Cybercrime : legislation, cases and commentary 9780409341683, 0409341681


English Pages [484] Year 2015


Table of contents :
Full Title
Copyright
Foreword
Preface
Table of Cases
Table of Statutes
Table of Contents
Part 1 Introduction
Chapter 1 What is Cybercrime?
Part 2 Unauthorised Access, Modification and Impairment
Chapter 2 Unauthorised Access
Chapter 3 Unauthorised Modification
Chapter 4 Unauthorised Impairment
Part 3 Online Financial and Property Crimes
Chapter 5 Online Fraud and Forgery
Chapter 6 Identity Crimes and Card Skimming
Chapter 7 Online Copyright Crimes
Part 4 Online Child Exploitation and Other Privacy Crimes
Chapter 8 Child Pornography
Chapter 9 Online Child Grooming
Chapter 10 Cyberstalking, Online Harassment and Voyeurism
Part 5 Investigation, Prosecution and Judicial Issues
Chapter 11 Investigating Cybercrime
Chapter 12 Prosecuting and Sentencing Cyber Criminals
Index


Cybercrime Legislation, Cases and Commentary

Gregor Urbas
BA (Hons), LLB (Hons), PhD (ANU)
Associate Professor of Law, University of Canberra
Legal Practitioner, Supreme Court of the Australian Capital Territory and the High Court

LexisNexis Butterworths Australia 2015

LexisNexis

AUSTRALIA: LexisNexis Butterworths, 475–495 Victoria Avenue, Chatswood NSW 2067. On the internet at: www.lexisnexis.com.au
ARGENTINA: LexisNexis Argentina, BUENOS AIRES
AUSTRIA: LexisNexis Verlag ARD Orac GmbH & Co KG, VIENNA
BRAZIL: LexisNexis Latin America, SAO PAULO
CANADA: LexisNexis Canada, Markham, ONTARIO
CHILE: LexisNexis Chile, SANTIAGO
CHINA: LexisNexis China, BEIJING, SHANGHAI
CZECH REPUBLIC: Nakladatelství Orac sro, PRAGUE
FRANCE: LexisNexis SA, PARIS
GERMANY: LexisNexis Germany, FRANKFURT
HONG KONG: LexisNexis Hong Kong, HONG KONG
HUNGARY: HVG-Orac, BUDAPEST
INDIA: LexisNexis, NEW DELHI
ITALY: Dott A Giuffrè Editore SpA, MILAN
JAPAN: LexisNexis Japan KK, TOKYO
KOREA: LexisNexis, SEOUL
MALAYSIA: LexisNexis Malaysia Sdn Bhd, PETALING JAYA, SELANGOR
NEW ZEALAND: LexisNexis, WELLINGTON
POLAND: Wydawnictwo Prawnicze LexisNexis, WARSAW
SINGAPORE: LexisNexis, SINGAPORE
SOUTH AFRICA: LexisNexis Butterworths, DURBAN
SWITZERLAND: Staempfli Verlag AG, BERNE
TAIWAN: LexisNexis, TAIWAN
UNITED KINGDOM: LexisNexis UK, LONDON, EDINBURGH
USA: LexisNexis Group, New York, NEW YORK; LexisNexis, Miamisburg, OHIO

National Library of Australia Cataloguing-in-Publication entry

Author: Urbas, Gregor.
Title: Cybercrime: Legislation, cases and commentary.
ISBN: 9780409341683 (paperback). 9780409341706 (ebook).
Notes: Includes index.
Subjects: Computer crimes — Law and legislation — Australia. Computer crimes — Cases. Internet — Law and legislation — Australia.
Dewey Number: 364.1680994

© 2015 Reed International Books Australia Pty Limited trading as LexisNexis. This book is copyright. Except as permitted under the Copyright Act 1968 (Cth), no part of this publication may be reproduced by any process, electronic or otherwise, without the specific written permission of the copyright owner. Neither may information be stored electronically in any form whatsoever without such permission. Inquiries should be addressed to the publishers. Typeset in Minion Pro and Myriad Pro Printed in Australia. Visit LexisNexis Butterworths at www.lexisnexis.com.au

Foreword

Over the centuries, the importance of the consistency and predictability of law has fostered a certain conservatism on the part of many lawyers and judges. It has been interesting to observe how the legal profession has learned to cope with digital technology. I recall having heard an anecdote in 1981 about an Australian judge who, at the time, refused to accept a pay cheque that was computer-generated, insisting instead that his be typed out personally. It was perhaps a credit to the gentleman that his demands did not extend to the use of a quill pen.

Fast forward to the twenty-first century. Cybercrime, initially an obscure backwater of law and criminology, has come of age. Most law students today will not be in a position to recall what life was like before the advent of personal computers, the Internet, and the World Wide Web. And the scope and velocity of developments in digital technology that they have experienced in their lifetime have been truly breathtaking. Today, it is hardly an exaggeration to suggest that ‘everything depends on software’. Readers of this book will learn that the use of a ‘carriage service’ to commit a crime has nothing to do with a coach-and-four.

Recent technological developments have had a dramatic impact on the law, as this book admirably demonstrates. Most cybercrimes are, fundamentally, traditional crimes committed with new means. Unauthorised access to a computer is akin to trespassing. Destruction or damage to digital information is vandalism. Fraud is fraud, whether it takes place online or in a face-to-face encounter. A threat is a threat, regardless of the medium by which it is communicated. And offensive materials may exist and be distributed in hard copy as they can be through social media.

So why do we need an entire body of legislation to cover cybercrime? In some cases, the law has been insufficiently flexible to embrace certain crimes. In the physical world, unauthorised access means unauthorised physical access, not electronic access achieved from a remote location. The law of theft was concerned with permanently depriving an owner of her tangible property, not copying strings of 1s and 0s and leaving the originals in place. Erasure of computer files was not quite the same as physical sabotage. And there was no terrestrial analogue to the dissemination of a computer virus. Indeed, in the year 2000, the Philippine Government was unable to charge the person responsible for the release of the ILOVEYOU virus because there was no existing statute relating to his conduct.

Then there are circumstances where the law might not adequately express its intentions. Prohibitions on unauthorised access to a computer or computer system do not quite reach those individuals whose access is authorised, but who have used this access for unauthorised purposes. Sometimes laws are framed so broadly, or so vaguely, that they require clarification or ‘reining-in’. Many young people today have taken to social media with such candour and naiveté that they nonchalantly bare their souls (and much else) online. In so doing, they may run afoul of laws prohibiting the possession and distribution of indecent images of children. This is not exactly what our lawmakers had in mind.

Cybercrime legislation may also come into being in response to ‘aorta’ demands. When a problem emerges, shrill voices from the public complain ‘Aorta do somethin’ about this’. I recall once conversing with a senior State-level legal bureaucrat whose government had recently introduced offensive-content legislation that struck me as being exceedingly difficult to implement. ‘How will you enforce this?’ I asked. ‘That’s not the point,’ he replied. There are times when governments must be seen to be doing something. New laws are convenient, and it is not surprising that their hasty enactment may result in a flawed product. More work for lawyers.

Criminal procedure law must also be adapted to the digital age. One of the most significant differences between cybercrime and terrestrial crime is the nature of evidence. There are differences in the form it takes, how it is stored, where it is located, how it is found, and in the physical limitations of what it will tell you. Fascinating issues have thus emerged. What authority is required in order to undertake a remote search of a server physically located in a foreign jurisdiction, or to seize data from ‘the cloud’? What measures can, or should be taken to ensure that volatile evidence is preserved?

The old adage that ‘cyberspace knows no boundaries’ also has implications for legislation. A cybercrime can be committed against a victim on the other side of the planet as easily as it can against a target next door. So it is that the offender, the victim and the evidence of a cybercrime can be located in three or more jurisdictions. If a person in Melbourne threatens someone in Toronto, where is the crime committed? Who will prosecute? The transnational nature of much cybercrime calls out for international co-operation; in particular, the necessity of harmonisation of substantive criminal law and criminal procedure law. Since cybercrime can be committed at the speed of light, the expedited development of a system of mutual legal assistance has become essential.

This book provides not only a welcome introduction to Australian cybercrime law, but also a detailed explication of the Council of Europe’s Convention on Cybercrime, the foremost international instrument available today for the control of cybercrime. I am aware of no other publication that sets out the law of cybercrime in such a lucid and comprehensive manner.

