Initially, this paper was to compare the Australian legislation with that of the rest of the world in order to establish a baseline level of compliance with other legislation. However, on review it was discovered that there is an almost singular lack of consistency on which to compare the various national and regional acts. With this in mind, the brief was amended to review the Australian Bill, its relevance to Australian statutes, and the documents that the bill was modelled on; namely the Council of Europe Draft Convention on Cybercrime and the UK Computer Misuse Act 1990.

The Need

There seems little doubt that there is an urgent need for a universal cybercrime legislative framework. The number of incidents reported to organisations like CERT rose from just under 10,000 (9,859) in 1999 to nearly 22,000 (21,756) in 2000. The trend continued, with almost 35,000 (34,754) reported incidents for the first 3 quarters of 2001 (http://www.cert.org/stats/cert_stats.html). The rise in internet crime and malicious damage, doubling during those years, highlights not only the need for proactive action by SysAdmins but also the need for dramatic and timely changes to cybercrime legislation throughout the world.

This area of law is one of rapid change but also one of jurisdictive challenges. The Internet by its very nature transcends physical national boundaries. Issues such as the country of origin of a cyber attack as well as the target destination must be taken into account. Where the physical hardware for the attack is located in a third country, the problems are further compounded. A not uncommon situation is one where an attacker has control over a number of computers located in a number of different countries, as was the case in the attacks on Steve Gibson's 'Shields Up!' site during May and June 2001 (http://www.grc.com). On the 4th of May 2001, 474 Windows based PCs mounted a Ping attack on the grc server; later, on the 20th of June 2001, a further 195 machines conducted an ICMP flood attack on the same site. Steve Gibson identified the IP addresses of the attacking machines in June and discovered that, in addition to a large number of US based machines, there were computers located in Australia, the United Kingdom, Japan, Finland and the Netherlands. In a scenario like this, who has legislative power to prosecute? Is it the country of origin of the attack, the destination of the attack, or the country where the original perpetrator is located?

In a situation like this there is a glaring need for a universal cybercrime code and mutual assistance pacts to bring the offender to justice. In addition, there is the issue of the number of potential parties involved in any legal proceedings. In the June 2001 attack on 'Shields Up!', there appear to be some 195 parties in addition to the offender and the target. The issue, however, is not so much how many parties, but rather how many jurisdictions are involved and the respective legislation of those jurisdictions. In essence these are hard questions that need to be resolved. A further example occurred in May 2000 with the 'I Love You' virus, allegedly sent from the Philippines.

This virus is estimated to have caused damage well in excess of US$2 billion (http://news.cnet.com/news/0-1003-200-1814907.html?tag=rltdnws). Due to a lack of specific cybercrime legislation in the Philippines, the party responsible was not prosecuted. It is of interest that the Philippine government enacted the Electronic Commerce Act 2000 shortly after, with specific provisions against hacking, cracking and virus crimes. It can be seen from this that, in general, the country of origin is of more significance than the destination, as evidenced by the fact that countries like the United Kingdom that have cybercrime legislation were not able to pursue the 'I Love You' offender at law. From this, then, it would appear that a jurisdictive power, to be effective, must have specific power in the jurisdiction where the offense was committed and either power in, or an extradition agreement with, the country where the original offender resides. In addition there may need to be some form of mutual assistance treaty in existence with the wayside countries where the remote computers used to launch the attack may be located.

The Australian Cybercrime Bill 2001

This bill was introduced into the Australian parliament on the 27th of June 2001 and has passed through the House of Representatives with some amendments. Currently it is waiting to be reviewed by the Senate. As a result this bill is not law at this time, but it is believed that the substance of the bill will pass into law at some time in the foreseeable future.

Australian legal framework

Legal jurisdiction within Australia and its territories is divided between the federal government and the respective state or territory governments. The Commonwealth government has powers to legislate on cybercrime issues subject to two constraints. Firstly, it may legislate against any act against its own sites or equipment and, secondly, by authority under Section 51(V) of the telecommunications act it may legislate against any act involving the telecommunications infrastructure. Although the telecommunications act states "postal, telegraphic, telephonic, and other like services", the High Court of Australia has ruled in Jones v Commonwealth (1965) 112 CLR 206 that it extends to other forms of electronic communication (http://aph.gov.au/library/pubs/bd/2001-02/02bd048.htm). Clearly, then, the jurisdiction of this bill covers offenses committed against a federal government installation or any offense committed by use of the telecommunications system. By definition this includes internet attacks. Attacks within the bounds of a private local area network or physical attacks on equipment are not prosecutable under the provisions of this bill. Individual states' criminal codes have both the power and the responsibility to pursue offenders of this type. It is with this in mind that the Australian Federal Government has encouraged the States to adopt codes similar to those covered by federal statutes. To this end the Federal government has released a Model Criminal Code as a model document for the states and territories.

