Hacking away:

Computer crime and the common law

---

Published in Nedbank ISS Crime Index
Volume 5 2001
Number 2, March - April

The South African Law Commission is considering draft legislation to criminalise certain kinds of attacks on computers and networks that are presently not adequately dealt with in the law. In addition, it will seek to address certain deficiencies in the search and seizure powers of police officers in the context of computer-related crime. The issues dealt with demonstrate the difficulty in ensuring that rapid technological innovation is matched by appropriate changes to the law.

Consider a major company, operating a sophisticated data network carrying thousands of transmissions a day. Everything the company does moves over its network: clients’ billing details and requests for credit; the internal authorisation, management and recording of employee activities, leave and overtime; sales conducted through the electronic shop window managed by the company. In short, everything relies on the network, without which the company’s activities come to a grinding (virtual) halt.

Virus attacks have serious consequences

Now consider a successful denial-of-service attack on the software that operates the company’s network. Suddenly the system is processing thousands upon thousands of spurious transmissions, clogging the system and crashing the server. While this is happening, every legitimate transmission is simply crowded out under the sheer weight of data moving through the limited bandwidth available.

Worse still, consider the implications if such an attack were mounted on the network managing the flow of information of an essential service such as that of an electricity distributor, train or air transport management agency. Or consider the consequences of an attack on a case management system detailing the nature and timing of the administration of medication to the seriously ill in a major hospital.

These scenarios are neither randomly chosen nor unprecedented: both the Melissa and I Love You viruses that flitted across the world in the past 12 months did exactly this, and, in so doing, caused vast amounts of economic damage to the companies affected.

Now, although there is probably a reasonably strong civil case against the perpetrators of such an attack on a South African business, the question arises as to whether such an attack would attract criminal sanction under the current legal system.

Despite an overwhelming sense that these actions should be regarded as malicious criminal activity, the South African Law Commission believes that under present law no criminal charges would be successfully pursued against the perpetrators. This is due to a gap in statutory provisions not readily filled by the common law.

Common law offers inadequate protection

In October 1998? the Law Commission published an Issue Paper setting out the nature of the problem. It concluded that the common law did not provide for criminal sanctions for the perpetrators of certain computer-related crimes and, furthermore, that the nature of criminal procedure in South African law undermined investigators’ powers of search and seizure in the context of many crimes of this nature.

At the time of writing, the Law Commission was considering draft legislation and a Discussion Document premised on the concerns raised in the issue paper. Assuming that the discussion document passes muster, some of these problems may be resolved within a reasonably short period of time. Nonetheless, the difficulty of providing adequate legal sanctions in the context of rapidly evolving technological development is highlighted by the problems identified by the Commission.

The problem with the present legal framework, as identified by the Law Commission, revolves around two issues.

The first of these is that, while no statutory offence adequately criminalises certain computer-related crimes, the common law also fails to ensure that such actions attract the weight of criminal law. Essentially the problem with common law crimes such as malicious damage to property, trespass and theft is that they evolved under conditions in which crimes were either directed at the body or dignity of the person, or at a person’s physical property. There was simply no need for criminalising actions that damaged non-material property, since for much of the development of our common law, the idea of non-material property was itself inconceivable.

It is for this reason that the development of the concept of intellectual property has generally involved legal innovation either in the interpreting of common law, or in the development of statutory offences such as those associated with copyright infringement.

New legislation

In order to address this deficiency other jurisdictions from the UK to Singapore have adopted laws criminalising certain actions involving the unauthorised breaching of IT systems in order to impair their operation, hinder access to data on these systems, or render them less reliable.

The second issue is that many jurisdictions have had to modify the search and seizure powers of investigators in the light of the difficulty in securing information contained on computers for the purpose of criminal investigations.

Such innovations have been necessary because the existing provisions for the granting of a search warrant have a number of deficiencies in the context of computer-related evidence. Amongst these problems are the following:

Search warrants generally need to specify a physical article that is the object of a search. It is doubtful that the bits and bytes on a computer disk would qualify as an article, rendering it impossible to authorise a search for data saved on a computer.



In general, a search warrant has to specify a precise address for the search. In the context of a computer network, relevant evidence, if located on a network, may not be in a readily identifiable location, and may well be housed outside of the jurisdiction of the court.



Overcoming encryption may necessitate the assistance of the suspect, but it may be difficult to secure such co-operation in the absence of a court order. While that is in process the data may of course be modified, moved or erased by a perpetrator’s accomplice.

The rapid development of IT and its integration into all aspects of modern life present the authorities with a range of challenges, not the least of which is to try to ensure that the law remains relevant to the threats posed by the criminally inclined. It is hoped that by the time this article is published, the Law Commission will have published its long-awaited proposals on how to resolve some of the difficulties it identified in 1998.

Antony Altbeker
School of Public and Development Management, Wits University