Monday, February 18, 2013

Impact of the Criminal Justice Act 2011 on cybercrime law

One of the most important recent developments in Irish criminal law has been the enactment of the Criminal Justice Act 2011 which makes substantial changes to both the substantive and procedural law surrounding offences of dishonesty and "white collar crime" (previously). While the 2011 Act is of very wide application, it has particular significance for computer crime where it creates both duties to report certain types of crime and new police powers to require the handing over of passwords and decryption of files.

Pearse Ryan and Claire O'Brien of Arthur Cox and Andy Harbison of Grant Thornton have produced a very good guide to the effect of the 2011 Act for the Society of Computers and Law (paywalled) and with their kind permission I'm glad to be able to host a copy here:

Cybercrime in Ireland – Recent Legislative Developments

The Criminal Justice Act 2011 (the “2011 Act”) came into effect on 9th August 2011 and was enacted with the aim of granting An Garda Síochána (the Irish national police service) more extensive powers to investigate “serious and complex offences”. (1) The main areas which the 2011 Act deals with are the supply of information at investigation, detention, questioning and the summoning of witnesses.  Much attention has focused on the 2011 Act as a tool in the fight against white collar crime, a topic of much interest since Ireland’s economic crisis.  In the press statement released by the Minister for Justice, Equality and Defence, Mr Alan Shatter, it was stated that the 2011 Act is “an important step in delivering on the Government’s strong commitment to tackle white collar crime as set out in the Programme for Government”.(2)

This article focuses on the 2011 Act as a tool in the fight against cybercrime, a specific sub-species of white collar crime.  While cybercrime may not pose the same threat to national economic well-being as some of the criminal acts, the investigation and accordingly the prosecution of which the 2011 Act was intended to assist, with particular reference to the financial services sector, cybercrime is a material and ever increasing area of criminal activity.  Also, it is an area in which the Gardaí were previously severely hampered in their ability to investigate, with a knock-on effect on prosecutions.

This article follows on from an earlier article entitled ‘Computer Fraud in Ireland’.(3)  

Purpose of 2011 Act


The problems which the 2011 Act attempts to tackle are problems which potentially both significant delay and potentially hamper the investigation and prosecution of white collar crime.  Cybercrime in particular, is frequently orchestrated on a large if not massive scale and in an increasingly complex manner, as technology develops at a rapidly increasing pace. 

The level of resources deployed by organisations to secure their IT systems has increased substantially in recent years.  Correspondingly, the level of technical sophistication necessary to establish a breach in most organisations’ IT networks, and particularly those in the financial services industry, has also had to increase.  Organisations’ cyber-defences now typically take a lot more effort and wherewithal to breach.  Now, more than ever to become a success in cybercrime it is necessary to be intelligent, patient, innovative and well resourced, none of which are characteristics typical of most criminals.  Cybercrime, or at least those areas of it that are more than computerised petty theft, therefore falls increasingly within the domain of organised criminals.(4) 

National authorities responsible for investigation of all forms of cybercrime are almost invariably at a technological disadvantage, as the criminals make the running.  The 2011 Act attempts to go some way towards lessening delays which hamper the investigative process.  

Scope of 2011 Act


Section 3(1) of the 2011 Act brings a number of relevant offences within its ambit, among them Section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001 (the “2001 Act”) and Sections 2, 3 and 4 of the Criminal Damage Act 1991 (the “1991 Act”).  These offences are summarised below, but are discussed in some detail in the previous article referenced above.

Additionally, Section 3(2) provides that the Minister may, by order, specify as a relevant offence, any arrestable offence relating to criminal acts involving the use of electronic communication networks and information systems or against such networks or systems or both, if the Minister is of the opinion that the nature of the offence is such that it would benefit from the powers conferred on the authorities in the 2011 Act, due to, for example, the complexity of transactions involved and the prolonged period of time usually required for investigation.  It remains to be seen whether any such offences will be specified pursuant to Section 3(2). 

Section 3(2) appears to be a recognition that the 1991 Act and 2001 Act were rendered effectively obsolete by technological innovations quickly after being passed.  Nevertheless, it does not solve the problem that an offence has to be rendered arrestable before it can also be designated as reportable, a problem when Irish authorities have historically had difficulty keeping up with the apparently boundless imaginations of cyber criminals when applied to developing new varieties of IT fraud and cybercrime.

Sections 2 and 3 of the 1991 Act respectively create the offences of damage to, and threat of damage to, property, including damage with an intention to defraud.  Section 4 of the 1991 Act created the offence of possessing anything with intent to damage property with a similar intention to defraud another.   Section 9 of the 2001 Act relates to the dishonest operation of a computer whether within or outside the State with the intention of making a gain, or of causing loss to another. 

