Postboks 338, Kirkegaten 14 a
1530 Moss, Norway
Telefon 69 25 40 90
Telefax 69 25 27 45

Moss District Court



  THE LEGAL FRAMEWORK - UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS

PENAL LEGISLATION IN 44 COUNTRIES

(Updated April 7, 2003)

By Stein Schjolberg
Chief Judge
Moss District Court, Norway
E-mail: steins@mossbyrett.of.no

I. INTERNATIONAL DEVELOPMENTS

The first comprehensive proposal for computer crime legislation was a federal Bill introduced in the US Congress by Senator Ribikoff in 1977. The Bill was not adopted, but this pioneer proposal created an awareness all around the world.

The OECD in Paris appointed in 1983 an expert committee (1) to discuss computer-related crime and the need for changes in the Penal Codes. As a result of the committees proposals, OECD recommended the member countries to ensure that their penal legislation also applied to certain categories of computer crime. The proposals included a list of acts which could constitute a common denomenator between the different approaches taken by the member countries.

Another expert committee was appointed by the Council of Europe and the legal issues was further discussed leading to the Recommendation No. R(89) 9. This Recommendation was adopted by the Council of Europe on September 13, 1989. It contains a minimum list of offences necessary for a uniform criminal policy on legislation concerning computer-related crime as, and an optional list. (2)

The subject was also discussed at the 13th Congress of the International Academy of Comparative Law in Montreal in 1990, at the UN`s 8th Criminal Congress in Havana the same year (3), and at a Conference in Wurzburg, Germany, in 1992. (4)

 

The Council of Europe adopted on September 11, 1995, another Recommendation concerning problems of procedural law connected with Information Technology. (5)

A Committee of Experts on Crime in Cyberspace (PC-CY) was in 1997 appointed in the Council of Europe in order to identify and define new crimes, jurisdictional rights and criminal liabilities due to communication on the Internet. Canada, Japan, South Africa and the United States were invited to meet with experts at the Committee meetings and participated in the negotiations. The Convention was finally adopted by the Ministers of Foreign Affairs on November 8, 2001. It was open for signatures at a meeting in Budapest, Hungary, on November 23, 2001. Ministers or their representative from 26 member countries together with Canada, Japan, South Africa and the United States signed the treaty. The total number of signatures are 33. Other countries outside the Council of Europe may later be invited to accede to the Convention. The treaty will come into force when five countries, at least three member countries have ratified it.

The Convention has in its preamble the following statement: " Convinced that the present Convention is necessary to deter actions directed against the confidentiality, integrity and availability of computer systems, networks and computer data, as well as the misuse of such systems, networks and data, by providing for the criminalisation of such conduct, as discribed in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating the detection, investigation and prosecution of such criminal offences at both the domestic and international level, and by providing arrangements for fast and reliable international co-operation."

 

The European Union has taken a number of steps to fight harmful and illegal content on the Internet. In April 1998, The European Commission presented to the Council the results of a study on computer-related crime (the so-called COMCRIME study). In October 1999, the Tampere Summit of the European Council concluded that high-tech crime should be included in the efforts to agree on common definitions and sanctions. The European Parliament has also called for commonly acceptable definitions of computer-related offenses and for effective approximation of legislation, in particular in substantive criminal law. The Council of the European Union has adopted a Common Position on a number of initial elements as parts of the Union's strategy against high-tech crime.
See http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html.

A proposal from the EU Commission for a Council Framework Decision on attacks against information systems was published April 19. 2002, see

http://europa.eu.int/information_society/topics/telecoms/internet/crime/index_en.htm

On the substantive criminal law, the proposal includes two articles:

Article 3: Illegal access to Information Systems

Article 4: Illegal Interference with Information Systems

 

The High Tech Subgroup of the G-8's Senior Experts on Transnational Organized Crime has in 1997 developed Ten Principles and a plan of action combating computer crime. And established in March 1998 a 24-hour, seven day network of experts to assist in high-tech crime investigation. The goals are to ensure that no criminal receives safe haven anywhere in the world, and that the law enforcement authorities have the technical ability and legal process to find criminals who abuse technologies and bring them to justice. The principles should be implemented through treaties and through national laws and policies. Many other countries are already participating in the network.

 

Stanford University, Hoover Institution, in California, organized in December 6-7, 1999, a Conference on International Cooperation to Combat Cyber Crime and Terrorism. See

http://www.oas.org/juridico/english/conference_agenda.htm

A proposal for an International Convention on Cyber Crime and Terrorism has been introduced in August 2000. See

http://cisac.stanford.edu

 

Among the International Law Enforcements, Interpol held in 1981 its First Interpol Training Seminar for Investigators of Computer Crime. Interpol has organized its International Conference on Computer Crime in 1995, 1996, 1998, 2000, and in October 2003 in Seoul, Korea.

 

II. PROPOSALS FOR INTERNATIONAL CONVENTIONS AND MODEL LEGISLATION

The development of information technology in cyberspace will change our societies and commerce, and our lifestyle in the way we are communicating, working, shopping. This development on the Internet creates some considerable legal problems in a number of areas. In the case of computer crime or cyber crime, it is more important than ever to legislate so as to prevent unauthorized access to data or information. It is important that legal principles are established through an international Convention.

 

The Proposal for an International Convention on Cyber Crime and Terrorism introduced by Hoover Institution, Stanford University, describes for the purpose of this paper, in Article 3 the offences as follows:

1. Offences under this Convention are committed if any person unlawfully and intentionally engages in any of the following conduct without legally recognised authority, permission, or consent:

(a) creates, stores, alters,deletes, transmits, diverts, misroutes, manipulates, or interferes with data or programs in a cyber system with the purpose of causing, or knowing that such activities would cause, said cyber system or another cyber system to cease functioning as intended or to perform functions or activities not intended by its owner and concidered illegal under this Conventions;

(b) creates, stores, alters, deletes, transmits, diverts, misroutes, manipulates, or interferes with data in a cyber system for the purpose and with the effect of providing false information in order to cause substantial damage to persons or property;

(c) enters into a cyber system for which access is restricted in a conspicuos and unambiguous manner;

(d) interferes with tamper-detection or authentication mechanisms;

(e) manufactures, sells, uses, posts, or otherwise distributes any device or program intended for the purpose of committing any conduct prohibited by Article 3 and 4 of this Convention;

(f) uses a cyber system as a material factor in committing an act made unlawful or prohibited by any of the following treaties:.....