A key tenet of criminology is that crime follows opportunity. Today’s generation of law students have observed for themselves how every new technology and every new application has been vulnerable to criminal exploitation. We have already begun to experience the proliferation of interconnected devices, known euphemistically as the ‘Internet of Things’. These developments will often require legislative change in order to adequately control emerging forms of cybercrime.

This book will be useful as an up-to-date resource for undergraduate and other teaching, with inclusion of legislation, case extracts and other materials. Moreover, this book, and the successive editions that the evolution of cybercrime will almost certainly necessitate, will be of benefit not only to lawyers, but also to law enforcement officials and to the wider academic and policy community in steering a path through a complex and changing regulatory landscape.

Peter Grabosky
Professor Emeritus
Australian National University
Canberra
April 2015

Preface

The collection of legislation, cases and materials presented and discussed in Cybercrime: Legislation, Cases and Commentary is intended for use in teaching cybercrime courses, such as those taught at the University of Canberra. The format of the text will be familiar to law students, following the tradition of assembling primary legal materials such as legislation and case extracts, but the book also includes extracts from relevant reports as well as from academic and media articles. The linking commentary is intended to provide context and direction rather than being the main focus of attention.

Cybercrime is a relatively new and inter-disciplinary subject, currently taught in only a few Australian law schools. Related aspects of cybersecurity and technological misuse are dealt with in other disciplines, including security studies and criminology, but it is important to understand the legal basis of our responses to cybercrime within this broader context. This collection is thus offered as a resource for both law-focussed and other teachers and students taking on the challenge of understanding cybercrime.

The content is structured around four groupings of topics. First, following an exploration of how cybercrime is defined, come the topics of unauthorised access, modification and impairment. This trio includes ‘hacking’, ‘hacktivism’ and ‘cyberterrorism’ and introduces terminology such as ‘malware’, ‘botnets’ and ‘DDoS attacks’. Second, the discussion turns to financially motivated crimes, such as online fraud and forgery, identity crimes and criminal copyright infringement. The use of ‘spam’ is discussed in this context. The third grouping includes those kinds of cybercrime that most directly affect vulnerable individuals, including child pornography and child grooming, as well as cyberstalking and other forms of online harassment. This discussion includes recently emerging topics such as ‘sexting’ and ‘revenge porn’. Finally, aspects of investigation, prosecution and sentencing of cybercrime offenders are discussed, including the role played by intermediaries, such as Internet service providers (ISPs), in ‘data retention’.

The organisation of these topics follows the leading international agreement in the field, the Council of Europe’s Convention on Cybercrime, to which Australia acceded in 2013. The remaining legal focus is on Australian legislation, primarily the sections in the Criminal Code Act 1995 (Cth) pertaining to computer and telecommunications offences, as well as analogous State and Territory laws and cases illustrating their application. Where appropriate, tables have been used to summarise the main features of legislative provisions. Case extracts have been selected to illustrate the legal issues that arise, and to provide examples of how cybercrime laws operate in practice. Each chapter ends with ‘Questions for consideration’ that may be useful in tutorial or online discussions.

I hope that you will find this collection interesting and of value, whether you are using it to teach or to study cybercrime, or as law enforcement or legal professionals. Although it has a decidedly Australian focus, it should be noted that most countries are facing similar cybercrime challenges and many are adapting their laws to respond, with a growing number looking at each other’s laws and harmonising in line with the Convention on Cybercrime. The international nature of the subject is exemplified by the International Perspectives on Cybercrime program I have developed for the University of Canberra, which has included student group visits to the International Cybercrime Research Centre at Simon Fraser University in Vancouver, Microsoft’s Cybercrime Centre in Redmond, Washington, and to further destinations in Asia.

Finally, I wish to thank my research colleagues, principally Professor Peter Grabosky at the Australian National University, Canberra, and formerly at the Australian Institute of Criminology, where he and Dr Russell Smith invited me to collaborate on cybercrime projects over a decade ago. I also give thanks to my wife, Kristina, and our three boys for their patience with me while I try to balance academic work and travel with family commitments.

Gregor Urbas
Seoul, South Korea
June 2015

Table of Cases

References are to paragraph numbers

A

Abraham Seda Ghati v Sayan [2010] NSWWCCPD 74 …. 2.35
ALW v NSW Trustee and Guardian [2012] NSWADTAP 51 …. 5.20
Anders v Anders (No 2) [2008] FMCAfam 1125 …. 2.32
Ashcroft v Free Speech Coalition 535 US 235 (2002) …. 8.12
Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410; [2006] FCA 1399; [2008] FCA 130 …. 4.4, 5.29
— v Mobilegate Ltd — A Company Incorporated in Hong Kong [2009] FCA 539; [2009] FCA 887; [2009] FCA 1225; [2009] FCA 1507; [2009] FCA 1533; [2010] FCA 1197; [2010] FCA 1383 …. 5.29

B

Boden v The Queen B55/2002 [2003] HCATrans 828 …. 4.23
Brott v R [1992] HCA 5; (1992) 173 CLR 426 …. 5.21
Brown v Tasmania [2008] TASSC 33 …. 5.16
Butler v R [2012] NSWCCA 54 …. 2.21

C

Casilli v Wehrmann [2014] WASC 319 …. 2.10
CL v R [2014] NSWCCA 196 …. 2.21
Cox v Riley [1986] 83 Cr App R 54 …. 3.7
Crowther v Sala [2007] QCA 133 …. 10.9

D

Denlay v Commissioner of Taxation [2010] FCA 1434; [2011] FCAFC 63 …. 2.21
DLC Russo v Bartlett, Sinadov and Traikovski (unreported, Victorian Magistrates’ Court at Melbourne (Criminal Division), 29 June 2011) …. 3.26
DPP v Eades [2009] NSWSC 1352 …. 8.21
— v Gianello [2014] VCC 2015 …. 5.20
— v Ly [2014] VCC 1514 …. 7.23
— v Murdoch [1993] 1 VR 406 …. 2.9
— v Sutcliffe [2001] VSC 43 …. 10.10
DPP (Cth) v Rogers [1998] VSC 274; [1998] VSC 48 …. 2.10, 3.14
Dragojlovic v The Queen [2013] VSCA 151 …. 2.10
Duarte, Re (unreported, NSW Local Court, Sydney, 2007) …. 7.22

E

Eatock v Bolt [2011] FCA 1103 …. 10.23
Egglishaw v Australian Crime Commission [2006] FCA 819 …. 11.6

F

Faheem Khalid Lodhi v R [2007] NSWCCA 360 …. 4.27
Ferrus v Qld Police [2006] QCA 57 …. 5.20
Flanagan v Commissioner of Police [2008] NSWIRComm 11 …. 2.32

G

Gilmour v DPP (Cth) [1996] NSWSC 55 …. 2.10, 3.14
Grant v Marshall [2003] FCA 1161 …. 11.12
Griffiths v United States of America [2005] FCAFC 34; [2005] HCATrans 666 …. 12.17

H

Hale v R [2011] NSWDC 97 …. 1.12
Hamm v Middleton [1999] FCA 777; (1999) 44 IPR 656 …. 7.23
Hancock v R [2012] NSWCCA 200 …. 6.19
Hart v Commissioner, Australian Federal Police [2002] FCAFC 392 …. 11.4, 11.6
Harts Australia Limited v Commissioner, Australian Federal Police [2002] FCA 245 …. 11.4, 11.6
Henderson v Tasmania; Henderson v R [2012] TASCCA 12 …. 5.16
Hernandez v R [2013] NSWCCA 51 …. 3.27, 4.14
HG v The Queen (1999) 197 CLR 414 …. 12.6
Holland v The Queen [2005] WASCA 140 …. 8.14, 8.20

I

Interville Technology Pty Ltd v Commonwealth Office of the Director of Public Prosecutions [2009] FCA 481 …. 7.22

J

Johnston v Commissioner of Police [2007] NSWIRComm 73; [2007] NSWIRComm 293 …. 2.32
Johnstone v Tasmania [2011] TASCCA 9 …. 5.16
Jones v Toben [2002] FCA 1150 …. 10.23
— v — [2009] FCA 354 …. 10.23
Justins v R [2010] NSWCCA 242 …. 2.22

