A recent series of successful prosecutions involving wilful damage to computers has shown that, despite the lack of specific computer crime legislation, not all attacks on computers are free from prosecution.
For a wilful damage prosecution to succeed, the offender must have wilfully caused damage to the property concerned. In addition, the property must be of a tangible nature.
In the case of computers, however, the “damage” may not always be tangible, as in the case of erasing of data. The damage is often (given some time and effort) reversible with no permanent harm.
However, despite these difficulties, a number of cases have shown damage may include not only permanent or temporary physical harm but also permanent or temporary impairment of the value or usefulness of the property.
In a UK case, a hacker gained unauthorised access to a computer network and altered data contained on the disks in the system, causing a number of computers to fail.
The defence had argued that, because the data stored on the disk was not of a physical nature, the removal of the data could not amount to damage as defined in the UK Criminal Damage Act. The court rejected this argument, stating the act simply required proof that tangible property had been damaged; it was not necessary that the damage itself should also be tangible. The court also found the altering of the magnetic particles causing impairment to the value or usefulness of the disk to the owner was sufficient to amount to wilful damage.
In another UK case, the defendant had deliberately erased a computer programme from a plastic circuit card of a computerised saw so as to render the saw temporarily inoperable. Although the damage to the saw was not permanent, the significant labour, time and expense involved in restoring the programs onto the circuit card was sufficient to amount to damage.
The approach taken by the UK courts has subsequently received approval in a number of New Zealand decisions. Some commentators would argue that based on these cases, no further legislation is required in this area.
While the cases provide some degree of discouragement from committing crimes against computers, in our view they do not go far enough.
First, a number of the existing terms within the Crimes Act are outdated and/or non-specific. In a fraud case currently before the Court of Appeal, the court has been asked to determine whether the use of the word “document” in section 229A of the Crimes Act includes data stored on a computer. The Court of Appeal’s decision is crucial to the case, given that all three charges against the appellant relied on the presumption that a “document” included computer data.
Secondly, wilful damage does not extend to forms of computer attack that do not include an element of damage. Cyber invasion ("passive" hacks) does not result in damage to the computer; however, in the absence of criminal discouragement businesses are forced to spend heavily on computer security to protect their systems.
The enactment of the Crimes Amendment Bill (No 6) is expected to bring greater certainty to the area of computer crime and in particular to those offences relating to computer intrusion.
However, each of the offences under the bill requires that the offender must have accessed the computer system “without authority”. This contrasts with criminal damage, where there is no requirement to show access was authorised.
The interpretation of the term “without authority” is likely to cause some difficulty. For example, it is possible that a person with authority to access a computer system may use this authority to intentionally damage it. On a strict interpretation of the proposed legislation, that person would not have committed an offence.
If such an interpretation is followed in the courts, there may still be room for the use of wilful damage prosecutions where the damage was caused by a person with authorised access.
Another interesting outcome of the wilful damage decisions could be their application to distributed denial of service attacks. With the focus of the proposed legislation on accessing a computer system and the interference of data or software stored on a computer system, a DDOS attack might fail to qualify as an offence. However, on the interpretation of the above cases, prosecutors could still argue a DDOS attack amounted to wilful damage.
While the enactment of the new bill will provide greater scope for prosecution of computer criminals, it seems likely existing offences such as wilful damage will continue to have a role in this area.
Parkinson is a partner and Compton a solicitor for Clendon Feeney.