1998-1999-2000-2001
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
THE HOUSE OF REPRESENTATIVES
EXPLANATORY MEMORANDUM
(Circulated by authority of the Minister for Justice and Customs, Senator the Honourable Chris Ellison)
This Bill would amend the Criminal Code Act 1995 (Criminal Code)
by adding new Part 10.7, which contains new updated computer offences based on
the January 2001 Model Criminal Code Damage and Computer Offences Report
developed through Commonwealth, State and Territory cooperation as a model for
national consistency. The existing offences in Part VIA of the Crimes Act
1914 (Crimes Act), which were enacted in 1989 and pre-date existing
technology, would be repealed.
The Bill would also enhance
investigation powers relating to the search and seizure of electronically stored
data by amendments to the Crimes Act and Customs Act 1901 (Customs Act).
The amendments build on experience since the existing provisions were enacted in
1994 and take into account the draft Council of Europe Convention on Cybercrime.
The remaining amendments to the Australian Security Intelligence
Organisation Act 1979 (ASIO Act), Education Services for Overseas
Students Act 2000 (ESOS Act) and Telecommunications (Interception) Act
1997 (TI Act) are consequential changes.
There are no direct financial impacts from this Bill.
NOTES ON CLAUSES
This clause sets out the short title by which this Act may be cited.
This clause provides that the Act commences on a day to be fixed by Proclamation. However, if the provisions of this Act do not commence within the period of 6 months beginning on the day which it receives the Royal Assent, the provisions commence on the first day after the end of that period. This is necessary to ensure there is time for adequate training before the new provisions commence.
This clause provides that each Act that is specified in a Schedule is amended
or repealed as set out in that Schedule.
Clause 4: Application - Criminal Code Amendments
This clause provides that the new computer offences
inserted into the Criminal Code by Schedule 1 to the Act apply only to conduct
that takes place after the commencement of the Schedule. The clause also makes
it clear that where conduct is alleged to have taken place between two dates,
one prior to the commencement of the new computer offences and one on or after
their commencement, the existing computer offences in Part VIA of the Crimes Act
will apply to that conduct.
The provision ensures that there is no break
in the law with the repeal of the existing computer offences and commencement of
the new and also clarifies which regime will apply during transition from the
existing offences to the new.
This Schedule inserts new computer offences into the Criminal Code and
repeals the existing outdated computer offences in the Crimes Act. The Schedule
also replaces all references in Commonwealth legislation to the existing
computer offences with references to the new computer
offences.
Australian Security Intelligence Organisation Act 1976
This Item replaces the reference in the note to subsection 25A(4) of the
ASIO Act to the computer offences in section 76D and 76E of the Crimes Act with
a reference to the new computer offences in Part 10.7 of the Criminal Code. The
proposed amendment is consequential upon the repeal of the existing computer
offences by Item 2 of this Schedule and the introduction of new computer
offences by Item 4 of this Schedule. The purpose of the note is to make it
clear that an ASIO officer who obtains access to data stored in a target
computer pursuant to a computer access warrant issued under section 25A of the
ASIO Act does not commit an offence against the computer offences in Part 10.7
of the Criminal Code.
Item 2
This Item repeals Part VIA of the Crimes Act, which
contains the existing Commonwealth computer offences. The offences in Part VIA
will be replaced by the proposed new computer offences inserted into the
Criminal Code by Item 4 of this Schedule. The reasons for the repeal of
individual offences are discussed below in relation to the new offences.
This item amends paragraph 4.1(1)(b) of the Criminal Code to clarify that
a physical element of an offence includes a circumstance in which conduct or
a result of conduct occurs. The words “or a result of conduct”
have been added to ensure that the provision cannot be interpreted restrictively
to exclude a circumstance in which a result occurs from being regarded as a
physical element of an offence. If the provision was interpreted in this way,
it would make it difficult to impose strict or absolute liability with respect
to circumstances unless they could be described as circumstances in which an
act, omission or state of affairs occurred. In the proposed computer offences
there are some circumstances which accompany a result rather than conduct and it
is necessary to apply absolute liability to some of these circumstances - for
example, the “telecommunications service” and “Commonwealth
computer” elements of these offences.
This Item inserts proposed Part 10.7 (Computer Offences) into Chapter 10
of the Criminal Code, which contains provisions concerning protection of the
national infrastructure. The Part contains new updated computer offences based
on the offences recommended in the January 2001 Model Criminal Code Damage
and Computer Offences Report. The proposed offences are also consistent
with the terms of the draft Council of Europe Convention on Cybercrime. Similar
offences are likely to be introduced at the State and Territory level. The
Standing Committee of Attorneys-General has agreed to give priority to the
enactment of updated computer offences. New South Wales has already enacted
computer offences based on the Model Criminal Code.
The proposed computer
offences are directed at conduct which impairs the security, integrity and
reliability of computer data and electronic communications. Advances in
computer technology and electronic communications have created new means and
possibilities for committing cybercrimes such as hacking, denial of service
attacks and virus propagation. The proposed offences are designed to address
these new forms of cybercrime.
The existing computer offences were
inserted into the Crimes Act in 1989. The emergence and expansion of new
technologies, such as the Internet, since that time has reduced the
effectiveness of these provisions. For example, the current provisions do not
sufficiently address the impairment of electronic communications (eg.
‘denial of service attacks’), damage to electronic data stored on
devices such as computer disks or credit cards, or the unauthorised use of a
computer to commit another offence. The proposed offences are designed to
remedy these deficiencies in the existing offences.
Proposed section 476.1 - Definitions
Proposed section 476.1 contains definitions of
terms used in proposed Part 10.7 of the Criminal Code. The definitions, with
the exception of “Commonwealth computer” and
“telecommunications service”, are based on the definitions proposed
in the Model Criminal Code Damage and Computer Offences Report (sections
4.2.1 and 4.2.2, pages 120-147).