K

Kawada v Kawada (No 2) [2011] FamCA 658 …. 2.35
Kennedy v Baker [2004] FCA 562 …. 11.6
Kennison v Daire (1986) 160 CLR 129 …. 5.17, 6.17

L

Larkin v The Queen [2012] WASCA 238 …. 3.20
Le v The Queen [2007] FCA 1463 …. 7.22
Lodhi v Attorney General of New South Wales [2013] NSWCA 433 …. 4.27
— v The Queen [2008] HCATrans 225 …. 4.27
Ly v Jenkins [2001] FCA 1640 …. 7.23
— v The Queen [2014] FCAFC 175 …. 7.23

M

McCulloch v Tasmania [2010] TASCCA 21 …. 5.16
McEwen v Simmons [2008] NSWSC 1292 …. 8.13, 8.22
Minehan v R [2010] NSWCCA 140 …. 8.30
Molloy v McAdam [2008] FMCAfam 739 …. 2.35
Monis v The Queen [2013] HCA 4 …. 10.8
Morgan v Commissioner of Police [2011] NSWCA 134 …. 2.32
— v R [2014] NSWCCA 284 …. 4.14

N

Ng, Tran and Le, Re (unreported, NSW Local Court, Sydney, December 2003) …. 7.11

R

R v Assange [1996] VSC 60; [1996] VICSC 60; [1997] 2 VR 247 …. 2.11, 2.12
— v Bala [2004] NSWCCA 345 …. 2.21
— v Barrie [2012] SASCFC 124 …. 9.28, 11.30
— v Benbow [1991] TASSC 1992 …. 5.16
— v Bin Li and Kun Wang [2013] NSWDC 211 …. 5.23
— v Boden [2002] QCA 164 …. 2.12, 4.22, 4.23
— v Briggs [2013] QCA 110 …. 10.9
— v Brislan (1935) 54 CLR 262 …. 1.11
— v Burdon; Ex p A-G (Qld) [2005] QCA 147; (2005) 153 A Crim R 104 …. 9.21, 9.23
— v Columbus [2007] QCA 396 …. 2.28
— v Cooper [2012] ACTCA 9 …. 8.29
— v Fuller [2010] NSWCCA 192 …. 9.20, 9.24
— v Gajjar [2008] VSCA 268 …. 9.24, 9.32
— v Gedling [2007] SADC 124 …. 9.23
— v Gent [2005] NSWCCA 370; 162 A Crim R 29 …. 8.20
— v Goggins [2014] VCC 1086 …. 9.32
— v Gopurenko [2014] QCA 255 …. 5.20
— v Hampson [2011] QCA 132 …. 3.32, 10.13
— v Henderson [2009] ACTCA 20 …. 10.3
— v Idolo [1998] VSC 276; [1998] VICSC 57 …. 5.19
— v Illingworth [2014] QDC 229 …. 5.24
— v JM and SM [2010] NSWDC 318 …. 8.31
— v Justins [2008] NSWSC 1194 …. 10.22
— v Justins [2011] NSWSC 568 …. 10.22
— v Kennings [2004] QCA 162 …. 9.21, 9.24
— v Klinkermann [2013] VSC 65 …. 10.22
— v Larkin and Shee (unrep. District Court of WA, 2011) …. 3.20
— v Lodhi [2006] NSWSC 691 …. 4.27
— v McDonald and Deblaquiere [2013] ACTSC 122 …. 10.30
— v Moylan [2014] NSWSC 944 …. 6.28
— v Nielsen [2012] QSC 29 …. 10.22
— v Oliver [2003] 1 Cr App P 28 …. 8.25
— v PJ [2006] ACTSC 37 …. 1.11
— v Priest [2011] ACTSC 18 …. 9.22, 9.25–9.28, 11.30
— v Qian Lin [2014] NSWCCA 254 …. 5.23
— v Ritson (1869) LR 1 CCR 200 …. 5.21
— v Sharpe [2001] 1 SCR 45 …. 8.14
— v Shetty [2005] QCA 225 …. 9.19, 9.21, 9.24
— v Silva [2009] ACTSC 108 …. 8.15, 8.25
— v Stevens [1999] NSWCCA 69 …. 2.10
— v Stubbs [2009] ACTSC 63 …. 1.11, 8.17, 9.21, 9.23, 9.27, 9.28, 11.30
— v Tahiraj [2014] QCA 353 …. 2.22, 12.8, 12.22
— v TW [2011] ACTCA 25 …. 8.31
— v Walker [2008] NZHC 1114 …. 4.3
— v Whiteley (1991) 93 Cr App R 25 …. 1.9, 3.7
— v Zehir (1998) 104 A Crim R 109 …. 6.18
Rhatigan v Forbes [2009] WASC 368 …. 2.10
Ridgeway v The Queen (1995) 184 CLR 19 …. 9.26, 9.28
Ridley v R [2008] NSWCCA 324 …. 5.18
Roadshow Films Pty Ltd v iiNet Ltd [2012] HCA 16 …. 7.24
Russell & Russell [2012] FamCA 99 …. 2.35

S

Salter v DPP [2008] NSWSC 1325 …. 2.9
— v Director of Public Prosecutions [2009] NSWCA 357; [2011] NSWCA 190 …. 2.32
Sayed v The Queen [2012] WASCA 17 …. 5.18
Senton by his litigation guardian the Public Advocate of the Australian Capital Territory v Steen [2014] ACTSC 63 …. 5.20
SJ v The Queen [2012] VSCA 237 …. 8.20
Snell v Pryce (unreported, No SC 458 of 1989, NT Supreme Court) …. 2.10
Sutcliffe v DPP [2003] VSCA 34 …. 10.11

T

Toben v Jones [2003] FCAFC 137 …. 10.23

U

United States of America v Griffiths [2004] FCA 879 …. 5.15, 12.17
United States v Irey, 612 F.3d 1160 (11th Cir, 2010) …. 8.27, 8.32
Universal Music Australia Pty Ltd v Sharman License Holdings Ltd [2005] FCA 1242 …. 7.24

V

Vu v New South Wales Police Service [2007] FCA 1508 …. 7.22

W

Websyte Corporation Pty Ltd v Alexander [2012] FCA 69 …. 3.13
— v — (No 2) [2012] FCA 562 …. 3.13
Williams v Keelty [2001] FCA 1301 …. 11.6