Current Australian State Legislation

As stated above, the various states and territories of Australia have a responsibility to provide complementary legislation to the bill as detailed within this paper. A brief review of the current state and territory legislation follows.

New South Wales

To date, only the New South Wales government has implemented complementary state level legislation to cover similar cybercrime issues. The Crimes Amendment (Computer Offenses) Bill 2001 amends the Crimes Act 1900 (http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082) by replacing sections 309(1) through 309(4) and section 310 with the new provisions in the inserted sections 308C through to 308I.

Briefly, the sections provide for the following offenses:

  • Section 308C - Unauthorised access, modification or impairment with intent to commit serious indictable offense
  • Section 308D - Unauthorised modification of data with intent to cause impairment
  • Section 308E - Unauthorised impairment of electronic communication
  • Section 308F - Possession of data with intent to commit computer offense
  • Section 308G - Producing, supplying or obtaining data with intent to commit computer offense
  • Section 308H - Unauthorised access to or modification of restricted data held in computer
  • Section 308I - Unauthorised impairment of data held in computer disk, credit card or other device

South Australia

South Australia has enacted Section 44 of the Summary Offenses Act 1953 (http://scaleplus.law.gov.au/html/sasact/0/373/top.htm) with the provision of the offense 'unlawful operation of computer system'. The section provides that a potential offender must operate the computer without proper authorisation and that the computer must be a restricted access system. No other provisions or offenses are addressed by this legislation.

Victoria

Within the state of Victoria, cybercrimes are covered under Section 9A of the Summary Offences Act 1966. This section states that "A person must not gain access to, or enter, a computer system or part of a computer system without lawful authority to do so" (http://www.austlii.edu.au/au/legis/vic/consol_act/soa1966189/). Quite plainly, this section does not cover anywhere near the breadth of the Commonwealth bill.

Queensland

Section 408D of the Criminal Code Act 1899 (http://www.austlii.edu.au/au/legis/qld/consol_act/cca1899115/) defines the offenses of computer hacking and misuse. The offenses covered are restricted to the use of a computer without consent and two variations of causing detriment or damage. The clause of the act applicable is dependent on the financial loss or damage sustained.

Western Australia

In the state of Western Australia, this area of law is covered by the Criminal Code Act Compilation Act 1913 - SCHEDULE 1 (http://www.austlii.edu.au/au/legis/wa/consol_act/ccaca1913252/sch1.html). Section 440 of this act was inserted in 1990 and provides in clause 2 for the offense of gaining access or operation without authority.

Tasmania

In Tasmania, the Criminal Code Act 1924 (http://www.thelaw.tas.gov.au/summarize/s/1/?ACTTITLE=%22CRIMINAL%20CODE%20ACT%201924%20(NO.%2069%20OF%201924)%22) provides in Schedule 1, Part VI - Crimes Relating to Property, Chapter XXVIIIA - Crimes Relating to Computers, Sections 257C through to Section 257F, the substance of its cybercrime legislation. Specific offenses are:

  • Section 257C - Damaging Computer Data
  • Section 257D - Unauthorised Access to a Computer
  • Section 257E - Insertion of False Information as Data

Australian Capital Territory

Within the Australian Capital Territory, Sections 135H through to 135L of the Crimes Act 1900 (http://www.austlii.edu.au/au/legis/act/consol_act/ca190082/) cover computer crimes. The 3 classes of offense are covered as follows:

  • Section 135J - Unlawful access to data in computer
  • Section 135K - Damaging data in computers. The criterion for this section to apply is for a person to "... intentionally or recklessly, and without lawful authority or excuse" (ibid.) cause the damage.
  • Section 135L - Dishonest use of computers

Northern Territory

Cybercrime legislation in the Northern Territory is covered in Sections 222 and 276 of the Criminal Code Act (http://scaleplus.law.gov.au/html/ntacts/0/56/0/NA000010.htm). Section 222 covers the unlawful obtaining of confidential information with the intent to cause loss. The only other offense covered is in Section 276, where the fraudulent alteration or destruction of data is addressed. Clearly the legislation in the Northern Territory only addresses the issues of data modification or deletion with the purpose of causing loss. None of the other provisions of the Cybercrime Bill are addressed.

