IS3532 - Lecture 10

Legal Control of Computer Crime

Information Management and Computer Security, 3, 2, 13-19, 1995

Introduction

Hacking and computer viruses - 2 of the more fashionable activities under the computer crime umbrella.

In some countries they may not be criminal acts due to the lack of legislation outlawing such activities.

This is particularly true in the Asia Pacific region.

Definitions

No precise definition of computer crime, but includes both criminal and antisocial activities, for example computer fraud, computer abuse and software piracy.

Computer Fraud - wilful misrepresentation with intent to gain unlawfully or to cause others to lose.

Fraud - a means to another end

Computer Abuse - certain types of abusive misuse of computer resources, viz. hacking (unauthorised use and access of computer resources), unauthorised modification of data, propagation of computer viruses,…

Abuse - an end in its own right

Piracy - unauthorised copying and distribution of proprietary software. - cf. Intellectual property law.

HK Govt Computer Crimes Ordinance established in April 1993.

New criminal offences involving use of computers

Unauthorised access/hacking ($20,000)

even just trying to log on.

must be through telecommunications (i.e. cannot be voice or retina activated)

must be knowingly unauthorised, i.e. not innocent/accidental

if the accused does not “know” or “believe” that the access is unauthorised, guilt is hard to prove

Tampering with Computers, Programs, Data (10 years)

causing a computer not to function normally

altering or deleting any program or data held in any form/medium

adding any program/data to a computer or other storage medium.

Irrelevant whether or not the computer functions better or worse as a result.

Intention is a necessary condition here for prosecution, i.e. not inadvertent or accidental modification

Defence?

Defence possible if accused believes s/he either had already been given permission to do the activities, or would have been given that permission if s/he asked for it and if the authorising person knew all the circumstances of the activities.

A genuine belief is enough, even if the belief seems unreasonable.

Other Aspects

Threatening to do an activity is illegal

Possessing something with which to do an illegal activity, e.g. possessing a virus-infected disk with the intent to copy data from the disk (even if the accused had no knowledge of the virus’ existence as this equates to recklessness).

Accessing a computer with the intent to commit further or subsequent crimes.

Even if the access is authorised, the intent to commit crimes is illegal. (5 years)

Trespassing with the intent to commit a crime with computers (14 years)

But trespass must be in a fixed and permanent structure, i.e. not a tent or portable toilet

A key problem in the IS security area is that crimes are often not reported by management which fears losing its credibility with its customers and exposing internal IS security weaknesses.

Reporting and prosecution of such cases is essential if legal deterrents are to work. Such reporting should be incorporated into company policies, even if there is no legal obligation to make such reports.