Law in the Information Age
Cybercrime
Different types of crimes, discuss the issues (legal and otherwise).
In-class exercises.
Types
- Access related crimes
- Cyber pornography
- Digital Signature related crimes
- Tampering with computer source code
- Digital Evidence
- Adjudication & Investigation issues
- predatory stalking
- hacking
- malware (including viruses and worms)
- fraud against individuals or companies
- cyberterrorism.
Links
'Cyber Crime,' The Law Report, ABC Radio National, 16 November 2004
http://www.abc.net.au/cgi-bin/common/printfriendly.pl?http://www.abc.net.au/rn/talks/8.30/lawrpt/stories/s1243620.htm
Dr Adam Graycar, 'Nine types of cybercrime', Director, Australian Institute of Criminology, Speech at Cyber Crime: Old Wine in New Bottles?, Centre for Criminology, The University of Hong Kong, 24 February 2000
http://www.aic.gov.au/conferences/other/graycar_adam/2000-02-cybercrime.html
ZDNet Australia 10 May 2006
http://www.zdnet.com.au/insight/security/print.htm?TYPE=story&AT=139255969-139023764t-110000105c
Examples
1) Cyber-stalking / bullying
The American case of Lori Drew. She impersonated her daughter, sent abusive messages to her daughter's friend, and eventually the girl committed suicide.
She was prosecuted under a hacking provision - unauthorised modification of a computer or data - because the state did not have any stalking criminal provisions, or anything similar.
Discussion Question: Does it seem appropriate to use hacking provisions for such cases? Is new criminal law needed?
2) Child Pornography
http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html
The Simpsons reference. Head into whether animated child pornography should be included. Divide the class up into groups and have them debate the topic.
3) Online Fraud
Go to the Zango video of "Paris Hilton Striptease". (use Google)
WARNING - MAKE SURE YOUR VIRUS AND MALWARE PROTECTION IS UP TO DATE!
Try to download the video.
Look at the terms and conditions.
Note the provisions which tell you that the information will be shared for internal marketing purposes, etc.
Ask what this means.
Answer - they can:
- collect information and track your use of the Internet (adware and spyware)
- alter your browser's security settings to enable criminals to install malicious software
- when you download the video, a Trojan is also installed automatically; it is backed by organised crime groups who capture your passwords, usernames and other personal information to build a dossier on you (sometimes for stealing online bank account details, etc., but mostly left dormant for later, unknown uses)
- often your computer will become part of a botnet which is used to facilitate new cybercrime
4) Criminalization of copyright (illegal P2P)
- copyright law doesn't cover P2P explicitly
- should it?
- France's example: 3 strikes and you're out
(issued two warnings by ISPs, then after third, you are not able to use a French ISP again and you are issued a fine)
5) General role of ISP - "common carrier" - is it under threat?
- danger of private corporate parties being delegated policing activities
6) Internet Filtering Regime
http://cyberlawcentre.org/2008/censorship/ - see References section
----------
Cybercrime Act 2001
The Cybercrime Act 2001 made a range of amendments to the Criminal Code Act 1995 to update the computer offences, in ways based on the joint Commonwealth, State and Territory Model Criminal Code Damage and Computer Offences Report (January 2001), along with other changes to authorise certain intelligence activities. Some are concerned at the broad language of the Act and the possible abuse of its provisions by security agencies.[66]
We do not suggest that the introduction of the Cybercrime Act was quite as directed to short term political goals as the Federal censorship and gambling controls. The Act does make some substantive improvements. However, no doubt it is also intended to fulfill something of a similar symbolic role in painting cyberspace as a more regulated and safer place to inhabit. Also, it may be that in the rush to push through amendments the new laws were not as well considered or crafted as they might have been.
For example, one of the many things apparently targeted by these amendments was the problem of so called "denial of service" attacks.[67] These forms of attack on websites often involve the unknowing co-option through rogue software of hundreds or thousands of "innocent" computer systems to bombard a website with so many information requests that the increased traffic denies access by "legitimate" users. They go under appropriately crypto anarchic/new age descriptions such as "Tribal Flood Network". Such attacks are very hard to guard against as it may be virtually impossible to discriminate between legitimate and illegitimate access requests.[68]
However, as intimated above, there are a wide range of activities that could come within the ambit of the description of "denial of service" attacks, from co-ordinated but manual flooding of a website with queries or requests of varying types by, for example, environmental or anti-globalisation lobby groups, right through to a clandestine and fully automated distributed denial of service attack under which a range of innocent host computers are hijacked by "trojan horse" software and used by the attacker in a deliberate attempt to take a particular website offline (from commercial or other motivations).[69]
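The difficulty described above, that a site operator cannot easily tell a distributed flood from legitimate load, can be seen in access logs. The following Python is added here as an illustration and is not part of the original notes: it counts requests per source over a one-second window against constructed log lines, so that a burst from one host is flagged while a distributed burst of the same total volume, spread across many hosts, trips no per-source threshold at all.

```python
from collections import defaultdict

# Constructed access-log lines ("epoch_seconds client_ip path"), illustrative
# only; they are not taken from the page or from any real server.
SINGLE_SOURCE_BURST = [
    "1000.0 198.51.100.7 /",
    "1000.1 198.51.100.7 /",
    "1000.2 198.51.100.7 /",
    "1000.3 198.51.100.7 /",
    "1000.4 203.0.113.9 /about",
]
DISTRIBUTED_BURST = [
    "1000.0 198.51.100.1 /",
    "1000.1 198.51.100.2 /",
    "1000.2 198.51.100.3 /",
    "1000.3 198.51.100.4 /",
    "1000.4 203.0.113.9 /about",
]

def parse(lines):
    """Turn 'time ip path' lines into (time, ip) tuples, skipping malformed ones."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].replace(".", "", 1).isdigit():
            entries.append((float(parts[0]), parts[1]))
    return entries

def peak_in_window(times, window):
    """Largest number of timestamps falling within any span of 'window' seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def total_peak(entries, window=1.0):
    """Busiest load on the site in any window, regardless of who sent the requests."""
    return peak_in_window([t for t, _ in entries], window)

def flag_sources(entries, threshold=3, window=1.0):
    """Sources exceeding 'threshold' requests in any window. A distributed flood
    spreads its load thinly enough that no single source trips this check."""
    by_ip = defaultdict(list)
    for t, ip in entries:
        by_ip[ip].append(t)
    return sorted(ip for ip, ts in by_ip.items()
                  if peak_in_window(ts, window) > threshold)
```

Both constructed logs place the same five requests on the server within one second, yet only the single-source log yields a flagged address.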
The discussion in the Explanatory Memorandum about the relevant new provision (477.3) does not discuss these complexities but simply describes its purpose as follows:
"This proposed offence is designed to target tactics such as 'denial of service attacks', where an e-mail address or web site is inundated with a large volume of unwanted messages thus overloading the computer system and disrupting, impeding or preventing its functioning. The proposed offence would extend to situations where a person impairs a computer 'server', 'router' or other computerised component of the telecommunications system that relays or directs the passage of electronic communications from one computer to another."
The relevant provisions inserted into the Criminal Code are as follows:
"477.3 (1) A person is guilty of an offence if:
(a) the person causes any unauthorised impairment of electronic communication to or from a computer; and
(b) the person knows that the impairment is unauthorised; and
(c) one or both of the following applies:
(i) the electronic communication is sent to or from the computer by means of a telecommunications service;
(ii) the electronic communication is sent to or from a Commonwealth computer."
"476.2 (1) In this Part the impairment of electronic communication to or from a computer by a person is unauthorised if the person is not entitled to cause that impairment.
(2) Any such impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.
(3) For the purposes of an offence under this Part, a person causes any such impairment if the person's conduct substantially contributes to it."
Obviously a lot hinges around the interpretation of the highlighted element above - whether or not the person is "entitled" to cause the impairment. The difficulty here is in applying this to the context of denial of service attacks (of which there are many different kinds, as noted above). But if all a person engaged in such "attacks" is doing is communicating with a website deliberately open to the public, with explicit avenues for such communication, then it seems hard to say that such a person is clearly not "entitled" to engage in such activities (whether or not there may be a simultaneous overflow in the ability of the website to process those communication requests).
Also, interestingly, while it does not discuss "unauthorised" acts in detail, the Explanatory Memorandum also includes the following discussion about 477.3:
"The proposed offence would only apply to unauthorised impairment. Consequently, the offence would not apply, for example, to a refusal by an Internet Service Provider (ISP) to carry certain types of electronic communications traffic on its network if such a refusal is pursuant to a contractual arrangement or an agreement between the ISP and users of the service."
This raises a number of interesting further questions. For instance, it would appear that the "authorisation" can be given by a person other than the operator of an affected website - eg one that was indirectly excised or censored out of access due to a contractually authorised technical measure, for example some blacklisting activities directed against servers allegedly used for "spamming" purposes. But it would also imply that those measures need contractual authorisation by the network users and cannot be implemented as a technical block alone. Of course whether the gloss put on these provisions by the Explanatory Memorandum is reflective of the actual provisions is another matter.
Cybercrime Convention
In 2001 the Council of Europe concluded the text of a Convention on Cybercrime. This convention focuses on international regulatory co-operation, enforcement mechanisms and expedited extradition procedures to combat cybercrime, rather than introducing too much new model substantive law.
It is intended to harmonize the computer crime laws of the members of the Council (but is also open to other countries). It contains many controversial elements expanding surveillance powers and limiting encryption, anonymity, and security tools. Some of its controversial elements include:
- provisions to force service providers[73] to either capture content themselves by building in surveillance capabilities, or to "cooperate and assist" with authorities in doing so;
- criminalising "illegal devices," such as software which can be used for hacking purposes (and permitting extradition for these offences);
- provisions allowing government agents to force disclosure of computer system functioning or encryption of data.
There have now been additional draft protocols released in relation to the Convention, in relation to matters such as the criminalisation of racist or xenophobic acts committed through computer systems, and terrorist messages.
The Convention illustrates a widespread recognition that the Internet raises special needs for prompt and internationally co-ordinated responses to threats. In its emphasis on improving the mechanisms for such co-operation, and also in its support for technical controls and forensic data collection rather than substantive law changes, it also shows a recognition that it is in these other areas that initial attention might be best directed in attempting to confront Internet threats.
5.3 US Action
This is a new focus for legislative activity in the wake of the September 11, 2001 attacks and concerns about the vulnerability of information infrastructures to attack. In the US we have seen the passage of the USA Patriot Act which contains specific provisions directed against acts of cyberterrorism (eg section 814). There is also the US Cyber Security Enhancement Act of 2001, as well as relevant prior US legislation such as the National Information Infrastructure Protection Act of 1996.
However, the US is not simply relying on the passage of new provisions outlawing such conduct - some of these new laws and other executive actions are allocating very significant resources to the development of technical responses and enforcement action.
-----