Access to data held in a
computer is defined to mean the display of data by the computer or any
other output of the data from the computer, such as the printing of data; the
copying or moving of data to another place in the computer or to a device
designed to contain data for use by a computer or, in the case of a computer
program, the execution of that program. This is more explicit than existing
Australian legislation but avoids the complexity of the UK Computer Misuse
Act 1990. Access is not a clear concept in the context of computers and
warrants definition in a Criminal Code.
Commonwealth
computer is defined to mean a computer owned, leased or operated by the
Commonwealth or a Commonwealth authority. This follows the approach of the
existing Commonwealth provisions by partly anchoring jurisdiction to
Commonwealth computers (see section 76A, Crimes Act).
Data
includes information in any form or any program or part of a program. This
follows the Model Criminal Code, but does not vary in substance from the
existing definition.
Data held in a computer includes data
held in any removable data storage device, such as a computer disk, or any data
held in a data storage device on a computer network of which the computer forms
a part.
Data storage device is defined to mean a thing,
such as a disk or file server, that contains, or is designed to contain, data
for use by a computer. This definition is consistent with the Electronic
Transactions Act 1999.
Electronic communication is
defined to mean a communication of information in any form by means of guided or
unguided electromagnetic energy. This definition is consistent with the
Electronic Transactions Act 1999.
Impairment of electronic
communication to or from a computer includes the prevention of any
electronic communication or the impairment of any electronic communication on an
electronic link or network used by the computer, but does not include a mere
interception of an electronic communication.
Modification
of data held in a computer is defined to mean the alteration or removal of the
data or an addition to the data.
Telecommunications service
is defined to mean a service for carrying communications by means of guided or
unguided electromagnetic energy or both. This definition is consistent with the
terminology of the Telecommunications Act 1997.
Unauthorised
access, modification or impairment is defined in proposed section
476.2.
“Computer” is not defined. However, the term
“computer” as used in proposed Part 10.7 extends beyond the familiar
concept of a desktop personal computer. The term is not defined to ensure the
proposed computer offences will encompass new developments in technology. As
discussed in the Model Criminal Code Report on computer offences (pages
123-125), a restrictive definition of what is and what is not a
‘computer’ could unduly limit the application of the proposed
offences. Definitions may be overtaken by developments in technology, so that
new technologies which perform all the functions of a computer may fall outside
the scope of any statutory definition.
Proposed subsection 476.1(2)
limits the scope of the terms “access to data held in a computer”,
“modification of data held in a computer” and “impairment of
electronic communications to or from a computer”. Where the terms are
used in the proposed computer offences they refer to any such access,
modification or impairment caused by the execution of a function of a computer.
Any such access, modification or impairment effected otherwise than by the
execution of a function of a computer, for example, by causing physical damage
to computer hardware, is not within the scope of the proposed offences. The
description of an offender’s conduct as “causing a computer to
execute a function” ensures that the offences extend beyond obvious cases
in which an offender uses a keyboard or other direct physical means to commit an
offence to cover offenders, such as those who put a virus-infected disk into
circulation, who cannot be described as “using a computer” in the
usual sense.
Proposed section 476.2 – Meaning of unauthorised access, modification or impairment
Proposed section 476.2 defines
unauthorised access, modification and impairment. The proposed section is based
on section 4.2.2 of the Model Criminal Code.
Proposed subsection
476.2(1) provides that where a person causes (i) access to data held in a
computer; (ii) modification of data held in a computer; (iii) impairment of
electronic communications to or from a computer; or (iv) impairment of the
security, reliability or security of data in a computer disk or other device,
that access, modification or impairment is unauthorised if the person is not
entitled to cause the access, modification or impairment. As the proposed
offences apply only to unauthorised actions, activities such as the authorised
assurance testing of the security of a computer system would not be caught by
the offences.
Proposed subsection 476.2(2) provides that any such access,
modification or impairment is not unauthorised merely because the person causes
the access, modification or impairment for a purpose other than that for which
they are entitled to cause that access, modification or impairment. For
example, if a Commonwealth employee is authorised to access certain computer
data so he or she can perform his or her duties but instead accesses that data for the
purpose of defrauding the Commonwealth, that access does not become
unauthorised. However, if a person is entitled to make particular modifications
to data and instead modifies the data in an unauthorised manner, that
modification would be unauthorised.
Proposed subsection 476.2(3)
specifies that, for the purposes of the proposed Part, a person causes access to
data held in a computer, modification of data held in a computer, impairment of
electronic communications to or from a computer or impairment of data on a disk
etc if the person’s conduct substantially contributes to the access,
modification or impairment.
Proposed section 476.3 applies Category A geographical jurisdiction, as
set out in section 15.1 of the Criminal Code, to the proposed computer offences.
As a result of the application of Category A jurisdiction, the offences would
extend to situations where (i) the conduct constituting the offence occurs
partly in Australia or on board an Australian ship or aircraft; (ii) the result
of the conduct constituting the offence occurs partly in Australia or on board
an Australian ship or aircraft; or (iii) the person committing the offence is an
Australian citizen or an Australian company.
This approach is broadly
consistent with the draft Council of Europe Convention on Cybercrime, which
recommends parties to the Convention establish jurisdiction over offences
committed on board their ships or aircraft or by one of their nationals (Draft
No. 25, Article 23). It is also consistent with the Model Criminal Code, which,
although a model State and Territory code, also includes broad geographical
jurisdiction for these offences.
Computer crime is often perpetrated
remotely from where it has effect. The application of Category A jurisdiction
would mean that, regardless of where conduct constituting an offence occurs, if
the results of that conduct affect Australia the person responsible would
generally be able to be prosecuted in Australia. An Australian citizen who
travels to a country where hacking is not an offence and, while there, uses a
laptop computer to hack into a computer in a third country would also be caught
by the proposed jurisdiction.