(g) engages in any conduct prohibited under Articles 3 and 4 of this Convention with a purpose of targeting the critical infrastructure of any State Party.

2. Purpose, intent, or knowledge with respect to the crimes set forth in paragraph 1 of this section may be inferred from objective factual circumstances.

 

 

For the purpose of this paper the Council of Europe Convention on Cybercrime reads as follows:

SECTION 1 - SUBSTANTIVE CRIMINAL LAW

Title 1 - Offences against the confidentiality, integrity and availability of computer data and systems

Article 2 - Illegal Access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Article 3 - Illegal Interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emmissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

Article 4 - Data Interference

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, detoriation, alteration or suppresion of computer data without right.

2. A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Article 5 - System Interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Article 6 - Misuse of Devices

1. Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a. the production, sale, procurement for use, import, distribution or otherwise making available of:

1. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Article 2 - 5,

2. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed

with intent that it be used for the purpose of committing any of the offences established in Articles 2-5, and

b. the possession of an item referred to in paragraphs (a)(1) and (2) above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 - 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2. This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3. Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in papagraph 1 (a) (2).

See the Council of Europe Convention at http://conventions.coe.int/treaty/EN/projets/FinalCybercrime.htm

 


The University of Dayton School of Law, Ohio, USA, has created a comprehensive cyber crime draft legislation, including Computer Trespass, as a Model State Computer Crimes Code in the United States, http://cybercrimes.net

 

 

III. UNAUTHORIZED ACCESS

"Unauthorized access is emerging in many jurisdictions as the treshold offence in the field of computer crime. This is not at all surprising, since access is the fundamental factual predicate for anything else that can be done with a computer. In any event , unauthorized access appears to be the basic building block of most other computer crimes. It is the "least included offense" in a hierarchical series of crimes that become progressively more serious as aggravating harms and culpability states are added to the base offense." (Cole Durham, Brigham Young University, Utah, USA)(6)


Penal provision is of vital importance in protecting and preventing information technology from criminal activity. The perpetration itself might appear to be innocent, but illegal access to data or information can cause severe problems. Whenever there is a suspicion of illegal access from system hackers, all data including programs has to be verified for irregularities and viruses.

As a result of the recommendations from the OECD and the Recommendation, and the Council of Europe Convention, many countries have made the unauthorized access to data or information liable to punishment.(6)

In the survey " no special penal legislation " does not necessary mean not punishable. Traditional penal statutes in the individual countries may be interpreted including unauthorized access to data or information, or such prohibitions exists in Privacy Acts or other special legislations.

( The translations from non-English speaking countries are unofficial. )

 

COUNTRIES

ARGENTINA
AUSTRALIA (new)
AUSTRIA
BELGIUM
BRAZIL
CANADA
CHILE

PEOPLES REPUBLIC OF CHINA
CZECH REPUBLIC
DENMARK
ESTONIA

FINLAND
FRANCE
GERMANY
GREECE

HUNGARY
INDIA

IRELAND
ICELAND
ISRAEL
ITALY
JAPAN

LATVIA
LUXEMBOURG
MALAYSIA

MALTA
MAURITSIUS

MEXICO
THE NETHERLANDS
NEW ZEALAND
NORWAY
POLAND

PORTUGAL
PHILIPPINES
SINGAPORE
SOUTH AFRICA (new)
SPAIN

SWEDEN
SWITZERLAND
TUNISIA
TURKEY
UNITED KINGDOM
UNITED STATES

VENEZUELA



ARGENTINA

No special penal legislation

 

AUSTRALIA

Federal legislation:

THE CYBERCRIME ACT 2001

The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing oudated computer offences.

478.1 Unauthorised access to, or modification of, restricted data

(1) A person is guilty of an offence if:

(a) the person causes any unauthorised access to, or modification of, restricted data; and

(b) the person intends to cause the access or modification; and

(c) the person knows that the access or modification is unauthorised; and

(d) one or more of the following applies:

(i) the restricted data is held in a Commonwealth computer;

(ii) the resticted data is held on behalf of the Commonwealth;

(iii) the access to, or modification of, the resticted data is caused by means of a telecommunications service.

Penalty: 2 years imprisonment.

 

(2) Absolute liability applies to paragraph (1)(d)

(3) In this section:

restricted data means data.

(a) held in a computer; and

(b) to which access is restricted by an access control system associated with a function of the computer.

 

 

 

AUSTRIA

Privacy Act 2000, effective as of January 1, 2000:

Section 10:

§ 52. Administrative Penalty Clause

(1) Provided that the offence does not meet the statutory definition of a punishable action within the relevant jurisdiction of the court nor is threatened by a more severe punishment under a different administrative penalty clause, a minor administrative offence shall be pronounced with a fine of up to S260.000. Parties who

1. willfully obtain unlawful access to a data application or willfully maintain discernable, unlawful, and deliberate access or

2. intentionally transmit data in violation of the Data Secrecy Clause (§15), especially data that were entrusted to him/her according to §46 and §47, for intentional use for other purposes or

3. use data contrary to a legal judgement or decision, withhold data, fail to correct false data, fail to delete data or

4. intentionally delete data contrary to §26, Section 7.

 

BELGIUM

The Belgian Parliament has in November 2000 adopted new articles in the Criminal Code on computer crime, in effect from February 13, 2001. The four main problems of computer forgery, computer fraud, hacking and sabotage are made criminal offences. This unofficial text in english is based on a June 2000 version.

IV. COMPUTER HACKING

Article 550(b) of the Criminal Code:

§1. Any person who, aware that he is not authorised, accesses or maintains his access to a computer system, may be sentenced to a term of imprisonment of 3 months to 1 year and to a fine of (Bfr 5,200-5m) or to one of these sentences.

If the offence specified in §1 above is committed with intention to defraud, the term of imprisonment may be from 6 months to 2 years.

§2. Any person who, with the intention to defraud or with the intention to cause harm, exceeds his power of access to a computer system, may be sentenced to a term of imprisonment of 6 months to 2 years and to a fine of (BFr 5,200-20m) or to one of these sentences.

