A) Statement
A comparison of the UK Computer Misuse Act (1990) with other European Computer Misuse Act, and the Singapore Act of 1993, and a discussion on how realistic such legislation is in practical use.
B) Introduction
Information technology today is encompassing all walks of life all over the world. The technological developments in the concept of computing, network and software engineering have helped in transition from paper to paperless transactions and Bi-media (text and data) to multimedia . Today, speed, efficiency, and accuracy in information exchange have become key tools for boosting innovations, creativity and increasing productivity. Activities as diverse as banking, healthcare, education, manufacturing, retailing, entertainment and mass media have come to depend on the ability to generate, access, store and transmit information. Computers are not only used extensively to perform the industrial and economic functions of society but are also used to perform many functions upon which human life is dependent. Medical treatment, air traffic control, industrial controlled and national security are few examples. Even a small glitch in the operation of the systems can put human lives in danger. Computers are also used to store confidential data of a political, social, economic or personal nature. Society’s dependence on computer systems, therefore, has a profound human dependence. The rapid development of computer telecommunication and other technology has led to the growth of new forms of transnational crime, especially computer related crime. Computer-related crime has virtually no boundaries and does or may affect every country in this world. To meet the challenge posed by new kinds of crime made possible by computer technology including telecommunication, many of the countries, largely industrialised and some of those which are moving towards industrialisation have in the past ten years reviewed their respective domestic criminal laws from the point of adaptation, further development and supplementation so as to prevent computer related crime. A number of countries have already introduced more or less extensive amendments by adding new statutes in their substantive criminal law. These are USA, Austria, Denmark, France Germany, Greece, Finland, Italy, Turkey, Sweden, Switzerland, Australia, Canada and Japan. United States have made numerous amendments to the law of federal and constituent level. Countries like Spain, Portugal, UK, Malaysia and Singapore have made isolated supplements by enacting new Acts to prevent computer -related crimes.
I) Comparison Computer Misuse Acts
The Computer Misuse Acts of the countries of the United Kingdom, Germany, and Singapore will be presented and evaluated in comparison to each others system and values.
1) Computer Misuse Act of the UK
There are basically two acts relating to top computer usage that have been passed by the British government, the Data Protection Act of 1984, and the Computer Misuse Act of 1990[1]. The first act generally deals with the actual procurement and use of personal data, while the second act defines the laws, procedures, and penalties surrounding unauthorized entry into computers. The next two paragraphs will go into more detail as to what exactly these two pieces of legislation encompass.
a. Background
The Data Protection Act of 1984[2] is divided into eight basic principles. The first deals with procurement of data, and generally outlines ways in which data may be processed fairly and lawfully. The next principle deals with the possession of data, and that it should only be held in a specified and lawful manner for a specific purpose. The third item states that data will not used or disclosed for anything other than its intended purpose. The fourth says that once that purpose is finished, is should be disposed of immediately and properly. The following two principles mandate the integrity of the data, stating that it should remain relevant and viable for its intended purpose, and should be kept accurate and up to date at all times. Finally, the last two points deal with the actual ownership of data, saying that it is up to the data user to maintain their own data and make sure adequate security measures are in place to prevent its unauthorized access, alteration, disclosure, or destruction. This act looked very peculiar at the time of its passage, and continues to today, because it seems to place the blame of hacking on the victim, and not on the aggressor. In other words, if a person hacks into ones computers, the computer owner is liable for not effectively defending their own computer from attacks.
As a result of the Data Protection Act’s curious bestowment of security burden on the victim, in 1990, Parliament passed the Computer Misuse Act to supersede many of the provisions of the 1984 act. The act grew out of public outrage over the growing proliferation of destructive hackers, and resulted in a very tough piece of legislation. In the United Kingdom, the British Banking Association has estimated the cost of computer crime at US$ 8 billion a year[3]. Its most significant components were the first three of eighteen sections, which effectively shifted the blame and responsibility of unauthorized access from the attacked to the attacker. Not only did it criminalize expected actions such as unauthorized access, modification, and destruction of material, but it also removed the burden of intent in order to find someone guilty under the act. In other words, someone who succeeded in accessing an unauthorized computer, even if he had no explicit intent of doing so, could be convicted under the act. The next six sections defined the jurisdiction of the act, and it was made broad enough to include prosecuting actions on British soil, at British soil, as well as the procedures for the proper prosecution of conviction of non-British citizens. The remaining sections dealt with the enforcement aspects of the legislation, outlining procedures for trial, search warrants, extradition, and what to do in case proceedings were held in either Scotland or Northern Ireland, who maintain their own separate court systems.
