Cybercrime Bill 2001


1998-1999-2000-2001

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

THE HOUSE OF REPRESENTATIVES

CYBERCRIME BILL 2001

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Justice and Customs, Senator the Honourable Chris Ellison)



 

CYBERCRIME BILL 2001

 

OUTLINE

 

This Bill would amend the Criminal Code Act 1995 (Criminal Code) by adding new Part 10.7, which contains new updated computer offences based on the January 2001 Model Criminal Code Damage and Computer Offences Report developed through Commonwealth, State and Territory cooperation as a model for national consistency.  The existing offences in Part VIA of the Crimes Act 1914 (Crimes Act), which were enacted in 1989 and pre-date existing technology, would be repealed. 

 

The Bill would also enhance investigation powers relating to the search and seizure of electronically stored data by amendments to the Crimes Act and Customs Act 1901 (Customs Act).  The amendments build on experience since the existing provisions were enacted in 1994 and take into account the draft Council of Europe Convention on Cybercrime. 

 

The remaining amendments to the Australian Security Intelligence Organisation Act 1979 (ASIO Act), Education Services for Overseas Students Act 2000 (ESOS Act) and Telecommunications (Interception) Act 1997 (TI Act) are consequential changes.

 

 

 

 

FINANCIAL IMPACT STATEMENT

 

There are no direct financial impacts from this Bill.



NOTES ON CLAUSES

 

Clause 1: Short title

This clause sets out the short title by which this Act may be cited. 

 

Clause 2: Commencement

This clause provides that the Act commences on a day to be fixed by Proclamation.  However, if the provisions of this Act do not commence within the period of 6 months beginning on the day which it receives the Royal Assent, the provisions commence on the first day after the end of that period.  This is necessary to ensure there is time for adequate training before the new provisions commence.

Clause 3: Schedule(s)

This clause provides that each Act that is specified in a Schedule is amended or repealed as set out in that Schedule.

Clause 4: Application-Criminal Code Amendments

 

This clause provides that the new computer offences inserted into the Criminal Code by Schedule 1 to the Act apply only to conduct that takes place after the commencement of the Schedule.  The clause also makes it clear that where conduct is alleged to have taken place between two dates, one prior to the commencement of the new computer offences and one on or after their commencement, the existing computer offences in Part VIA of the Crimes Act will apply to that conduct.

 

The provision ensures that there is no break in the law with the repeal of the existing computer offences and commencement of the new and also clarifies which regime will apply during transition from the existing offences to the new.

 



Schedule 1 - Computer offences

 

This Schedule inserts new computer offences into the Criminal Code and repeals the existing outdated computer offences in the Crimes Act.  The Schedule also replaces all references in Commonwealth legislation to the existing computer offences with references to the new computer offences.

 

Australian Security Intelligence Organisation Act 1976

 

Item 1

 

This Item replaces the reference in the note to subsection 25A(4) of the ASIO Act to the computer offences in section 76D and 76E of the Crimes Act with a reference to the new computer offences in Part 10.7 of the Criminal Code.  The proposed amendment is consequential upon the repeal of the existing computer offences by Item 2 of this Schedule and the introduction of new computer offences by Item 4 of this Schedule.  The purpose of the note is to make it clear that an ASIO officer who obtains access to data stored in a target computer pursuant to a computer access warrant issued under section 25A of the ASIO Act does not commit an offence against the computer offences in Part 10.7 of the Criminal Code.

 

Crimes Act 1914

 

Item 2

 

This Item repeals Part VIA of the Crimes Act, which contains the existing Commonwealth computer offences.  The offences in Part VIA will be replaced by the proposed new computer offences inserted into the Criminal Code by Item 4 of this Schedule.  The reasons for the repeal of individual offences are discussed below in relation to the new offences.

 

Criminal Code Act 1995

 

Item 3

 

This item amends paragraph 4.1(1)(b) of the Criminal Code to clarify that a physical element of an offence includes a circumstance in which conduct or a result of conduct occurs.  The words “or a result of conduct” have been added to ensure that the provision cannot be interpreted restrictively to exclude a circumstance in which a result occurs from being regarded as a physical element of an offence.  If the provision was interpreted in this way, it would make it difficult to impose strict or absolute liability with respect to circumstances unless they could be described as circumstances in which an act, omission or state of affairs occurred.  In the proposed computer offences there are some circumstances which accompany a result rather than conduct and it is necessary to apply absolute liability to some of these circumstances - for example, the “telecommunications service” and “Commonwealth computer” elements of these offences.

 



Item 4

 

This Item inserts proposed Part 10.7 (Computer Offences) into Chapter 10 of the Criminal Code, which contains provisions concerning protection of the national infrastructure.  The Part contains new updated computer offences based on the offences recommended in the January 2001 Model Criminal Code Damage and Computer Offences Report.  The proposed offences are also consistent with the terms of the draft Council of Europe Convention on Cybercrime.  Similar offences are likely to be introduced at the State and Territory level.  The Standing Committee of Attorneys-General has agreed to give priority to the enactment of updated computer offences.  New South Wales has already enacted computer offences based on the Model Criminal Code.

 

The proposed computer offences are directed at conduct which impairs the security, integrity and reliability of computer data and electronic communications.  Advances in computer technology and electronic communications have created new means and possibilities for committing cybercrimes such as hacking, denial of service attacks and virus propagation.  The proposed offences are designed to address these new forms of cybercrime.

 

The existing computer offences were inserted into the Crimes Act in 1989.  The emergence and expansion of new technologies, such as the Internet, since that time has reduced the effectiveness of these provisions.  For example, the current provisions do not sufficiently address the impairment of electronic communications (eg. ‘denial of service attacks’), damage to electronic data stored on devices such as computer disks or credit cards, or the unauthorised use of a computer to commit another offence.  The proposed offences are designed to remedy these deficiencies in the existing offences.

