Computer Access and Computer Crimes
- The Cybercrime Convention
- Commonwealth Criminal Offences
- Fault Elements
- Queensland Legislation
- Private Law: Electronic Contracts
Video Overview of Crimes Against Computer Systems by Nicolas Suzor
The Cybercrime Act 2001 introduced a series of computer-related offences into the Commonwealth Criminal Code. These were later expanded after Australia joined the Cybercrime Convention. There are also numerous provisions in State law that prohibit unauthorised access and misuse of computers.
The Cybercrime Convention
Video Overview of the Convention on Cybercrime by Lucy Jorgensen
The Council of Europe’s Convention on Cybercrime was the first international treaty on crimes committed via the Internet and other computer networks. It was ratified by Australia on the 1st March 2013 and has been ratified by 47 countries worldwide.
The Convention’s main objective is to promote a common criminal policy, which aims to protect society against cybercrime, by adopting legislation and promoting international co-operation.
The Convention primarily deals with:
-
Copyright Infringement
-
Computer-related fraud and forgery
-
Child pornography
-
Violations of network security
In order to achieve the goal of establishing a common criminal policy, the Convention requires signatories to:
-
Define criminal offenses and sanctions under their domestic laws according to the four categories of computer crimes listed above.
-
Establish domestic procedures for detecting, investigating and prosecuting computer crimes and collecting electronic evidence of any criminal offence.
-
Establish a rapid and effective system for international cooperation. This includes allowing law enforcement authorities in one country to collect computer-based evidence for those in another country.
Australia’s ratification of the Convention complements existing laws, increasing the capacity for international co-operation to deal with increasingly sophisticated forms of computer-related criminal activity. Being a party to the Convention is designed to help Australia combat criminal offences related to fraud, child pornography, copyright infringement and network security violations. Under the Convention, Australia participates in a 24/7 global network of high tech crime points of contact, allowing for speedy assistance between signatory countries. It aims to enable domestic agencies to access and share information to facilitate international investigations, and seeks to ensure that vital evidence is not lost before a mutual assistance request can be complete.
Commonwealth Criminal Offences
Definitions
- “unauthorised”: “not entitled to cause that access, modification or impairment.” (s 476.2)
- But access, modification, or impairment is “not unauthorised merely because he or she has an ulterior purpose for causing it.”
Fault Elements
Default fault elements are included in Criminal Code 1995 (Cth) s 5.6. Except where explicitly stated, all these offences require:
- Intent to access or modify; and
- Recklessness as to whether data was actually modified or access impaired.
Jurisdiction
These offences now apply to all conduct in Australia, against Australian computer systems, or by Australian citizens (s 15.1) There is some overlap with State laws. In many cases, conduct will be prohibited under both State and Federal law.
Unauthorised Access
Friedrich Kuepper Explains the Unauthorised Access Offences
Section 477.1 creates the offence of “Unauthorised access, modification or impairment with intent to commit a serious offence”
- Maximum penalty: 10 years imprisonment
- Requires intent to gain access (default fault element - s 5.6)
- Requires knowledge that access is unauthorised
- Requires intent to commit a serious offence (5+ years imprisonment)
478.1 Unauthorised Access to, or Modification of, Restricted Data
- Maximum penalty: 2 years imprisonment
- Requires knowledge that access is unauthorised
- Requires intent to gain access or modify
- Restricted data is any data within a computer that is protected by an access control system.
477.2 Unauthorised Modification of Data to Cause Impairment
- Maximum penalty: 10 years imprisonment
- Requires knowledge that the modification is unauthorised
- Requires intent to modify (default fault element - s 5.6)
- Requires recklessness as to whether the modification impairs or will impair access to data, reliability, security, or operation.
Impairment
477.3 Unauthorised Impairment of Electronic Communication
- Maximum penalty: 10 years imprisonment
- Requires knowledge that impairment was unauthorised
- Requires intent to cause impairment
Telecommunications Interception
Telecommunications (Interception and Access) Act 1979 (Cth), s 7
- Maximum penalty: 2 years imprisonment (s 105)
- There is also a summary offence: 6 months imprisonment (s 105)
A person shall not:
- intercept;
- authorize, suffer or permit another person to intercept;
- or do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system.
