Cybercrime Act: some unforeseen consequences
by Adrian McCullagh & Martin McEniery
The Commonwealth Government has attempted to address the increasing problems of IT security for online activities and business by enacting the Cybercrime Act 2001. The intention behind the Act is to criminalise activities such as computer hacking, denial of service attacks, spreading computer viruses and interfering with websites.
Offences
The Act comprises two separate schedules. Schedule 1 creates the following offences, replacing those previously found in the Crimes Act:
(a) Unauthorised access to or modification of data stored in a computer with intent to commit a serious offence
(b) Unauthorised impairment of electronic communication to or from a computer with intent to commit a serious offence
(c) Unauthorised modification of data to cause impairment
(d) Unauthorised impairment of an electronic communication
(e) Unauthorised access to, or modification of, restricted data (i.e. data protected by a password or other security feature), where the restricted data is either held for or on behalf of the Commonwealth or the access to or modification of it is caused by means of a telecommunications service
(f) Unauthorised impairment of data held on a computer disk etc.
(g) Possession or control of data with intent to commit a computer offence
(h) Producing, supplying or obtaining data with intent to commit a computer offence.
There is also a so-called 'accomplice provision' in the Act, which provides that, for the purposes of any of the above offences, a person causes unauthorised access, modification or impairment if the person's conduct 'substantially contributes to' the occurrence of the offence.
Schedule 2 of the Cybercrime Act has introduced far-reaching law enforcement powers relating to the search and seizure of electronically stored data. The provisions allow:
- equipment found at premises to be moved to another place for examination if there are reasonable grounds to believe that it contains or constitutes evidential material and it is practicable to do so
- executing officers to operate electronic equipment and copy data to a disk, tape or other associated device if they believe on reasonable grounds that the equipment may constitute evidential material
- an order to be obtained from a magistrate requiring a specified person to provide the information and assistance that is reasonable and necessary for an officer to access, copy and convert data found in computers into documentary form, and
- executing officers to access, via computer, data that is not physically at the warrant premises.
The provisions of the Cybercrime Act have already attracted criticism from those in the IT security industry due to the high potential for offences to be committed in the course of everyday investigations carried out to determine the level of security, or otherwise, of a client's system. Activities such as penetration testing and ethical attacks conducted without authority will technically offend the provisions despite the intention behind them. For example, the possession offence outlined in paragraph (g) above is designed to catch people in possession of technology to be used for hacking activities; however, it fails to recognise that similar or identical tools may be used for legitimate security purposes. IT security providers must be very careful in the allocation of such tools to staff and consultants and should closely monitor their usage. It is also particularly concerning that some of the offences can be established regardless of whether any damage has been incurred, and that some offences are absolute liability offences, meaning that mistake of fact cannot be made out as a defence.
Furthermore, the law enforcement provisions have been criticised for potentially undermining confidence in the security and integrity of electronic transactions and for overriding the common law privilege against self-incrimination. These criticisms have arisen due to the ability of magistrates to give 'assistance orders', which are designed to compel persons to assist an investigation, effectively by allowing access to their computer systems. This may involve revealing passwords and any data, encrypted or otherwise. Consequently, concerns have been raised that the breadth of the law enforcement provisions may result in the privacy of individuals being infringed. There is also concern that even persons who are not under suspicion can still be compelled to cooperate with an assistance order, and there do not seem to be any safeguards in place for people who honestly cannot provide the required assistance.
It is essential that providers of IT security services are made aware of these recent changes to the legal environment in which they operate. It is significant that the majority of the offences outlined in the Cybercrime Act arise because the activities in question are unauthorised. Provided that clear written authorisation is obtained from clients, such activities will not be an offence under the Act. Therefore, it is advisable to obtain written authorisation, backed by appropriate indemnities, from all clients prior to conducting any security investigations in order to avoid criminal liability.