Similarities to other International Legislation

Council of Europe Draft Convention

The Council of Europe draft convention (http://www.conventions.coe.int/treaty/EN/projects/FinalCyberRapex.htm) (note b) consists of a number of Titles that cover the various areas of interest in the cybercrime field. Specifically, Section 1 Title 1, "Offenses against the confidentiality, integrity and availability of computer data and systems", canvasses much the same issues as the proposed Part 10.7 Divisions 476 to 478 inclusive. The other titles, Title 2 through to Title 5, cover issues not specifically part of this paper; these include, but are not limited to, computer related fraud and forgery (Title 2), pornography (Title 3), copyright issues (Title 4) and corporate liability and sanctions (Title 5). Section 2, Procedural law, specifically addresses some of the issues in securing and maintaining digital evidence. In this light there are similarities between the 2nd Schedule of the Australian bill and these specific paragraphs of Section 2 of the Council of Europe draft.

Computer Misuse Act 1990

This act (http://www.ja.net/CERT/JANET-CERT/law/cma.html) specifically targets 3 offenses in sections 1 to 3 respectively. Section 1 relates to "unauthorised access to computer material". The wording of the act places more emphasis on the accessing of data as distinct from physical access to the computer hardware. As will be observed in other sections, the issue of intent is a basic prerequisite to the application of the section. Section 2, unauthorised access with intent to commit or facilitate commission of further offenses, further extends the provisions of section 1 above to subsequent access and/or assisting in access by other parties. Finally, Section 3 provides for jurisdictive power against unauthorised modification of computer contents. Of significance, this section stipulates in section 3(1)(b) that the offender must have "... the requisite intent and the requisite knowledge" (ibid). The inclusion of this sub-section opens up the possibility of an inept hacker avoiding the offense by proving lack of the necessary knowledge. This may not be as trivial as it first appears, as a novice, like a 'script kiddie', may be able to demonstrate that although they had intent, they lacked the required knowledge. Their justification would be that the hacking/cracking software that was used was written by another party and was used in much the same way that one may use a word processing package, that is, as a novice user. Although the Australian bill is purported to be based in part on the British Computer Misuse Act 1990, there appears to be little correlation between the two documents apart from the broad inclusion in the Australian bill of the 3 types of offense. In terms of the correlation between the definition and application of the relative sections, the British act defines access in terms of data and seems to allow an incompetence loophole in section 3. No provision is made for the Australian offenses of possession of hacking tools or the development of malicious code. The issues of search and seizure are covered in section 14 of the British legislation. The wording of the section permits the seizure of an 'article' and in this regard does not address the issue of data not being a physical entity. This is in stark contrast to the Australian bill, where the non-material nature of data is recognised.

The Cybercrime Bill 2001 - Specific Provisions and Reservations

The bill (http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=2&resultsID=6vbqx) consists of two schedules. The first schedule, as it relates to this paper, specifically Part 10.7 - Computer offenses, is further divided into divisions 476 to 478 inclusive. Although the bill is largely self explanatory, there are some sections that require some explanation, as detailed below.

Division 476.3 - Geographical jurisdiction

This section draws on the geographic jurisdiction definition as set out in Section 51.1 of the Criminal Code. Specifically it provides for jurisdiction within the following areas:

1. where the offence occurs partly or wholly within Australia or on board an Australian ship or aircraft;
2. where the result of the offence occurs partly or wholly within Australia or on board an Australian ship or aircraft;
3. where the party committing the offence is either an Australian citizen or an Australian company.

478.3 Possession or control of data with intent to commit a computer offense

Possession or control of data in this context relates specifically, but not exclusively, to the possession of software tools designed to exploit vulnerabilities or to probe a system for vulnerabilities. Covered in this group are software tools such as SATAN, Nessus, and the like. This clause is somewhat akin to being in possession of breaking tools. Whereas the breaking tools offense relies in part on the physical location of the suspect while in possession of the tools, clause 478.3 relies on the intent of the person in possession of the tools.

During the public submission phase of this bill, a number of civil rights groups pointed to the possibility of SysAdmins, security consultants and the like being caught in the net of this clause, even though they had legitimate cause to have the tools in their possession. The inclusion of the intention criterion substantially protects those with legitimate cause and reason from inappropriate application of the provisions of this section of the bill.

478.4 Producing, supplying or obtaining data with intent to commit a computer offense

This section of the bill non-exclusively addresses the issues surrounding the production and supply of computer viruses and malicious software. Once again civil rights groups were quick to point out that there are legitimate scenarios where a person could be brought to charge under the provisions of this section. One such situation is where a SysAdmin transmits a virus to a virus protection firm so that they may be able to extract its signature. Another potential case would be where a SysAdmin or similar writes a script or software module to test their own system for a vulnerability. Once again, the specification in subsection (1)(b) that "the person does so with the intention" mitigates the fears of the civil rights groups.