Y

Yardborough & Chesterman [2014] FCCA 446 …. 2.16, 2.32, 3.13

Table of Statutes

References are to paragraph numbers

Commonwealth

Acts Interpretation Act 1901 …. 5.22, 6.29
s 2B …. 5.22
s 2C …. 6.29
Australian Capital Territory (Self-Government) Act 1988 …. 10.22
s 23 …. 10.22
Australian Crime Commission Act 2002 …. 11.27
Australian Federal Police Act 1979 …. 11.1
s 8 …. 11.1
Australian Security Intelligence Organisation Act 1979 …. 4.31
Circuit Layouts Act 1989 …. 7.2
Competition and Consumer Act 2010 …. 7.2
Copyright Act 1968 …. 5.22, 7.2, 7.3, 7.9–7.11, 7.14–7.18, 7.20–7.23
Pt V …. 7.2, 7.9, 7.14, 7.16, 7.17, 7.20
Pt V Div 2AA …. 7.20
Pt V Div 5 …. 7.9, 7.14, 7.16, 7.17
Pt V Div 5(B) …. 7.9, 7.16
Pt V Div 5(C) …. 7.17
Pt VAA …. 7.2
Pt VAA Div 3 …. 7.2
Pt IX …. 7.9
Pt XIA …. 7.2
Pt XIA Div 3 …. 7.2
s 10 …. 5.22, 7.9, 7.15
s 31 …. 7.9
s 36 …. 7.9
s 132AC …. 7.16
s 132AD …. 7.14, 7.17, 7.18
s 132AD(1) …. 7.19
s 132AD(3) …. 7.19
s 132AD(5) …. 7.19
s 132AE …. 7.14, 7.17
s 132AF …. 7.14, 7.17
s 132AG …. 7.14, 7.17
s 132AH …. 7.14, 7.17
s 132AI …. 7.14, 7.17
s 132AJ …. 7.14, 7.17
s 132AJ(1) …. 7.23
s 132AK …. 7.14, 7.17
s 132AL …. 7.14, 7.17
s 132AM …. 7.14, 7.17
s 133B …. 7.14, 7.18
s 248SA …. 7.14
Copyright Amendment Act 2006 …. 7.14, 7.16
Copyright Regulations 1969 …. 7.14, 7.18
Pt 6A …. 7.14, 7.18
Corporations Act 2001 …. 5.14, 6.28
Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 …. 2.9
Crimes Act 1914 …. 1.0, 1.11, 1.16, 2.10, 3.14, 3.18, 4.11, 4.31, 5.19, 5.28, 6.24, 7.19, 7.23, 9.28, 11.1, 11.3, 11.10, 11.12, 11.13, 11.24, 11.30, 12.4, 12.19, 12.21
Pt IAB …. 9.28, 11.30, 12.19, 12.20
Pt IAC …. 9.28, 11.30
Pt IAD …. 12.4
Pt ID …. 11.10
Pt VIA …. 1.16, 3.14
Pt VIIB …. 6.24
s 3K …. 11.3, 11.4, 11.6
s 3K(1) …. 11.4, 11.6
s 3K(2) …. 11.4
s 3K(2)(a) …. 11.6
s 3K(3) …. 11.4
s 3L …. 11.5, 11.6
s 3L(1) …. 11.7
s 3L(4) …. 11.6
s 3L(6) …. 11.6
s 3LA …. 11.9, 11.10, 11.24
s 3LAA …. 11.8
s 3LB …. 11.11
s 3M …. 11.12
s 4AA …. 5.28, 7.19
s 4B …. 7.19
s 15YI …. 12.4
s 15YJ …. 12.4
s 16A …. 12.19
s 16A(1) …. 7.23
s 16A(2) …. 7.23
s 16AAA …. 12.21
s 16D …. 12.20
s 19AC …. 7.23
s 76A …. 3.14
s 76B …. 3.14
s 76C …. 3.14, 3.18
s 76D …. 3.14
s 76E …. 3.14, 5.19
s 76F …. 3.14
Crimes Amendment (Controlled Operations) Act 1996 …. 9.28
Crimes (Currency) Act 1981 …. 5.24
Crimes Legislation Amendment Act 1989 …. 3.14
Crimes Legislation Amendment (Law Enforcement Integrity, Vulnerable Witness Protection and Other Measures) Act 2013 …. 12.21
Crimes Legislation Amendment (Serious and Organised Crime) Act (No 2) 2010 …. 11.8, 11.9
Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 …. 6.21
Crimes Legislation Amendment (Sexual Offences Against Children) Act 2010 …. 9.10, 9.11, 12.9
Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No 2) 2004 …. 1.11, 2.23, 6.16, 8.8, 9.10, 9.12, 9.13, 10.5
Criminal Code Act 1995 …. 1.0, 1.11, 1.12, 1.16, 1.17, 2.10, 2.16, 2.17, 2.19–2.26, 2.28, 2.30, 3.13–3.15, 3.17–3.19, 3.21, 3.24, 3.27, 3.33, 4.6–4.8, 4.10, 4.11, 4.14, 4.24–4.26, 4.29, 4.30, 4.35, 5.14, 5.18, 5.23, 6.16, 6.19, 6.20, 6.23, 6.24, 6.26–6.28, 7.9, 7.10, 7.19, 7.20, 8.8, 8.9, 8.11, 8.13–8.15, 8.17, 8.19, 8.22, 8.24, 9.9–9.11, 9.17, 9.18, 9.22, 9.24, 9.30, 9.32, 10.2, 10.5, 10.8, 10.9, 10.12, 10.21, 10.30, 11.1, 11.2, 11.20, 11.27, 11.29, 11.30, 12.1, 12.4, 12.9, 12.15, 12.25
Pt 5.1 …. 4.29
Pt 5.3 …. 4.24
Pt 7.3 …. 5.14
Pt 7.7 …. 5.14, 5.23
Pt 9.5 …. 6.20, 6.23
Pt 10.6 …. 1.11, 2.17, 2.21, 2.23, 3.13, 8.8, 9.10, 10.5, 10.12, 12.9, 12.15
Pt 10.7 …. 1.11, 1.16, 1.17, 2.17, 2.21, 3.15, 10.12, 11.27, 12.9, 12.15
Pt 10.8 …. 6.16, 6.17, 6.23
Pt 5.1 Div 91 …. 4.30
Pt 5.3 Div 100 …. 4.24
Pt 5.3 Div 101 …. 4.25
Pt 5.3 Div 102 …. 4.26
Pt 5.3 Div 103 …. 4.26
Pt 5.3 Div 104 …. 4.26
Pt 5.3 Div 105 …. 4.26
Pt 7.2 Div 271 …. 9.10
Pt 7.2 Div 272 …. 8.8, 9.10
Pt 9.5 Div 372 …. 6.21
Pt 9.5 Div 375 …. 6.26, 12.25
Pt 9.5 Div 376 …. 6.27
Pt 10.5 Div 471 …. 9.10
Pt 10.6 Div 474 …. 11.27, 11.30, 12.4
Pt 10.7 Div 477 …. 2.19, 3.17, 3.24, 4.9, 4.12, 4.13
Pt 10.7 Div 478 …. 2.30
s 4.1 …. 2.20
s 5.1 …. 2.20, 7.19
s 5.2(3) …. 2.20
s 5.4 …. 7.19, 9.17
s 5.5 …. 7.19
s 5.6 …. 2.20, 2.25, 3.18, 4.10, 7.19, 9.17
s 6.1 …. 7.19
s 6.2 …. 2.25
s 9.2 …. 2.25, 7.19
s 11.1 …. 2.26, 4.29
s 11.2 …. 3.33
s 11.4 …. 2.26, 4.29
s 11.5 …. 2.26, 4.29
s 11.5(1) …. 3.19
s 13.4 …. 9.11
s 15.1 …. 12.15
s 80.2C …. 4.29
s 91.1(1) …. 4.30
s 91.1(2) …. 4.30
s 91.1(3) …. 4.30
s 91.1(4) …. 4.30
s 91.1(5) …. 4.30
s 91.1(6) …. 4.30
s 91.1(7) …. 4.30
s 100.1 …. 4.24–4.26
s 101.1(1) …. 4.25
s 100.1(2)(f) …. 4.25
s 101.1(2) …. 4.25
s 101.2 …. 4.26
s 101.3 …. 4.26
s 101.4 …. 4.26
s 101.5 …. 4.26
s 101.6 …. 4.26
s 133.1 …. 5.18
s 134.1 …. 5.14
s 134.2 …. 5.14
s 135.1 …. 5.14
s 135.2 …. 5.14
s 135.4 …. 5.14
s 136.1 …. 5.14
s 137.1 …. 5.14
s 137.2 …. 5.14
s 144.1 …. 5.23
s 144.1(3) …. 5.23
s 145.1 …. 5.23
s 145.2 …. 5.23
s 145.3 …. 5.23
s 145.4 …. 5.23
s 145.5 …. 5.23
s 370.1 …. 6.20, 6.23
s 370.2 …. 6.20
s 372.1 …. 6.21
s 372.1A …. 6.21, 6.22
s 372.2 …. 6.23
s 372.3 …. 6.23
s 375.1 …. 6.26
s 375.2 …. 6.26
s 375.3 …. 6.27
s 375.4 …. 6.27
s 400.6 …. 2.28
