23 July 2001
Inquiry into the Provisions of the Cybercrime Bill 2001
This is a submission to the [Australian] Senate Legal and Constitutional Committee Inquiry into the Provisions of the Cybercrime Bill 2001.
Electronic Frontiers Australia (EFA) is a non-profit national organisation formed to protect and promote the civil liberties of users and operators of computer based communications systems. EFA was formed in January 1994 and incorporated under South Australian law in May 1994.
Our major goals are to advocate the amendment of laws and regulations in Australia and elsewhere (both current and proposed) which restrict free speech, and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems. EFA is independent of government and commerce and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting civil liberties.
Changes to the existing 1989 computer offence provisions in the Crimes Act 1914 are no doubt well overdue. The proliferation of personal computers amd computer networks since that time have created a totally different and more complex legal environment. However, these very changes have also meant that computers are now everyday household items treated not very differently from the household television set. Local area networks, of both the wired and wireless variety, are now becoming common within households and small businesses, making the traditional definition of a telecommunications service somewhat overbroad.
A legislative proposal that treats all computers as equal is therefore fraught with danger, especially as many of the offences proposed do not require an element of damage, physical or monetary, as a prerequisite for imposing criminal liability. Great care therefore need to be exercised to ensure that the new offence provisions have adequately addressed this changed operating environment and that they do not criminalise trivial offences or innocent behaviour.
EFA is concerned that a number of changes have been made to the Model Criminal Code ("the MCC") which have not been justified in the Explanatory Memorandum. We note that the same changes have not been made in the recently passed NSW legislation, which makes something of a mockery of the concept of a uniform national Code. While it may be the case that some differences between State and Commonwealth law are necessary (e.g. to cover offences against the Commonwealth), this factor alone does not explain most of the changes made.
Our major concerns with the proposed legislation are the assistance order provisions in Schedule 2. The provisions present controversial issues and major difficulties which have been totally ignored in the face of the Bill and in the Explanatory Memorandum.
Many of the problems and security breaches that are being experienced with computer systems today are the result of inadequate security protections, faulty or insecure software, or poorly qualified operators. If confidential information were left lying around in a public place, would we charge the finder with a criminal offence? Yet the equivalent summary offence of unauthorised access (478.1) in the Bill does exactly that. Furthermore, the traditional concepts of cause, knowledge, malicious intent and actual damage appear to be absent from many of the offence provisions.
We will now comment on some specific concerns about the proposed Bill.
477.1 Unauthorised access, impairment or impairment with intent to commit a serious offence
Paragraph 477.1 (2) provides for absolute liability to be applied to paragraph 1(b). Absolute liability removes the defence of mistake of fact (Criminal Code Act 1995, s.6.2), yet no case has been made out as to why absolute liability, or even strict liability, should apply to this element of the offence. This provision does not appear in the corresponding paragraph of the Model Criminal Code (MCC) 4.2.4.
Paragraph (3) adds a further provision that is not in the MCC, namely that the prosecution does not need to prove that the defendent knew it was an offence against a Commonwealth, State or Territory law, or a serious offence. This begs the question as to whether intent (477.1 1(d)) can be proven in the absence of mens rea.
The same criticisms apply to paragraph (5).
477.2 Unauthorised modification of data to cause impairment
Paragraph 1(c) removes the element of intent which is present in the corresponding MCC paragraph 4.2.5. No explanation for this change is offered in the Explanatory Memorandum.
The absolute liability provision of paragraph 2 has not been properly justified, and it does not appear in the MCC.
Paragraph (3) (guilty even if no impairment) is also absent from MCC paragraph 4.2.5, again without explanation in the Explanatory Memorandum.
It is also noted that the alternate offence of damaging property is omitted from paragraph 4, whereas it appears in the corresponding MCC paragraph 4.2.5 2(a). This raises the question as to the appropriateness of some of these offences. The correspondence with property damages offences in the physical world appears to be absent, and serious offences are being created even in the absence of actual monetary or physical damage.
477.3 Unauthorised impairment of electronic communication
The elements of intent, or even recklessness, both of which are present in the corresponding MCC paragraph 4.2.6 are completely absent from this section. This is a serious omission for an offence that carries a 10 year prison term.
Absolute liability applies in paragraph 2, without due explanation. Again this is a departure from the provisions of the MCC.
Similarly, the alternative damages offence has been removed, and our comments about this in the previous section are reaffirmed.
478.1 Unauthorised access to, or modification of, restricted data
The corresponding MCC paragraph (Summary Offence), is overbroad in that it could be applied to access without damage or criminal intent in a private computer network. 478.1 (1)(d) appears to be an attempt to narrow the offence to Commonwealth computers or computers accessed by means of a telecommunications service, but the offence is still too broad. Under the definition of a telecommunications service, private networks, and even wired or wireless networks within households are encompassed by this offence.
This matter starkly illustrates the problems in trying to create offences around a technology that is now a common household item. While the courts may be expected to identify the Parliament's intent to only criminalise genuine offences, the fact remains that the wording of the law is hopelessly inadequate. Legislators have a responsibility to create law that is unambiguous, rather than leave it to the courts to determine what was really intended.
The same objections as previously apply to the absolute liability provision in 478.1 (2). Again, this is not in the MCC.
478.3 Possession or control of data with intent to commit a computer offence
The offence provision here is overbroad. The notion of possession with intent in relation to intangible items needs careful treatment in order to ensure that innocent behaviour is not criminalised. Most of the software tools which are presumably the target of this provision have legitimate uses for testing computer security. Criminal intent is likely to be far more difficult to prove than with the supposedly analagous physical crime of going equipped for burglary, particularly as the location in which the alleged offence occurred is a key element of the latter offence.