 

Proposed section 476.1 - Definitions

 

Proposed section 476.1 contains definitions of terms used in proposed Part 10.7 of the Criminal Code.  The definitions, with the exception of “Commonwealth computer” and “telecommunications service”, are based on the definitions proposed in the Model Criminal Code Damage and Computer Offences Report (sections 4.2.1 and 4.2.2, pages 120-147).

 

Access to data held in a computer is defined to mean the display of data by the computer or any other output of the data from the computer, such as the printing of data; the copying or moving of data to another place in the computer or to a device designed to contain data for use by a computer or, in the case of a computer program, the execution of that program.  This is more explicit than existing Australian legislation but avoids the complexity of the UK Computer Misuse Act 1990.  Access is not a clear concept in the context of computers and warrants definition in a Criminal Code.

 

Commonwealth computer is defined to mean a computer owned, leased or operated by the Commonwealth or a Commonwealth authority.  This follows the approach of the existing Commonwealth provisions by partly anchoring jurisdiction to Commonwealth computers (see section 76A, Crimes Act).

 

Data includes information in any form or any program or part of a program.  This follows the Model Criminal Code, but does not vary in substance from the existing definition.

 

Data held in a computer includes data held in any removable data storage device, such as a computer disk, or any data held in a data storage device on a computer network of which the computer forms a part.

 

Data storage device is defined to mean a thing, such as a disk or file server, that contains, or is designed to contain, data for use by a computer.  This definition is consistent with the Electronic Transactions Act 1999.

 

Electronic communication is defined to mean a communication of information in any form by means of guided or unguided electromagnetic energy.  This definition is consistent with the Electronic Transactions Act 1999.

 

Impairment of electronic communication to or from a computer includes the prevention of any electronic communication or the impairment of any electronic communication on an electronic link or network used by the computer, but does not include a mere interception of an electronic communication.

 

Modification of data held in a computer is defined to mean the alteration or removal of the data or an addition to the data.

 

Telecommunications service is defined to mean a service for carrying communications by means of guided or unguided electromagnetic energy or both.  This definition is consistent with the terminology of the Telecommunications Act 1997.

 

Unauthorised access, modification or impairment is defined in proposed section 476.2.

 

“Computer” is not defined.  However, the term “computer” as used in proposed Part 10.7 extends beyond the familiar concept of a desktop personal computer.  The term is not defined to ensure the proposed computer offences will encompass new developments in technology.  As discussed in the Model Criminal Code Report on computer offences (pages 123-125), a restrictive definition of what is and what is not a ‘computer’ could unduly limit the application of the proposed offences.  Definitions may be overtaken by developments in technology, so that new technologies which perform all the functions of a computer may fall outside the scope of any statutory definition.

 

Proposed subsection 476.1(2) limits the scope of the terms “access to data held in a computer”, “modification of data held in a computer” and “impairment of electronic communications to or from a computer”.  Where the terms are used in the proposed computer offences they refer to any such access, modification or impairment caused by the execution of a function of a computer.  Any such access, modification or impairment effected otherwise than by the execution of a function of a computer, for example, by causing physical damage to computer hardware, is not within the scope of the proposed offences.  The description of an offender’s conduct as “causing a computer to execute a function” ensures that the offences extend beyond obvious cases in which an offender uses a keyboard or other direct physical means to commit an offence to cover offenders, such as those who put a virus infected disk into circulation, who cannot be described as “using a computer” in the usual sense. 

 

Proposed section 476.2 - Meaning of unauthorised access, modification or impairment

 

Proposed section 476.2 defines unauthorised access, modification and impairment.  The proposed section is based on section 4.2.2 of the Model Criminal Code. 

 

Proposed subsection 476.2(1) provides that where a person causes (i) access to data held in a computer; (ii) modification of data held in a computer; (iii) impairment of electronic communications to or from a computer; or (iv) impairment of the security, reliability or security of data in a computer disk or other device, that access, modification or impairment is unauthorised if the person is not entitled to cause the access, modification or impairment.  As the proposed offences apply only to unauthorised actions, activities such as the authorised assurance testing of the security of a computer system would not be caught by the offences.

 

Proposed subsection 476.2(2) provides that any such access, modification or impairment is not unauthorised merely because the person causes the access, modification or impairment for a purpose other than that for which they are entitled to cause that access, modification or impairment.  For example, if a Commonwealth employee is authorised to access certain computer data so he or she can perform his or her duties but instead accesses that data for the purpose of defrauding the Commonwealth, that access does not become unauthorised.  However, if a person is entitled to make particular modifications to data and instead modifies the data in an unauthorised manner, that modification would be unauthorised.

 

Proposed subsection 476.2(3) specifies that, for the purposes of the proposed Part, a person causes access to data held in a computer, modification of data held in a computer, impairment of electronic communications to or from a computer or impairment of data on a disk etc if the person’s conduct substantially contributes to the access, modification or impairment.

 

Proposed section 476.3 - Geographical jurisdiction

 

Proposed section 476.3 applies Category A geographical jurisdiction, as set out in section 15.1 of the Criminal Code, to the proposed computer offences.  As a result of the application of Category A jurisdiction, the offences would extend to situations where (i) the conduct constituting the offence occurs partly in Australia or on board an Australian ship or aircraft; (ii) the result of the conduct constituting the offence occurs partly in Australia or on board an Australian ship or aircraft; or (iii) the person committing the offence is an Australian citizen or an Australian company.

 

This approach is broadly consistent with the draft Council of Europe Convention on Cybercrime, which recommends parties to the Convention establish jurisdiction over offences committed on board their ships or aircraft or by one of their nationals (Draft No. 25, Article 23).  It is also consistent with the Model Criminal Code, which, although a model State and Territory code, also includes broad geographical jurisdiction for these offences.

 

Computer crime is often perpetrated remotely from where it has effect.  The application of Category A jurisdiction would mean that, regardless of where conduct constituting an offence occurs, if the results of that conduct affect Australia the person responsible would generally be able to be prosecuted in Australia.  An Australian citizen who travels to a country where hacking is not an offence and, while there, uses a laptop computer to hack into a computer in a third country would also be caught by the proposed jurisdiction.