s 424.25 …. 7.20
s 471.12 …. 10.8
s 473.1 …. 1.12, 2.17, 2.24, 2.25, 8.9–8.11, 8.15, 10.7
s 473.4 …. 8.10, 8.11, 8.13, 10.6, 10.7
s 474.2 …. 12.9
s 474.4 …. 2.37, 12.9
s 474.5 …. 9.22
s 474.6 …. 12.9
s 474.14 …. 2.16, 2.23, 2.25–2.29, 3.13, 7.10, 12.9
s 474.14(1) …. 2.24, 2.26–2.28
s 474.14(2) …. 2.24, 2.26, 2.27
s 474.14(4) …. 2.25
s 474.14(5) …. 2.26
s 474.14(6) …. 2.26
s 474.15 …. 10.5, 12.9
s 474.16 …. 10.5, 12.9
s 474.17 …. 9.22, 10.2, 10.5, 10.7, 10.9, 10.12, 10.13, 10.30, 10.31, 12.9
s 474.17(1) …. 10.9
s 474.18 …. 12.9
s 474.19 …. 8.17, 8.19, 12.9
s 474.19(1)(a)(i) …. 2.22, 8.13
s 474.19(1)(a)(iv) …. 2.22
s 474.20 …. 8.17, 8.19, 12.9
s 474.21 …. 8.17–8.19
s 474.22 …. 8.18, 12.9
s 474.22(1)(a)(i) …. 2.22
s 474.23 …. 8.18, 12.9
s 474.24 …. 8.18
s 474.24A …. 12.9
s 474.24B …. 8.18
s 474.24C …. 8.22
s 474.25 …. 8.24, 11.20
s 474.25A …. 9.11, 9.18, 12.9
s 474.25A(1) …. 9.11
s 474.25A(2) …. 9.11
s 474.25B …. 9.11
s 474.26 …. 9.9, 9.12–9.14, 9.18, 9.19, 9.21, 9.22, 9.24, 12.9
s 474.26(1) …. 2.22
s 474.27 …. 9.9, 9.13, 9.14, 9.18, 9.19, 9.24, 12.9
s 474.27(3) …. 9.9
s 474.27A …. 9.13, 9.15, 9.19, 9.30, 12.9
s 474.28 …. 9.11
s 474.28(1) …. 9.18
s 474.28(3) …. 9.19
s 474.28(9) …. 9.20
s 474.29 …. 9.11, 9.18
s 474.29(1) …. 9.11
s 474.29A …. 10.21, 10.22
s 474.29A(3) …. 10.22
s 474.29A(4) …. 10.22
s 474.29B …. 10.21
s 475.2 …. 10.12, 12.15
s 476.1 …. 2.16, 2.17, 3.13, 3.15, 3.27, 4.6, 4.7
s 476.1(2) …. 2.18, 4.14
s 476.2 …. 2.16, 2.17, 3.13, 3.15, 4.6, 4.7, 11.29
s 476.2(1) …. 2.18
s 476.2(3) …. 3.16
s 476.2(4) …. 2.18
s 476.3 …. 10.12, 12.15
s 477.1 …. 2.16, 2.19–2.23, 2.26, 2.27, 2.30, 3.13, 3.14, 4.6, 4.8, 7.10, 12.9
s 477.1(1) …. 2.20, 2.22
s 477.1(1)(a)(iii) …. 4.8
s 477.1(1)(c) …. 2.20, 4.8
s 477.1(1)(d) …. 4.8
s 477.1(3) …. 2.20
s 477.1(4) …. 2.20
s 477.1(7) …. 2.20
s 477.1(8) …. 2.20
s 477.1(9) …. 2.20
s 477.2 …. 3.13, 3.17–3.19, 3.21, 3.22, 3.33, 7.10, 12.9
s 477.2(1) …. 3.18, 3.19
s 477.2(1)(b) …. 3.18
s 477.2(1)(c) …. 3.18
s 477.2(2) …. 3.17
s 477.2(3) …. 3.18
s 477.3 …. 4.6, 4.9, 4.10, 4.13, 4.35, 12.9
s 477.3(1)(b) …. 4.10
s 477.3(2) …. 4.9
s 478.1 …. 2.16, 2.18, 2.30–2.32, 3.13, 3.24, 3.33, 4.13, 7.10, 12.9
s 478.1(1)(a) …. 2.32
s 478.1(2) …. 2.30, 3.24
s 478.2 …. 4.6, 4.11, 12.9
s 478.3 …. 2.16, 3.13, 4.6, 4.12, 4.13, 12.9
s 478.4 …. 2.16, 3.13, 4.6, 4.12, 12.9
s 480.1 …. 5.18, 6.23
s 480.1(1) …. 6.16
s 480.4 …. 6.17, 6.19
s 480.5 …. 6.17
s 480.6 …. 6.17
s 743.5 …. 7.20
Criminal Code Amendment (Suicide Related Material Offences) Act 2005 …. 10.21
Criminal Code Amendment (Theft, Fraud, Bribery and Related Offences) Act 2000 …. 5.14
Customs Act 1901 …. 1.11, 1.16, 5.24, 8.14, 11.1, 11.5, 11.8, 11.9, 11.11, 11.12
s 200 …. 11.3
s 201 …. 11.5
s 201A …. 11.9
s 201B …. 11.11
s 202 …. 11.12
s 233BAB …. 8.14
Customs Regulations …. 8.14
reg 4A(1)(b) …. 8.14
Cybercrime Act 2001 …. 1.0, 1.11, 1.16, 1.17, 2.17, 2.19, 2.30, 2.31, 3.15, 3.17, 3.21, 4.9, 11.1, 11.3, 11.5, 11.9, 11.11, 11.12
s 477(1) …. 3.21
s 477(2) …. 3.21
Cybercrime Legislation Amendment Act 2012 …. 1.17, 2.19, 2.20, 2.23, 2.30, 3.17, 3.24, 4.8, 4.9, 6.16, 11.18, 11.27
Death Penalty Abolition Act 1973 …. 12.20
Defence Act 1903 …. 4.31
Defence Force Discipline Act 1982 …. 4.31
Designs Act 2003 …. 7.2
Director of Public Prosecutions Act 1983 …. 12.1
Enhancing Online Safety for Children Act 2015 …. 10.16, 10.18, 10.19, 12.25
Pt 3 …. 10.19
Pt 4 …. 10.19
Pt 5 …. 10.19
Pt 6 …. 10.19
s 5 …. 10.17
s 18 …. 10.18
Evidence Act 1995 …. 2.32, 9.18, 9.22, 9.26, 11.11, 12.6
s 79 …. 12.6
s 128 …. 11.10
s 138 …. 2.32, 9.22, 9.26, 11.11
s 138(1) …. 9.26
s 141 …. 9.18
Evidence Amendment Act 2008 …. 12.6
Extradition Act 1988 …. 2.25, 12.16, 12.17
Family Law Act 1975 …. 10.5
s 4AB …. 10.5
s 68C …. 10.5
s 114AA …. 10.5
Income Tax Assessment Act 1997 …. 5.14
Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Act 2011 …. 6.21
Mutual Assistance in Criminal Matters Act 1987 …. 12.16
National Security Information (Criminal and Civil Proceedings) Act 2004 …. 4.31
Northern Territory (Self-Government) Act 1978 …. 10.22
s 5A …. 10.22
Patents Act 1990 …. 7.2
Plant Breeder’s Rights Act 1994 …. 7.2
s 74 …. 7.2
Privacy Act 1988 …. 3.22
Racial Discrimination Act 1975 …. 10.23, 10.25
s 18C …. 10.23
Security Legislation Amendment (Terrorism) Act 2002 …. 4.26
Social Security (Administration) Act 1999 …. 5.14
Spam Act 2003 …. 4.4, 5.27, 5.28
s 4 …. 5.27
s 5 …. 5.27
s 6 …. 5.27
s 16 …. 5.28
s 17 …. 5.28
s 18 …. 5.28
s 20 …. 5.28
s 21 …. 5.28
s 22 …. 5.28
s 27 …. 5.28
Surveillance Devices Act 2004 …. 11.11, 11.28, 11.29
Telecommunications Act 1997 …. 1.11, 1.12, 2.24, 7.20, 8.17, 8.24, 11.19, 11.20
s 7 …. 8.17
s 313 …. 8.24, 11.19, 11.20
s 313(1) …. 8.24
s 313(3) …. 11.20
Telecommunications (Interception and Access) Act 1979 …. 2.33, 2.35, 2.37, 2.38, 6.24, 11.18, 11.19, 11.21, 11.26, 11.27
Ch 3 …. 11.18
Ch 4 …. 11.18
Pt 2–2 …. 2.36, 11.26
Pt 2–3 …. 2.36, 11.26
Pt 2–4 …. 2.36, 11.26
Pt 2–5 …. 2.36, 11.26
Pt 3–1 …. 11.18
Pt 3–1A …. 11.18
Pt 3–2 …. 2.36, 11.26
Pt 3–3 …. 2.36, 11.26
Pt 4–1 …. 11.21
Pt 4–1 Div 4C …. 11.21
Pt 5–1A …. 11.21