b. Offences and punishments
- Unauthorised access to computer material Imprisonment up to 6 months and/or fine up to UKP 5,000
- Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment up to 6 months and/or fine on summary conviction Imprisonment up to 5 years and/or fine on conviction on indictment
- Jurisdiction : England, Wales, Scotland and N. Ireland
- Interpretation of the act
c. evaluation
2) The Singapore Computer Misuse Act 1993
a) Background
Singapore in their Computer Misuse Act has classified the following activities as computer crime, 1) Unauthorised access to computer material 2), Unauthorised access with intent to commit or facilitate commission of further offences 3), Unauthorised modification of computer material, 4), Unauthorised use and interception of computer services
b) Offences and Punishments:
- Unauthorised access to computer material a). Imprisonment up to 2 years and/or fine up to $2,000 b) Imprisonment up to 5 years and/or fine up to $20,000 if the damage exceeds $10,000
- Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment up to 10 years and/or fine up to $50,000
- Unauthorised modification of computer material a). Imprisonment up to 2 years and/or fine up to $2,000 b) Imprisonment up to 5 years and/or fine up to $20,000 if the damage exceeds $10,000
- Unauthorised access with intent to commit or facilitate commission of further offences Imprisonment up to 10 years and/or fine up to $50,000
- Unauthorised use or interception of computer services a). Imprisonment up to 2 years and/or fine up to $2,000 b) Imprisonment up to 5 years and/or fine up to $20,000 if the damage exceeds $10,000
- Computer output shall be admissible as evidence
c) Evaluation
The Singapore Computer Misuse Act from 1993[4] lacks clarity and tends to disregard the human rights of suspects. Its objective to protect its victims of computer misuse by criminalizing associate activities such as eavesdropping , and the setting of higher penalties in comparison with the UK Computer Misuse act, are out of proportion to the norm. Furthermore if Compared to the Computer Misuse Acts (CMAs) of both the UK and Germany (and of course other European Countries), the punishments are very severe. Both the prison sentences, and the fines exceed the western standard by far. Why is Singapore, next to the People’s Republic of China, responding with a harsh criminal response in regard to computer crime? The Singapore Government justifies (and hopes) its strict laws and enforcement of laws will act as a deterrent against irresponsible use of the Internet, especially since more hackers may enter the picture and stakes get higher due to E-commerce. The truth though behind the subject is, that Singapore has a reputation for an unusual harsh punishment system, that will even enforce the death penalty to many offences such as drug trafficking. Of course one must admit, that Singapore has a higher average Crime rate, than most western countries, but does this have to mean, that harsher laws will prevent people from committing (computer) crimes? Can Singapore really go another way, when the broad western societies have very similar computer laws? Although Singapore is busily developing ways to regulate the Internet within their borders, I believe that it will eventually go the way of television and radio, where try as they might, it will ultimately be extremely difficult to regulate Internet access using this methods
3) German Computer Misuse Act
a) Background
Germany has classified the following computer crime as offences: 1) data spying, 2) computer fraud, 3) forgery of prohibitive data, 4) alteration of data, 5) computer sabotage.
b) Offences and Punishments:
- Data spying Imprisonment up to 3 years or fine
- Computer fraud Imprisonment up to 5 years or fine
- Forgery of probative data Imprisonment up to 5 years or fine
- Alteration of data Imprisonment up to 2 years or fine
- Computer sabotage Imprisonment up to 5 years or fine
c) Evaluation
Interesting is, that the computer crimes were implemented to the StGB, the German Criminal Code, under § 263a computer fraud (§ 263 is the code for fraud), § 202a. Data Espionage, § 303a: Alteration of Data, § 303b Computer Sabotage. Problems in legislature arouse in the past decade, due to computer crimes, that couldn’t be prosecuted as either fraud or theft. The code of fraud demands, that a natural person is being betrayed, which of course a computer can’t fulfil. Germany has had serious troubles with groups of hackers (for example the Computer Chaos Club), and demanded a strict legislation to battle this new form of crime. In fact, an EEC study[5] showed that in Germany 4112 cases of computer crimes were reported to the police during 1995. About 60 per cent of these cases were considered by the Police to be case of computer crime under Penal Code. By now the figure has reached over 60.000 reported cases, whereas those figures do not include the uncovered ones. According to a study conducted by European Commission (EEC) investigations a few years ago, indicated losses from computer manipulation between 15,000,000 and 20,000,000 DM, which in some cases were even higher in the following years. Germany has very well adapted CMA compared to the UK and other European Countries. Different from the UK CMA the German legislator has emphacised, that he will convict anyone spying on, or sabotaging Data, which is one of the most feared economic threats for German companies. Reason for this step might also be found in Germany’s history, especially the role it played before the German Unification of 1989. You could also say, that the punishments leave judges a wider range on which they can react, if found guilty of a computer crime, but the general tendencies show, that this hasn’t become practice. In fact, even though many computer crimes are registered each year, the decisions of judges has been relatively mild. Of course this is also dues to the fact that the field of computer crimes is very young, and other codes of criminal law have caught the attention of the legislators in the 6th criminal reform from 1998. Germany will certainly be watching the development of computer crime very closely, but will probably wait for any further EU suggestions, or regulations on this subject.
