
Cybercrime Legislation - The Kangaroo Perspective

David Teisseire
Version 1.2f (August 13, 2001)

"The most effective means of preventing unauthorised access is, of course,
the introduction and development of effective security measures."
Council of Europe - Final Draft Explanatory Report to the Convention on Cyber-crime

Introduction

In light of the Cybercrime Bill recently introduced into the Australian Parliament, it is a good time to
review the provisions of this bill and to look at the broader issues of cyber crime legislation. As with any
paper relating to computer and internet issues, the information contained could change very rapidly, and
as such readers are encouraged to review the relevant source documents from the respective sites for any
updates.

Initially, this paper was to compare the Australian legislation with the rest of the world to establish the
baseline level of compliance with other legislations. However, upon review it was discovered that there is
almost a singular lack of consistency on which to compare the various national and regional acts. With
this in mind, the brief was amended to review the Australian Bill, its relevance to Australian statutes and
those documents that the bill was modelled on; namely the Council of Europe Draft Convention on Cyber-
crime and the UK Computer Misuse Act 1990.

The Need

There seems little doubt that there is an urgent need for a universal cybercrime legislative framework. The
number of incidents reported to organisations like CERT rose from just under 10,000 (9,859) in 1999
to nearly 22,000 (21,756) for 2000. The trend continued with almost 35,000 (34,754) reported incidents
for the first 3 quarters of 2001 (http://www.cert.org/stats/cert_stats.html). The doubling of internet crime
and malicious damage during those years highlights not only the need for proactive action by
SysAdmins but also the need for dramatic and timely changes to cybercrime legislation throughout the world.

This area of law is one of rapid change but also one of jurisdictional challenges. The Internet by its very
nature transcends physical national boundaries. Issues such as the country of origin of a cyber attack as
well as the target destination must be taken into account. In the situation where the physical hardware for
the attack is located in a third country, the problems are further compounded.

A not uncommon situation is where an attacker has control over a number of computers located in a
number of different countries. This was the case in the attacks on Steve Gibson's 'Shields Up!' site
during May and June 2001 (http://www.grc.com). On the 4th of May 2001, 474 Windows based PCs
mounted a Ping attack on the grc server; later, on the 20th June 2001, a further 195 machines conducted an
ICMP flood attack on the same site. Steve Gibson identified the IP addresses of the attacking machines in
June and discovered that, in addition to a large number of US based machines, there were computers
located in Australia, the United Kingdom, Japan, Finland and the Netherlands. In a scenario like this, who has
legislative power to prosecute? Is it the country of origin of the attack, or the destination of the attack, or
the country where the original perpetrator is located? In a situation like this there is a glaring need for a
universal cybercrime code and mutual assistance pacts to bring the offender to justice.

In addition, there is the issue of the number of potential parties involved in any legal proceedings. In the
June 2001 attack on 'Shields UP!', there appear to be some 195 parties in addition to the offender and the
target. The issue, however, is not so much how many parties, but rather how many jurisdictions are
involved and the respective legislation of those jurisdictions. In essence these are hard questions that
need to be resolved.

A further example occurred in May 2000 with the 'I Love You' virus, allegedly sent from the Philippines.
This virus is estimated to have caused damage well in excess of US$2 billion
(http://news.cnet.com/news/0-1003-200-1814907.html?tag=rltdnws). Due to a lack of specific cybercrime
legislation in the Philippines, the party responsible was not prosecuted. It is of interest that the Philippine
government enacted the Electronic Commerce Act 2000 shortly after, with specific provisions against
hacking, cracking and virus crimes.

It can be seen from this that, in general, the country of origin is of more significance than the destination,
as evidenced by the fact that countries like the United Kingdom that have cyber crime legislation were
not able to pursue the 'I Love You' offender at law. From this, then, it would appear that a jurisdictional
power, to be effective, must have specific power in the jurisdiction where the offense was committed
and either power or an extradition agreement with the country where the original offender resides. In
addition there may need to be some form of mutual assistance treaty in existence with the wayside
countries where the remote computers used to launch the attack may be located.