Pt 5–3 Div 1 …. 11.21
s 5 …. 2.33, 11.18
s 5D …. 11.27
s 7 …. 2.34
s 7(1) …. 2.35
s 105 …. 2.35
s 172 …. 11.18
s 180G …. 11.21
s 187A …. 11.21
s 187AA …. 11.21
s 187B …. 11.21
s 187BA …. 11.21
s 187C …. 11.21
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 …. 11.21
Therapeutic Goods Act 1989 …. 5.24
Trade Marks Act 1995 …. 7.2, 7.9, 7.21–7.23
Pt 14 …. 7.2
s 148(1) …. 7.23
Trade Practices Act 1974 …. 7.2

Australian Capital Territory

Crimes Act 1900 …. 8.11, 8.19, 9.9, 10.2, 10.4, 10.20, 10.30
s 17 …. 10.20
s 35 …. 10.2, 10.4
s 35(3) …. 10.2
s 35(4) …. 10.2
s 35(5) …. 10.2
s 60(1) …. 10.30
s 64 …. 8.19
s 64(5) …. 8.11
s 64A …. 8.19
s 65 …. 8.19
s 65(3) …. 8.19
s 66(1) …. 9.9
s 66(2) …. 9.9
Crimes (Assumed Identities) Act 2009 …. 9.28
Crimes (Child Sex Offenders) Act 2005 …. 8.32
Crimes (Controlled Operations) Act 2008 …. 9.28
Criminal Code 2002 …. 2.16, 2.31, 3.13, 4.6, 4.14, 5.14, 5.18, 5.23
Pt 3.3 …. 5.14
Pt 3.6 …. 5.14, 5.23
s 325 …. 5.18
s 326 …. 5.14
s 332 …. 5.14
s 333 …. 5.14
s 334 …. 5.14
s 335 …. 5.14
s 336A …. 5.14
s 337 …. 5.14
s 338 …. 5.14
s 339 …. 5.14
s 346 …. 5.23
s 347 …. 5.23
s 348 …. 5.23 s 349 …. 5.23 s 412 …. 2.16, 3.13, 4.6 s 413 …. 2.16, 3.13, 4.6, 4.14 s 414 …. 2.16, 3.13, 4.6 s 415 …. 2.16, 3.13, 4.6 s 416 …. 3.13 s 417 …. 4.6 s 418 …. 2.16, 3.13, 4.6 s 419 …. 2.16, 3.13, 4.6 s 420 …. 2.16, 2.31, 3.13 s 421 …. 4.6 Criminal Code (Theft, Fraud, Bribery and Related Offences) Amendment Act 2004 …. 5.14 Criminal Proceedings Legislation Amendment Act 2011 …. 8.29 Human Rights Act 2004 …. 9.26 s 21 …. 9.26 New South Wales Crimes Act 1900 …. 2.16, 2.21, 2.31, 2.32, 3.13, 3.21, 3.27, 4.6, 4.14, 5.14, 5.18, 5.23, 6.21, 6.28, 8.4, 8.11, 8.13, 8.19, 9.9, 10.22, 10.28 Pt 3 Div 15B …. 10.28 Pt 4AA …. 5.14 Pt 4AB …. 5.14, 6.21 Pt 5 …. 5.14, 5.23 s 4(1) …. 2.21 s 31B …. 10.22

s 61JA …. 8.4 s 66EB …. 9.9 s 66EB(3) …. 9.9 s 91FA …. 8.11 s 91FB …. 8.11 s 91FB(3) …. 8.13 s 91G …. 8.19 s 91H …. 8.19 s 91H(3) …. 8.13 s 91HA …. 8.19 s 91I …. 10.28 s 91J …. 10.28 s 91K …. 10.28 s 91L …. 10.28 s 91M …. 10.28 s 192B …. 5.18 s 192E …. 5.14 s 192F …. 5.14 s 192G …. 5.14 s 192H …. 5.14 s 250 …. 6.28 s 253 …. 5.23, 6.28 s 254 …. 5.23 s 255 …. 5.23 s 256 …. 5.23 s 308 …. 2.16, 4.6 s 308A …. 2.16, 3.13, 4.6, 4.14

s 308B …. 2.16, 3.13, 4.6 s 308C …. 2.16, 2.21, 3.13, 4.6 s 308C(3) …. 2.21 s 308D …. 3.13, 3.21 s 308E …. 3.27, 4.6, 4.14 s 308F …. 2.16, 3.13, 4.6 s 308G …. 2.16, 3.13, 4.6 s 308H …. 2.16, 2.31, 2.32, 3.13 s 308I …. 4.6 Crimes Amendment (Child Pornography and Abuse Material) Act 2010 …. 8.29 Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 …. 5.14, 6.21 Crimes Amendment (Sexual Offences) Act 2008 …. 10.29 Crimes Amendment (Sexual Procurement or Grooming of Children) Act 2007 …. 9.9 Crimes (Domestic and Personal Violence) Act 2007 …. 10.4 s 13 …. 10.4 Evidence Act 1995 …. 2.32 s 138 …. 2.32 Law Enforcement and National Security (Assumed Identities) Act 2010 …. 9.28 Law Enforcement (Controlled Operations) Act 1997 …. 9.28 Northern Territory Criminal Code Act …. 2.10, 2.16, 3.13, 4.6, 5.14, 5.23, 6.21, 8.11, 8.19, 9.9, 10.4 Pt IV …. 5.14

Pt IV Div 2 …. 5.14 Pt IV Div 2A …. 5.14 Pt IV Div 4 …. 5.14 Pt IV Div 7 …. 5.14 Pt VII …. 6.21 Pt VII Div 2A …. 6.21 s 125A …. 8.11 s 125B …. 8.19 s 125E …. 8.19 s 131 …. 9.9 s 132 …. 9.9 s 189 …. 10.4 s 222 …. 2.10 s 227 …. 5.14 s 258 …. 5.23 s 276 …. 2.16, 3.13, 4.6 s 276A …. 2.16, 3.13, 4.6 s 276B …. 2.16 s 276C …. 3.13 s 276D …. 4.6 Criminal Code Amendment (Identity Crime) Act 2014 …. 6.21 Summary Offences Act …. 5.14 s 60A …. 5.14 Queensland Crime and Misconduct Act 2001 …. 9.28 Pt 6A …. 9.28

Pt 6B …. 9.28 Criminal Code Act 1899 …. 2.4, 2.16, 2.22, 3.13, 4.6, 4.23, 5.14, 5.23, 6.21, 8.11, 8.19, 9.9, 9.21, 10.4 Ch 33A …. 10.4 s 207A …. 8.11 s 218A …. 9.9, 9.21 s 228A …. 8.19 s 228B …. 8.19 s 228C …. 8.19 s 228D …. 2.22, 8.19 s 228E …. 8.19 s 359A …. 10.4 s 359B …. 10.4 s 359C …. 10.4 s 359D …. 10.4 s 359E …. 10.4 s 359F …. 10.4 s 408C …. 5.14 s 408D …. 4.23, 6.21 s 408E …. 2.4, 2.16, 3.13, 4.6 s 488 …. 5.23 s 510 …. 5.23 Criminal Code and Civil Liability Amendment Act 2007 …. 6.21 Police Powers and Responsibilities Act 2000 …. 9.28 Ch 11 …. 9.28 Ch 12 …. 9.28

South Australia Criminal Investigation (Covert Operations) Act 2009 …. 9.28, 11.30 Criminal Law Consolidation Act 1935 …. 2.16, 3.13, 4.6, 5.14, 5.17, 5.23, 6.21, 8.11, 8.19, 9.9, 9.23, 10.4 Pt 5A …. 5.14, 5.23, 6.21 s 19AA …. 10.4 s 62 …. 8.11 s 63 …. 8.19 s 63A …. 8.19 s 63A(2) …. 8.19 s 63B …. 9.9, 9.23 s 63B(3) …. 9.23 s 86B …. 2.16, 3.13, 4.6 s 86C …. 2.16, 3.13, 4.6 s 86E …. 2.16, 3.13, 4.6 s 86F …. 2.16, 3.13, 4.6 s 86I …. 2.16, 3.13, 4.6 s 131 …. 5.17 s 139 …. 5.14 s 140 …. 5.14, 5.23 s 141 …. 5.14, 5.17, 5.23 s 142 …. 5.14, 5.23 Criminal Law Consolidation (Child Pornography) Amendment Act 2004 …. 9.23 Criminal Law Consolidation (Identity Theft) Amendment Act 2003 …. 6.20, 6.21 Criminal Law Consolidation (Offences of Dishonesty) Amendment Act 2002 …. 5.17

