As mandated by Commonwealth Law Ministers, an expert working group (the Group) met in London on July 10-14, 2000 to consider a proposed Model Law for computer and computer-related offences, as well as recommendations for international co-operation in relation to computer crime and associated matters, digital forensic evidence and general recommendations regarding these issues. In analysing the issues, the Group considered material generated in other international fora, as well as existing legislation in various countries. Particular regard was given to the Draft Convention on Cyber-crime prepared by a Committee of Experts on Crime in Cyber-Space, established by the European Committee on Crime Problems of the Council of Europe.1Page 33
The Group considered the legal framework necessary to combat computer abuse, outlining the necessary content of a model law.
The Group recommended that the Model Law should contain the following substantive criminal offences.
Offence to intentionally, without lawful excuse or justification2, access the whole or any part of a computer system.
The Group was of the opinion that this offence is central to an effective law to combat computer crime. The offence is important in several respects. It is analogous to an offence of "break and enter" as it involves accessing private "premises" without excuse or justification. Viewing it as such, the offence provides protection against unlawful violations of the privacy rights that attach to computer systems and data. In addition to the direct harm that can be occasioned from this offence, there is also the potential for other damage, intentional and unintentional, arising from the unlawful access. Many recent highly public instances of "computer hacking" illustrate the potential for very serious results arising from such activity. By criminalising this activity, the aim is to prevent not only that harmful conduct in itself but also the possible related damage to computer systems that can be occasioned by the unlawful access. For these reasons, the Group recommended this offence as a key component of any law relating to computer crime.
In considering this offence, the Group deliberately decided to recommend an offence of illegal access without any qualification with respect to the purpose or intent of the access. Consideration was given to additional offences such as access with the intent to obtain information or with intent to commit one of the otherPage 34 offences outlined in the Model Law. However, there was concern that the inclusion of such offences, particularly as aggravated forms of illegal access, could impair the effectiveness of the general access offence. The Group was of the view that the offence of illegal access, in and of itself, should be regarded as a serious offence, irrespective of the purpose of the access. The example was given that accessing the national security or defence system of a country was a serious offence, even without an intention to take information or commit other offences in light of the potential for significant consequences, whether intended or unintentional, occurring as a consequence of the unlawful access.
The Group was of the opinion that the purpose or other circumstances that may aggravate or mitigate the offence should be addressed by way of sentence. Therefore, for this particular offence, the Group specifically recommended a wide penalty range, with an adequate maximum, which would be flexible enough to allow for sufficient penalties in relation to the different cases that may be brought before the court under this provision.
Offence to intentionally or recklessly, without lawful excuse or justification:
a. destroy or alter data;
b. render data meaningless, useless or ineffective;
c. obstruct, interrupt or interfere with the lawful use of data; or
d. obstruct, interrupt or interfere with any person in the lawful use of data or deny access to data to any person entitled to it on a temporary or permanent basis.
The Group was of the view that an offence of data interference was essential to an effective regime relating to computer crime. The world is becoming increasingly dependent on computer data for the most essential services. Therefore, the destruction, alteration etc. of data is of significant concern, due to the potential severe consequences. The Group was of the view that not only should such an offence be included, it should be of sufficient scope, so as to cover the various forms of interference with data. This would include interference with the use of, or denial of access to, data. Consideration was given to how best to frame the offence to insure that it would be sufficient in this regard. The Group examined the Council of Europe3text, as well as the Canadian 4and UK legislation 5in order to arrive at the formulation outlined above. Various types of interference are listed and thePage 35 proposed offence would apply to an effect of a temporary or permanent nature.
An important consideration that was discussed at some length was the nature of the mens rea applicable to this offence. The Group was of the view that this offence should go beyond intentional acts to include recklessness because of the very serious nature of the possible offences. The Group concluded that such a standard would not be inappropriate to impose on those who are dealing with computer data. The offences are similar in nature to traditional offences of mischief or causing criminal damage, which can be committed recklessly. The proposed offence therefore includes a mens rea of intention and recklessness.
Offence to intentionally or recklessly, without lawful excuse or justification, hinder or interfere with the functioning of a computer system or hinder or interfere with a person who is lawfully using or operating a computer system.6
As with data interference, a separate offence addressing interference with a computer system was considered to be essential. The Group considered whether the offence provision should contain a list of the types of predicate actions in relation to data that would constitute hindering, such as that incorporated in the Council of Europe draft convention7. Such a list has both advantages and disadvantages. The list would provide some guidance for those investigating, prosecuting or hearing cases as to the intended meaning of the section. However, any form of example, even if not exhaustive, may be interpreted as a limitation on the scope of the provision. The Group decided to recommend an offence provision that referred to hindering or interfering, without a list of specific predicate acts, to avoid the offence being narrowly construed. At the same time, a footnote was included to capture examples of what is intended.
The Council of Europe text also limits the application of the offence to "serious" hindering. The Group considered that such a qualification was unnecessary and could prevent the offence from applying to the full range of possible harmful conduct. Gravity of the offence could be addressed in charging practices or sentences.
Consideration was also given to the need to cover not only direct actions against the computer system but also actions that prevent a person from using the system. An example posed was the situation of a lawful user on a remote terminalPage 36 who is cut off from the main system, which still functions. As it was considered important to cover both situations, the recommended provision reflects both direct and indirect actions.
Because the offences of data interference and system interference are analogous and inter-related, the Group felt it was appropriate to have the same mens rea for both offences. Thus, here again the offence includes intention and recklessness for the mental element.
(1) An offence to intentionally, without lawful excuse or justification, produce, sell, procure for use, import, export, distribute or otherwise make available:
(a) a device, including a computer program, designed or adapted for the purpose of committing offences as outlined in sections 1 -3 and 5;
(b) a computer password, access code or similar data by which the whole or any part of a computer system is capable of being accessed with the intent that it be used by any person for the purpose of committing the offences established in sections 1-3 and 5.8
While very few countries have legislation addressing specifically the use of illegal devices, experience with technology has demonstrated the importance of including such an offence. In formulating the proposed offence, consideration was given to the Council of Europe text9as well as the Canadian legislation.10The Group was of the view that this offence should be broad enough in scope to capture the full range of illegal devices that can be used in relation to computer offences, covering hardware and software, codes and passwords and the various means of dissemination of such devices. The Group was of the opinion that the Council of Europe text...