The equivalent offences in Article 6 of the draft Council of Europe Convention incorporate safety provisions, which include a specific statement that the offence is aimed only at tools which could be used to commit substantive computer offences, and an acknowledgement that such tools can also have legitimate purposes. Furthermore, parties to the convention are not obliged to implement the possession offence (see Article 6.3), and a provision is made that parties may also require a number of such items to be possessed before criminal liabliity attaches (Article 6.1.b).
Similar protections need to be built into the corresponding offences in the Cybercrime Bill. We have corresponding concerns in relation to the production and supply offence 478.4.
Schedule 2 - Law Enforcement powers relating to electronically stored data
The comments here apply to proposed section 3LA of the Crimes Act 1914 and proposed section 201A of the Customs Act 1901. These sections give identical powers to law enforcement agencies operating under the respective Acts.
The drafters of the Model Criminal Code, while recognising that new law enforcement powers may be required, declined to specify what those powers should be. The MCC Report stated (in Chapter 4):
In common with other chapters of the Model Criminal Code, Chapter 4 makes
no provision for enforcement. There appears to be pressing need for
specialised enforcement provisions. The issues involved are both difficult on a
technical level and controversial in relation to the protection of individual human
rights and the rights of corporate entities.
The proposals in the Bill are indeed controversial. The matter of assistance orders is aimed squarely at the problems presented by security passwords and, more particularly, encrypted data. To the best of our knowledge, the only other country that has previously tried to address this problem with specific legislation is the U.K. with its highly reviled and controversial Regulation of Investigatory Powers Bill 2000, more commonly known as the R.I.P. Bill.
One of the major problems with this Bill was its cursory treatment of the requirement for persons to reveal encryption keys (in Part III - Investigation of Electronic Data Protected by Encryption etc.).
There may sometimes be legitimate reasons why a private key or plain text could not be handed over to a law enforcement agency, and it would be difficult for the subject of an assistance order to provide proof that they did not possess or have access to a key or plain text. The prospect of users of encryption being jailed despite having genuinely lost their private keys is a major and quite legitimate concern. EFA submits that the proposed legislation should provide an indication as to how those served with assistance orders requiring plain text or encryption keys can successfully demonstrate that they cannot comply with the notice.
Furthermore, we point out that the 1997 OECD cryptography guidelines, which Australia has adopted, specifically recognize the fundamental right of privacy in relation to encrypted data:
Article 5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
A further problem is that a single encryption key often serves the dual purpose of ensuring confidentiality and providing secure authentication of the signatory to a document (through a digital signature). Revealing the key (or the passphrase therto) can therefore compromise the integrity of the owner's digital signature. (It should be noted that the person on whom the assistance order is served is not necessarily assumed to be guilty of an offence).
Clearly there is tension between privacy rights and legitimate law enforcement needs. An approach needs to be found that balances these issues, or at least recognises in the law that an offence is not automatically criminalised in the event of failure to provide assistance.
In its present implementation, the law enforcement provisions in the Bill totally fail to address these potential problems, or even acknowledge that the measures proposed are controversial. The Bill's drafters are well aware of the complex issues involved here. In 1996 the Attorney-General's Department commissioned a former ASIO Deputy Director-General, Mr. Gerard Walsh, to research the issues. His report, Review of Policy relating to Encryption Technologies, although clearly intended for public comment, was suppressed by the department. After an extended Freedom of Information battle, EFA eventually obtained a heavily censored version of the report, but the full report eventually came to light and has been published on the EFA website. If Committee members are unaware of the controversial issues surrounding this matter, we would strongly urge them to read this report.
The law enforcement provisions may also have the effect of over-riding the common law privilege against self-incrimination. This situation could arise where a person was compelled to reveal a password or encryption key as a requirement of an assistance order. The right to silence is a long-standing right in most jurisdictions and it is unacceptable that it should be potentially over-ridden in the Bill without strong justifictation or even acknowledgement.
We note that law enforcement matters are currently being investigated by the Joint Committee on the National Crime Authority Inquiry into The Law Enforcement Implications of New Technology. EFA recommends that this provision in the Bill should be referred to that committee for proper consideration amongst other proposals for law enforcement in relation to new technology.
EFA's major recommendations are as follows:
- The law enforcement amendments concerning assistance orders should be set aside until a full and proper assessment has been made of the legal issues involved in relation to forced release of encryption keys.
- The absolute liability provisions of the Bill should be removed.
- Cause, knowledge, malicious intent and actual damage should be established as prerequisites in respect of all of the proposed new offence provisions.
- Safeguards need to be added to the preparatory possession offences along the lines of those in the draft CoE Convention.
- The government should be called upon to justify all departures from the Model Criminal Code.
- The legislation should be carefully scrutinised to ensure that innocent behaviour is not criminalised.
U.K. Regulation of Investigatory Powers Act 2000
European Committee on Crime Problems (CDPC)
Final Activity Report, 29 June 2001.
Draft Convention on Cyber-Crime.
European Committee on Crime Problems (CDPC)
Final Activity Report, 29 June 2001.
Draft Convention on Cyber-Crime.
OECD Cryptography Policy Guidelines (1997)
Joint Committee on the National Crime Authority
Inquiry into The Law Enforcement Implications of New Technology
Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General.
Model Criminal Code. Chapter 4 - Damage and Computer Offences - Report. January 2001
Review of Policy relating to Encryption Technologies (The