The Australian Cybercrime Bill 2001

This bill was introduced into the Australian parliament on the 27th June 2001 and has passed through the
House of Representatives with some amendments. Currently it is waiting to be reviewed by the Senate.
As a result this bill is not law at this time but it is believed that the substance of the bill will pass into law
at some time in the foreseeable future.

Australian legal framework

Legal jurisdiction within Australia and its territories is divided between the federal government and
the respective state or territory governments. The Commonwealth government has powers to legislate on
cybercrime issues subject to two constraints. Firstly, it may legislate against any act against its own sites
or equipment and, secondly, by authority under Section 51(V) of the telecommunications act, it may
legislate against any act involving the telecommunications infrastructure. Although the
telecommunications act states "postal, telegraphic, telephonic, and other like services", the High Court of
Australia has ruled in Jones v Commonwealth (1965) 112 CLR 206 that it extends to other forms of
electronic communication (http://aph.gov.au/library/pubs/bd/2001-02/02bd048.htm). Clearly then, the
jurisdiction of this bill covers offenses committed against either a federal government installation or any
offense committed by use of the telecommunications system. By definition this includes internet attacks.

Attacks within the bounds of a private local area network or physical attacks on equipment are not
prosecutable under the provisions of this bill. Individual states' criminal codes have both the power and
the responsibility to pursue offenders of this type. It is with this in mind that the Australian Federal
Government has encouraged the States to adopt codes similar to those covered by federal statutes. To this
end the Federal government has released a Model Criminal Code as a model document for the states and
territories.

Current Australian State Legislation

As stated above, the various states and territories of Australia have a responsibility to provide
complementary legislation to the bill as detailed within this paper. A brief review of the current state and
territory legislation follows.

New South Wales

To date, only the New South Wales government has implemented complementary state level legislation to
cover similar cybercrime issues. The Crimes Amendment (Computer Offenses) Bill 2001 amends the
Crimes Act 1900 (http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082) by replacing sections
309(1) through 309(4) and section 310 with the new provisions in the inserted sections 308C through to
308I.

Briefly, the sections provide for the following offenses:

Section 308C Unauthorised access, modification or impairment with intent to commit serious indictable
offense

Section 308D Unauthorised modification of data with intent to cause impairment

Section 308E Unauthorised impairment of electronic communication

Section 308F Possession of data with intent to commit computer offense

Section 308G Producing, supplying or obtaining data with intent to commit computer offense

Section 308H Unauthorised access to or modification of restricted data held in computer

Section 308I Unauthorised impairment of data held in computer disk, credit card or other device

South Australia

South Australia has enacted Section 44 of the Summary Offenses Act 1953
(http://scaleplus.law.gov.au/html/sasact/0/373/top.htm) with the provision of the offense 'unlawful
operation of computer system'. The section provides that a potential offender must operate the computer
without proper authorisation and that the computer must be a restricted access system. No other
provisions or offenses are addressed by this legislation.

Victoria

Within the state of Victoria, cybercrimes are covered under Section 9A of the Summary Offences Act
1966. This section states that "A person must not gain access to, or enter, a computer system or part of a
computer system without lawful authority to do so"
(http://www.austlii.edu.au/au/legis/vic/consol_act/soa1966189/). Quite plainly this section does not cover
anywhere near the breadth of the Commonwealth bill.

Queensland

Section 408D of the Criminal Code Act 1899
(http://www.austlii.edu.au/au/legis/qld/consol_act/cca1899115/) defines the offenses of computer
hacking and misuse. The offenses covered are restricted to the use of a computer without consent and two
variations of causing detriment or damage. The clause of the act applicable is dependent on the financial
loss or damage sustained.

Western Australia

In the state of Western Australia, this area of law is covered by the Criminal Code Act Compilation Act
1913 - SCHEDULE 1 (http://www.austlii.edu.au/au/legis/wa/consol_act/ccaca1913252/sch1.html).
Section 440 of this act was inserted in 1990 and provides in clause 2 for the offense of
gaining access or operation without authority.