§3 Any person finding himself in one of the situations specified in §§ 1 and 2 and who either: accesses data which is stored, processed or transmitted by a computer system, or procures such data in any way whatsoever, or makes any use whatsoever of a computer system, or causes any damage, even unintentionally, to a computer system or to data which is stored, processed or transmitted by such a system, may be sentenced to a term of imprisonment of 1 to 3 years and to a fine of (BFr 5,200-10m) or to one of these sentences.

§4. The attempt to commit one of the offences specified in §§ 1 and 2 is sanctioned by the same sentences as the offence itself.

§5. Any person who, with intention to defraud or with the intention to cause harm, seeks, assembles, supplies, diffuses or commercialises data which is stored, processed or transmitted by a computer system and by means of which the offences specified in §§1-4 may be committed, may be sentenced to a term of imprisonment of 6 months to 3 years and to a fine of (BFr 5,200-20m) or to one of these sentences.

§6. Any person who orders or incites one of the offences specified in §§ 1-5 to be committed may be sentenced to a term of imprisonment of 6 months to 5 years and to a fine of (BFr 5,200-40m) or to one of these sentences.

§7. Any person who, aware that data has been obtained by the commission of one of the offences specified in §§1-3, holds, reveals or divulges to another person, or makes any use whatsoever of data thus obtained, may be sentenced to a term of imprisonment of 6 months to 3 years and to a fine of (BFr 5,200-20m) or to one of these sentences.

 

BRAZIL

Law no. 9,983 of July 14, 2000 has been adopted covering provisions:

ENTRY OF FALSE DATA INTO THE INFORMATION SYSTEM.

Art. 313-A. Entry, or facilitation on the part of an authorized employee of the entry, of false data, improper alteration or exclusion of correct data with respect to the information system or the data bank of the Public Management for purposes of achieving an improper advantage for himself or for some other person, or of causing damages.

Penalty-imprisonment for 2 to 12 years, and fines.

UNAUTHORIZED MODIFICATION OR ALTERATION OF THE INFORMATION SYSTEM.

Art. 313-B. Modification or alteration of the information system or computer program by an employee, without authorization by or at the request of a competent authority.

Penalty-detention for 3 months to 2 years, and fines.

The penalties are increased by one-third (one terco) until one-half if the modification or alteration results in damage to the Public Management or to the individual.

 

CANADA

Canadian Criminal Code Section 342.1 states:

(1) Every one who, fraudulently and without color of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly , any function of a computer system.
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

 

 

CHILE

Chile has a Law on Automated Data Processing Crimes no. 19.223, published June 7, 1993.

Article 2:

Anyone illegally obtains access to or uses information contained in an information processing system, intercepts or interferes with it, shall be liable for imprisonment from a minor to a medium sentence.

 

PEOPLES REPUBLIC OF CHINA

Decree No. 147 of the State Council of the Peoples Republic of China, February 18, 1994.

Regulations of The Peoples Republic of China on Protecting the Safety of Computer Information

System: Chapter 4 - Legal Responsibilities.

Article 23 - The public security organisations shall give warnings or may impose maximum fines of 5.000 Yuan on individuals and 15.000 Yuan on organisations in cases when they deliberately input a computer virus or other harmful data endangering a computer information system, or in a case when they sell special safety protection products for computer information systems without permission. Their illegal income will be confiscated and a fine shall be imposed in the amount of one to three times as much as the illegal income (if any).

See also Computer Information Network and Internet Security, Protection and Management Regulations, approved by the State Council, December 11, 1997, and published December 30, 1997.

HONGKONG

Telecommunication Ordinance: Section 27A: Unauthorized access to computer by telecommunication:

(1) Any person who, by telecommunication, knowingly causes a computer to perform any function to obtain unauthorized access to any program or data held in a computer commits an offence and is liable on conviction to a fine of $ 20000.
(2) For the purposes of subsection (1)-
(a) the intent of the person need not be directed at-
(i) any particular program or data;
(ii) a program or data of a particular kind; or
(iii) a program or data held in a particular computer;
(b) access of any kind by a person to any program or data held in a computer is unauthorized if he is not entitled to control access of the kind in question to the program or data held in the computer and-
(i) he has not been authorized to obtain access of the kind in question to the program or data held in the computer by any person who is entitled;
(ii) he does not believe that he has been so authorized; and
(iii) he does not believe that he would have been so authorized if he had applied for the appropriate authority.
(3) Subsection (1) has effect without prejudice to any law relating to powers of inspection, search or seizure.
(4) Notwithstanding section 26 of the Magistrates Ordinance (Cap 227), proceedings for an offence under this section may be brought at any time within 3 years of the commission of the offence or within 6 months of the discovery of the offence by the prosecuter, whichever period expires first.

Section 161: Access to computer with criminal or dishonest intent.

(1) Any person who obtains access to a computer-
(a) with intent to commit an offence;
(b) with a dishonest intent to deceive;
(c) with a view to dishonest gain for himself or another; or
(d) with a dishonest intent to cause loss to another,
whether on the same occasion as he obtains such access or on any future occasion, commits an offence and is liable on conviction upon indictment to imprisonment for 5 years.
(2) For the purposes of subsection (1) "gain" and "loss" are to be construed as extending not only to gain or loss in money or other property, but as extending to any such gain or loss whether temporary or permanent; and-
(a) "gain" includes a gain by keeping what one has, as well as gain by getting what one has not; and
(b) "loss" includes a loss by not getting what one might get, as well as a loss by parting with what one has.

 


CZECH REPUBLIC

No special legislation on unauthorized access to computer systems, but the following provisions of the Criminal Code may be applicable:

§ 182 - Impairing and endangering the operation of public utility facilities.

§ 249 - Unauthorized use of other people's articles.

§ 257a - Damaging and misusing records in information stores.

See http://www.mvcr.cz

 

DENMARK

Penal Code Section 263:

(2) Any person who, in an unlawful manner, obtains access to another persons information or programs which are meant to be used in a data processing system, shall be liable to a fine, to simple detention or to imprisonment for a term not exceeding 6 months.

(3) If an act of the kind described in subsection 1 or 2 is committed with the intent to procure or make oneself acquainted with information concerning trade secrets of a company or under other extraordinary aggravating circumstances, the punishment shall be increased to imprisonment for a term not exceeding 2 years.

 

ESTONIA

Estonian Criminal Code:

§ 269: Destruction of programs and data in a computer.

§ 270: Computer sabotage.

§ 271: Unauthorized use of computers, computer systems and networks.

§ 272: Damaging or interferes with computer network connections.

