Cracking down on the hack-pack

After Timothy Allen Lloyd was demoted by his employers in New Jersey in the US, he must have realised that even after nine years…

After Timothy Allen Lloyd was demoted by his employers in New Jersey in the US, he must have realised that even after nine years service it was only a matter of time before he was fired. So he wrote a small program, loaded it on to his employer's computer system, tested it and waited. Two weeks after he was fired, his "time-bomb" went off, deleted all of his employer's most important programs and cost the company more than $10 million. He was discovered, prosecuted, and in May 2000 convicted by the US Federal Courts. Although the direct disruption and commercial damage caused by hackers or cyber-criminals can be considerable, the fear that they engender in society may be of greater significance.

Despite the fact that the US has laws and enforcement mechanisms that are far superior to those available in Ireland, a recent survey suggests more than two-thirds of Americans remain concerned about the danger posed by this threat. Fear of cyber-crime could stop Irish people going online and engaging in e-commerce. There is also a danger that if Ireland's laws on e-commerce are seen as being lax, then our ambitions to become a European e-commerce hub may be damaged.

One possible solution is proposed by Section 9 of the Criminal Justice (Theft and Fraud Offences), Bill, 2000, which provides: "A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer with the intention of making a gain for himself or herself or another, or of causing loss to another is guilty of an offence."

On conviction a sentence of up to 10 years' imprisonment can be imposed, which is a very heavy sentence - double the maximum penalty that could be imposed on a conviction for an assault causing harm. The section is deliberately drafted very broadly, so it can be applied to new and as yet unforeseen technologies. But if it became law in its current form, it might cause a variety of problems.

READ MORE

Firstly, it appears to discriminate against computer users: somebody who dishonestly sells pirated music over the Internet using a computer could face a 10-year sentence under this proposal, but a competitor selling them out of a suitcase on O'Connell Street would face a maximum of only five years under the Copyright and Related Rights Act 2000. Such discrimination would be contrary to the commitment given in the 1998 Joint Irish and US Communique on Electronic Commerce that: "Where legislative action is necessary it should not be to the advantage or disadvantage of electronic commerce . . ."

Secondly, the proposal might have other unintended commercial effects. Many who got burned in the recent dot.com boom could have said that the promoters of various dud e-businesses were dishonestly operating computers with the intent of causing immense gain to themselves and losses to anybody who got stuck with their stock. In the US, the dramatic fall in the share price of such firms has spawned a rash of civil lawsuits, and if the above proposal became law, similarly aggrieved Irish shareholders could seek criminal prosecutions. The proposal is so broad that it may be impossible to know where free-market capitalism ends and dishonest gain begins.

Finally, it may be very difficult to define what would constitute an offence under the proposal; this will create problems for computer users who may become wary of technological or commercial innovations that might be subsequently held to be offences. But any criminal prosecutor would face the same burden, and as prosecutions of cyber-crimes are extremely difficult, complex and expensive, this extra burden might discourage them.

A more successful approach might be to narrowly define a variety of computer and Internet related offences as is done by the US Federal Code. This is suggested in the Draft Convention on Computer Crime, published by the Council of Europe in April, which provides for several offences relating to: illegal access; illegal interception; data interference; system interference; the possession of illegal devices; and computer related fraud and forgery.

Honest computer users could then avoid unwittingly committing crimes, and the prosecution of dishonest users would become easier.

Denis Kelleher BL is a practising barrister and co-author with Karen Murray of IT Law in the European Union, Sweet & Maxwell (London) 1999 and Information Technology Law in Ireland, Butterworths (Dublin), 1997. deniskelleher@ireland.com