Proposed section 476.4 – Saving of other laws
Proposed section 476.4 provides for the concurrent
operation of Commonwealth, State and Territory laws. Providing for concurrent
operation of Commonwealth and State laws ensures that there are no gaps in
jurisdiction and also allows computer crimes to be prosecuted in whatever forum
is most convenient.
State and Territory computer offences would cover
computer crime activities committed by employees using an internal computer
network. As computer crime on internal computer networks does not involve use
of the telecommunications system the Commonwealth cannot regulate this conduct.
Proposed section 476.5 provides limited immunity from civil and criminal
liability for staff or agents of agencies whose activities, in the proper
performance of their functions, are intended and required by Government. These
activities might otherwise be prohibited by Australian laws dealing with
computer-related acts.
Proposed section 477.1 - Unauthorised access, modification or impairment with intent to commit a serious offence
Proposed section 477.1 would make it an offence to cause any
unauthorised access to data held in a computer, any unauthorised modification of
data held in a computer or any unauthorised impairment of electronic
communications to or from a computer, knowing the access, modification or
impairment is unauthorised and with the intention of committing or facilitating
the commission of a serious offence. A serious offence is defined to mean an
offence punishable by life imprisonment or a term of 5 or more years
imprisonment. The proposed offence would carry a maximum penalty equal to the
maximum penalty for the serious offence the person is intending to commit. The
offence is based on section 4.2.4 of the Model Criminal Code (see pages 148-155
of the Model Criminal Code Damage and Computer Offences Report for
further discussion).
Paragraph 477.1(1)(a) does not specify the fault
elements that apply to a person’s conduct (the act that causes
unauthorised access, modification or impairment) or the result of that conduct
(unauthorised access, modification or impairment). As a consequence, the
default fault elements set out in section 5.6 of the Criminal Code would apply.
The application of the fault elements in section 5.6 means that the offence
requires intention to do an act, which causes unauthorised access,
modification or impairment, and recklessness as to whether the act will
cause that access, modification or impairment.
Where the unauthorised
access, modification or impairment is caused by means of a telecommunications
service, the offence would apply whether the serious offence the person intends
to commit is a Commonwealth, State or Territory offence. In all other cases,
the offence would apply only where the serious offence the person intends to
commit is a Commonwealth offence. In establishing that a person has committed
this offence it would not be necessary for the prosecution to prove that the
defendant knew the offence he or she was intending to commit was an offence
against the law of the Commonwealth, a State or a Territory or that he or she
knew that the offence is punishable by imprisonment for life or a period of 5 or
more years. This is consistent with recently enacted Criminal Code offences
(for example, section 132.4, which concerns burglary). It is not appropriate to
require the prosecution to prove jurisdictional elements of offences in these
circumstances.
The proposed offence is designed to cover the
unauthorised use of computer technology to commit serious crimes such as
fraud or stalking. The offence is particularly targeted at situations where
preparatory action is taken by a person but the intended offence is not
completed. This offence will apply, for example, where a Centrelink employee
alters social security data in order to fraudulently obtain social security
payments to which he or she is not entitled. The offence will be committed even
where the employee’s actions are discovered before he or she actually
obtains any payments and would be punishable by a maximum penalty equivalent to
the fraud offence which the employee was intending to commit (ie, 10 years
imprisonment). This offence will also apply where a person uses the Internet to
hack into a bank’s computer system with the intention of accessing credit
card details and using them to obtain money. There is no equivalent
Commonwealth offence at present.
Proposed section 477.2 - Unauthorised modification of data to cause impairment
Proposed
section 477.2 makes it an offence for a person to cause any unauthorised
modification of data held in a computer, where the person knows that the
modification is unauthorised, and intends by that modification to impair access
to, or the reliability, security or operation of, any data held in a computer or
is reckless as to any such impairment. The maximum penalty for this offence
would be 10 years imprisonment. This penalty is equivalent to the penalty for
the existing computer offences (Crimes Act, paragraphs 76C(a) and 76E(a)) and
the penalty for fraud and forgery offences in the Criminal Code. The offence is
based on section 4.2.5 of the Model Criminal Code (see pages 156-169 of the
Model Criminal Code Damage and Computer Offences Report for further
discussion).
The offence would only be committed where one or more of the
Commonwealth jurisdictional connections set out in proposed paragraph
477.2(1)(d) applies. Absolute liability would apply to the jurisdictional
connections. Subsection 6.2(2) of the Criminal Code provides that if a law that
creates an offence provides that absolute liability applies to a particular
physical element of the offence (eg, data held in a Commonwealth computer), then
a fault element (for example, knowledge) does not have to be proved and there is
no defence of mistake of fact. This obviates the need for the prosecution to
prove, for example, that a defendant knew the computer data he or she was
modifying was held on behalf of the Commonwealth. As mentioned earlier, this is
appropriate and consistent with other offences.
Absolute liability applies to the elements in paragraph 477.2(1)(d) because,
if the prosecution was required to prove, for example, awareness on the part of
the defendant that the modified data was held in a Commonwealth computer, many
defendants would be able to escape liability by demonstrating that they did not
even think about who owned the computer in which the data was held. The
elements in paragraph 477.2(1)(d) are included merely to trigger Commonwealth
jurisdiction and do not have any bearing on the gravity of the offence.
The
proposed offence will cover a range of situations including (i) a person with
limited authorisation impairing data by engaging in an unauthorised operation on
a Commonwealth computer; (ii) a hacker who obtains unauthorised access over the
Internet and modifies data and causes impairment; and (iii) a person who
circulates a disk containing a computer virus which infects a Commonwealth
computer. The offence would not require that the impairment of data actually
occur.
The proposed offence is limited to instances where a person
modifying computer data intends to impair data or is reckless as to causing
impairment. The existing offence contains no such limitation and merely
requires that the person modify the data intentionally and without authority or
lawful excuse (Crimes Act, paragraphs 76C(a) and 76E(a)). The existing offence
is too broad and vague for a maximum 10 year penalty, as it extends to the
harmless use of another person’s computer without that person’s
permission. The mass expansion in the use of computers in the workplace and
elsewhere that has occurred in the past decade means that the existing offence
is even more problematic than when it was enacted.