§ 273. Spreading of computer viruses.

 

FINLAND

Penal Code Chapter 38 Section 8:

Data trespass.

Any person who, by using an identification code that does not belong to him or by breaking through a corresponding protective system unjustifiable, breaks into a computer system where data are processed, stored or transmitted by electronical or other technical methods or into a separately protected part of such a system, shall be sentenced for data trespass to fines or imprisonment not exceeding one year.

For data trespass is also sentenced any person without breaking into a computer system or a part thereof, uses a special technical device to unjustifiably obtain information that is stored in such a computer system.

Attempt is also punishable.

This Section will only be applied if the act is not punishable as a more severe offense.

 

FRANCE

The new Penal Code, in effect since March 1, 1993

Chapter III: ATTACKS ON SYSTEMS FOR AUTOMATED DATA PROCESSING

Article 323-1:

The act of fraudulently gaining access to, or maintaining, in all or part of an automated data processing system is punishable by imprisonment not exceeding one year and a fine of up to 100.000 F.

Whenever this results in the suppression or modification of data contained in the system, or an alteration in the functioning of the system, the act is punished by imprisonment not exceeding two years and a fine up to 200.000 FF.

Article 323-2:

The act of hindering or of distorting the functioning of an automated data processing system is punishable by imprisonment not exceeding three years and a fine up to 300.000 FF.

Article 323-3:

The act of fraudulently introducing data into an automated data processing system or of fraudulently suppressing or modifying data contained therein is punishable by imprisonment not exceeding three years and a fine up to 300.000 FF.

Article 323-4:

Participation in a formed group or in an agreement with preparation in mind, characterized by one or more material acts, of one or more offenses provided for by Articles 323-1 to 323-3, is punishable by the sentences provided for the most serious offense committed.

 

GERMANY

Penal Code Section 202a. Data Espionage:

(1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine .

(2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible.

Penal Code Section 303a: Alteration of Data

(1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 202a(2)) shall be liable to imprisonment for a term not exceeding two years or to a fine.

(2) The attempt shall be punishable.

Penal Code Section 303b: Computer Sabotage

(1) Imprisonment not exceeding five years or a fine shall be imposed on any person who interferes with data processing which is of essential importance to another business, another's enterprise or an administrative authority by:

1. committing an offense under section 300a(1) or

2. destroying, damaging, rendering useless, removing, or altering a computer system or a data carrier.

(2) The attempt shall be punishable.

 

GREECE

Criminal Code Article 370C§2:

Every one who obtains access to data recorded in a computer or in the external memory of a computer or transmitted by telecommunication systems shall be punished by imprisonment for up to three months or by a pecuniary penalty not less than ten thousands drachmas, under condition that these acts have been committed without right, especially in violation of prohibitions or of security measures taken by the legal holder. If the act concerns the international relations or the security of the State, he shall be punished according to Art. 148.
If the offender is in the service of the legal holder of the data, the act of the preceding paragraph shall be punished only if it has been explicitly prohibited by internal regulations or by a written decision of the holder or of a competent employee of his.


HUNGARY


Penal Code Section 300 C:

Computer Fraud.

 

(1)Whoever, with the intent of obtaining for himself an unlawful gain, or by damaging, interferes with the results of electronic data processing, by altering programs, by erasing, by entering incorrect or incomplete data, or by other unlawful means commits an offence, imprisonment for a term not exceeding 3 years may be imposed.

(2) The punishment is

a) imprisonment not exceeding 5 years whenever the fraudulent offence causes conciderable damage.

b) imprisonment from 2 years until 8 years whenever the fraudulent offence causes exceptional conciderable damage.

(3) Whoever commits the offences under subsection (1)-(2) by using an electronic card for public or mobile telephone, or by altering the microprogram for the mobile telephone commits also fraud in connection with data.

 

 

IRELAND

Criminal Damage Act, 1991:

Section 5:

(1) A person who without lawful excuse operates a computer -

(a) within the State with intent to access any data kept either within or outside the State, or:

(b) outside the State with intent to access any data kept within the State, shall, whether or not he accesses any data, be guilty of an offense and shall be liable on summary conviction to a fine not exceeding £500 or imprisonment for a term not exceeding 3 months or both.

(2) Subsection (1) applies whether or not the person intended to access any particular data or any category of data or data kept by any particular person.


ICELAND

Penal Code § 228 Section 1:

The same penalty shall apply on any person who by unlawful manner obtains access to data or programs stored as data.

 

INDIA

THE INFORMTION TECHNOLOGY ACT, 2000 (No. 21 of 2000)

CHAPTER XI

OFFENCES

66.Hacking with computer system.

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or dimishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend upto two lakh rupees, or with both.

 

ISRAEL

The Computer Law of 1995, Section 4:

Any person who, unlawfully obtains access to data in a computer, shall be sentenced to imprisonment not exceeding three years.

With access to data means access to equipment's connected to computers or access activated through such equipment's, in addition to access defined as unlawful wiretapping according to the Law of 1979.

 

ITALY

Penal Code Article 615 ter: Unauthorized access into a computer or telecommunication systems:

Anyone who enters unauthorized into a computer or telecommunication system protected by security measures, or remains in it against the expressed or implied will of the one who has the right to exclude him, shall be sentenced to imprisonment not exceeding three years.

The imprisonment is from one until five years:

1) if the crime is committed by a public official or by an officer of a public service, through abuse of power or through violation of the duties concerning the function or the service, or by a person who practices - even without a licence - the profession of a private investigator, or with abuse of the capacity of a system operator.

2) if to commit the crime the culprit uses violence upon things or people, or if he is manifestedly armed.

3) if the deed causes the destruction or the damage of the system or the partial or total interruption of its working, or rather the destruction or damage of the data, the information or the programs contained in it.

Should the deeds of the 1st and 2nd paragraphs concern computer or telecommunication systems of military interest or (concerning) public order or public security or civil defence or whatsoever public interest, the penalty is - respectively- one to five years or three to eight years' imprisonment. In the case provided for in the 1st paragraph, the crime is liable to punishment only after an action by the plaintiff; the other cases are prosecutioned "ex-officio".