Tasmania

In Tasmania, the Criminal Code Act 1924 (http://www.thelaw.tas.gov.au/summarize/s/1/?ACTTITLE=%22CRIMINAL%20CODE%20ACT%201924%20(NO.%2069%20OF%201924)%22) provides in
Schedule 1, Part VI - Crimes Relating to Property, Chapter XXVIIIA - Crimes Relating to Computers,
Sections 257C through to Section 257F the substance of their cybercrime legislation. Specific offenses
are:

Section 257C - Damaging Computer Data

Section 257D - Unauthorised Access to a Computer

Section 257E - Insertion of False Information as Data

Australian Capital Territory

Within the Australian Capital Territory, Sections 135H through to Section 135L of the Crimes Act 1900
(http://www.austlii.edu.au/au/legis/act/consol_act/ca190082/) cover computer crimes. The 3 classes of
offense are covered as follows:

Section 135J, Unlawful access to data in computer

Section 135K, Damaging data in computers. The criterion for this section to apply is for a person to "...
intentionally or recklessly, and without lawful authority or excuse" (ibid.) to cause the damage.

Section 135L, Dishonest use of computers

Northern Territory

Cybercrime legislation in the Northern Territory is covered in Sections 222 and 276 of the Criminal Code
Act (http://scaleplus.law.gov.au/html/ntacts/0/56/0/NA000010.htm). Section 222 covers the unlawful
obtaining of confidential information with the intent to cause loss. The only other offense covered is in
Section 276, where the fraudulent alteration or destruction of data is addressed. Clearly the legislation in
the Northern Territory only addresses the issues of data modification or deletion with the purpose of
causing loss. None of the other provisions of the Cybercrime Bill are addressed.

Similarities to other International Legislation

Council of Europe Draft Convention

The Council of Europe draft convention
(http://www.conventions.coe.int/treaty/EN/projects/FinalCyberRapex.htm) (note b) consists of a number
of Titles that cover the various areas of interest in the cybercrime field. Specifically Section 1 Title 1,
"Offenses against the confidentiality, integrity and availability of computer data and systems",
canvasses much the same issues as the proposed Part 10.7 Divisions 476 to 478 inclusive.

The other titles, Title 2 through to Title 5, cover issues not specifically part of this paper; these include, but
are not limited to, computer related fraud and forgery (Title 2), pornography (Title 3), copyright issues
(Title 4) and corporate liability and sanctions (Title 5).

Section 2, Procedural law, specifically addresses some of the issues in securing and maintaining digital
evidence. In this light there are similarities between the 2nd Schedule of the Australian bill and these
specific paragraphs of Section 2 of the Council of Europe draft.

Computer Misuse Act 1990

This act (http://www.ja.net/CERT/JANET-CERT/law/cma.html) specifically targets 3 offenses in
sections 1 to 3 respectively. Section 1 relates to "unauthorised access to computer material". The wording
of the act places more emphasis on the accessing of data as distinct from the physical access of the computer
hardware. As will be observed in other sections, the issue of intent is a basic prerequisite to the
application of the section.

Section 2, unauthorised access with intent to commit or facilitate commission of further offenses, further
extends the provisions of section 1 above to subsequent access and/or assisting in access by other
parties.

Finally, Section 3 provides for jurisdictional power against unauthorised modification of computer
contents. Of significance, this section stipulates in section 3(1)(b) that the offender must have "... the
requisite intent and the requisite knowledge" (ibid). The inclusion of this sub-section opens up the
possibility of an inept hacker avoiding the offense by proving lack of the necessary knowledge. This may
not be as trivial as it first appears, as a novice, like a 'script kiddie', may be able to demonstrate that
although they had intent, they lacked the required knowledge. Their justification would be that the
hacking/cracking software that was used was written by another party and was used in much the same
way that one may use a word processing package, that is, as a novice user.

Although the Australian bill is purported to be based in part on the British Computer Misuse Act 1990,
there appears to be little correlation between the two documents apart from the broad inclusion in the
Australian bill of the 3 types of offense. In terms of the correlation between the definition and application
of the respective sections, the British act defines access in terms of data and seems to allow an incompetence
loophole in section 3. No provision is made for the Australian offenses of possession of hacking tools or
the development of malicious code.