Proposed section 477.3 - Unauthorised impairment of electronic communication
Proposed
section 477.3 makes it an offence for a person to cause any unauthorised
impairment of electronic communication to or from a computer, where the person
knows the impairment is unauthorised, and either intends to impair electronic
communication or is reckless as to any such impairment. The maximum penalty for
this offence would be 10 years imprisonment. The 10 year maximum penalty
recognises the importance of reliable computer-facilitated communication and the
considerable damage that can result if that communication is impaired. The
offence is based on section 4.2.6 of the Model Criminal Code (see pages 170-173
of the Model Criminal Code Damage and Computer Offences Report for
further discussion).
The offence would only be committed where the
electronic communication that is impaired occurs by means of a telecommunications
service or is to or from a Commonwealth computer. Absolute liability would
apply to these Commonwealth jurisdictional connections. Subsection 6.2(2) of
the Criminal Code provides that if a law that creates an offence provides that
absolute liability applies to a particular physical element of the offence (eg,
the electronic communication is sent to or from a Commonwealth computer), then a
fault element (for example, knowledge) does not have to be proved and there is
no defence of mistake of fact.
The elements in paragraph 477.3(1)(c) do not have any bearing on the gravity
of the offence. Absolute liability applies to these elements because, if the
prosecution was required to prove, for example, awareness on the part of the
defendant that the electronic communication was to or from a Commonwealth
computer, many defendants would be able to evade liability by demonstrating that
they did not turn their minds to the question of who owned the computer.
This proposed offence is designed to target tactics such as ‘denial of
service attacks’, where an e-mail address or web site is inundated with a
large volume of unwanted messages thus overloading the computer system and
disrupting, impeding or preventing its functioning. The proposed offence would
extend to situations where a person impairs a computer ‘server’,
‘router’ or other computerised component of the telecommunications
system that relays or directs the passage of electronic communications from one
computer to another.
The existing offence of interfering with,
interrupting or obstructing the lawful use of a computer (Crimes Act, paragraph
76E(b)) applies to conduct that impairs the ability of a computer to send or
receive communications. However, it does not clearly cover actions that
interfere with the passage of electronic communications to or from computers,
for example, by altering addresses, re-routing messages or interfering with the
capacity of the telecommunications system to transmit those communications. The
proposed offence would cover this conduct.
The proposed offence would
only apply to unauthorised impairment. Consequently, the offence would
not apply, for example, to a refusal by an Internet Service Provider (ISP) to
carry certain types of electronic communications traffic on its network if such
a refusal is pursuant to a contractual arrangement or an agreement between the
ISP and users of the service. Furthermore, this offence, like the other
proposed offences, applies only to acts and not to omissions. Therefore, a
strike by telecommunications maintenance workers that resulted in impairment of
electronic communication, for instance, would not constitute the commission of
this offence.
Proposed section 478.1 - Unauthorised access to, or modification of, restricted data
Proposed section 478.1 makes it an
offence for a person to cause unauthorised access to, or modification of,
restricted data held in a computer, where the person intends to cause the access
or modification and knows that the access or modification is unauthorised. The
maximum penalty would be 2 years imprisonment. The offence is based on the
Model Criminal Code summary offence of “Unauthorised access to, or
modification of, restricted data” (see pages 186-197 of the Model Criminal
Code Damage and Computer Offences Report for further
discussion).
The offence would only be committed where one or more of the
Commonwealth jurisdictional connections set out in proposed paragraph
478.1(1)(d) applies. Absolute liability would apply to the jurisdictional
connections. Subsection 6.2(2) of the Criminal Code provides that if a law that
creates an offence provides that absolute liability applies to a particular
physical element of the offence (eg, data held in a Commonwealth computer), then
a fault element (for example, knowledge) does not have to be proved and there is
no defence of mistake of fact.
The proposed offence relates only to
unauthorised access or modification of restricted data rather than any
data. 'Restricted data' is defined to mean "data held on a computer to which
access is restricted by an access control system associated with a function of
the computer". Therefore, a person would only commit an offence if he or she
by-passed an access control system, such as a password or other security
feature.
The existing Crimes Act provisions contain a general
unauthorised access offence (subsection 76D(1)), which is not limited to
“restricted data”. This offence is too broad and impinges on many
harmless actions that should not be subject to criminal penalties. For example,
a more general offence would apply to an office worker who simply uses, without
permission, a colleague’s computer to type up an urgent note.
Furthermore, limiting the offence of unauthorised access to situations in which
the accessed data is protected in some way recognises that security measures,
such as passwords, are widely available and in use compared to when section 76D
was enacted in 1989. It is also desirable policy to link the applicability of
the offence to good and almost universal practices.
This offence will
apply to a person who hacks into a computer system protected by a password or
other similar security measure in order to access personal or commercial
information or alter that information. The offence will also cover an employee
who breaks a password on his or her employer’s computer system in order to
access the Internet or to access protected information. However, the offence
would not apply to an employee who has access to the Internet at work and uses
that access to place bets on horse races in defiance of his or her
employer’s ban on using the Internet for purposes that are not
work-related.
The proposed offence applies only to unauthorised
actions. Therefore, activities such as the authorised assurance testing of the
security of a computer system would not be caught by this
offence.
Proposed section 478.2 - Unauthorised impairment of data held in a computer disk etc
Proposed section 478.2 makes it an offence for
a person to cause any unauthorised impairment of the reliability, security or
operation of any data held on a computer disk, credit card or other device used
to store data by electronic means, where the person intends to cause the
impairment and knows that the impairment is unauthorised. The maximum penalty
for the proposed offence is 2 years imprisonment. The offence is based on the
Model Criminal Code summary offence of “Unauthorised impairment of
data” (see pages 198-199 of the Model Criminal Code Damage and Computer
Offences Report for further discussion). There is currently no equivalent
offence, as the existing Crimes Act offences pertain only to data stored in a
computer, and do not extend to electronic data held in other devices.