-615 quater: Illegal Possession and Diffusion of Access Codes to Computer or Telecommunication Systems:

Whoever, in order to obtain a profit for himself or for another or to cause damage to others, illegally gets hold of, reproduces, propagates, transmits or deliver codes, key-words or other means for the access to a computer or telecommunication system protected by safety measures, or however provides information or instructions fit to the above purpose, is punished with the imprisonment not exceeding one year and a fine not exceeding 10 million liras.

The penalty is imprisonment from one until two years and a fine from 10 until 20 million liras in the case of one of the circumstances numbered in 1 and 2 in the 4th paragraph of article 617-quater.

-615 quinquies: Diffusion of Programs Aimed to Damage or to Interrupt a Computer System:

Whoever propagates, transmits or delivers a computer program - edited by himself or by another - with the aim and the effect to damage a computer or telecommunication system, the data or the programs contained or pertinent to it, or rather the partial or total interuption or an alteration in its working, is punished with imprisonment not exceeding two years and fined not exceeding 20 million liras.

 

JAPAN

Unauthorized Computer Access Law

Law No. 128 of 1999 (in effect from February 3, 2000)

Husei access kinski hou

(Prohibition of acts of unauthorized computer access)

Article 3. No person shall conduct an act of unauthorized computer access.

 

2. The act of unauthorized computer access mentioned in the preceding paragraph means an act that falls under one of the following items:

(1) An act of making available a specific use which is restricted by an access control function by making in operation a specific computer having that access control function through inputting into that specific computer, via telecommunication line, another persons identification code for that access control function (to exclude such acts conducted by the access administrator who has added the access control function concerned, or conducted with the approval of the access administrator concerned or of the authorized user for that identification code);

(2) An act of making available a restricted specific use by making in operation a specific computer having that access control function through inputting into it, via telecommunication line, any information (excluding an identification code) or command that can evade the restrictions placed by that access control function on that specific use (to exclude such acts conducted by the access administrator who has added the access control function concerned, or conducted with the approval of the access administrator concerned; the same shall apply in the following item);

(3) An act of making available a restricted specific use by making in operation a specific computer, whose specific use is restricted by an access control function installed into another specific computer which is connected, via a telecommunication line, to that specific computer, through inputting into it, via a telecomminucation, any information or command that can evade the restriction concerned.

 

(Prohibition of acts of facilitating unauthorized computer access)

Article 4. No person shall provide another person's identification code relating to an access control function to a person other than the access administrator for that access control function or the authorized user for that identification code, in indicating that it is the identification code for which specific computer's specific use, or at the request of a person who has such knowledge, excepting the case where such acts are conducted by that access administrator, or with the approval of that access administrator or of that authorized user.

 

(Penal provisions)

Article 8. A person who falls under one of the following items shall be punished with penal servitude for not more than one year or a fine of not more than 500,000 yen:

(1) A person who has infringed the provision of Article 3, paragraph 1;

Article 9. A person who has infringed the provision of Article 4 shall be punished with a fine of not more than 300,000 yen.

 

LATVIA

The Criminal Law Section 241: Arbitrarily Accessing Computer Systems

(1) For a person who commits arbitrarily accessing an automated computer system, if opportunity for an outsider to acquire the information entered into the system is caused thereby, the applicable sentence is custodial arrest, or a fine not exceeding eighty times of monthly wage.

(2) For a person who commits the same acts, if breaching of computer software protective systems or accessing of communications lines is associated therewith, the applicable sentence is deprivation of liberty for a term not exceeding one year, or a fine not exceeding one hundred and fifty times the minimum monthly wage.

(This translation is official)

 

LUXEMBOURG

The Act of July 15th, 1993, relating to the reinforcement of the fight against financial crime and computer crime.

Section VI - concerning certain infractions in computer material.

Article 509-1- Whoever fraudulently gains access or supports, wholly or in part, a system of data processing, shall be punished with imprisonment from two months until one year, or a fine from 10.000 to 250.000 F, or both.

The suppression or modification of the data contained in the system, or the alteration of the function of said system, is punishable by imprisonment from two to two years, and a fine from 50.000 to 500.000 F.



MALAYSIA

COMPUTER CRIMES ACT 1997.

PART II

OFFENCES

3 (1) A person shall be guilty of an offence if

(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

a. the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at -

(a) any particular program or data;

(b) a program or data of any particular kind; or

(c) a program or data held in any particular computer.

1. A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment not exceeding five years or to both.

 

MALTA

CHAPTER 426

ELECTRONIC COMMERCE ACT

AN ACT to provide in relation to electronic commerce and to provide for matters connected therewith or ancillery thereto.

PART VIII

COMPUTER MISUSE

Unlawful access to, or use of, information.

337 (C) (1) A person who without authorisation does any of the folloowing acts shall be guilty of an offence against this article -

(a) uses a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or uses, copies or modifies any such data, software or supporting documentation;

(b) outputs any data, software or supporting documentation from the computer in which it is held, whether by having it displayed or in any other manner whatsoever;

(c) copies any data, software or supporting documentation to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

(d) prevents or hinders access to any data, software or supporting documentation;

(e) impairs the operation of any system, software or the integrity or reliability of any data;

(f) takes possession of or makes use of any data, software or supporting documentation;

(g) installs, moves, alters, erases, destroys, varies or adds to any data, software or supporting documentation;

(h) discloses a password or any other means of access, access code or other access information to any unauthorised person;

(i) uses another person's access code, password, user name, electronic mail address or other means of access or identification information in a computer;

(j) discloses any data, software or supporting documentation unless this is required in the course of his duties or by any other law.

(2) For the purpose of this Sub-title:

(a) a person shall be deemed to act without authorisation if he is not duly authorised by an entitled person;

(b) a person shall be deemed to be an entitled person if the person himself is entitled to control the activities defined in paragrphs (a) to (j) of subarticle (1) or in paragraphs (a) and (b) of article 4 of this Sub-title.

(3) For the purpose of subarticle (1):

(a) a person shall be deemed to have committed an offence irrespective of whether in the case of any modification, such modification is intended to be permanent or temporary;

(b) the form in which any software or data is output and in particular whether or not it represents a form in which, in the case of software, it is capable of being executed or, in the case of data, it is capable of being processed by a computer, is immaterial.

(4) For the purposes of paragraph (f) of subarticle (1), a person who for the fact that he has in his custody or under his control any data, computer software or supporting documentation which he is not authorised to have, shall be deemed to have taken possession of it.

Offences and Penalties.