The issues of search and seizure are covered in section 14 of the British legislation. The wording of the
section permits the seizure of an 'article' and in this regard does not address the issue of data not being a
physical entity. This is in stark contrast to the Australian bill, where the non-material nature of data is
recognised.

The Cybercrime Bill 2001 Specific Provisions and Reservations

The bill (http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=2&resultsID=6vbqx) consists
of two schedules. The first schedule, as it relates to this paper, specifically Part 10.7 - Computer offenses,
is further divided into divisions 476 to 478 inclusive. Although the bill is largely self explanatory, there
are some sections that require some explanation, as detailed below.

Division 476.3 - Geographical jurisdiction.

This section draws on the geographic jurisdiction definition as set out in Section 51.1 of the Criminal
Code. Specifically it provides for jurisdiction in the following cases:

1. where the offence occurs partly or wholly within Australia or on board an Australian ship or aircraft.

2. where the result of the offence occurs partly or wholly within Australia or on board an Australian ship
or aircraft.

3. where the party committing the offence is either an Australian citizen or an Australian company.

478.3 Possession or control of data with intent to commit a computer offense.

Possession or control of data in this context relates specifically, but not exclusively, to the possession of
software tools designed to exploit vulnerabilities or to probe a system for vulnerabilities. Covered in this
group are software tools such as SATAN, Nessus, and the like. This clause is somewhat akin to being in
possession of breaking tools. Whereas the breaking tools offense relies in part on the physical location of
the suspect while in possession of the tools, clause 478.3 relies on the intent of the person in possession of
the tools. During the public submission phase of this bill, a number of civil rights groups pointed to the
possibility of SysAdmins, security consultants and the like being caught in the net of this clause, even
though they had legitimate cause to have the tools in their possession. The inclusion of the intention
criterion substantially protects those with legitimate cause and reason from inappropriate application of the
provisions of this section of the bill.

478.4 Producing, supplying or obtaining data with intent to commit a computer offense.

This section of the bill non-exclusively addresses the issues surrounding the production and supply of
computer viruses and malicious software. Once again civil rights groups were quick to point out that there
are legitimate scenarios where a person could be brought to charge under the provisions of this section.
One such situation is where a SysAdmin transmits a virus to a virus protection firm so that they may be
able to extract its signature. Another potential case would be where a SysAdmin or similar writes a
script or software module to test their own system for a vulnerability. Once again the specification in sub-
section (1)(b) that "the person does so with the intention" mitigates the fears of the civil rights
groups.

Second Schedule

Within the second Schedule, there are a number of subsections of relevance, specifically in regard to the
Crimes Act 1914 and Customs Act 1901. The provisions of the bill are materially the same for both acts
and this paper will cover only the Crimes Act references for the sake of brevity.

Subsection 3K(2) provides for the movement of an item from premises to another place for examination.
Relatedly, Subsection 3K(3) allows for the item to be moved to another place for examination for a period
of up to 72 hours. A recommendation to extend the period from 72 hours to 5 days is proposed in
paragraph 2.64 of the "Inquiry into the Provisions of the Cybercrime Bill 2001, August 2001".
Contrastingly, "Additional Comments by the Labor Senators", in the same paper (Labor is the
opposition party in federal parliament at this time), Clause 1.134, points out the possible serious
commercial consequences of the 5 day retention.

Subsection 3K(2) correlates to the Council of Europe Draft Section 2, Title 4, Search and seizure of
stored computer data, Article 19. This article provides for the search and seizure of computer data, as
most legislations provide only for search and seizure of tangible objects and data is clearly not tangible.
Paragraphs 1 and 2 relate specifically to the seizure of data, whereas provision is made in paragraph 3 for
the seizure of physical hardware. Paragraph 3 effectively covers the situation where the data is not
readily accessible, due possibly to the use of a unique operating system or the use of an encryption or
steganographic scheme on either part or the whole of the disk.