The
offence would only be committed where the computer disk, credit card or other
device is owned or leased by the Commonwealth or a Commonwealth authority.
Absolute liability would apply to this element of the offence. Subsection
6.2(2) of the Criminal Code provides that if a law that creates an offence
stipulates that absolute liability applies to a particular physical element of
the offence (eg, data held in a Commonwealth computer), then a fault element
(eg, knowledge) does not have to be proved and there is no defence of mistake of
fact.
This offence is a counterpart to the more serious proposed offence
of unauthorised modification of data to cause impairment in section 477.2.
However, there are a number of important differences between the two offences.
First, this lesser offence applies to data stored electronically on disks,
credit cards, tokens or tickets, while the proposed section 477.2 offence
applies to ‘data held in a computer’. Second, the section 477.2
offence requires that modification of data be caused by the execution of a
computer function, whereas this offence is designed to cover impairment of data
caused by other means such as passing a magnet over a credit card. Although
this offence could be committed by a person inserting a computer disk into a
computer and impairing the data on the disk, once the disk is in the computer
the data is “data held in a computer” and impairment of the data on
the disk would be covered by the proposed section 477.2 offence.
Section 478.3 - Possession or control of data with intent to commit a computer offence
Proposed section 478.3 makes it an offence for a
person to possess or control data with the intention of committing or
facilitating the commission of an offence against proposed section 477.1, 477.2
or 477.3 by that person or another person. The proposed offence is analogous to
the offence of ‘going equipped for theft’ in section 132.7 of the
Criminal Code, though in this instance the offence extends beyond cases where
the data is physically held by the offender to encompass situations where the
data is in the offender’s control even though it is in the possession of
another person. The maximum penalty for this offence is 3 years imprisonment.
The offence is based on section 4.2.7 of the Model Criminal Code (see pages
174-181 of the Model Criminal Code Damage and Computer Offences Report
for further discussion). This offence and the offence in proposed section 478.4
are intended to match the requirements of the draft Council of Europe Convention
on Cybercrime (Draft No. 25, Article 6). There is no comparable existing
Commonwealth computer offence.
This offence is designed to cover persons
who possess programs or technology designed to hack into other people’s
computer systems or impair data or electronic communication. For example, a
person will commit the offence if the person possesses a program which will
enable him or her to launch a ‘denial of service attack’ against a
Commonwealth Department’s computer system and intends to use the program
for that purpose. It would also be an offence for a person to possess a disk
containing a computer virus that the person intends to release over the Internet
in order to impair data in infected computers. In both instances, the person
would also commit the offence if he or she intends to provide the program to
another person for the purpose of enabling the other person to impair electronic
communication or computer data. There will be many occasions where that
intention will be evident from the content of the data.
Proposed section 478.4 - Producing, supplying or obtaining data with intent to commit a computer offence
Proposed section 478.4 makes it an offence to
produce, supply or obtain data with the intention of committing or facilitating
a computer offence by that person or another person. The maximum penalty for
the proposed offence is 3 years imprisonment. The offence is based on section
4.2.8 of the Model Criminal Code (see pages 182-185 of the Model Criminal Code
Damage and Computer Offences Report for further discussion).
The proposed offence is similar in application to the offence in proposed section
478.3. However, this offence is primarily targeted at those who devise,
propagate or publish programs which are intended for use in the commission of an
offence against proposed section 477.1, 477.2 or 477.3, whereas the offence in
proposed section 478.3 is targeted at those who have such programs in their
possession or control.
This Item amends Note 2 to subsection 109(5) of the ESOS Act to replace the reference to the existing computer offences in Part VIA of the Crimes Act with a reference to the proposed computer offences in Part 10.7 of the Criminal Code. The purpose of the note is to explain that a person who obtains unauthorised access to information on a computer system established for the purpose of receiving and storing information about accepted students that is protected by an access control system (eg, a password) could be guilty of an offence against Part 10.7 of the Criminal Code.
Telecommunications (Interception) Act 1997
This Item amends subsection 5D(5) of the TI Act to replace the reference
to the existing computer offences in Part VIA of the Crimes Act with a reference
to the proposed computer offences in Part 10.7 of the Criminal Code.
Warrants authorising telecommunications interception can only be
obtained under the TI Act for the investigation of specified offences. The
existing computer offences in Part VIA of the Crimes Act are currently specified
as offences for which a telecommunications interception warrant may be obtained.
The proposed amendment will ensure that a warrant can be obtained for the
investigation of the proposed computer offences.
Schedule 2 – Law enforcement powers relating to computers
This Schedule amends the investigation powers in the Crimes Act and Customs Act that relate to the search and seizure of electronically stored data. The amendments bring the investigation powers up to date with aspects of the draft Council of Europe Convention on Cybercrime and also reflect experience with the existing provisions. The amendments are designed to provide law enforcement agencies with the necessary powers to detect and investigate crime involving the use of computers. Although the existing powers were only introduced in 1994, they, like the computer offences, have been superseded by developments in technology. Existing search powers do not, for example, enable law enforcement agencies to require a person with knowledge of a relevant computer system to assist investigators to access encrypted information.
The large amount of data which can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators. The proposed enhancement of search and seizure powers will assist law enforcement officers in surmounting those problems.
Item 1
This Item inserts a definition of the term data into subsection 3C(1) of the Crimes Act. The definition corresponds to the definition of “data” in the new computer offences.
Item 2
This Item inserts a definition of the term data held in a computer into subsection 3C(1) of the Crimes Act. The definition matches the definition used in the new computer offences.
