House of Representatives

Cybercrime Bill 2001

Second Reading Speech

Senator Hill (Minister for the Environment and Heritage)

I move:

That the bill be now read a second time.

More than 3 million Australian households and over 1 billion people worldwide are connected to the Internet. With the exponential growth in the Internet population and in electronic commerce over the last decade, the integrity, security and reliability of computer data and electronic communication is becoming increasingly important. Cybercrime activities, including hacking, virus propagation, denial of service attacks and website vandalism, pose a significant threat to the integrity and security of computer data. Indeed, according to recent estimates, cybercrime is costing companies worldwide approximately 3 trillion dollars a year.

Updated laws are vital if authorities are to effectively detect, investigate and prosecute cybercrime activities. The proposed new computer offences and investigation powers in this bill are a significant development in the fight against these activities and will place Australia at the forefront of international efforts to address the issue of cybercrime.

Computer Offences

The Cybercrime Bill 2001 proposes the enactment of seven new computer offences. The offences are based on the recommendations of the January 2001 Model Criminal Code Damage and Computer Offences Report developed with the cooperation of the Commonwealth, States and Territories. Implementation of the Model Criminal Code offences is an important step toward achieving national consistency and remedying deficiencies in the existing laws. The new updated offences would replace the existing offences in the Crimes Act, which, although only 10 years old, are already seriously outdated.

All the proposed offences are supported by extended extra-territorial jurisdiction in recognition of the fact that computer crime is often perpetrated remotely from where it has effect. The proposed offences have been drafted in technology-neutral terms. The offences also dove-tail with the terminology of the Electronic Transactions Act 1999, which has been an important vehicle for expanding electronic commerce.

The first offence in the bill targets those who access or modify computer data or impair electronic communications to or from a computer that they are not authorised to access, modify or impair and who do so with the intention of committing a serious offence punishable by 5 or more years imprisonment. The offence would attract a maximum penalty equal to the maximum penalty for the serious offence. For example, if a person hacked into a bank computer and accessed credit card details with the intention of using them to obtain money, the penalty would be equivalent to the fraud offence the person was intending to commit (10 years imprisonment).

It would be an offence for a person to cause any unauthorised modification of data in a computer where the person is reckless as to whether that modification will impair data. A maximum penalty of 10 years imprisonment would apply. The offence covers a range of situations including a hacker who obtains unauthorised access to a computer system and impairs data and a person who circulates a disk containing a computer virus which infects a Commonwealth computer.

The bill proposes an offence of causing an unauthorised impairment of electronic communications to or from a computer, carrying a maximum penalty of 10 years imprisonment. This offence is particularly designed to prohibit tactics such as `denial of service attacks', where a web site is inundated with a large volume of unwanted messages thus crashing the computer server. The penalty for this offence recognises the importance of computer-facilitated communication and the considerable damage that can result if that communication is impaired.

The proposed offence of causing unauthorised access to or modification of restricted data held in a computer carries a maximum penalty of 2 years imprisonment. The offence relates only to unauthorised access or modification of data that is protected by a password or other security feature rather than any data. The offence will target those who hack into a password-protected computer system in order to access personal or commercial information or alter that information.

The bill proposes an offence of causing unauthorised impairment of the reliability, security or operation of any data held on a Commonwealth computer disk or credit card or other device. A maximum penalty of 2 years imprisonment would apply. This offence is particularly designed to cover impairment of data caused by actions such as passing a magnet over a credit card or cutting a computer disk in half.

Lastly, the bill proposes two offences relating to the possession and supply of data or programs that are intended for use in the commission of a computer offence. Each offence would attract a maximum penalty of 3 years imprisonment. These offences are designed to cover persons who possess or trade in programs and technology designed to hack into or damage other people's computer systems. For example, a person will commit an offence if he or she possesses a hacking program or a disk containing a computer virus with the intention of using it to access or damage data.

Investigation Powers

The bill will enhance the criminal investigation powers in the Crimes Act 1914 and Customs Act 1901 relating to the search, seizure and copying of electronically stored data. The large amounts of data which can be stored on computer drives and disks and the complex security measures, such as encryption and passwords, which can be used to protect that information present particular problems for investigators. The proposed enhancement of search and seizure powers will assist law enforcement officers in surmounting those problems.

The proposed amendments would clarify that a search warrant can be used to access data that is accessible from, but not held on, electronic equipment at the search premises. As most business computers are networked to other desktop computers and to central storage computers, it is critical that law enforcement officers executing a search warrant are able to search not only material on computers located on the search premises but also material accessible from those computers but located elsewhere.

Computer equipment and disks would be able to be examined and processed off-site if this is significantly more practicable than processing them on-site. The proposed amendment recognises that searching computers and disks can be a difficult and time-consuming exercise because of the large amount of information they can store and the application of security measures such as encryption. A further proposed amendment would permit officers to copy all data held on a computer hard drive or data storage device where some of the data is evidential material or if there are reasonable grounds to suspect the data contains evidential material.

A magistrate would be able to order a person with knowledge of a computer system to provide such information or assistance as is necessary and reasonable to enable the officer to access, copy or print data. Such a power is contained in the draft Council of Europe Convention on Cybercrime and will assist officers in gaining access to encrypted information.

Conclusion

The high speed and broad reach of computer technology offers new means, methods and possibilities for crime. The measures contained in the Cybercrime Bill are vital to protecting the security, reliability and integrity of computer data and electronic communications and remedying the deficiencies in existing laws. By addressing the threats posed by cybercrime activities, the bill will strengthen community confidence in the use of new technology and provide a means of ensuring that the benefits of that technology are not comprised by crime.