 

Proposed section 476.4 - Saving of other laws

 

Proposed section 476.4 provides for the concurrent operation of Commonwealth, State and Territory laws.  Providing for concurrent operation of Commonwealth and State laws ensures that there are no gaps in jurisdiction and also allows computer crimes to be prosecuted in whatever forum is most convenient. 

 

State and Territory computer offences would cover computer crime activities committed by employees using an internal computer network.  As computer crime on internal computer networks does not involve use of the telecommunications system the Commonwealth cannot regulate this conduct. 

 

Proposed section 476.5 - Liability for certain acts

 

Proposed section 476.5 provides limited immunity from civil and criminal liability for staff or agents of agencies whose activities, in the proper performance of their functions, are intended and required by Government.  These activities might otherwise be prohibited by Australian laws dealing with computer-related acts.

 

Proposed section 477.1 - Unauthorised access, modification or impairment with intent to commit a serious offence

 

Proposed section 477.1 would make it an offence to cause any unauthorised access to data held in a computer, any unauthorised modification of data held in a computer or any unauthorised impairment of electronic communications to or from a computer, knowing the access, modification or impairment is unauthorised and with the intention of committing or facilitating the commission of a serious offence.  A serious offence is defined to mean an offence punishable by life imprisonment or a term of 5 or more years imprisonment.  The proposed offence would carry a maximum penalty equal to the maximum penalty for the serious offence the person is intending to commit.  The offence is based on section 4.2.4 of the Model Criminal Code (see pages 148-155 of the Model Criminal Code Damage and Computer Offences Report for further discussion).

 

Paragraph 477.1(1)(a) does not specify the fault elements that apply to a person’s conduct (the act that causes unauthorised access, modification or impairment) or the result of that conduct (unauthorised access, modification or impairment).  As a consequence, the default fault elements set out in section 5.6 of the Criminal Code would apply.  The application of the fault elements in section 5.6 means that the offence requires intention to do an act, which causes unauthorised access, modification or impairment, and recklessness as to whether the act will cause that access, modification or impairment.

 

Where the unauthorised access, modification or impairment is caused by means of a telecommunications service, the offence would apply whether the serious offence the person intends to commit is a Commonwealth, State or Territory offence.  In all other cases, the offence would apply only where the serious offence the person intends to commit is a Commonwealth offence.  In establishing that a person has committed this offence it would not be necessary for the prosecution to prove that the defendant knew the offence he or she was intending to commit was an offence against the law of the Commonwealth, a State or a Territory or that he or she knew that the offence is punishable by imprisonment for life or a period of 5 or more years.  This is consistent with recently enacted Criminal Code offences (for example, section 132.4, which concerns burglary).  It is not appropriate to require the prosecution to prove jurisdictional elements of offences in these circumstances.

 

The proposed offence is designed to cover the unauthorised use of computer technology to commit serious crimes such as fraud or stalking.  The offence is particularly targeted at situations where preparatory action is taken by a person but the intended offence is not completed.  This offence will apply, for example, where a Centrelink employee alters social security data in order to fraudulently obtain social security payments to which he or she is not entitled.  The offence will be committed even where the employee’s actions are discovered before he or she actually obtains any payments and would be punishable by a maximum penalty equivalent to the fraud offence which the employee was intending to commit (ie, 10 years imprisonment).  This offence will also apply where a person uses the Internet to hack into a bank’s computer system with the intention of accessing credit card details and using them to obtain money.  There is no equivalent Commonwealth offence at present.

 

Proposed section 477.2 - Unauthorised modification of data to cause impairment

 

Proposed section 477.2 makes it an offence for a person to cause any unauthorised modification of data held in a computer, where the person knows that the modification is unauthorised, and intends by that modification to impair access to, or the reliability, security or operation of, any data held in a computer or is reckless as to any such impairment.  The maximum penalty for this offence would be 10 years imprisonment.  This penalty is equivalent to the penalty for the existing computer offences (Crimes Act, paragraphs 76C(a) and 76E(a)) and the penalty for fraud and forgery offences in the Criminal Code.  The offence is based on section 4.2.5 of the Model Criminal Code (see pages 156-169 of the Model Criminal Code Damage and Computer Offences Report for further discussion).

 

The offence would only be committed where one or more of the Commonwealth jurisdictional connections set out in proposed paragraph 477.2(1)(d) applies.  Absolute liability would apply to the jurisdictional connections.  Subsection 6.2(2) of the Criminal Code provides that if a law that creates an offence provides that absolute liability applies to a particular physical element of the offence (eg, data held in a Commonwealth computer), then a fault element (for example, knowledge) does not have to be proved and there is no defence of mistake of fact.  This obviates the need for the prosecution to prove, for example, that a defendant knew the computer data he or she was modifying was held on behalf of the Commonwealth.  As mentioned earlier, this is appropriate and consistent with other offences.

 

Absolute liability applies to the elements in paragraph 477.2(1)(d) because, if the prosecution was required to prove, for example, awareness on the part of the defendant that the modified data was held in a Commonwealth computer, many defendants would be able to escape liability by demonstrating that they did not even think about who owned the computer in which the data was held.  The elements in paragraph 477.2(1)(d) are included merely to trigger Commonwealth jurisdiction and do not have any bearing on the gravity of the offence.

The proposed offence will cover a range of situations including (i) a person with limited authorisation impairing data by engaging in an unauthorised operation on a Commonwealth computer; (ii) a hacker who obtains unauthorised access over the Internet and modifies data and causes impairment; and (iii) a person who circulates a disk containing a computer virus which infects a Commonwealth computer.  The offence would not require that the impairment of data actually occur. 