Item 3
This Item inserts a definition of data storage device in subsection 3C(1) of the Crimes Act. The definition corresponds to the definition of “data storage device” in the proposed computer offence provisions.
Item 4
This Item makes a minor amendment to subsection 3K(1) of the Crimes Act to replace the references to “things” with references to “a thing”. The proposed amendment would clarify that section 3K allows “a thing” (singular) to be moved to another place for examination and processing.
Item 5
This Item amends subsection 3K(2) of the Crimes Act. The
proposed amendment would allow a thing to be moved from the search premises to
another place for examination or processing, without the occupier’s
consent, where it is significantly more practicable than processing the thing at
the search premises and where there are reasonable grounds to believe that the
thing contains or constitutes evidential material. In determining whether it is
significantly more practicable to process or examine the thing at another place,
the executing officer or constable assisting must have regard to the timeliness
and cost of processing or examining the thing at another place rather than on
site and to the availability of expert assistance. In other words, the proposed
amendment would permit a thing to be moved to another place if it is
significantly faster or less costly to process or examine the thing at that
other place or easier to obtain expert assistance to process or examine the
thing at the other place.
As the use of computers becomes more
widespread, it is becoming increasingly common for information to be stored on
computer hard drives, computer disks or other storage devices. Searching
computers and related disks can be a difficult exercise. There can be technical
problems in searching a computer if the owner has taken steps to build in
security measures such as encryption. There may be multiple levels of password
protection. The computer may also be programmed to delete or alter data if the
right password is not used. In addition, given the large amount of information
that can be stored on computer hard drives and computer disks, it can be a
time-consuming process to search them for evidential material.
In cases which involve a large number of disks, for example, the most effective way of searching the disks may be to develop a search program to search the data on the disks, possibly after loading the data on the disks onto a single device. That process requires computing skills and cannot easily be done at search premises. Provision for moving computer equipment and disks off-site would allow the equipment or disks to be accessed or searched by an expert at premises properly equipped with external search equipment.
The existing subsection 3K(2) only permits things at the warrant premises to be moved to another place to be examined or processed if it is not practicable to do so at the premises (or if the occupier of the premises consents). The existing provision is too restrictive. The requirement that it be “not practicable” to process or examine a thing at the warrant premises before it can be moved does not allow consideration to be given to whether it would be more efficient or effective to process or examine the thing at another place. The existing provision reflects the difficulties involved in moving computers at the time it was enacted. Since then computers have become increasingly portable.
Item 6
This Item makes a minor amendment to subsection 3K(3) of the Crimes Act to replace the reference to “things” with references to “a thing”. The proposed amendment clarifies that section 3K allows “a thing” (singular) to be moved to another place for examination and processing.
Item 7
This Item inserts proposed new subsections 3K(3A), 3K(3B) and 3K(3C) into the Crimes Act. Proposed subsection 3K(3A) provides that a thing that is moved to another place for examination and processing under proposed subsection 3K(2) may only be moved to that other place for up to 72 hours. Proposed subsection 3K(3B) provides that the officer responsible for executing the search warrant may apply to an issuing officer for an extension of the 72 hour time period if he or she believes on reasonable grounds that the thing cannot be examined or processed within 72 hours. Proposed subsection 3K(3C) provides that the executing officer must give notice of the application for an extension of time to the occupier of the warrant premises and that the occupier is entitled to be heard by the issuing officer in relation to that application.
This Item amends subsection 3L(1) of the Crimes Act and inserts new
subsection 3L(1A).
Proposed subsection 3L(1) would clarify that the
existing power to operate electronic equipment on premises to find evidential
material includes material physically located away from the premises. An
executing officer or constable assisting would be able to use a computer on
search premises to access data held on computers situated elsewhere, where he or
she believes on reasonable grounds that data held on other computers may contain
evidential material of a kind covered by the search warrant. Although the
current provision arguably permits access to material not held on warrant
premises, the proposed amendment would ensure this is clearly stated in the
provision.
As most business computers are networked to other desktop computers and to central storage computers, files physically held on one computer are often accessible from another computer. In some cases these computer networks can extend across different office locations. Accordingly, it is critical that law enforcement officers executing a search warrant are able to search not only material on computers located on the search premises but also material accessible from those computers but located elsewhere.
An executing officer would not be required to notify operators of computers
not on search premises if data held on those computers is accessed under
warrant. The reasons for this are threefold. First, the existing search
warrant provisions do not require notification of third parties before searching
or seizing their material. Second, it is not practicable to impose a
notification requirement on investigating officers, as it will not always be
apparent when accessing data whether it is held on premises or off site. For
example, computer files accessible from a personal computer connected to a
network may be stored on a mainframe computer located elsewhere, but there may
be nothing that would indicate to a person accessing those files that they are
not held on the search premises. Third, aspects of the current provision are
arguably broader than the proposed provision. The existing subsection 3L(1)
permits an officer to operate equipment on site to see whether evidential
material is accessible by doing so. The provision only requires that the data
be accessible from equipment on site; it does not require that it be held on
site. In contrast, the proposed provision will only allow an officer to access
data if he or she believes on reasonable grounds that it may contain evidential
material.
Proposed subsection 3L(1A) would enable law enforcement
officers executing a search warrant to copy data held on any electronic
equipment or associated devices at search premises to a storage device where
there are reasonable grounds for suspecting that the data contains evidential
material. This will permit officers to copy all data held on a computer hard
drive or data storage device if some of the data contains evidential material or
if there are reasonable grounds to suspect the data contains evidential
material.
The existing provision only allows evidential material to be
copied (Crimes Act, paragraph 3L(2)(c)). Electronic equipment, such as a
computer hard drive, can hold large amounts of data. It is often not
practicable for officers to search all the data for evidential material while at
the search premises and to then copy only the evidential material which is
found. The proposed provision would allow officers to copy all the data on a
piece of electronic equipment (by imaging a computer hard drive for example) in
situations where an initial search of the data uncovers some evidential material
or where the officer believes on reasonable grounds that the equipment might
contain evidential material.