It is notable that Section 5 of the 1991 Act remains outside of the remit of the 2011 Act.  Section 5 is a computer-specific offence and deals with persons who, without lawful excuse, operate a computer within the State with intent to access any data kept either within or outside the State, or outside the State with intent to access any data kept within the State, whether or not any data is actually accessed.  Given the specific acknowledgements in the 2011 Act of the role played by technology in serious and complex offences, it is surprising that Section 5, with its obvious focus on hacking and data security has been excluded from its application.  It is possible that the drafters of the 2011 Act doubted the ability of citizens to reliably and accurately identify the kind of offences covered under Section 5 of the 2001 Act, which would render any legal obligation to report such offences excessively onerous.  Hacking offences can be difficult to identify where the perpetrators intention was to remain undetected, which is frequently the case and particularly with more sophisticated hacking.  It might also be noted that resource allocation to the Gardai’s Computer Crime Investigation Unit have failed to keep up with growth rates in IT usage over recent years.  An obligation to report computer offences would thus not necessarily be reflected in an increase in investigative activity.

Key Provisions of 2011 Act


Under Section 15 of the 2011 Act a member of the Garda Síochána may apply to a judge of the District Court for an order to make available particular documents or described documents available or to give information for the purposes of the investigation of a relevant offence.  In the case of documents being handed over under this section which are illegible or inaccessible, the court order may also stipulate that any relevant access or passwords be given.  Failure to provide passwords can be punished by a fine or prison term of up to 12 months on summary conviction or 2 years on indictment. 

Requiring passwords is a significant power, given that without the key the lock remains unopened.  Investigation of cybercrime offences can clearly be substantially frustrated by the lack of access to encrypted documents, as demonstrated, for example, in recent Garda investigations at Anglo Irish Bank.(5)  This section provides the Gardai with considerable additional leverage.  The 2001 Act only allowed for penalty of IR£500 or 6 months for failure to disclose passwords and as far as we are aware these penalties were never imposed.

The Superior Courts in Ireland have on occasion in recent years issued Anton Pillar Orders and other civil warrants which required individuals to disclose passwords to representatives of Civil plaintiffs, under threat of being held in contempt and summarily jailed.  In practice this has meant that private persons have potentially had more scope to force other parties to disclose their password than have the police.  A fact of necessary concern to Gardai.

Section 16 deals with the assertion of privilege over documents which fall subject to an application under Section 15 and allows for the Garda Síochána to apply for a determination as to whether privilege can be claimed, which application may be made in camera.  This provision will be of benefit in the context of the speed at which cybercrime offences can become opaque and tackles a significant area of delay in criminal prosecution. 

Section 18 of the 2011 Act allows for certain reasonable presumptions to be made in the context of the Criminal Evidence Act 1992 in relation to the authorship or exchange of documents by virtue of the circumstances in which the document is found or purports to be exchanged.  In IT forensics, it is typically relatively straightforward for expert investigators to establish that actions were carried out on a computer by persons using a particular user account or other privileges.  It has historically been far more difficult to link specific individuals with user accounts – to place their hands on the keyboard.  The new provision allows the Courts to assume that the individual in possession of a certain set of user credentials was the same person who carried out any acts on the computer using those credentials.  It is up to the defence to demonstrate that others might have been able to use the same credentials to carry out a crime.  These provisions will be of particular relevance to the use of electronic documents in the course of investigation and the use of evidence in criminal trials. 

Under Section 19(1) of the 2011 Act it is an offence for a person to withhold information which they believe might be of material assistance in preventing the commission by another person of a relevant offence or securing the apprehension, prosecution or conviction of any person for a relevant offence and the person fails without reasonable excuse to disclose the information to the Gardaí.  This offence attracts a penalty of a class A fine (maximum €5,000) and/or 12 months imprisonment on summary conviction and an unlimited fine and/or imprisonment not exceeding a period of five years on conviction on indictment.  The Gardaí may arrest and detain, for up to 24 hours, an individual without a warrant if they are suspected of withholding information.(6)  

It is our understanding that this obligation may apply retrospectively so that, in theory, matters that individuals and organisations might have thought long closed should be reported to the Gardai regardless.  This is an area of concern amongst those likely obliged to report offences, although not an area that has attracted much public comment.

Section 19 is the provision of the 2011 Act which has attracted most attention within the public and private sectors.  This provision represents a clarification in the law, creating for the first time a specific obligation to report relevant information to the authorities.  While this provides obvious advantages for the Garda Síochána in investigation of serious crime, it has caused a degree of concern to public and private sector organisations, who may now be guilty of an offence if they fail to report information covered by the provision.  This could potentially apply in circumstances of omission by default, where the organisation may not be actively aware that relevant information is in their possession.  While it is assumed that the normal rules in relation to knowledge and possession of evidence, together with normal Gardai operational practice and procedure, will apply in the application of this Section, there is an element of doubt here which is a cause for concern amongst public and private sector organisations who may be have suffered cybercrime, together with third parties, such as IT security or forensics consultants brought in to investigate technical aspects of an incident, which may take some time to be identified as a crime.  This Section was introduced to solve a perceived problem, but the tariffs applicable to the new offence in particular have caused disquiet amongst those under an obligation to report.