Other Computer Offences
478.2 Unauthorised impairment of data held on a computer disk etc.
478.3 Possession or control of data with intent to commit a computer offence
478.4 Producing, supplying or obtaining data with intent to commit a computer offence
Other crimes involving computers
474.14 Using a telecommunications network with intention to commit a serious offence
474.15 Using a carriage service to make a threat
474.17 Using a carriage service to menace, harass or cause offence
Queensland Legislation
Video: Sarah Lawrence explains how Section 359B of Queensland’s Criminal Code regulates cyberstalking
Incidents of cyberstalking are recognised under the definition of unlawful stalking in Section 359b of Queensland’s Criminal Code. Through the inclusion of subsection (c)(ii) unlawful stalking extends to contact through the use of telephone, mail, fax, email or through any technology.
Cyberstalking includes email stalking, phone stalking and computer stalking. Both email and phone are expressly stated in section 359B of the Criminal Code as methods of contact for unlawful stalking. Computer stalking, while not expressly stated in the provision, would likely be covered by the phrase ‘any technology’ and therefore would still be caught by the stalking offence.
A major controversy surrounding the stalking offence is the that the victim must have suffered a real apprehension or fear of violence, however, cyberstalking is unlikely to meet this threshold due to its virtual and non-physical nature. In addition, the prosecution of cyberstalking is difficult and victims must turn to other avenues to find relief. The current and most realistic remedies for victims would be to approach social media services to have material removed, or to report the behaviour to the eSafety commissioner.
Private Law: Electronic Contracts
Access to computer systems is typically constrained by both code and contract law. The code that makes computer systems interactive will often have some system for controlling access to the system. For example, websites are often made accessible to the public, but webservers can be configured to ensure that different parts of the website are only accessible to logged-in users with the correct permissions. Similarly, login controls prevent people from gaining access to computer systems without the correct password or credentials. Accessing computer systems by breaking these authentication mechanisms will usually be an offence under the unauthorised access or computer trespass provisions in the criminal law.
Shrink-wrap, click-wrap, and browse-wrap agreements
Video: What’s the difference between a click-wrap and a browse-wrap agreement? by Erin Laird
The link between access control systems and private law is typically made through a contract. Many websites now have contractual terms of use that purport to limit access to the website upon acceptance of those terms. When this is done in the registration process, where a user must affirmatively agree to contractual terms (typically by checking a box or clicking a button), this is called a ‘clickwrap’ contract. When contractual terms are instead incorporated by reference (for example, a link at the bottom of the page entitled ‘terms of use’), this is called a ‘browsewrap’ contract.
‘Shrink-wrap’ licence agreements are agreements found inside software packaged for sale. This raised the question of how software licence agreement of the provider was binding on the consumer, when the consumer entered into the sale contract with the retail shop. In ProCD Inc v Zeidenberg 86 F 3d 1447 (1996), the Court held that consumers will be bound to the licence agreement if they open the packaging and subsequently install the software, as they reliquished an opportunity to reject it by returning the software.
A ‘click-wrap’ agreement is an online agreement where the user actively gives consent to the terms and conditions. The user will do this by either clicking on a button or checking a box next to a statement saying “I agree to the terms and conditions”. A browse-wrap agreement is an online agreement where the user is assumed to have given passive consent by merely being on the website because being on the website is stated to amount to entering into an agreement with the provider.
Click-wrap and browse-wrap agreements differ from how the terms are incorporated to the agreement by reference. To be enforceable, it must be done by signature or reasonable notice.1 Click-wrap agreements do this by signature. Browse-wrap agreements attempt this through reasonable notice, but this is sometimes harder to enforce.2
Terms of Use documents are either click-wrap or browse-wrap agreements that typically deal with a series of different legal issues. They might include limitations of liability clauses, standards of acceptable conduct, copyright and other intellectual property policies, dispute resolution mechanisms, and many other terms. These can be very useful for online service providers. Because users must agree to the terms to use the website, these terms become enforceable through contract law and, in some cases, also through the criminal prohibitions on unauthorised access. In practice, the contractual component is the most important: through electronic contracts, online service providers are able to structure their rights and exposure to potential liability in a standardised, low cost manner.
Matthias Klepper Explains the Authority In US v Drew that Breach of Terms of Service Does Not Constitute ‘Unauthorised’ Access
Terms of Use documents are often criticised for the problems they pose for consumers. Click-wrap contracts are generally enforceable, regardless of whether the consumer has actually read the terms or not. Many firms abuse this system by including quite harsh terms in the fine print of the contract in order to minimise their potential risk. In response to this general concern, Australia has recently introduced unfair terms legislation that will limit the enforceability of standard form contracts that are deemed to be unfair.
Video Overview of the Contract Dispute in eBay v Creative Festival Entertainment