This Item amends paragraph 3L(2)(b) of the Crimes Act to remove the word
“or” from the end of the paragraph consequent upon the repeal of
paragraph 3L(2)(c) by Item 10.
This Item repeals paragraph 3L(2)(c) of the Crimes Act consequent upon
the insertion of proposed subsection 3L(1A) into the Crimes Act by Item 8.
This Item amends paragraph 3L(3)(a) of the Crimes Act consequent upon the
repeal of paragraph 3L(2)(c) and its replacement with subsection 3L(1A).
This Item inserts proposed new section 3LA into the Crimes Act. Proposed
section 3LA would enable a law enforcement officer executing a search warrant to
apply to a magistrate for an ‘assistance’ order. To grant the
order, the magistrate would have to be satisfied (i) of the existence of
reasonable grounds to suspect a computer on search premises contains evidence of
an offence; (ii) that the subject of the order is reasonably suspected of the
offence or is the owner of the computer or computer system, or a current
employee of the owner; and (iii) that the subject of the order has knowledge of
the functioning of the computer or system or measures applied to protect the
computer or system.
The person to whom the order is directed would be
required to provide the officer, to the extent reasonably practicable, with such
information or assistance as is necessary to enable the officer to access data
on the computer system, copy it to a storage device or convert it to documentary
form. For example, a person could be required to explain how to access the
system or to provide a password to enable access. The maximum penalty for
non-compliance with the order would be 6 months imprisonment. This is in line
with penalties in other Commonwealth legislation (for example, Companies Act
1981, subsection 14(5); Futures Industry Act 1986, subsection 15(5);
and Australian Securities and Investments Commission Act 1989, subsection
65(2)).
While there is no requirement to provide such assistance under
the existing Crimes Act search warrant provisions, assistance requirements are
common in Commonwealth regulatory legislation. Such a power is also contained
in the Cybercrime Convention being developed by the Council of Europe (Draft No.
25, Article 19).
This Item amends paragraph 3N(2)(a) of the Crimes Act consequent upon the
repeal of paragraph 3L(2)(c) and its replacement with subsection 3L(1A).
The provisions in the Customs Act relating to searches of electronic
equipment and associated devices are identical to the provisions in the Crimes
Act. The amendments to the Customs Act would ensure that the two sets of
provisions remain consistent. As the processing of imports and exports is
increasingly computerised, it is also important that the Customs Act provisions
are updated to enable effective searches of electronically stored
material.
This Item inserts a definition of the term data into section 4 of the Customs Act. The definition corresponds to the definition of “data” in the new computer offences.
This Item amends paragraph 67EU(1)(b) to remove the reference to
“programs”. The amendment is consequential upon the insertion of a
definition of “data” which includes “any program (or part of a
program)” into section 4 of the Customs Act by Item 14.
This Item amends subsection 67EU(1) to remove the reference to
“programs”. The amendment is consequential upon the insertion of a
definition of “data” which includes “any program (or part of a
program)” into section 4 of the Customs Act by Item 14.
This Item amends subsection 67EU(3) to remove the reference to a
“program”. The amendment is consequential upon the insertion of a
definition of “data” which includes “any program (or part of a
program)” into section 4 of the Customs Act by Item 14.
Item 18
This Item inserts a definition of the term data held in a computer into subsection 183UA(1) of the Customs Act. The definition matches the definition used in the new computer offences.
Item 19
This Item inserts a definition of data storage device in subsection 183UA(1) of the Customs Act. The definition corresponds to the definition used in the proposed computer offence provisions.
Item 20
This Item makes a minor amendment to subsection 2001(1) of the Customs Act to replace the references to “things” with references to “a thing”. The proposed amendment will make it clear that section 200 allows “a thing” (singular) to be moved to another place for examination and processing.
Item 21
This Item amends subsection 200(2) of the Customs Act. The
proposed amendment would allow a thing to be moved from the search premises to
another place for examination or processing without the occupier’s consent
where it is significantly more practicable than processing the thing at the
search premises and where there are reasonable grounds to believe that the thing
contains or constitutes evidential material. In determining whether it is
significantly more practicable to process or examine the thing at another place,
the executing officer or person assisting must have regard to the timeliness and
cost of processing or examining the thing at another place and to the
availability of expert assistance. In other words, the proposed amendment would
permit a thing to be moved to another place if it is significantly faster or
less costly to process or examine the thing at that other place or easier to
obtain expert assistance to process or examine the thing at the other
place.
As the use of computers becomes more widespread, it is becoming
increasingly common for information to be stored on computer hard drives,
computer disks or other storage devices. Searching computers and related disks
can be a difficult exercise. There can be technical problems in searching a
computer if the owner has taken steps to build in security measures such as
encryption. There may be multiple levels of password protection. The computer may
also be programmed to delete or alter data if the right password is not used.
In addition, given the large amount of information that can be stored on
computer hard drives and computer disks, it can be a time-consuming process to
search them for evidential material.
In cases which involve a large number of disks, for example, the most effective way of searching the disks may be to develop a search program to search the data on the disks, possibly after loading the data on the disks onto a single device. That process requires computing skills and cannot easily be done at search premises. Provision for moving computer equipment and disks off-site would allow the equipment or disks to be accessed or searched by an expert at premises properly equipped with external search equipment.
The existing subsection 200(2) only permits things at the warrant premises to be moved to another place to be examined or processed if it is not practicable to do so at the premises (or if the occupier of the premises consents). The existing provision is too restrictive. The requirement that it be “not practicable” to process or examine a thing at the warrant premises before it can be moved does not allow consideration to be given to whether it would be more efficient or effective to process or examine the thing at another place. The existing provision reflects the difficulties involved in moving computers at the time it was enacted. Since then computers have become increasingly portable.