337 (F) (1) Without prejudice to any other penalty established under this Sub-title, any person who contravenes any of the provisions of this Sub-title shall be guilty of an offence and shall be liable on conviction to a fine (multa) not exceeding ten thousand liri or to imprisonment for a term not exceeding four years, or to both such fine and imprisonment.

(2) Where any such offence constitutes an act which is in any way detrimental to any function or activity of Government, or hampers, impairs or interrupts in any manner whatsoever the provision of any public service or utility, whether or not such service or utility is provided or operated by any Government entity, the penalty shall be increased to a fine (multa) of not less than one hundred liri and not exceeding fifty thousand liri or to imprisonment for a term from three months to ten years, or both such fine and imprisonment.

 

MAURITSIUS

The Information Technology (Miscellaneous Provision) Act 1998

Act No. 18 of 1998

Penal Code Section 369A. Computer misuse

Any person who -

(a) wilfully and in defiance of the rights of another person, impedes or tampers with the operation of a computer;

(b) wilfully and in defiance of the rights of another person, directly or indirectly introduces data into a computer or suppresses or modifies any data which it contained or the method of treatment or transmission of such data;

(c) knowingly makes use of a document referred to in paragraph (c);

(e) without the consent of the person to whom a computer is entrusted, gains access to, or so maintains himself in, the computer,

shall commit an offence and shall, on conviction, be liable to penal servitude for a term not exceeding 10 years and to a fine not exceeding 100,000 rupees.

369A. Aggravating circumstance.

A person who commits an offence under section 369A(e) shall, on conviction, be liable to penal servitude for a term not exceeding 20 years and to a fine not exceeding 200,000 rupees where, as a result of the commission of the offence, data contained in the computer is suppressed or modified or the operation of the computer is altered.

 

MEXICO

Penal Code Part 9

Chapter II

Articles 211 bis 1: Whoever without authorization modifies, destroys or causes loss of information contained in computer systems or computer equipments protected by security measures, shall be liable to imprisonment for a term of six months to two years and to fines of one hundre to three hundred days.

Whoever without authorization obtains access to or copies information contained in computer systems or computer equipments protected by security measures, shall be liable to imprisonment for a term of three months to one year and to fines of fifty to one hundred and fifty days.

Articles 211 bis 2: Whoever without authorization modifies, destroys or causes loss of information contained in governmental computer systems or computer equipments protected by security measures, shall be liable to imprisonment for a term of one year to four years and to fines of one hundred to six hundred days.

Whoever without authorization obtains access to or copies information contained in governmental computer systems or equipments protected by security measures, shall be liable to imprisonment for a term of six months to two years and fines of one hundred to three hundred days.

Article 211 bis 4: Whoever without authorization modifies, destroys or causes loss of information contained in computer systems or computer equipments of institutions as part of the financial system protected by security measures, shall be liable to imprisonment for a term of six months to four years and fines of one hundred to six hundred days.

Whoever without authorization obtains access to or copies information contained in computer systems or computer equipments of institutions as part of the financial system protected by security measures, shall be liable to imprisonment for a term of three months to two years and fines of fifty to three hundred days.

 

THE NETHERLANDS

Criminal Code Article 138a:

Any person who intentionally and unlawfully accesses an automated system for the storage or processing of data, or part of such a system, shall be liable, as guilty of breach of computer peace, to term of imprisonment not exceeding six months or a fine of 10.000 guilders if he:

(a). Breaks through a security system, or

(b). obtains access by a technical intervention, with the help of false signals or a false key or by acting in a false capacity.

 

NEW ZEALAND

No special penal legislation, but

The Crimes Amendment (No 6) Bill is pending in the Parliament. This Bill includes sections on

Crimes Involving Computers:

Section 305ZD: Interpretation

Section 305ZE: Accessing computer system for dishonest purpose.

Section 305ZF: Damaging or interfering with computer system.

Section 305FA: Accessing computer system without authorisation

 

NORWAY

Penal Code § 145:

Any person who unlawfully opens a letter or other closed document or in a similar manner gains access to its contents, or who breaks into another persons locked depository shall be liable to fines or to imprisonment for a term not exceeding 6 months.
The same penalty shall apply to any person who by breaking a protective device or in a similar manner, unlawfully obtains access to data or programs which are stored or transferred by electronic or other technical means.
If damage is caused by the acquisition or use of such unauthorized knowledge, or if the felony is committed for the purpose of obtaining for any person an unlawful gain, imprisonment for a term not exceeding 2 years may be imposed.
Accomplices shall be liable to the same penalty.
Public prosecution will only be instituted when the public interest so requires.

Penal Code § 151 b:

Any person who by destroying, damaging, or putting out of action any data collection or any installation for supplying power, broadcasting, telecommunication, or transport causes comprehensive disturbance in the public administration or in community life in general shall be liable to imprisonment for a term not exceeding 10 years.
Negligent acts of the kind mentioned in the first paragraph shall be punishable by fines or imprisonment for a term not exceeding one year.
Accomplices shall be liable to the same penalty.

Penal Code § 261:

Any person who unlawfully uses or disposes of any chattel that belongs to another person and thereby obtains for himself or another a considerable gain, or inflicts on the person entitled thereto a considerable loss, shall be liable to imprisonment for a term not exceeding three years. The penalty for aiding and abetting is the same. Under especially extenuating circumstances fines may be imposed.
A public prosecution will only be instituted when requested by the aggrieved person unless it is required in the public interest.

Penal Code § 291:

Any person who unlawfully destroys, damages, renders useless or wastes an object that wholly or partly belongs to another shall be guilty of vandalism.
The penalty for vandalism shall be fines or imprisonment for a term not exceeding one year. An accomplice shall be liable to same penalty.
A public prosecution will only be instituted when requested by the aggrieved person unless it is required in the public interest.

 

POLAND

The Penal Code:

Article 267. § 1. Whoever, without being authorised to do so, aquires information not destined for him, by opening a sealed letter, or connecting to a wire that transmits information or by breaching electronic, magnetic or other special protection for that information

shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to 2 years.

§ 2. The same punishment shall be imposed on anyone, who, in order to aquire information to which he is not authorised to access, installs or uses tapping, visual detection or other special equipment.

§ 3. The same punishment shall be imposed on anyone, who imparts to another person the information obtained in the manner specified in § 1 or 2 discloses to another person.

§ 4. The prosecution of the offence specified in § 1 - 3 shall occur on a motion of the injured person.