Second Schedule

Within the second Schedule there are a number of subsections of relevance, specifically in regard to the Crimes Act 1914 and the Customs Act 1901. The provisions of the bill are materially the same for both acts, and this paper will cover only the Crimes Act references for the sake of brevity. Subsection 3K(2) provides for the movement of an item from a premises to another place for examination. Relatedly, Subsection 3K(3) allows for the item to be moved to another place for examination for a period of up to 72 hours. A recommendation to extend the period from 72 hours to 5 days is proposed in paragraph 2.64 of the "Inquiry into the Provisions of the Cybercrime Bill 2001, August 2001". Contrastingly, "Additional Comments by the Labor Senators" in the same paper (Labor is the opposition party in federal parliament at this time), Clause 1.134, points out the possible serious commercial consequences of the 5 day retention. Subsection 3K(2) correlates to the Council of Europe Draft Section 2, Title 4, Search and seizure of stored computer data, Article 19.

This article provides for the search and seizure of computer data, as most legislation provides only for search and seizure of tangible objects and data is clearly not tangible. Paragraphs 1 and 2 relate specifically to the seizure of data, whereas provision is made in paragraph 3 for the seizure of physical hardware. Paragraph 3 effectively covers the situation where the data is not readily accessible, possibly due to the use of a unique operating system or the use of an encryption or steganographic scheme on either part or the whole of the disk. Subsection 3L(1) gives certain parties, specifically the executing officer or a constable, the authority to operate electronic equipment to access and copy data to another medium. To further enhance these powers, Subsection 3LA provides the power, upon application to a magistrate, for an order to require a specified person to provide information or assistance to allow access to the data. This includes, but does not appear to be limited to, the provision of passwords or passphrases. This provision is the most controversial in the entire bill. In this regard, numerous civil rights groups have pointed out in submissions to the Inquiry into the Provisions of the Cybercrime Bill 2001 that the provision of passwords or passphrases is a contravention of personal privacy rights. One organisation, Electronic Frontiers Australia, rightly pointed out that a passphrase may be used to digitally sign a document:

"A further problem is that a single encryption key often serves the dual purpose of ensuring confidentiality and providing secure authentication of the signatory to a document (through a digital signature). Revealing the key (or the passphrase thereto) can therefore compromise the integrity of the owner's digital signature. (It should be noted that the person on whom the assistance order is served is not necessarily assumed to be guilty of an offence)." (http://www.efa.org.au/Analysis/cybercrime_bill.htm)

Many civil rights groups suggested that this provision was unique to this legislation and was not found anywhere else; however, Section 2 - Procedural Law of the Council of Europe Final Draft Explanatory Report to the Convention on Cybercrime does address this same issue in Title 3, Article 18, Production Order: the requirement for Parties to submit subscriber information. The production order appears to relate specifically to ISPs or organisations that collect traffic and other data as it passes through their sites or routers. Its inclusion appears on the surface to be intended to circumvent the issue of an ISP breaking disclosure/non-disclosure provider contracts, by legally requiring the provider to supply the data. Although nothing in this title is as far reaching as the provisions of Paragraph 3LA, it does show intent to obtain data from third parties by order. Continuing in this vein, paragraph 4 of Section 2 of Title 4 does introduce the ability to compel a system administrator or similar person to assist. Of significance, the Council of Europe states that the provision of the necessary information could be deemed the disclosure, thus circumventing the issue of revealing passwords. This title appears to revolve around non-disclosure agreements imposed on individuals such as SysAdmins, and this provision is designed to circumvent that without exposing them to civil or legal action following a disclosure. The Australian legislation, however, appears much broader and provides for the person suspected of the offense, or the owner, or an employee of the owner being compelled to provide the assistance. Civil rights groups have pointed out that the inclusion of the person suspected of the offence raises issues of self-incrimination. The Bills Digest for the Cybercrime Bill 2001 (Bills Digest 48 2001-02) partly addresses this issue in that an assistance order is different: it does not require a person to produce particular data; it specifically requires the person to provide the assistance necessary to enable a law enforcement officer to get open access to the computer.

A parallel is drawn with common law, where a person cannot refuse access to physical premises under privilege against self-incrimination. Given that passphrases in particular have the potential of establishing identity through digital signature, this author considers the provision of a passphrase equivalent to handing over one's identity. This issue needs further clarification as to whether the courts would see the provision of an open system, or the decryption of the files and/or disks, as complying with the assistance order, as is the case with the Council of Europe draft.