It should be noted that Section 19 has essentially reinstated the offence of Misprision, which had been removed from Irish law by the Criminal Law Act 1997(7), for all but terrorist offences.(8)  Misprision was formerly a common law misdemeanour committed by a person who knew that a felony had been committed but did not give information which could lead to the felon’s arrest.(9)  Minister Shatter stated at the Second Stage reading of the 2011 Act, in relation to Section 19, that “this particular offence is of major importance, as its creation in the Bill will ensure that those who become aware of persons engaging in white collar crime are under an obligation to bring what they know to the attention of the Garda Síochána” .(10)

One provision the 2011 Act does not include is any allowance to provide additional resources to the Gardai to investigate the offences which it is intended be reported to them under its provisions.  Nor has the Government allocated any additional resources to the Garda Bureau of Fraud Investigation or to the Garda Computer Crime Unit in response to this new legislation.  As a consequence it appears the main effect of the Act may be to deluge the law enforcement authorities with reports of possible offences without providing them any means to investigate them.  It is therefore very much an open question whether in this regard the 2011 Act is anything more than a ‘paper tiger’.

2011 Act Overview and Summary

The 2011 Act introduces a wide arsenal of powers aimed at aiding the investigation of serious offences which in the context of cybercrime are generally long overdue and are to be welcomed.  The quite serious tariffs applicable under Section19 have been less welcomed by those likely to suffer cybercrime as well as the IT forensics sector, who may be ones who discover the crime. 

While the 2011 Act incorporates approximately 130 offences into its remit, one significant omission is reference to Section 5 of the 1991 Act, which relates to unauthorised use of a computer with intent to access data, which was intended to deal with hacking.  The reason for this omission is assumed to be attributed to the same logic which associates the offence under the 1991 Act with damage to property and applies comparatively small tariffs.  Under the 1991 Act a general offence relating to damage to property is stated, with property defined to include data.  This is thus a fairly basic cybercrime related offence.  Notwithstanding, the relative merits of Section 5 of the 1991 Act, by omitting reference to it the 2011 Act has disregarded one of the main types of cybercrime offence, namely hacking (albeit a particular type of hacking) that the new broad powers of investigation would seem to have been intended to tackle. 

Significant steps have been taken by the 2011 Act to make inroads on issues which hamper the effective investigation of complex and technical crimes.  This is welcome.  However, overall the law applicable to substantive cybercrime offences, as set out in the 1991 Act and 2001 Act, requires significant revision, to update what are by now elderly offences.  Without a more focused and sophisticated legislative framework cybercrime will remain an area where the law lags behind the crime. 

Pearse Ryan is a partner in the Technology & Life Sciences Group at Arthur Cox, Dublin, specialising in IT, outsourcing, cloud computing and IT security issues.  Claire O’Brien is a trainee solicitor in the Technology & Life Sciences Group at Arthur Cox, Dublin.

Andy Harbison is a Director – IT Forensic Lead, Forensic & Investigation Services, at Grant Thornton, Dublin, specialising in computer forensics and electronic discovery.

Pearse and Andrew wish to express their thanks to Claire for her valuable contribution to this article.

Footnotes:


  1.   Criminal Justice Bill 2011 Second Stage Speech (Dáil) on Wednesday, 18 May 2011Minister for Justice, Equality and Defence, Mr Alan Shatter, T.D.
  2.   Press release of the Minister for Justice, Equality and Defence, Mr Alan Shatter T.D http://www.justice.ie/en/JELR/Pages/CrimJustBill2011_PR
  3.   Article published by the Society for Computers & Law, available at: http://www.scl.org/site.aspx?i=ed16653.  Also available at:  http://www.arthurcox.com/who-we-are/our-people/pearse-ryan.html
  4.   For example, 21/12/12 story entitled ‘Facebook helps FBI take down $850m cyber-gang’, available at: http://www.finextra.com/News/FullStory.aspx?newsitemid=24372
  5.   See: http://www.independent.ie/national-news/anglo-chiefs-facing-quiz-on-missing-passwords-2413749.html
  6.   For a general discussion of S19 see:  http://www.arthurcox.com/uploadedFiles/Publications/Publication_List/Arthur%20Cox%20-%20The%20Criminal%20Justice%20Act%202011,%20September%202011.pdf
  7.   In this Act, Section 3 abolishes the distinction between felony and misdemeanour, thereby abolishing the felony of misprision.
  8.   Section 9 of the Offences Against the State Act, 1998 creates an offence similar to misprision.  In this section it is an offence to withhold information which a person knows or believes might be of material assistance in preventing the commission of a serious offence or securing the apprehension  prosecution or conviction of any other person for a serious offence,
  9.   See for example Sykes v. DPP [1961] 3 All ER.
  10.   http://debates.oireachtas.ie/dail/2011/05/18/00025.asp

3 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. The Cyber laws that are coming into place are much like a using a sledge hammer to knock in a tack nail. It's almost like these lawmakers don't quite know what to do so they are overreaching and clamping down on these activities. Strangling creativity and all that the web is supposed to be. Draconian at best.

    ReplyDelete
  3. Thanks for your great information, the contents are quiet interesting.I will be waiting for your next post.
    jobs in life Sciences

    ReplyDelete