Criminal Law (Undercover Operations) Act 1995 …. 9.28 Tasmania Crime (Confiscation of Profits) Act 1993 …. 5.16 s 67(2) …. 5.16 Criminal Code Act 1924 …. 2.16, 3.13, 4.6, 5.14, 5.16, 5.23, 5.29, 8.11, 8.19, 9.9, 10.4 Ch XXVIII …. 5.14 Ch XXVIIIA …. 5.14 Ch XXX …. 5.14 Ch XXXII …. 5.14, 5.23 s 1A …. 8.11 s 125D …. 9.9 s 130 …. 8.19 s 130A …. 8.19 s 130B …. 8.19 s 130C …. 8.19 s 130D …. 8.19 s 130E …. 8.19 s 192 …. 10.4 s 250 …. 5.14, 5.16 s 251 …. 5.14 s 252 …. 5.14 s 252A …. 5.14, 5.16 s 253 …. 5.14 s 253A …. 5.14 s 254 …. 5.14

s 257A …. 2.16, 3.13, 4.6 s 257B …. 5.14, 5.16, 5.29 s 257C …. 3.13, 4.6 s 257D …. 2.16 s 257E …. 3.13 s 258 …. 5.16 s 278 …. 5.16, 5.23 s 279 …. 5.16 s 288 …. 5.16 s 296(1)(a) …. 5.16 s 299 …. 5.16 Police Powers (Assumed Identities) Act 2006 …. 9.28 Police Powers (Controlled Operations) Act 2006 …. 9.28 Victoria Crimes Act 1958 …. 2.16, 2.31, 3.13, 3.26, 4.6, 5.14, 5.19, 5.23, 8.11, 8.19, 9.9, 9.32, 10.4, 10.11, 10.22 Pt 1 …. 6.21 Pt 1 Div 2AA …. 6.21 s 6B …. 10.22 s 21A …. 10.4, 10.11 s 49B …. 9.9 s 49B(2) …. 9.9 s 67A …. 8.11 s 68 …. 8.19 s 68(1A) …. 8.19 s 68(2) …. 8.19

s 68(3) …. 8.19 s 68(4) …. 8.19 s 69 …. 8.19 s 69(2) …. 8.19 s 70(2) …. 8.19 s 70(3) …. 8.19 s 70(4) …. 8.19 s 70(5) …. 8.19 s 70(6) …. 8.19 s 70AAA …. 8.19 s 81 …. 5.14, 5.19 s 82 …. 5.14 s 83A …. 5.23 s 83B …. 5.23 s 247A …. 2.16, 3.13, 4.6 s 247B …. 2.16, 3.13, 4.6 s 247C …. 3.13, 3.26 s 247D …. 4.6 s 247E …. 2.16, 3.13, 4.6 s 247F …. 2.16, 3.13, 4.6 s 247G …. 2.16, 2.31, 3.13 s 247H …. 4.6 Crimes Amendment (Grooming) Act 2014 …. 9.9 Crimes Amendment (Identity Crime) Act 2009 …. 6.21 Crimes Amendment (Sexual Offences and Other Matters) Act 2014 …. 8.23, 9.9 Crimes (Assumed Identities) Act 2004 …. 9.28

Crimes (Controlled Operations) Act 2004 …. 9.28 Racial and Religious Tolerance Act 2001 …. 10.25 s 24 …. 10.25 s 25 …. 10.25 Summary Offences Act 1966 …. 2.9, 8.23, 9.32, 10.29 s 9A …. 2.9 s 40 …. 8.23 s 41DA …. 8.23 s 41DB …. 8.23 Summary Offences Amendment (Upskirting) Act 2007 …. 10.29 Western Australia Criminal Code Act Compilation Act 1913 …. 2.16, 3.13, 4.6, 5.14, 5.23, 6.21, 8.11, 8.19, 9.9, 10.4 Ch LI …. 6.21 Ch XL …. 5.14, 5.23 Ch XLI …. 5.14, 5.23 Ch XLII …. 5.14, 5.23 s 204B …. 9.9 s 217 …. 8.19 s 217A …. 8.11 s 218 …. 8.19 s 219 …. 8.19 s 220 …. 8.19 s 221A …. 8.19 s 338D …. 10.4 s 338E …. 10.4

s 409 …. 5.14 s 440A …. 2.16, 3.13, 4.6 s 473 …. 5.23 Criminal Investigation (Covert Powers) Act 2012 …. 9.28 INTERNATIONAL Canada Criminal Code …. 9.0 s 172.1 …. 9.0 Philippines Electronic Commerce Act 2000 …. 2.4 s 33 …. 2.4 United Kingdom Computer Misuse Act 1990 …. 1.9, 3.7 s 1 …. 3.7 s 2 …. 3.7 s 3 …. 3.7 Criminal Damage Act 1971 …. 3.7 s 1 …. 3.7 United States of America CAN-SPAM Act 2003 …. 5.27 Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today (PROTECT) Act of 2003 …. 8.12

Contents

Foreword
Preface
Table of Cases
Table of Statutes

Part 1 Introduction
Chapter 1 What is Cybercrime?

Part 2 Unauthorised Access, Modification and Impairment
Chapter 2 Unauthorised Access
Chapter 3 Unauthorised Modification
Chapter 4 Unauthorised Impairment

Part 3 Online Financial and Property Crimes
Chapter 5 Online Fraud and Forgery
Chapter 6 Identity Crimes and Card Skimming
Chapter 7 Online Copyright Crimes

Part 4 Online Child Exploitation and Other Privacy Crimes
Chapter 8 Child Pornography
Chapter 9 Online Child Grooming
Chapter 10 Cyberstalking, Online Harassment and Voyeurism

Part 5 Investigation, Prosecution and Judicial Issues
Chapter 11 Investigating Cybercrime
Chapter 12 Prosecuting and Sentencing Cyber Criminals

Index


Part 1 Introduction


Chapter 1 What is Cybercrime?

Chapter contents
Definitions …. 1.0
Cybercrime laws …. 1.9
Questions for consideration

Definitions

1.0 The study of cybercrime begins with its definition. First, it is useful to note that the term ‘cybercrime’ is neither universally adopted nor precisely defined in legal analysis, despite the occasional reference in legislation.1 Rather, terminology has evolved along with the development of computers and related technology, with recognition of their potential for criminal misuse:2

As computers developed, so did also crimes associated with their use. Mankind will always have to live with criminal activity, and as a result of the conversion to computer usage, new methods of perpetrating crime occurred. The term computer crime or computer-related crime [emphasis added] was used as a description of this new phenomenon.

1.1 A pioneering study by Sieber (1998) listed six ‘waves’ of legal responses to computer-related crime dating from the 1970s:3

1. protection of privacy (eg, criminalising intrusions into public databases containing citizens’ information);
2. economic criminal law (eg, dealing with online fraud and theft, including commercial espionage);
3. protection of intellectual property (eg, extending patent, copyright and trade mark protection to the online realm);
4. illegal and harmful contents (eg, focussing on online hate speech, racial vilification, child pornography, etc);
5. criminal procedural law (eg, allowing search and seizure of computers and data, cross-border flows of information between law enforcement agencies, mutual legal assistance and extradition of suspects);
6. security law (eg, recognising that computer systems support national critical infrastructure to such an extent that cyber-attacks may constitute security threats or even acts of war, especially if backed by nation states).