 

The proposed offence is limited to instances where a person modifying computer data intends to impair data or is reckless as to causing impairment.  The existing offence contains no such limitation and merely requires that the person modify the data intentionally and without authority or lawful excuse (Crimes Act, paragraphs 76C(a) and 76E(a)).  The existing offence is too broad and vague for a maximum 10 year penalty, as it extends to the harmless use of another person’s computer without that person’s permission.  The mass expansion in the use of computers in the workplace and elsewhere that has occurred in the past decade means that the existing offence is even more problematic than when it was enacted.

 

Proposed section 477.3 - Unauthorised impairment of electronic communication

 

Proposed section 477.3 makes it an offence for a person to cause any unauthorised impairment of electronic communication to or from a computer, where the person knows the impairment is unauthorised, and either intends to impair electronic communication or is reckless as to any such impairment.  The maximum penalty for this offence would be 10 years imprisonment.  The 10 year maximum penalty recognises the importance of reliable computer-facilitated communication and the considerable damage that can result if that communication is impaired.  The offence is based on section 4.2.6 of the Model Criminal Code (see pages 170-173 of the Model Criminal Code Damage and Computer Offences Report for further discussion).

 

The offence would only be committed where the electronic communication that is impaired occurs by means of a telecommunication service or is to or from a Commonwealth computer.  Absolute liability would apply to these Commonwealth jurisdictional connections.  Subsection 6.2(2) of the Criminal Code provides that if a law that creates an offence provides that absolute liability applies to a particular physical element of the offence (eg, the electronic communication is sent to or from a Commonwealth computer), then a fault element (for example, knowledge) does not have to be proved and there is no defence of mistake of fact.

 

The elements in paragraph 477.3(1)(c) do not have any bearing on the gravity of the offence.  Absolute liability applies to these elements because, if the prosecution was required to prove, for example, awareness on the part of the defendant that the electronic communication was to or from a Commonwealth computer, many defendants would be able to evade liability by demonstrating that they did not turn their minds to the question of who owned the computer.

This proposed offence is designed to target tactics such as ‘denial of service attacks’, where an e-mail address or web site is inundated with a large volume of unwanted messages thus overloading the computer system and disrupting, impeding or preventing its functioning.  The proposed offence would extend to situations where a person impairs a computer ‘server’, ‘router’ or other computerised component of the telecommunications system that relays or directs the passage of electronic communications from one computer to another. 

 

The existing offence of interfering with, interrupting or obstructing the lawful use of a computer (Crimes Act, paragraph 76E(b)) applies to conduct that impairs the ability of a computer to send or receive communications.  However, it does not clearly cover actions that interfere with the passage of electronic communications to or from computers, for example, by altering addresses, re-routing messages or interfering with the capacity of the telecommunications system to transmit those communications.  The proposed offence would cover this conduct.

 

The proposed offence would only apply to unauthorised impairment.  Consequently, the offence would not apply, for example, to a refusal by an Internet Service Provider (ISP) to carry certain types of electronic communications traffic on its network if such a refusal is pursuant to a contractual arrangement or an agreement between the ISP and users of the service.  Furthermore, this offence, like the other proposed offences, applies only to acts and not to omissions.  Therefore, a strike by telecommunications maintenance workers that resulted in impairment of electronic communication, for instance, would not constitute the commission of this offence.

 

Proposed section 478.1 - Unauthorised access to, or modification of, restricted data

 

Proposed section 478.1 makes it an offence for a person to cause unauthorised access to, or modification of, restricted data held in a computer, where the person intends to cause the access or modification and knows that the access or modification is unauthorised.  The maximum penalty would be 2 years imprisonment.  The offence is based on the Model Criminal Code summary offence of “Unauthorised access to, or modification of, restricted data” (see pages 186-197 of the Model Criminal Code Damage and Computer Offences Report for further discussion).

 

The offence would only be committed where one or more of the Commonwealth jurisdictional connections set out in proposed paragraph 478.1(1)(d) applies.  Absolute liability would apply to the jurisdictional connections.  Subsection 6.2(2) of the Criminal Code provides that if a law that creates an offence provides that absolute liability applies to a particular physical element of the offence (eg, data held in a Commonwealth computer), then a fault element (for example, knowledge) does not have to be proved and there is no defence of mistake of fact.

 

The proposed offence relates only to unauthorised access or modification of restricted data rather than any data.  'Restricted data' is defined to mean "data held on a computer to which access is restricted by an access control system associated with a function of the computer".  Therefore, a person would only commit an offence if he or she by-passed an access control system, such as a password or other security feature.

 

The existing Crimes Act provisions contain a general unauthorised access offence (subsection 76D(1)), which is not limited to “restricted data”.  This offence is too broad and impinges on many harmless actions that should not be subject to criminal penalties.  For example, a more general offence would apply to an office worker who simply uses, without permission, a colleague’s computer to type up an urgent note.  Furthermore, limiting the offence of unauthorised access to situations in which the accessed data is protected in some way recognises that security measures, such as passwords, are widely available and in use compared to when section 76D was enacted in 1989.  It is also desirable policy to link the applicability of the offence to good and almost universal practices.

 

This offence will apply to a person who hacks into a computer system protected by a password or other similar security measure in order to access personal or commercial information or alter that information.  The offence will also cover an employee who breaks a password on his or her employer’s computer system in order to access the Internet or to access protected information.  However, the offence would not apply to an employee who has access to the Internet at work and uses that access to place bets on horse races in defiance of his or her employer’s ban on using the Internet for purposes that are not work-related.

 

The proposed offence applies only to unauthorised actions.  Therefore, activities such as the authorised assurance testing of the security of a computer system would not be caught by this offence.

 

Proposed section 478.2 - Unauthorised impairment of data held in a computer disk etc

 

Proposed section 478.2 makes it an offence for a person to cause any unauthorised impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means, where the person intends to cause the impairment and knows that the impairment is unauthorised.  The maximum penalty for the proposed offence is 2 years imprisonment.  The offence is based on the Model Criminal Code summary offence of “Unauthorised impairment of data” (see pages 198-199 of the Model Criminal Code Damage and Computer Offences Report for further discussion).  There is currently no equivalent offence, as the existing Crimes Act offences pertain only to data stored in a computer, and do not extend to electronic data held in other devices.