 

Article 268. § 1. Whoever, not being himself authorised to do so, destroys, damages, deletes or alters a record of essential information or otherwise prevents or makes it significantly difficult for an authorised person to obtain knowledge of that information,

shall be subject to a fine, the penalty of liberty or the penalty of deprivation of liberty for up to 2 years.

§ 2. If the act specified in § 1 concerns the record on an electronic information carrier, the perpetrator shall be subject to the penalty of deprivation of liberty for up to 3 years.

§ 3. Whoever, by committing an act specified in § 1 or 2, causes a significant loss of property

shall be subject to the penalty of deprivation of liberty for a term of between 3 months and 5 years.

§ 4. The prosecution of the offence specified in § 1-3 shall occur on a motion of the injured person.

Article 269. §1. Whoever destroys, deletes or changes a record on an electronic information carrier, having a particular significance for national defense, transport safety, operation of the government or other state authority or local government, or interferes with or prevents automatic collection and transmission of such information, shall be subject to the penalty of deprivation of liberty for a term of between 6 months and 8 years.

§ 2. The same punishment shall be imposed on anyone, who commits the act specified in §1 by damaging a device used for the automatic processing, collection or transmission of information.

 

PORTUGAL

Criminal Information Law of August 17, 1991:

Chapter 1 Article 7:

1 - Any person who, without authorization obtains for himself or another person an unlawful gain or use by any manner accessing an information system or network, shall be sentenced to imprisonment not exceeding one year, or to a fine and imprisonment not exceeding 120 days.

2 - Imprisonment not exceeding three years or a fine if the person concerned obtains access to information by breaking the security rules.

3 - Imprisonment for a term of one year not exceeding five years when:

(a) the person concerned by obtaining access to information acquires knowledge of trade secrets or confidential data protected by law,
(b)the gain or use results in comprehensive values.

 

PHILIPPINES

REPUBLIC ACT NO.8792

AN ACT PROVIDING FOR THE RECOGNITION AND USE OF ELECTRONIC COMMERCIAL AND NON-COMMERCIAL TRANSACTIONS, PENALTIES FOR UNLAWFUL USE THEREOF, AND OTHER PURPOSES

PART V: FINAL PROVISIONS

Sec. 33. Penalties. - The folowing Acts shall be penalized by fine and/or imprisonment, as follows:

a) Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years.

 

SINGAPORE

Chapter 50A: Computer misuse Act.

Unauthorised access to computer material.

Section 3 - (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offense and shall be liable on conviction to a fine not exceeding $ 5.000 or to imprisonment for a term not exceeding 2 years or to both and, in case of a second or subsequent conviction, to a fine not exceeding $ 10.000 or to imprisonment for a term not exceeding 3 years or to both.

(2) If any damage is caused as a restut of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $ 50.000 or to imprisonment for a term not exceeding 7 years or to both.

Section 4: Access with intent to commit or facilitate commission of offence.

(1) Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies, shall be guilty of an offence.

(2) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.

(3) Any person guilty of an offence under this section shall be liable on conviction to a not exceeding $ 50.000 or to imprisonment for a term not exceeding 10 years or to both.

 

SOUTH AFRICA

THE ELECTRONIC COMMUNICATIONS AND TRANSACTIONS ACT of July 31 2002 (Act No. 25, 2002)

CHAPTER XIII

CYBER CRIME

Unauthorised access to, interception of or interference with data.

86. (1) Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1993), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.

(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.

(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possess any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.

(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.

(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.

Penalties

88. (1) A person convicted of an offence referred to in sections 37(3), 40(2), 58(2), 80(5), 82(2) or 86(1), (2) or (3) is liable to a fine or imprisonment for a period not exceeding 12 months.

(2) A person convicted of an offence referred to in sections 86(4) or (5) or section 87 is liable to a fine or imprisonment for a period not exceeding five years.

 

SPAIN

No special penal legislation, but the following provisions in the Penal Code may be applicable:

Title X

CRIMES AGAINST PRIVACY, THE RIGHT TO FREEDOM FROM INJURY TO REPUTATION AND DOMESTIC PRIVACY

CHAPTER 1

Dicovery and revelation of secrets:

Article 197

SECTION 1 ON FRAUD

Article 264 no.2

 

SWEDEN

Penal Code Chapter 4, Section 9 c:

A Person who, in cases other than than those defined in Section 8 and 9, unlawfully obtains access to a recording for automatic data processing or unlawfully alters or erases or inserts such a recording in a register, shall be sentenced for breach of data secrecy to a fine or imprisonment for at most two years., unless the deed is criminalized in the Criminal Code or in the 1990 Protection of Trade Secrets Act. A recording in this context includes even information that is being processed by electronic or similar means for use with automatic data processing. (Law 1998:206)

Attempt and preparation shall be punished as stated in Chapter 23 of the Criminal Code, unless the completed crime would have been regarded as a petty.

 

SWITZERLAND

Penal Code Article 143bis: Unauthorized access to data processing system.

Anyone, who without authorization, and without the intent of procuring an unlawful gain, accesses a data processing system which are specially protected against unauthorized access, by electronic devices, shall be sentenced to imprisonment or fines.

 

TUNISIA

No special penal legislation.

 

TURKEY

Penal Code Section 525/a:

Any person who unlawfully obtains programs, data or any other components from an automated data processing system, shall be sentenced to imprisonment from one to three years and a heavy fine ranging from one to fifteen million Turkish Liras.

Any person who uses, transmits or reproduces a program, data or any other component within an automated data processing system with intent to cause loss to another shall be sentenced to the same penalty stated above.

 

UNITED KINGDOM

Computer Misuse Act 1990

1990 Chapter 18

Unauthorized access to computer material:

1.

(1) A person is guilty of an offense if-

(a) he causes a computer to perform any function with the intent to secure access to any program or data held in any computer,
(b) the access he intends to secure is unauthorized, and
(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offense under this section need not to be directed at:

(a) any particular program or data,
(b) a program or data of any particular kind, or
(c) a program or data held in any particular computer.

(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

2.

(1) A person is guilty of an offense under this section if he commits an offense under section 1 above (" the unauthorized access offense") with intent

(a) to commit an offense to which this section applies; or
(b) to facilitate the commission of such an offense ( whether by himself or by any other person); and the offense he intends to commit or facilitate is referred to below in this section as the further offense.