Subsection 3L(1) gives certain parties, specifically the executing officer or a constable, the authority to
operate electronic equipment to access and copy data to another media. To further enhance these powers
Subsection 3LA provides the power upon application to a magistrate for an order to require a specified
person to provide information or assistance to allow access to the data. This includes but does not appear
to be limited to the provision of passwords or passphrases. This provision is the most controversial in the
entire bill.

In this regard, numerous civil rights groups have pointed out in submissions to the Inquiry into the
Provisions of the Cybercrime Bill 2001, that the provision of passwords or passphrases is a contravention
of personal privacy rights. One organisation, Electronic Frontiers Australia, rightly pointed out that a
passphrase may be used to digitally sign a document.

"A further problem is that a single encryption key often serves the dual purpose
of ensuring confidentiality and providing secure authentication of the
signatory to a document (through a digital signature). Revealing
the key (or the passphrase thereto) can therefore compromise the integrity
of the owner's digital signature. (It should be noted that the person
on whom the assistance order is served is not necessarily assumed to be
guilty of an offence)."
(http://www.efa.org.au/Analysis/cybercrime_bill.htm)

Many civil rights groups suggested that this provision was unique to this legislation and was not found
anywhere else; however, Section 2 - Procedural Law of the Council of Europe Final Draft Explanatory
Report to the Convention on Cybercrime does address this same issue in Title 3, Article 18, Production
Order, the requirement for Parties to submit subscriber information.

The production order appears to relate specifically to ISPs or organisations that collect traffic and other
data as it passes through their sites or routers. On the surface, its inclusion appears intended to
circumvent the issue of an ISP breaking disclosure/non-disclosure provider contracts, by legally requiring
the provider to supply the data. Although nothing in this title is as far reaching as the provisions of
Paragraph 3LA, it does show intent to obtain data from third parties by order.

Continuing in this vein, paragraph 4 of Section 2, Title 4 does introduce the ability to compel a system
administrator or similar person to assist. Of significance, the Council of Europe states that the provision
of the necessary information could be deemed the disclosure, thus circumventing the issue of revealing
passwords. This title appears to revolve around non-disclosure agreements imposed on individuals such
as SysAdmins, and this provision is designed to circumvent that without exposing them to civil or legal
action following a disclosure. The Australian legislation, however, appears much broader and provides for
the person suspected of the offense, or the owner, or an employee of the owner being compelled to provide
the assistance. Civil rights groups have pointed out that the inclusion of the person suspected of the
offence raises issues of self incrimination. The Cybercrime Bill 2001 (Bills Digest 48 2001-02) partly
addresses this issue in that an assistance order is different in that it does not require a person to produce
particular data; it specifically requires the person to provide the assistance necessary to enable a law
enforcement officer to get open access to the computer.

A parallel is drawn with common law, where a person cannot refuse access to physical premises under
privilege against self-incrimination. Given that passphrases in particular have the potential of
establishing identity through digital signature, this author considers the provision of a passphrase
equivalent to handing over one's identity. This issue needs further clarification, as to whether the courts
would see the provision of an open system or the decryption of the files and/or disks as complying
with the assistance order, as is the case with the Council of Europe draft.

Conclusion

The introduction, and the almost certain passing, of the Cybercrime Bill will bring a level of legal
accountability to those persons who commit cybercrime within Australia and its jurisdictions. However,
in light of the lack of effective legislation in all states except New South Wales, it can be seen that
Australia is still far from having the legislative framework to bring cyber crime offenders to account in
the court system. Internationally, the bill attempts to bring Australia significantly into line with both its
historical sovereign and the Council of Europe.