Conclusion

The introduction, and the almost certain passing, of the Cybercrime Bill will bring a level of legal accountability to those persons who commit cybercrime within Australia and its jurisdictions. However, in light of the lack of effective legislation in all states except New South Wales, it can be seen that Australia is still far from having the legislative framework to bring cybercrime offenders to account in the court system. Internationally, the bill attempts to bring Australia significantly into line with both its historical sovereign and the Council of Europe.

References (note a)

ACT Consolidated Legislation, Crimes Act 1900, at http://www.austlii.edu.au/au/legis/act/consol_act/ca190082/
Baker & McKenzie, Australia e-commerce legislation and regulations, Computer Crime, at http://www.bmck.com/ecommerce/australia/australia_crime.htm
CERT/CC Statistics 1988-2001, at http://www.cert.org/stats/cert_stats.html
Computer Security Institute, Computer Security Issues and Trends: 2001 CSI/FBI Computer Crime and Security Survey, Vol. VII, No. 1 (Spring 2001), at http://www.gocsi.com/pdfs/fbi/FBIsurvey.pdf
Electronic Frontiers Australia Inc, EFA Commentary on the Cybercrime Bill 2001, at http://www.efa.org.au/Analysis/cybercrime_bill.htm
European Committee on Crime Problems (CDPC), Council of Europe - Final Draft Explanatory Report to the Convention on Cyber-crime, at http://www.conventions.coe.int/treaty/EN/projects/FinalCyberRapex.htm (note b)
Frequently Asked Questions and Answers about the Council of Europe Convention on Cybercrime (Draft 24REV2), at http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm
Gregor Urbas, Cybercrime Legislation in the Asia Pacific Region, April 2001, at http://www.aic.gov.au/conferences/other/cybercrime_asia.pdf
New South Wales Parliament, Crimes Act 1900, at http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082
Northern Territory Government, Criminal Code Act, at http://scaleplus.law.gov.au/html/ntacts/0/56/0/NA000010.htm
Parliament of Australia, Parliamentary Library, Cybercrime Bill 2001 (Bills Digest 48 2001-02), at http://aph.gov.au/library/pubs/bd/2001-02/02bd048.htm
Paul Festa and Joe Wilcox, Experts estimate damages in the billions for bug, CNET News.com, May 5, 2000, at http://news.cnet.com/news/0-1003-200-1814907.html?tag=rltdnws
Queensland Parliament, Criminal Code Act 1899, at http://www.austlii.edu.au/au/legis/qld/consol_act/cca1899115/
Shields Up!, at http://www.grc.com
South Australian Parliament, Summary Offenses Act 1953, at http://scaleplus.law.gov.au/html/sasact/0/373/top.htm
Stein Schjolberg, The Legal Framework - Unauthorised Access to Computer Systems: Penal Legislation in 41 Countries, at http://www.mosbyrett.of.no/info/legal.html
Susan W Brenner, State Cybercrime Legislation in the United States of America: A Survey, 7 RICH. J.L. & TECH. 28 (Winter 2001), at http://www.richmond.edu/jolt/v7i3/article2.html
The Department of Premier and Cabinet, Criminal Code Act 1924, at http://www.thelaw.tas.gov.au/summarize/s/1/?ACTTITLE=%22CRIMINAL%20CODE%20ACT%201924%20(NO.%2069%20OF%201924)%22
The Parliament of the Commonwealth of Australia, Senate Legal and Constitutional Legislation Committee, Inquiry into the Provisions of the Cybercrime Bill 2001, at http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm
The Parliament of the Commonwealth of Australia, The House of Representatives, Cybercrime Bill 2001, Explanatory Memorandum, at http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=1&resultsID=6vbqx
United Kingdom Parliament, Computer Misuse Act 1990, at http://www.ja.net/CERT/JANET-CERT/law/cma.html
Victorian Parliament, Summary Offenses Act 1966, at http://www.austlii.edu.au/au/legis/vic/consol_act/soa1966189/
Western Australian Parliament, Criminal Code Act Compilation Act 1913 - SCHEDULE 1, at http://www.austlii.edu.au/au/legis/wa/consol_act/ccaca1913252/sch1.html

Note a: The citation for Susan W Brenner is cited as requested on The Richmond Journal of Law and Technology site; accordingly, all other citations have been cited in the same form to ensure continuity throughout this paper.

Note b: Since the preparation of this paper the Council of Europe has changed the status of this document from draft to Convention on Cybercrime. As a result the web links to the draft have become redundant. Consideration was given to the option of updating the web links to the new document; however, since the Australian legislation was based on the Draft and not the final document, the author considered the historical links to be a true indication of the sources of the Australian legislation. Accordingly, the links have been listed, but not hyperlinked as active.
