Unauthorised or unsolicited access to, and use of, a person’s or company’s computer networks and databases is against the law. Common examples of unauthorised access to computer networks and databases take the form of “hacking”, “phishing” and “phreaking”.
While phreaking is a telecommunications related crime more prevalent in the 1960s and 1970s, it can still be committed today in relation to new and emerging technology. Hacking is a relatively new area of criminal activity even though it too occurred in the early days of the internet. The reason why it has become associated with a more modern type of cybercrime is due to the rapid growth of computer use and programming delinquency over the last couple of decades.
Accordingly, the case-law for each field is relatively minimal at present. However, the amount of commerce and communication that is conducted online today suggests that this will be a rapidly expanding area of legal practice. The matters that arise under this area of the law can be closely related to legal principles relating to criminal fraud. More information can therefore be found in our section of “Internet Fraud”.
There are two major legislative schemes that address matters relating to unauthorised or unwelcome access and use of a computer or computer database. These establish the legal framework for the jurisdictions of the Commonwealth and the state of New South Wales. Both are applicable to the extent that they are not inconsistent, and both can inform one another when new concepts need to be defined or addressed. The common law will of course add to the body of law that outlines the rights and liabilities of individuals working in the IT industry or otherwise operating in cyberspace.
The Crimes Act 1900 (NSW) contains provisions relating to cybercrime. These apply to crimes that are committed within the state jurisdiction but can also relate to matters that involve extra-jurisdictional activities. This is not unusual for Internet related crimes as there are obviously no physical borders online. The provisions in the Crimes Act relate to the following:
- Section 308C, unauthorised access, modification or impairment with the intent to commit a serious indictable offence;
- Section 308D, unauthorised modification of data with the intent to cause an impairment;
- Section 308E, unauthorised impairment of electronic communication;
- Section 308F, possession of data with the intent to commit a serious computer offence;
- Section 308G, the production, supply or obtaining of data with the intention to commit a serious computer offence;
- Section 308H, unauthorised access to or modification of restricted data held in a computer; and
- Section 308I, unauthorised impairment of data held in a computer disk or some other storage device.
The Criminal Code, which was passed as a schedule to the Criminal Code Act 1995 (Cth) and was amended by the Cybercrime Act 2001 (Cth), contains provisions that provide guidance when dealing with some matters pertaining to cyberspace and the Internet. The Criminal Code makes provision for the following offences:
- Article 477.1, unauthorised access, modification or impairment with the intent to commit a serious offence under Commonwealth, State or Territory laws;
- Article 477.2, unauthorised modification of data to cause an impairment;
- Article 477.3, unauthorised impairment of electronic communication;
- Article 478.1, unauthorised access to or modification of restricted data;
- Article 478.2, unauthorised impairment of data held on a computer disk or other storage device;
- Article 478.3, possession or control of data with the intent to commit a computer offence under article 477; and
- Article 478.4, the production, supply, or obtaining of data with the intention to commit a computer offence under article 477.
This area of law concerns fraud and therefore the common law principles relating to criminal and other fraudulent activity. It may also cross over into privacy, theft, and the potential violation of intellectual property rights. These further matters may need to be borne in mind when dealing with computer crime and cyber law issues. Our legal team can assist with all of these areas.
Other relevant information can be found in our section concerning the Spam Act 2003 (Cth) under our “Spam Act” section.
In simple terms, “hacking” means the act of accessing a private or restricted computer database or network by circumventing its security systems, and doing so without authorization or legitimate right. A “hacker” can also refer to an individual who has a distributionist approach to computer software and who actively campaigns for the free movement of computer programmes. According to the Australian Institute of Criminology:
Perhaps in view of the ambiguity attached to the term hacking, it is not used in the substantive offence provisions (however, the heading of the Queensland provision does refer to computer hacking and misuse). Relevant offences do not rely on or define the term hacking. In each jurisdiction except Tasmania anti-hacking laws criminalise hacker behaviour by reference to the intention (or recklessness) of the hacker, or instances where restrictions on data access are breached by a hacker. [1]
A recent and high profile case conducted by the Australian Federal Police found that traditional methods of investigation were still relevant in obtaining prosecutions for hacking offences. In 1998, the AFP reported that:
while the traditional methods of investigation and the usual protocol for court may seem to be outmoded in a “hacking” investigation, it was significant that tangible and traditional evidence – fingerprints – was a major factor in linking the suspect with the crime, and the “victim impact statements” form a strong part of the Crown’s case. [2]
Nevertheless, the nature of the crime will naturally involve the use of high-level technical expertise from investigative authorities, and the evidentiary burden of the prosecution may involve intangible evidence obtained from internet service providers and other parties that may have information that records or casts light on the activities of hackers and their identity. Sometimes, expert evidence may need to be used in Court proceedings. This is a highly technical area of litigation and obtaining the right legal advice and assistance is crucial. If you require the services of a hacking lawyer or lawyer for your hacking matter, you may wish to contact our firm and ask to speak to a member of our cyberlaw and marketing law team.
[1] Australian Institute of Criminology, “Hacking Offences” High Tech Crime Brief (No. 0074, 2005)
[2] Janice Jarrett, “AFP computer crime team investigation leads to first jail sentence for computer hacking” Platypus Magazine (June 1998) <www.afp.org.au> (accessed online 19 December 2012)
“Phreaking” was a term once used to describe the act of gaining access to a telephone network via the use of a “blue box”, “red box”, “beige box”, “clear box” or a “black box” so as to be able to use a telecommunications service without paying or tracing. Since the advent and increasing use of computer technology for communications, the definition of phreaking has evolved and assumed a somewhat different meaning. According to “TechTerms”:
Phreaking has evolved over the past several decades along with telecommunications technology. In the 1980s and 1990s, phreaks began using modems to access computer systems over telephone lines. Once connected via modem, tech-savvy users could access private data or exploit computers connected on the local network. This activity also faded out around the turn of the century as dial-up modems were replaced by DSL and cable modems and new security measures were put into place. While phreaking still exists, it is much less common than other types of computer hacking. [1]
Today, broadly speaking, phreaking involves the use of computer systems to fool an exchange into thinking that a call is being made by a third-party telephone account. Phreaking can also be used as a term to identify activity that reflects the same methodology once used in respect of telephone communication but is applied today to communication between and within computer networks. To the extent that the term has any specific meaning as denoting a unique form of cybercrime, it may still fall under various provisions of statute or common law prohibiting that activity as a subset of hacking or fraud. Our cyberlaw team is able to provide you with the assistance of a phreaking lawyer, who is able to provide legal assistance in this rather complicated area of the law.
[1] TechTerms, “Phreaking” <www.techterms.com> (updated 30 April 2010; accessed 19 December 2012)
The term “phishing” refers to the act of causing an electronic communication to be made to a third party, where the communication gives the impression that its source is some legitimate body, whereas in reality the source is a fraudster seeking to acquire personal information for an ulterior purpose. That information can often be of a banking or financial nature such as credit card numbers or accounts and account related details.
The most common form of phishing will be an email, purportedly from a banking institution, lottery, or some overseas interest, which either warns of some problem with the recipient’s bank account, notifies the recipient that he or she has apparently won some money, or makes some other gratuitous offer, requiring the recipient to click on a link and provide personal details to either fix the alleged problem or claim the prize or offer. Russell Kay of Computerworld writes that:
Phishing (sometimes called carding or brand spoofing) uses e-mail messages that purport to come from legitimate businesses that one might have dealings with -- banks such as Citibank; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo and EarthLink; online retailers such as Best Buy; and insurance agencies. The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity against them. [1]
A phishing exercise can be very sophisticated and cunning, but most are relatively easy to unmask. Common ways of discovering that an email is phishing may be:
- The fact that the recipient of the email has had no prior dealings with the purported source of the email;
- The fact that the email seems to be drafted in an unprofessional manner;
- The fact that the email may appear to look too insistent in the manner in which it has been presented;
- The fact that the link may redirect to another server that does not contain the purported source’s domain name, or is a domain name that is unfamiliar; and
- The fact that the email may have an odd looking attachment, such as an HTML document, a zip file or something that is unexpected or unusual.
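The link and attachment checks in the list above can be automated. The following is an added example, not part of the original page: it flags links whose host is not the purported sender's domain (or a subdomain of it) and attachments of the types the list names. The function names, addresses and domains are constructed for illustration, and the check reads the literal link only; it does not follow redirects.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".html", ".htm", ".zip")  # attachment types named in the list above

def host_matches(host, domain):
    """True only if host is the sender's domain or a subdomain of it.
    A substring test would wrongly accept 'bank.example.evil.test'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw_message):
    """Return findings for one raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw_message, policy=policy.default)
    # The From header is only the *purported* source and can itself be forged;
    # this check tests whether the links are consistent with that claim.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment:{filename}")
        elif part.get_content_maintype() == "text" and not filename:
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                host = urlparse(url).hostname or ""
                if not host_matches(host, sender_domain):
                    findings.append(f"link:{host}")
    return findings

def build_sample():
    """Constructed sample message; every name and domain here is made up."""
    m = EmailMessage()
    m["From"] = "Example Bank <security@examplebank.example>"
    m["To"] = "customer@mail.example"
    m["Subject"] = "Urgent: verify your account"
    m.set_content(
        "Your account is locked. Verify at\n"
        "http://examplebank.example.verify-login.test/session\n"
        "Help: https://www.examplebank.example/help\n"
    )
    m.add_attachment(b"PK\x05\x06" + bytes(18), maintype="application",
                     subtype="zip", filename="statement.zip")
    return m.as_string()

if __name__ == "__main__":
    for finding in phishing_indicators(build_sample()):
        print(finding)
```

The lookalike host in the sample begins with the bank's domain name yet belongs to a different domain, which is why the comparison is made on the end of the host name rather than by substring.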
Phishing is an act of fraud and is illegal. In the event that you have been the victim of phishing, it is important that:
- You do not click on any links in the email and do not, under any circumstances, open any attachments to that email;
- The email and any responses to it (in the unfortunate event that you may have replied to the email) must not be destroyed because the electronic form of these files can contain information that might be used to trace the source of the fraudster;
- You obtain legal representation to ensure that your bank is immediately notified of the phishing and its result; and
- You may contact a phishing lawyer who can advise you on your rights and make representations to any investigative and prosecutorial authorities.
Victims of phishing should not delay any steps in resolving their matter. In the unfortunate event that personal information may have been acquired under false pretences by a third party fraudster, it is beneficial to obtain legal advice and ensure that bank account and financial assets are secured from interference.
[1] Russell Kay, “Quick Study: Phishing” Computerworld (19 January 2004) <www.computerworld.com> (accessed 19 December 2012)
Part 6 of the Crimes Act 1900 (NSW) contains provisions relating to computer offences. The relevant sections largely reflect the Commonwealth provisions (described below). The scope of the legislation can be found in the definition of terms such as “data” and “data held in a computer” in section 308:
Data includes:
- Information in any form; or
- Any program (or part of a program).
Data held in a computer includes:
- Data entered or copied into the computer,
- Data held in any removable data storage device for the time being in the computer, or
- Data held in a data storage device on a computer network of which the computer forms part.
Section 308A provides further clarification for the kind of activity that the law applies to, specifically to “access”, “modification” and “impairment”. Accessing data essentially means displaying the data on any output device, copying or moving it within the computer or onto a storage device or the execution of a programme. Modification means alteration, removal or addition to data. Impairment means to prevent communication or hindering it.
In relation to “unauthorised access, modification or impairment”, under section 308B an action is unauthorised if the person committing the access, modification or impairment was not “entitled” to commit the act. This is also referred to as an “unauthorised computer function”. Under the legislation, it is an offence to make an unauthorised computer function with the intention to commit a serious indictable offence. Similar offences also exist under the Act in respect of modification of data intending to cause an impairment (section 308D), impairment of electronic communication (section 308E), the possession of data (section 308F), producing, supplying and obtaining data (section 308G), access or modification to restricted data (section 308H) and impairment of data held on a computer disk, credit card or other such device (section 308I).
The offences under sections 308F and 308G require proof that the accused party intended to commit a serious computer offence. Offences under sections 308H and 308I are summary offences. All the offences under these sections require proof that the action taken was unauthorised. Proper authorisation is therefore a complete defence to any claim under these provisions.
On the face of it, the Commonwealth Criminal Code provides a mechanism through which a hacking offence can be prosecuted. Part 10.7 specifically deals with computer offences. Under article 476.1, the phrase “access to data held in a computer” is defined as:
- The display of the data by the computer or any other output of the data from the computer;
- The copying or moving of the data to any other place in the computer or to a data storage device; or
- In the case of a program—the execution of the program.
This means that access is established when evidence is shown that some output has been displayed on another computer, or when certain files are moved even if only within the computer which is being accessed, or the running of a programme. Likewise, the term “modification” is defined as:
- The alteration or removal of the data; or
- An addition to the data.
This means that any changes that are made to any data on a computer, either by alteration, removal or addition thereto, will be a modification to that data. Arguably, phishing and phreaking do not necessarily appear to involve accessing computer data to the same degree as hacking, nor do they necessarily involve the modification, impairment or control of that private or restricted data – but depending on the systems they use to perform their operations on or from a victim’s computer, they certainly could.
In any event, under article 478.4 of the Criminal Code, a person may be guilty of an offence if he “produces, supplies or obtains data” with the intention that that data be used to commit or facilitate the commission of an offence under article 477. The production or obtaining of data may be interpreted as the production of or obtaining a programme which facilitates the intended act of hacking, or to the extent possible, any phishing or phreaking. Article 477.1 states, among other things, that an offence is committed if a person causes the “unauthorised access to data stored in a computer” or the modification or impairment of that data, and:
- Where that access was done through a “carriage service” which is a “service for carrying communications by means of guided and/or unguided electromagnetic energy” under section 7 of the Telecommunications Act 1997 (Cth);
- Where the person knows that the access was unauthorised; and
- Where the person intends to commit or facilitate an offence which is punishable by a term of imprisonment for life or a period of five years or more.
The purported consent of the owner of the computer or database is no defence against a claim that no authorisation was provided, if that consent was obtained fraudulently. If an act of hacking, phishing or phreaking causes access or modification to any data that is stored on the victim’s computer, the guilty party may become liable under the terms of these provisions.
If you are considering legal action based on any of the matters discussed above, there will be a variety of important legal considerations to think about before you finally decide how to approach your matter. Our IT lawyers have been assisting people for over a decade and we have the expertise and experience required to guide you through the complex nature of legal proceedings in this area.
If you would like to discuss anything discussed here further, you can contact our firm by telephone on (02) 9233 4048 or send an email to info@navado.com.au to arrange a meeting with our IT solicitors.