References (note a)

ACT Consolidated Legislation, Crimes Act 1900, at
http://www.austlii.edu.au/au/legis/act/consol_act/ca190082/

Baker & McKenzie, Australia e-commerce legislation and regulations, Computer Crime, at
http://www.bmck.com/ecommerce/australia/australia_crime.htm

CERT/CC Statistics 1988-2001, at http://www.cert.org/stats/cert_stats.html

Computer Security Institute, Computer Security Issues and Trends: 2001 CSI/FBI Computer Crime and
Security Survey, VOL. VII, NO.1 (Spring 2001), at http://www.gocsi.com/pdfs/fbi/FBIsurvey.pdf

Electronic Frontiers Australia Inc, EFA Commentary on the Cybercrime Bill 2001, at
http://www.efa.org.au/Analysis/cybercrime_bill.htm

European Committee on Crime Problems (CDPC), Council of Europe - Final Draft Explanatory Report to
the Convention on Cyber-crime, at
http://www.conventions.coe.int/treaty/EN/projects/FinalCyberRapex.htm (note b)

Frequently asked Questions and Answers about the Council of Europe Convention on Cybercrime (Draft
24REV2), at http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm

Gregor Urbas, Cybercrime Legislation in the Asia Pacific Region, April 2001 at,
http://www.aic.gov.au/conferences/other/cybercrime_asia.pdf

New South Wales Parliament, Crimes Act 1900, at
http://www.austlii.edu.au/au/legis/nsw/consol_act/ca190082

Northern Territory Government, Criminal Code Act, at
http://scaleplus.law.gov.au/html/ntacts/0/56/0/NA000010.htm

Parliament of Australian Parliamentary Library, Cybercrime Bill 2001 (Bills Digest 48 2001-02), at
http://aph.gov.au/library/pubs/bd/2001-02/02bd048.htm

Paul Festa and Joe Wilcox, Experts estimate damages in the billions for bug, CNET News.com May 5,
2000, at http://news.cnet.com/news/0-1003-200-1814907.html?tag=rltdnws

Queensland Parliament, Criminal Code Act 1899, at
http://www.austlii.edu.au/au/legis/qld/consol_act/cca1899115/

Shields Up! at http://www.grc.com

South Australian Parliament, Summary Offenses Act 1953, at
http://scaleplus.law.gov.au/html/sasact/0/373/top.htm

Stein Schjolberg, The Legal framework- Unauthorised Access to Computer Systems Penal Legislation in
41 countries, at http://www.mosbyrett.of.no/info/legal.html

Susan W Brenner, State Cybercrime Legislation in the United States of America: A Survey; 7 RICH. J.L.
& TECH. 28 (Winter 2001), at
http://www.richmond.edu/jolt/v7i3/article2.html

The Department of Premier and Cabinet, Criminal Code Act 1924, at
http://www.thelaw.tas.gov.au/summarize/s/1/?ACTTITLE=%22CRIMINAL%20CODE%20ACT%201924%20(NO.%2069%20OF%201924)%22

The Parliament of the Commonwealth of Australia, Senate Legal and Constitutional Legislation
Committee, Inquiry into the Provisions of the Cybercrime Bill 2001, at
http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime.htm

The Parliament of the Commonwealth of Australia, The House of Representatives, Cybercrime Bill 2001,
Explanatory Memorandum, at http://search.aph.gov.au/search/ParlInfo.ASP?action=view&item=1&resultsID=6vbqx

United Kingdom Parliament, Computer Misuse Act 1990, at http://www.ja.net/CERT/JANET-CERT/law/cma.html

Victorian Parliament, Summary Offenses Act 1966, at
http://www.austlii.edu.au/au/legis/vic/consol_act/soa1966189/

Western Australian Parliament, Criminal Code Act Compilation Act 1913 - SCHEDULE 1, at
http://www.austlii.edu.au/au/legis/wa/consol_act/ccaca1913252/sch1.html

note a
The citation for Susan W Brenner is given in the form requested on The Richmond Journal of Law and Technology
site; accordingly, all other citations have been given in the same form to ensure continuity throughout this
paper.

note b
Since the preparation of this paper the Council of Europe has changed the status of this document from
draft to Convention on Cybercrime. As a result the web links to the draft have become redundant.
Consideration was given to the option of updating the web links to the new document, however, since the
Australian legislation was based on the Draft and not the final document, the author considered the
historical links to be a true indication of the sources of the Australian legislation. Accordingly, the links
have been listed, but not hyperlinked as active.