Item 22
This Item makes a minor amendment to subsection 200(3) of the Customs Act to replace the reference to “things” with a reference to “a thing”. The proposed amendment will make it clear that section 200 allows “a thing” (singular) to be moved to another place for examination and processing.
Item 23
This Item inserts proposed new subsections 200(3A), 200(3B) and 200(3C) into the Customs Act. Proposed subsection 200(3A) provides that a thing that is moved to another place for examination and processing under proposed subsection 200(2) may only be moved for up to 72 hours. Proposed subsection 200(3B) provides that the officer responsible for executing the search warrant may apply to an issuing officer for an extension of the 72 hour time period if he or she believes on reasonable grounds that the thing cannot be examined or processed within 72 hours. Proposed subsection 200(3C) provides that the executing officer must give notice of the application for an extension of time to the occupier of the warrant premises and that the occupier is entitled to be heard by the issuing officer in relation to that application.
This Item amends subsection 201(1) of the Customs Act and inserts new
subsection 201(1A).
Proposed subsection 201(1) would clarify that the
existing power to operate electronic equipment on premises to find evidential
material includes material physically located away from the premises. An
executing officer or person assisting would be able to use a computer on search
premises to access data held on computers situated elsewhere, where he or she
believes on reasonable grounds that data held on other computers may contain
evidential material of a kind covered by the search warrant. Although the
current provision arguably permits access to material not held on warrant
premises, the proposed amendment would ensure this is clearly stated in the
provision.
As most business computers are networked to other desktop
computers and to central storage computers, files physically held on one
computer are often accessible from another computer. In some cases these
computer networks can extend across different office locations. Accordingly, it
is critical that law enforcement officers executing a search warrant are able to
search not only material on computers located on the search premises but also
material accessible from those computers but located elsewhere.
An executing officer would not be required to notify operators of computers
not on search premises if data held on those computers is accessed under
warrant. The reasons for this are threefold. First, the existing search
warrant provisions do not require notification of third parties before searching
or seizing their material. Second, it is not practicable to impose a
notification requirement on investigating officers, as it will not always be
apparent when accessing data whether it is held on premises or off site. For
example, computer files accessible from a personal computer connected to a
network may be stored on a mainframe computer located elsewhere, but there may
be nothing that would indicate to a person accessing those files that they are
not held on site. Third, aspects of the current provision are arguably broader
than the proposed provision. The existing subsection 201(1) permits an officer
to operate equipment on site to see whether evidential material is accessible by
doing so. The provision only requires that the data be accessible from
equipment on site; it does not require that it be held on site. In contrast,
the proposed provision will only allow an officer to access data if he or she
believes on reasonable grounds that it may contain evidential
material.
Proposed subsection 201(1A) would enable law enforcement
officers executing a search warrant to copy data held on any electronic
equipment or associated devices at search premises to a storage device where
there are reasonable grounds for suspecting that the data contains evidential
material. This will permit officers to copy all data held on a computer hard
drive or data storage device if some of the data contains evidential material or
if there are reasonable grounds to suspect the data contains evidential
material.
The existing provision only allows evidential material to be
copied (Customs Act, paragraph 201(2)(c)). Electronic equipment, such as a
computer hard drive, can hold large amounts of data. It is often not
practicable for officers to search all the data for evidential material while at
the search premises and to then copy only the evidential material that is found.
The proposed provision would allow officers to copy all the data on a piece of
electronic equipment (for example by imaging a computer hard drive) in
situations where an initial search of the data uncovers some evidential material
or where the officer believes on reasonable grounds that the equipment might
contain evidential material.
This Item amends paragraph 201(2)(b) of the Customs Act to remove the
word “or” from the end of the paragraph consequent upon the repeal
of paragraph 201(2)(c) by Item 26.
This Item repeals paragraph 201(2)(c) of the Customs Act consequent upon
the insertion of proposed subsection 201(1A) into the Customs Act.
This Item amends subsection 201(3) of the Customs Act consequent upon the
repeal of paragraph 201(2)(c) and its replacement with subsection
201(1A).
This Item inserts proposed new section 201A into the Customs Act.
Proposed section 201A would enable a law enforcement officer executing a search
warrant to apply to a magistrate for an ‘assistance’ order. To
grant the order, the magistrate would have to be satisfied (i) of the existence
of reasonable grounds to suspect a computer on search premises contains evidence
of an offence; (ii) that the subject of the order is reasonably suspected of the
offence or is the owner of the computer or computer system, or a current
employee of the owner; and (iii) that the subject of the order has knowledge of
the functioning of the computer or system or measures applied to protect the
computer or system.
The person to whom the order is directed would be
required to provide the officer, to the extent reasonably practicable, with such
information or assistance as is necessary to enable the officer to access data
on the computer system, copy it to a storage device or convert it to documentary
form. For example, a person could be required to explain how to access the
system or to provide a password to enable access. The maximum penalty for
non-compliance with the order would be 6 months. This is in line with penalties
in other Commonwealth legislation (for example, Companies Act 1981,
subsection 14(5); Futures Industry Act 1986, subsection 15(5); and
Australian Securities and Investments Commission Act 1989, subsection
65(2)).
While there is no requirement to provide such assistance under
the existing Crimes Act search warrant provisions, assistance requirements are
common in Commonwealth regulatory legislation. Such a power is also contained
in the Cybercrime Convention being developed by the Council of Europe (Draft No.
25, Article 19).
This Item amends subsection 202(1) to remove references to a
“program”. The amendment is consequential upon the insertion of a
definition of “data” that includes “any program (or part of a
program)” into section 4 of the Customs Act by Item 14.
This Item amends paragraph 202A(2)(a) of the Customs Act consequent upon
the repeal of paragraph 201(2)(c) and its replacement with subsection
201(1A).
This Item provides that the amendments made by this Schedule apply only
to search warrants that are issued after the commencement of this Schedule.