 

The offence would only be committed where the computer disk, credit card or other device is owned or leased by the Commonwealth or a Commonwealth authority.  Absolute liability would apply to this element of the offence.  Subsection 6.2(2) of the Criminal Code provides that if a law that creates an offence stipulates that absolute liability applies to a particular physical element of the offence (eg, data held in a Commonwealth computer), then a fault element (eg, knowledge) does not have to be proved and there is no defence of mistake of fact.

 

This offence is a counterpart to the more serious proposed offence of unauthorised modification of data to cause impairment in section 477.2.  However, there are a number of important differences between the two offences.  First, this lesser offence applies to data stored electronically on disks, credit cards, tokens or tickets, while the proposed section 477.2 offence applies to ‘data held in a computer’.  Second, the section 477.2 offence requires that modification of data be caused by the execution of a computer function, whereas this offence is designed to cover impairment of data caused by other means such as passing a magnet over a credit card.  Although this offence could be committed by a person inserting a computer disk into a computer and impairing the data on the disk, once the disk is in the computer the data is “data held in a computer” and impairment of the data on the disk would be covered by the proposed section 477.2 offence. 

 

Section 478.3 - Possession or control of data with intent to commit a computer offence

 

Proposed section 478.3 makes it an offence for a person to possess or control data with the intention of committing or facilitating the commission of an offence against proposed section 477.1, 477.2 or 477.3 by that person or another person.  The proposed offence is analogous to the offence of ‘going equipped for theft’ in section 132.7 of the Criminal Code, though in this instance the offence extends beyond cases where the data is physically held by the offender to encompass situations where the data is in the offender’s control even though it is in the possession of another person.  The maximum penalty for this offence is 3 years imprisonment.  The offence is based on section 4.2.7 of the Model Criminal Code (see pages 174-181 of the Model Criminal Code Damage and Computer Offences Report for further discussion).  This offence and the offence in proposed section 478.4 are intended to match the requirements of the draft Council of Europe Convention on Cybercrime (Draft No. 25, Article 6).  There is no comparable existing Commonwealth computer offence.

 

This offence is designed to cover persons who possess programs or technology designed to hack into other people’s computer systems or impair data or electronic communication.  For example, a person will commit the offence if the person possesses a program which will enable him or her to launch a ‘denial of service attack’ against a Commonwealth Department’s computer system and intends to use the program for that purpose.  It would also be an offence for a person to possess a disk containing a computer virus that the person intends to release over the Internet in order to impair data in infected computers.  In both instances, the person would also commit the offence if he or she intends to provide the program to another person for the purpose of enabling the other person to impair electronic communication or computer data.  There will be many occasions where that intention will be evident from the content of the data.

 



Proposed section 478.4 - Producing, supplying or obtaining data with intent to commit a computer offence

 

Proposed section 478.4 makes it an offence to produce, supply or obtain data with the intention of committing or facilitating a computer offence by that person or another person.  The maximum penalty for the proposed offence is 3 years imprisonment.  The offence is based on section 4.2.8 of the Model Criminal Code (see pages 182-185 of the Model Criminal Code Damage and Computer Offences Report for further discussion).

 

The proposed offence is similar in application to the offence in proposed section 478.3.  However, this offence is primarily targeted at those who devise, propagate or publish programs which are intended for use in the commission of an offence against proposed section 477.1, 477.2 or 477.3, whereas the offence in proposed section 478.3 is targeted at those who have such programs in their possession or control.

 

Education Services for Overseas Students Act 2000

 

Item 5

This Item amends Note 2 to subsection 109(5) of the ESOS Act to replace the reference to the existing computer offences in Part VIA of the Crimes Act with a reference to the proposed computer offences in Part 10.7 of the Criminal Code.  The purpose of the note is to explain that a person who obtains unauthorised access to information on a computer system established for the purpose of receiving and storing information about accepted students that is protected by an access control system (eg, a password) could be guilty of an offence against Part 10.7 of the Criminal Code.

Telecommunications (Interception) Act 1997

Item 6

 

This Item amends subsection 5D(5) of the TI Act to replace the reference to the existing computer offences in Part VIA of the Crimes Act with a reference to the proposed computer offences in Part 10.7 of the Criminal Code. 

 

Warrants authorising telecommunications interception can only be obtained under the TI Act for the investigation of specified offences.  The existing computer offences in Part VIA of the Crimes Act are currently specified as offences for which a telecommunications interception warrant may be obtained.  The proposed amendment will ensure that a warrant can be obtained for the investigation of the proposed computer offences.



Schedule 2 - Law enforcement powers relating to computers

This Schedule amends the investigation powers in the Crimes Act and Customs Act that relate to the search and seizure of electronically stored data.  The amendments bring the investigation powers up to date with aspects of the draft Council of Europe Convention on Cybercrime and also reflect experience with the existing provisions.  The amendments are designed to provide law enforcement agencies with the necessary powers to detect and investigate crime involving the use of computers.  Although the existing powers were only introduced in 1994, they, like the computer offences, have been superseded by developments in technology.  Existing search powers do not, for example, enable law enforcement agencies to require a person with knowledge of a relevant computer system to assist investigators to access encrypted information. 

The large amount of data which can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators.  The proposed enhancement of search and seizure powers will assist law enforcement officers in surmounting those problems.

Item 1

This Item inserts a definition of the term data into subsection 3C(1) of the Crimes Act.  The definition corresponds to the definition of “data” in the new computer offences. 

Item 2

This Item inserts a definition of the term data held in a computer into subsection 3C(1) of the Crimes Act.  The definition matches the definition used in the new computer offences.

Item 3

This Item inserts a definition of data storage device in subsection 3C(1) of the Crimes Act.  The definition corresponds to the definition of “data storage device” in the proposed computer offence provisions.

