International initiatives in legislation

Computer Fraud & Security Bulletin, November 1989

©1989 Elsevier Science Publishers Ltd

LEGAL BRIEFING

INTERNATIONAL INITIATIVES IN LEGISLATION

This is the first of a two-part report by Rik Kaspersen of the Law Department of Vrije University, The Netherlands.

Computer abuse and computer crime are in the focus of national and international discussions. More than any other type of crime, computer crimes show the fragility of national frontiers and border patrol. In the latest book of the Hamburg Computer Chaos Club, the young and adult hackers managed to get access to computer systems all over the world by using international networks, without even leaving the chair in front of their personal computers. The phenomenon of computer crime forces the various states to review their criminal law provisions in order to be able to prosecute these forms of computer abuse. The border-crossing nature of computer crime compels international coordination and cooperation and should not be left only to individual legislative initiatives in specific countries.

The OECD-initiative

In 1983 the Organization for Economic Cooperation and Development (OECD) began a study of computer-related economic crimes. The involvement of an organization like the OECD was motivated by the potentially high financial damage caused by computer crime, which could have economic implications. Furthermore, unequal criminal protection against computer crime between the various countries - an act is a crime in country A but not in country B - can create unequal market conditions and mean a distortion of free competition. The OECD published a final report in 1986. The conclusions of the report were based on an analysis of international substantive law, showing the following problems.

a. The traditional theft and deceit-provisions require a human victim. They do not apply to machines or computers who lack the psychological conditions to be ‘misled’.

b. The legal definitions of a document generally don’t apply to computer data, because they don’t show the identity of the author.

c. Only tangible objects can be damaged.

The report therefore contains a recommendation to national legislators to make punishable under national law, at least these forms of computer abuse.

a. Manipulation (i.e. input, alteration, erasure or suppression) of computer data and programs in order to commit fraud.

b. Manipulation of data and programs in order to commit forgery.

c. Manipulation of data and programs in order to commit computer sabotage.

d. Computer software piracy.

e. Hacking of computer systems.

The report has an ‘open ending’, recommending a continuous study of other forms of computer abuse. These suggestions were not followed by OECD itself but were taken over by other organizations.

The Council of Europe

In 1985 the Council of Europe nominated a special committee to study crime problems and to produce a report. Since most countries have already enacted, or are planning to enact computer crime provisions in the Criminal Code, the Council of Europe focuses on refinement and harmonization of international substantive law. Moreover, it studies the problems of international cooperation as to the investigation and prosecution of computer crime within the frame of the European Conventions on criminal assistance. The aim of the study is to launch a recommendation of the Committee of Ministers of the Council of Europe for less formality when dealing with so called ‘letters rogatory,’ and perhaps to design an International Convention, as was done with Data Protection. To discuss the findings of the Council of Europe here would be premature, because no final decisions have been taken yet.

The EC report

The problems of computer crime were brought to the attention of the Commission of the European Communities in a special report which was discussed in the first half of 1988. The report shows the problems of the traditional legislation and the need for amendments in order to provide adequate tools for fighting computer crime. The solution of the report is an integrated one. Not only are recommendations given in the field of substantive and procedural criminal law, but also consideration is given to the feasibility of imposing legal obligations for security measures on computer systems owners. Moreover, a recommendation is given about the possibilities of imposing ‘legal’ duties within the framework of codes of conduct. The report takes the findings of the OECD as a starting point: in order to arrive at an international consensus on computer crime, it is to be recommended that all legal systems first ascertain that the manipulation of data, with the intent to cause an illegal transfer of funds, is covered by the traditional provisions of fraud or by a similar provision on ‘computer fraud’, neither of which presupposes a person being deceived. Moreover, the next forms of computer abuse are analysed.

1. Computer espionage and software theft

The question arises as to what extent pure acquisition of intangible information can or should be covered by the traditional provisions. Trade secret protection will not easily apply to computer software because programs normally are meant to be traded and not kept a secret. Most countries have explicitly provided copyright protection for computer programs by legislative amendments, or copyright protection of computer software is recognized in case law. However, it would be desirable to find a common solution to these problems before the establishment of national legislation makes uniformity much more difficult.

Similar considerations can be given with regard to semiconductor integrated circuits (chips). In the US and Japan a special protection for computer chips was provided (Semiconductor Chip Protection Act, 1984). In various countries of Europe special laws protecting the topographies of semiconductor products were also enacted, based on a directive of the Council of the European Communities.

2. Computer sabotage.

The provisions on mischief in most countries require that tangible property be damaged, which will cause legal problems in cases of non-physical (logical) damage, especially when data is erased. From a point of view of a common criminal policy, it is to be recommended that the penal codes of all Western countries contain provisions comprising not only damage to corporeal property but also to data.

3. Theft of services.

Only in certain cases of unauthorized use of computer services or ‘time’ can the penal provisions on theft, breach of trust, etc. be applied. In some countries new special statutes have therefore been enacted. In other countries the extension of the criminalization of furtum usus has not been considered necessary. There is no international agreement recommending that countries should penalize the unauthorized use of computerized information.

4. Unauthorized access.

The new penal provisions on unauthorized access to DP systems, which are presently being developed in a number of legislations, are based on the concept of protecting the integrity of DP systems. The traditional wiretap statutes of most legal systems only refer to the interception of oral communication or conversations and not to data communication. Due to the potential danger connected with the increasing frequency of wiretapping and unauthorized access to computers, especially by remote data processing systems, overall criminalization of both wiretapping and unauthorized access to computer systems is appropriate. Since future technical developments will make it more and more difficult to distinguish between telecommunication systems and computer systems, it might be suitable to combine these two acts in one provision.

5. Computer-related infringements of privacy.

The expanded possibilities of collecting and processing data prompt many countries to enact new bodies of administrative, civil and penal regulations. The penal provisions in these laws largely refer to the corresponding administrative provisions. Consequently, one difference regarding the criminal offences in the privacy laws of the various countries concerns the scope of data, the use of which is prohibited. Summarizing the survey of criminal privacy offences in Western countries, it may be concluded that these offences contain considerable differences and heterogeneities. These heterogeneities and vagueness in the penal provisions create severe legal uncertainty and impede transborder data flow, says the report. Therefore, in this field, a far-reaching harmonization of the various laws would be desirable.

Rik Kaspersen

LETTERS

THE EMMA NICHOLSON PROJECT

You may be aware of the activities of Emma Nicholson, a UK Member of Parliament, in promoting government legislation to outlaw unauthorized access to computer data and other computer misuse in the UK. Micronyx UK Ltd has been asked by Emma Nicholson to assist in the collection of a dossier of computer security breaches. This information will include full details of incidents in both private and public sector organizations, and will be used as evidence to support the need for the legislation. Understanding that many companies will be reluctant to disclose highly sensitive information on security breaches, two categories of disclosure have been suggested.

1. Disclosed only to the Prime Minister.

2. Disclosed to the English Law Commission.

Emma Nicholson has already solicited Mrs Thatcher’s involvement and plans to submit the dossier to the Prime Minister and, where companies agree, to Mr Richard Buxton QC, Chairman of the Law Commission.

I would be most grateful if you could supply details of known breaches of confidentiality or security constraints to pass on to Emma Nicholson. If you can help on this project please contact Louis Oley at Micronyx UK Ltd, 33 Linford Forum, Rockingham Drive, Linford Wood, Milton Keynes, MK14 6LY, UK.

SECURITY STATISTICS

It is unfortunate that Keith Jackson in his review of Security of information and Data in the September 1989 issue of the bulletin,