4) Comparison in perspective
In Comparison the German CMA only differs in structure compared to the UK model. Even though one might arguer, that German law may punish someone harsher, than in the UK, this really doesn’t create a great gap between the two acts. Then again the Singapore Computer Misuse Act definitely reviles the other side of the coin. This country has misinterpreted the threat of computer crime. Through harsh laws the legislator wants to prevent any potential perpetrator to commit computer crime. That this form of prevention does not work can be seen in any study done: harsher laws doesn’t necesserely prevent someone from committing a crime.
II. Realistic Use of Different Computer Misuse Acts
In the last part I will discuss how the legislation of the countries above are realistic in practice. All three Countries, Germany, the UK, and Singapore will have some problems in common.
a) Practical and Legal Problems
A variety of practical and legal problems[6] are faced in the task of establishing the identity of the wrongdoer and obtaining evidence to support a criminal conviction. Guidelines and the procedures of all countries have to be evolved, for instance, to the application of the provision on search and seizure to the access, recording and storing new data, on wire tapping to the interception of telecommunication. The opinion and adoption of the procedure for the investigation of computer crime is almost essential and should necessarily follow any enactment or new law or supplementation of existing law. Guidelines should also include such aspects as search of the premises, powers of seizure, the duty of witnesses to hand-over witnesses as well as legality of gathering, storing and linking personal data.
b) Issues of Jurisdiction
Issues of jurisdiction[7] will also be of considerable significance in the situation where access is obtained to a computer system by means of some telecommunication link. In this situation, it is very possible that the perpetrator may be located in one jurisdiction and the victim of the crime in another.
c) Tracking and Identifying
Another problem is naturally tracking down the person committing a crime. This means, that the particular country has to have well trained and equipped forces, that can hunt down hackers[8] like in hard to solve cases like R vs. Gold[9], since finding and identifying someone who has hacked into or misused a system is a difficult and, above all, time consuming task. It is sometimes possible to identify the person uniquely. More often it relies on producing sufficient circumstantial evidence to persuade the offender to admit that he perpetrated the offence. Same applies to perhaps the most notorious forms of conduct in the computer field consisting of the creation and/or disseminations of computer viruses like the Dark Avenger, Devils Dance, or the harmless Cookie Monster, where the origin and the dissembling of the source code are races against time and amounts of damage done.
d) preventive measures
In all countries there is a lack of information on the issues of Security and computer crime and anything related to it. This leads to general confusion and unwanted conflicts with the law. In addition to use of laws as a preventive measure, it is necessary to develop concepts and guidelines and manuals for computer security and implement the guidelines in a serious manner at all levels and within different types of entities and organisations. Such guidelines or manuals are fundamentally important and hold greater prospects of success than to enact new laws for protection. They should detail out the procedures and evolve self-regulating code of conduct or possible introduction of an obligation on the part of the enterprise to provide, in their annual accounts, information on the reliability of the data processing. While preparing the guidelines/manual, historical traditions should be reviewed and kept in mind
e) Specific Problems the CMAs of the UK, Germany, and Singapore
As already hinted many times above, Singapore has a rather unrealistic approach to crime in general. Of course their harsh laws will not prevent a hacker to intrude a system, same as it won’t prevent anyone from committing any other sort of crime. Realistically speaking, Singapore will eventually change it’s system in the near future, once it has moved more toward western standards. Germany and the UK will always have general problems, as discussed in the last section, that will dilute the realistic approach toward computer crime. Then again the approach is quite practical, since something is being done, and the convictions show, that the law is being applied. Same as with any field of crime, it will always be the general policies and the system’s values, that will determine how much crime the country has to deal with. Therefore the two countries should inform the public, and abide the law in every way possible. On a European dimension we are surely going to see many more practical changes in the future.
III. Evaluation
C) Conclusion
The conclusion may, therefore, be drawn that computer-related crime is a real, at least in respect of certain offences, expanding phenomenon, even though some of the statistics are probably not reliable. Furthermore, a steady increase in number of cases is expected. As of now the growth rate in number of computer crime cases reported worldwide is in between 12-15 per cent. The time has clearly come for our country to put in hand a series of preventive measures in the field of security or of instructions in computer ethics, and to respond to this by forming appropriate guidelines and legislation. All the countries addressed in this paper are trying to deal with the issue of computer crime adapted to their system. What we might think of taking things too far might be working for the system that we cannot relate to. Realistic is that we will see many more challenges of computer crime in this millennium.
[1] Lloyd p. 184-185
[2] Data Protection Act 1984, http://web.doc.ic.ac.uk/~ard/teach/DataProtectionAct.html
[3] R/D/C p. 4
[4] The Statutes of the Republic of Singapore Computer Misuse Act, 1994
[5] R/D/C p. 5
[6] Lloyd p. 231, Tapper pp. 363 f.
[7] Tapper pp. 427-428
[8] Denning pp. 1 f.
[9] R. vs. Gold [1988] AC 1063