Item 4

This Item makes a minor amendment to subsection 3K(1) of the Crimes Act to replace the references to “things” with references to “a thing”.  The proposed amendment would clarify that section 3K allows “a thing” (singular) to be moved to another place for examination and processing.

Item 5

This Item amends subsection 3K(2) of the Crimes Act.  The proposed amendment would allow a thing to be moved from the search premises to another place for examination or processing, without the occupier’s consent, where it is significantly more practicable than processing the thing at the search premises and where there are reasonable grounds to believe that the thing contains or constitutes evidential material.  In determining whether it is significantly more practicable to process or examine the thing at another place, the executing officer or constable assisting must have regard to the timeliness and cost of processing or examining the thing at another place rather than on site and to the availability of expert assistance.  In other words, the proposed amendment would permit a thing to be moved to another place if it is significantly faster or less costly to process or examine the thing at that other place or easier to obtain expert assistance to process or examine the thing at the other place.

 

As the use of computers becomes more widespread, it is becoming increasingly common for information to be stored on computer hard drives, computer disks or other storage devices.  Searching computers and related disks can be a difficult exercise.  There can be technical problems in searching a computer if the owner has taken steps to build in security measures such as encryption.  There may be multiple levels of password protection.  The computer may also be programmed to delete or alter data if the right password is not used.  In addition, given the large amount of information that can be stored on computer hard drives and computer disks, it can be a time-consuming process to search them for evidential material.

 

In cases which involve a large number of disks, for example, the most effective way of searching the disks may be to develop a search program to search the data on the disks, possibly after loading the data on the disks onto a single device.  That process requires computing skills and cannot easily be done at search premises.  Provision for moving computer equipment and disks off-site would allow the equipment or disks to be accessed or searched by an expert at premises properly equipped with external search equipment.

The existing subsection 3K(2) only permits things at the warrant premises to be moved to another place to be examined or processed if it is not practicable to do so at the premises (or if the occupier of the premises consents).  The existing provision is too restrictive.  The requirement that it be “not practicable” to process or examine a thing at the warrant premises before it can be moved does not allow consideration to be given to whether it would be more efficient or effective to process or examine the thing at another place.  The existing provision reflects the difficulties involved in moving computers at the time it was enacted.  Since then computers have become increasingly portable.

Item 6

This Item makes a minor amendment to subsection 3K(3) of the Crimes Act to replace the reference to “things” with references to “a thing”.  The proposed amendment clarifies that section 3K allows “a thing” (singular) to be moved to another place for examination and processing.

Item 7

This Item inserts proposed new subsections 3K(3A), 3K(3B) and 3K(3C) into the Crimes Act.  Proposed subsection 3K(3A) provides that a thing that is moved to another place for examination and processing under proposed subsection 3K(2) may only be moved to that other place for up to 72 hours.  Proposed subsection 3K(3B) provides that the officer responsible for executing the search warrant may apply to an issuing officer for an extension of the 72 hour time period if he or she believes on reasonable grounds that the thing cannot be examined or processed within 72 hours.  Proposed subsection 3K(3C) provides that the executing officer must give notice of the application for an extension of time to the occupier of the warrant premises and that the occupier is entitled to be heard by the issuing officer in relation to that application.

Item 8

 

This Item amends subsection 3L(1) of the Crimes Act and inserts new subsection 3L(1A). 

 

Proposed subsection 3L(1) would clarify that the existing power to operate electronic equipment on premises to find evidential material includes material physically located away from the premises.  An executing officer or constable assisting would be able to use a computer on search premises to access data held on computers situated elsewhere, where he or she believes on reasonable grounds that data held on other computers may contain evidential material of a kind covered by the search warrant.  Although the current provision arguably permits access to material not held on warrant premises, the proposed amendment would ensure this is clearly stated in the provision.

As most business computers are networked to other desktop computers and to central storage computers, files physically held on one computer are often accessible from another computer.  In some cases these computer networks can extend across different office locations.  Accordingly, it is critical that law enforcement officers executing a search warrant are able to search not only material on computers located on the search premises but also material accessible from those computers but located elsewhere.

An executing officer would not be required to notify operators of computers not on search premises if data held on those computers is accessed under warrant.  The reasons for this are threefold.  First, the existing search warrant provisions do not require notification of third parties before searching or seizing their material.  Second, it is not practicable to impose a notification requirement on investigating officers, as it will not always be apparent when accessing data whether it is held on premises or off site.  For example, computer files accessible from a personal computer connected to a network may be stored on a mainframe computer located elsewhere, but there may be nothing that would indicate to a person accessing those files that they are not held on the search premises.  Third, aspects of the current provision are arguably broader than the proposed provision.  The existing subsection 3L(1) permits an officer to operate equipment on site to see whether evidential material is accessible by doing so.  The provision only requires that the data be accessible from equipment on site; it does not require that it be held on site.  In contrast, the proposed provision will only allow an officer to access data if he or she believes on reasonable grounds that it may contain evidential material.

 

Proposed subsection 3L(1A) would enable law enforcement officers executing a search warrant to copy data held on any electronic equipment or associated devices at search premises to a storage device where there are reasonable grounds for suspecting that the data contains evidential material.  This will permit officers to copy all data held on a computer hard drive or data storage device if some of the data contains evidential material or if there are reasonable grounds to suspect the data contains evidential material. 

 

The existing provision only allows evidential material to be copied (Crimes Act, paragraph 3L(2)(c)).  Electronic equipment, such as a computer hard drive, can hold large amounts of data.  It is often not practicable for officers to search all the data for evidential material while at the search premises and to then copy only the evidential material which is found.  The proposed provision would allow officers to copy all the data on a piece of electronic equipment (by imaging a computer hard drive for example) in situations where an initial search of the data uncovers some evidential material or where the officer believes on reasonable grounds that the equipment might contain evidential material.