(2) This section applies to offences

(a) for which the sentence is fixed by law; or
(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years (or, in England and Wales, might be so sentenced but for the restrictions imposed by section 33 of the Magistrates Courts Act 1980).

(3) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion.

(4) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible.

(5) A person guilty of an offense under this section shall be liable

(a) on summary conviction, to imprisonment for a term not exceeding the statutory maximum or to both; and
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.


3.

(1) A person is guilty of an offense if -

(a) he does any act which causes an unauthorized modification of the contents of any computer; and -
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any and by so doing -

(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.

(3) The intent need not be directed at-

(a) any particular computer;
(b) any particular program or data or program or data of any particular kind; or
(c) any particular modification or a modification of any particular kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorized.

(5) It is immaterial for the purposes of this section whether an unauthorized modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

(6) For the purposes of the Criminal Damage Act 1971 a modification of the contents of a computer shall not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition.

(7) A person guilty of an offense under this section shall be liable-

(a) on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; and
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both.

 

UNITED STATES

Federal legislation:

(updated April 15, 2002)

UNITED STATES CODE

TITLE 18. CRIMES AND CRIMINAL PROCEDURE

PART I -CRIMES

CHAPTER 47-FRAUD AND FALSE STATEMENTS

(As amended October 3, 1996)

Section 1030. Fraud and related activity in connection with computers.

(a) Whoever-

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains-

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5.000 in any one-year period;

(5) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct recklessly causes damage; or

(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least USD 5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defence, or national security;

(6) knowingly and with intent to defraud traffics ( as defined in section 1029 ) in any password or similar information through which a computer may be accessed without authorization, if

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section.

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b) of this section is--

See http://www.usdoj.gov/criminal/cybercrime/1030_new.html

 

(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State or of an intelligence agency of the United States.

Similar special penal legislation in numerous states in the United States.


See a legislative analysis: http://www.usdoj.gov/criminal/cybercrime/1030_anal.html__

 

VENEZUELA

SPECIAL STATUTE AGAINST COMPUTER RELATED CRIMES

(As published in the Official Gazette of the Bolivarian republic of Venezuela, October 30, 2001)

Title II

Of the crimes against systems using information technology

Article 6. - Unlawful access. Any person who, without the due authorisation or exceeding any he (she) may have obtained, accesses, intercepts or uses a system using information technologies, shall be punished with prison from one to five years and fine from ten to fifty tax units.

Article 9. Unlawful access or sabotage to protected systems. The penalties provided in the former articles shall be increased by from a third to half, when the therein provided actions or their effects affected any of the components of a system using information technologies protected by security measures, meant for public functions or containing personal or property information of individuals or bodies corporate.

 

IV. LAW COMES TO CYBERSPACE


In the USA a Working Group was established in1999, in order to provide an initial analysis of legal and policy issues surrounding the use of the Internet to commit unlawful acts.. The Working Group's report was published in March 2000 and recommended three approaches for addressing unlawful conduct on the Internet:

"1. Any regulation of unlawful conduct involving the use of the Internet should be analyzed through a policy framework that ensures that online conduct is treated in a manner consistent with the way offline conduct is treated, in a technology-neutral manner, and in a manner that accounts for other important societal interests such as privacy and protection of civil liberties.

2. Law enforcement needs and challenges posed by the Internet should be recognized as significant, particularly in the areas of resources, training, and the need for new investigative tools and capabilities, coordination with and among federal, state, and local law enforcement agencies, and coordination with and among our international counterparts.

3. There should be continued support for private sector leadership and the development of methods - such as "cyberethics" curricula, appropriate technological tools, and media and other outreach efforts - that educate and empower Internet users to prevent and minimize the risks of unlawful activity."

The full text of the report: "The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet" can be found at

http://www.usdoj.gov/criminal/cybercrime/unlawful.htm

An international conference on computer crime: "Internet as the scene of crime", was held in Oslo, Norway, May 29-31, 2000, organized by Okokrim (The National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway).

One of the opening remarks at the conference was held by US Assistant Attorney General James K. Robinson, see

http://www.usdoj.gov/criminal/cybercrime/roboslo.htm

 

Privacy as a legal right is recognized in most countries, but with some differences with regard to differences in legal and cultural traditions. Many countries are in the process of adopting privacy protection laws to assure compability with standards and obligations in international agreements or guidelines, but also caused by the concerns for the Cyberspace technologies. In some observers opinion, the concern over privacy violations is now greater than at any time in recent history. Mechanisms for protecting privacy in Cyberspace could also be based on self regulation, in which private industry and companies develops codes of conduct and practices. In most countries such self regulations are working together with regulation in order to ensure an efficient privacy protection. The problem is to establish the balance between the two mechanisms.

In the discussion of the balance between regulation and self reulation we must never forget what Internet is all about, as expressed by the U.S. Supreme Court in a decision on June 26, 1997:

"The record demonstrates that the growth of the Internet has been and continues to be phenomenal. As a matter of constitutional tradition, in the absence of evidence of the contrary, we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it. The interest in encouraging freedom of expression in a democratic society outweights any theoretical but unproven benefit of censorship."

 

FOOTNOTES:

1. A group of experts met at the OECD in Paris on May 30, 1983: Mme C.M.Pitrat, France, Mr. M. Masse, France, Mr.A. Norman, United Kingdom, Mr. S. Schjolberg, Norway, Mr. B. de Schutter, Belgium, and Mr. U. Sieber, Germany. These" founders " of the harmonization of European computer crime legislation recommended that the OECD should take an initiative. An expert committee was established, and recommended in September 18, 1986 through the ICCP-Committee a common denominator between the different approaches taken by the Member countries.

2. Computer-related crime: Recommendation No. R (89) 9, adopted by the Committee of Ministers of the Council of Europe on 13 September 1989 and Report by the European Committee on Crime Problems. ( Published in Strasbourg 1990 )

3. See Ulrich Sieber: The International Emergence of Criminal Information Law, 1991.

4. See Ulrich Sieber (ed.): Information Technology Crime - National Legislation's and International Initiatives, 1994.

5. Council of Europe: Recommendation No. R (95) 13 Concerning Problems of Criminal Procedural Law connected with Information Technology, adopted by the Committee of Ministers on 11 September 1995.

6. See note 4 page 551.

TOP OF PAGE

Please send comments and information about legislation to:
Stein Schjolberg