 

Item 9

 

This Item amends paragraph 3L(2)(b) of the Crimes Act to remove the word “or” from the end of the paragraph consequent upon the repeal of paragraph 3L(2)(c) by Item 10.

 

Item 10

 

This Item repeals paragraph 3L(2)(c) of the Crimes Act consequent upon the insertion of proposed subsection 3L(1A) into the Crimes Act by Item 8.

 

Item 11

 

This Item amends paragraph 3L(3)(a) of the Crimes Act consequent upon the repeal of paragraph 3L(2)(c) and its replacement with subsection 3L(1A).

 

Item 12

 

This Item inserts proposed new section 3LA into the Crimes Act.  Proposed section 3LA would enable a law enforcement officer executing a search warrant to apply to a magistrate for an ‘assistance’ order.  To grant the order, the magistrate would have to be satisfied (i) of the existence of reasonable grounds to suspect a computer on search premises contains evidence of an offence; (ii) that the subject of the order is reasonably suspected of the offence or is the owner of the computer or computer system, or a current employee of the owner; and (iii) that the subject of the order has knowledge of the functioning of the computer or system or measures applied to protect the computer or system. 

 

The person to whom the order is directed would be required to provide the officer, to the extent reasonably practicable, with such information or assistance as is necessary to enable the officer to access data on the computer system, copy it to a storage device or convert it to documentary form.  For example, a person could be required to explain how to access the system or to provide a password to enable access.  The maximum penalty for non-compliance with the order would be 6 months imprisonment.  This is in line with penalties in other Commonwealth legislation (for example, Companies Act 1981, subsection 14(5); Futures Industry Act 1986, subsection 15(5); and Australian Securities and Investments Commission Act 1989, subsection 65(2)).

 

While there is no requirement to provide such assistance under the existing Crimes Act search warrant provisions, assistance requirements are common in Commonwealth regulatory legislation.  Such a power is also contained in the Cybercrime Convention being developed by the Council of Europe (Draft No. 25, Article 19). 

 

Item 13

 

This Item amends paragraph 3N(2)(a) of the Crimes Act consequent upon the repeal of paragraph 3L(2)(c) and its replacement with subsection 3L(1A).

 

Customs Act 1901

 

The provisions in the Customs Act relating to searches of electronic equipment and associated devices are identical to the provisions in the Crimes Act.  The amendments to the Customs Act would ensure that the two sets of provisions remain consistent.  As the processing of imports and exports is increasingly computerised, it is also important that the Customs Act provisions are updated to enable effective searches of electronically stored material.

 

Item 14

 

This Item inserts a definition of the term data into section 4 of the Customs Act.  The definition corresponds to the definition of “data” in the new computer offences. 

Item 15

 

This Item amends paragraph 67EU(1)(b) to remove the reference to “programs”.  The amendment is consequential upon the insertion of a definition of “data” which includes “any program (or part of a program)” into section 4 of the Customs Act by Item 14.

 

Item 16

 

This Item amends subsection 67EU(1) to remove the reference to “programs”.  The amendment is consequential upon the insertion of a definition of “data” which includes “any program (or part of a program)” into section 4 of the Customs Act by Item 14.

 

Item 17

 

This Item amends subsection 67EU(3) to remove the reference to a “program”.  The amendment is consequential upon the insertion of a definition of “data” which includes “any program (or part of a program)” into section 4 of the Customs Act by Item 14.

 



Item 18

This Item inserts a definition of the term data held in a computer into subsection 183UA(1) of the Customs Act.  The definition matches the definition used in the new computer offences.

Item 19

This Item inserts a definition of data storage device in subsection 183UA(1) of the Customs Act.  The definition corresponds to the definition used in the proposed computer offence provisions.

Item 20

This Item makes a minor amendment to subsection 200(1) of the Customs Act to replace the references to “things” with references to “a thing”.  The proposed amendment will make it clear that section 200 allows “a thing” (singular) to be moved to another place for examination and processing.

Item 21

This Item amends subsection 200(2) of the Customs Act.  The proposed amendment would allow a thing to be moved from the search premises to another place for examination or processing without the occupier’s consent where it is significantly more practicable than processing the thing at the search premises and where there are reasonable grounds to believe that the thing contains or constitutes evidential material. In determining whether it is significantly more practicable to process or examine the thing at another place, the executing officer or person assisting must have regard to the timeliness and cost of processing or examining the thing at another place and to the availability of expert assistance.  In other words, the proposed amendment would permit a thing to be moved to another place if it is significantly faster or less costly to process or examine the thing at that other place or easier to obtain expert assistance to process or examine the thing at the other place.

 

As the use of computers becomes more widespread, it is becoming increasingly common for information to be stored on computer hard drives, computer disks or other storage devices.  Searching computers and related disks can be a difficult exercise.  There can be technical problems in searching a computer if the owner has taken steps to build in security measures such as encryption.  There may be multiple levels of password protection.  The computer may also be programmed to delete or alter data if the right password is not used.  In addition, given the large amount of information that can be stored on computer hard drives and computer disks, it can be a time-consuming process to search them for evidential material.

 

In cases which involve a large number of disks, for example, the most effective way of searching the disks may be to develop a search program to search the data on the disks, possibly after loading the data on the disks onto a single device.  That process requires computing skills and cannot easily be done at search premises.  Provision for moving computer equipment and disks off-site would allow the equipment or disks to be accessed or searched by an expert at premises properly equipped with external search equipment.

The existing subsection 200(2) only permits things at the warrant premises to be moved to another place to be examined or processed if it is not practicable to do so at the premises (or if the occupier of the premises consents).  The existing provision is too restrictive.  The requirement that it be “not practicable” to process or examine a thing at the warrant premises before it can be moved does not allow consideration to be given to whether it would be more efficient or effective to process or examine the thing at another place.  The existing provision reflects the difficulties involved in moving computers at the time it was enacted.  Since then computers have become increasingly portable.

Item 22

This Item makes a minor amendment to subsection 200(3) of the Customs Act to replace the reference to “things” with a reference to “a thing”.  The proposed amendment will make it clear that section 200 allows “a thing” (singular) to be moved to another place for examination and processing.

Item 23

This Item inserts proposed new subsections 200(3A), 200(3B) and 200(3C) into the Customs Act.  Proposed subsection 200(3A) provides that a thing that is moved to another place for examination and processing under proposed subsection 200(2) may only be moved for up to 72 hours.  Proposed subsection 200(3B) provides that the officer responsible for executing the search warrant may apply to an issuing officer for an extension of the 72 hour time period if he or she believes on reasonable grounds that the thing cannot be examined or processed within 72 hours.  Proposed subsection 200(3C) provides that the executing officer must give notice of the application for an extension of time to the occupier of the warrant premises and that the occupier is entitled to be heard by the issuing officer in relation to that application.

Item 24

 

This Item amends subsection 201(1) of the Customs Act and inserts new subsection 201(1A). 

 

Proposed subsection 201(1) would clarify that the existing power to operate electronic equipment on premises to find evidential material includes material physically located away from the premises.  An executing officer or person assisting would be able to use a computer on search premises to access data held on computers situated elsewhere, where he or she believes on reasonable grounds that data held on other computers may contain evidential material of a kind covered by the search warrant.  Although the current provision arguably permits access to material not held on warrant premises, the proposed amendment would ensure this is clearly stated in the provision.

 

As most business computers are networked to other desktop computers and to central storage computers, files physically held on one computer are often accessible from another computer.  In some cases these computer networks can extend across different office locations.  Accordingly, it is critical that law enforcement officers executing a search warrant are able to search not only material on computers located on the search premises but also material accessible from those computers but located elsewhere.

An executing officer would not be required to notify operators of computers not on search premises if data held on those computers is accessed under warrant.  The reasons for this are threefold.  First, the existing search warrant provisions do not require notification of third parties before searching or seizing their material.  Second, it is not practicable to impose a notification requirement on investigating officers, as it will not always be apparent when accessing data whether it is held on premises or off site.  For example, computer files accessible from a personal computer connected to a network may be stored on a mainframe computer located elsewhere, but there may be nothing that would indicate to a person accessing those files that they are not held on site.  Third, aspects of the current provision are arguably broader than the proposed provision.  The existing subsection 201(1) permits an officer to operate equipment on site to see whether evidential material is accessible by doing so.  The provision only requires that the data be accessible from equipment on site; it does not require that it be held on site.  In contrast, the proposed provision will only allow an officer to access data if he or she believes on reasonable grounds that it may contain evidential material.

 

Proposed subsection 201(1A) would enable law enforcement officers executing a search warrant to copy data held on any electronic equipment or associated devices at search premises to a storage device where there are reasonable grounds for suspecting that the data contains evidential material.  This will permit officers to copy all data held on a computer hard drive or data storage device if some of the data contains evidential material or if there are reasonable grounds to suspect the data contains evidential material. 

 

The existing provision only allows evidential material to be copied (Customs Act, paragraph 201(2)(c)).  Electronic equipment, such as a computer hard drive, can hold large amounts of data.  It is often not practicable for officers to search all the data for evidential material while at the search premises and to then copy only the evidential material that is found.  The proposed provision would allow officers to copy all the data on a piece of electronic equipment (for example by imaging a computer hard drive) in situations where an initial search of the data uncovers some evidential material or where the officer believes on reasonable grounds that the equipment might contain evidential material.

 

Item 25

 

This Item amends paragraph 201(2)(b) of the Customs Act to remove the word “or” from the end of the paragraph consequent upon the repeal of paragraph 201(2)(c) by Item 26.

 

Item 26

 

This Item repeals paragraph 201(2)(c) of the Customs Act consequent upon the insertion of proposed subsection 201(1A) into the Customs Act.

 

Item 27

 

This Item amends subsection 201(3) of the Customs Act consequent upon the repeal of paragraph 201(2)(c) and its replacement with subsection 201(1A).

 

Item 28

 

This Item inserts proposed new section 201A into the Customs Act.  Proposed section 201A would enable a law enforcement officer executing a search warrant to apply to a magistrate for an ‘assistance’ order.  To grant the order, the magistrate would have to be satisfied (i) of the existence of reasonable grounds to suspect a computer on search premises contains evidence of an offence; (ii) that the subject of the order is reasonably suspected of the offence or is the owner of the computer or computer system, or a current employee of the owner; and (iii) that the subject of the order has knowledge of the functioning of the computer or system or measures applied to protect the computer or system. 

 

The person to whom the order is directed would be required to provide the officer, to the extent reasonably practicable, with such information or assistance as is necessary to enable the officer to access data on the computer system, copy it to a storage device or convert it to documentary form.  For example, a person could be required to explain how to access the system or to provide a password to enable access.  The maximum penalty for non-compliance with the order would be 6 months.  This is in line with penalties in other Commonwealth legislation (for example, Companies Act 1981, subsection 14(5); Futures Industry Act 1986, subsection 15(5); and Australian Securities and Investments Commission Act 1989, subsection 65(2)).

 

While there is no requirement to provide such assistance under the existing Crimes Act search warrant provisions, assistance requirements are common in Commonwealth regulatory legislation.  Such a power is also contained in the Cybercrime Convention being developed by the Council of Europe (Draft No. 25, Article 19).

 

Item 29

 

This Item amends subsection 202(1) to remove references to a “program”.  The amendment is consequential upon the insertion of a definition of “data” that includes “any program (or part of a program)” into section 4 of the Customs Act by Item 14.

 

Item 30

 

This Item amends paragraph 202A(2)(a) of the Customs Act consequent upon the repeal of paragraph 201(2)(c) and its replacement with subsection 201(1A).

 

Item 31

 

This Item provides that the amendments made by this Schedule apply only to search warrants that are issued after the commencement of this Schedule.