1.2 It will be seen from the above list that the focus of these early concerns with computer-related crimes was not very different from preexisting laws, both civil and criminal, around such interests as privacy, property and security. Brenner (2001) offered an analysis of cybercrime using the traditional criminal law categories of crimes against persons, crimes against property, crimes against morality, crimes against the administration of justice and crimes against the state. Her analysis suggested that many ‘real world’ crimes, including physical harm offences such as homicide, could be committed by computer-related or ‘virtual’ means:4

It would, for example, be possible to commit homicide by hacking into the computer system of a hospital and altering the records establishing the type and dosage of medication a patient is to receive so that the patient actually receives a lethal dose of medication. This is a traditional offense – murder – being committed in a non-traditional fashion, by a perpetrator who may be hundreds or even thousands of miles away from the victim at the time death occurs. As such, it is certainly an example of the ‘remote perpetrator’ scenario …

1.3 Crimes involving computers and related communications technologies, such as the World Wide Web (www) and the Internet, subsequently came to be discussed, particularly in criminological writing, using terms as varied as:

computer crime;5
computer-related crime;6
digital crime;7
electronic crime or e-crime;8
virtual crime;9
Internet crime;10
online crime;11
hi-tech crime or technology-enabled crime.12

1.4 These descriptors have been largely replaced by the term ‘cybercrime’, used initially in novels and media stories, and subsequently in academic analysis:13

First coined by William Gibson (1982) and then popularized in his 1984 novel Neuromancer, the term ‘cyberspace’ became a popular descriptor of the mentally constructed virtual environment within which networked computer activity takes place. ‘Cybercrime’ broadly describes the crimes that take place within that space and the term has come to symbolize insecurity and risk online. By itself, cybercrime is fairly meaningless because it tends to be used metaphorically and emotively rather than scientifically or legally, usually to signify the occurrence of harmful behaviour that is somehow related to the misuse of a networked computer system …

1.5 As noted, ‘cybercrime’ is not a precise technical or legal term, which is regarded by some commentators as ‘problematic as it impacts every facet of prevention and remediation’.14 Therefore, criminologists have sought to provide some greater content and precision through expanded definitions:15

The concept of cybercrime we have chosen to adopt derives from the now widely accepted conception of cybercrime as entailing conduct proscribed by legislation and/or common law as developed in the courts, that:

involves the use of digital technologies in the commission of the offence; or
is directed at computing and communications technologies themselves; or
is incidental to the commission of other crimes.

1.6 Examples of the above three categories abound. The first, in which digital technologies are used in the commission of a criminal offence, includes online fraud and other financially motivated crimes, personal crimes such as cyberstalking and online child exploitation, and criminal damage or harm caused by means of a cyber-attack, potentially including cyberterrorism. The second category includes attacks against computers and data more directly, widely known as ‘hacking’, as well as the use of malicious software or ‘malware’, botnets and other tools used to gain unauthorised access to and compromise computer systems. The third category might include the use of Internet communications, encryption or steganography to plan, organise or hide the evidence of any crime.

1.7 Evidently, these categories can overlap, as well as being interconnected with other, more traditional, forms of crime. This raises a favourite discussion topic of some criminologists, which is whether cybercrime represents genuinely new forms of criminality, or is merely the result of criminals adopting modern technologies to do what they have always done — to steal, defraud, damage and injure. The debate is encapsulated in the titles ‘New Wine, No Bottles?’ and ‘Old Wine in New Bottles?’ used in seminal articles. Grabosky (2001), in arguing for the second view, stated:16

I suggest that ‘virtual criminality’ is basically the same as the terrestrial crime with which we are familiar. To be sure, some of the manifestations are new. But a great deal of crime committed with or against computers differs only in terms of the medium. While the technology of the medium, and particularly its efficiency, may be without precedent, the crime is fundamentally familiar. It is less a question of something completely different than a recognizable crime committed in a completely different way.

1.8 While it may be true that many, if not all, types of cybercrime have a familiar ‘terrestrial’ counterpart, it does not follow that existing laws defining the latter as offences can necessarily be applied without substantial amendment to the online environment. Leaving aside the complications of jurisdiction where cybercrime is committed across national borders, cybercrimes can raise new legal problems.

Cybercrime laws

1.9 As noted above, part of the definition of ‘cybercrime’ is that the conduct under consideration must in fact be a crime, or ‘conduct proscribed by legislation and/or common law as developed in the courts’.17 In some cases, the computer-related aspect of criminal offending presents no legal difficulties. When fraudsters operating the ‘Nigerian 419’ and similar scams migrated from hand-written or photocopied letters to email, for example, they could still be prosecuted under existing fraud offences, as long as they could be identified and charged.18 It should be noted, of course, that fraudsters using this or other scams can be of any nationality.19 However, the emergence of computer crimes such as ‘hacking’ and virus dissemination posed greater challenges to investigators and courts.20

1.10 The now infamous example of the ‘Love Bug’ virus illustrates:21

In early May of 2000, a computer virus known as the ‘love bug’ emerged and spread rapidly around the globe. According to one report, the virus, which was designed to disseminate itself and to destroy various kinds of files on a victim’s computer, ‘infected at least 270,000 computers in the first hours’ after it was released. The ‘love bug’ forced the shutdown of computers at large corporations such as Ford Motor Company and Dow Chemical Company, as well as the computer system at the House of Lords. After security experts determined that the virus had come from the Philippines, investigators from the Philippines and from the United States set about tracking down the person(s) who created and disseminated it. They were frustrated in this effort by the Philippines’ lack of computer crime laws: For one thing, it took days for investigators to obtain a warrant to search the home of their primary suspect; local prosecutors had to comb through Philippines statutes to find laws that might apply to the dissemination of the virus, and then had to persuade a judge to issue a search warrant on the basis of one possibility. For another, when a suspect — Onel de Guzman — was eventually apprehended, there were no laws criminalizing what he had done. The Philippines had no statutes making it a crime to break into a computer system, to disseminate a virus or other harmful software or to use a computer in an attempt to commit theft. Lacking the ability to charge de Guzman with precisely what he had done — e.g., with disseminating a virus — Philippine prosecutors charged him with theft and with violating a statute that covered credit card fraud. Those charges were eventually dropped after the Department of Justice determined that ‘the credit card law [did] not apply to computer hacking and that investigators did not present adequate evidence to support the theft charge’.

1.11 At around the same time, Australia was in the process of modernising its computer crime laws, particularly at the Commonwealth level. The Cybercrime Act 2001 (Cth) updated existing offences which were directed at the protection of Commonwealth computers and data, and moved these to the Criminal Code Act 1995 (Cth).22 However, in so doing, it added new offences that were not limited to Commonwealth computers and data, instead relying on the Commonwealth’s constitutional legislative power over telecommunications.23 In a prescient judgment more than six decades earlier, the then Chief Justice of the High Court stated:24

The common characteristic of postal, telegraphic and telephonic services, which is relevant in this connection is, in my opinion, to be found in the function which they perform. They are, each of them, communication services. This is also the characteristic of a broadcasting service in all its forms, which is therefore, in my opinion, a ‘like service’ within the meaning of sec. 51(v) of the Constitution. If a new form of communication should be discovered, it too might be made the subject of legislation as a ‘like service’.

1.12 Thus, the fact that almost all computers, as well as portable devices such as mobile phones and tablets, are nowadays connected to telecommunications networks, including the Internet, gives the Commonwealth legislation very wide application.25 The analysis undertaken in subsequent chapters of this book therefore concentrates on Commonwealth laws, though mentioning State and Territory laws, and occasionally foreign laws, mainly to highlight variations.26 In practice, both Commonwealth and State/Territory laws are often used in prosecuting offenders.

1.13 At the international level, despite some developmental policy work on computer-related crime by the Organization for Economic Cooperation and Development (OECD) and the United Nations, the most widely recognised multilateral agreement to date is the Council of Europe’s Convention on Cybercrime, which came into force in 2004 for those countries that had signed and ratified it. Australia signed and ratified in 2012 and the Convention on Cybercrime came into force for Australia on 1 March 2013.27

Council of Europe Convention on Cybercrime

The Council of Europe’s Convention on Cybercrime was opened for signature in November 2001. Signatories include over 40 European countries, as well as (nonmember states of the Council of Europe) Canada, Japan, South Africa and the United States. The convention required five ratifications to come into force, which occurred on 1 July 2004 … The comprehensive substantive and procedural provisions of the convention are designed to assist with the harmonisation process, while affording adequate protection for due process and human rights.

Categories of cybercrime offences and liability dealt with in Chapter II of the Convention include:

offences against the confidentiality, integrity and availability of computer data and systems:
  — illegal access
  — illegal interception
  — data interference
  — system interference
  — misuse of devices
computer-related offences:
  — computer-related forgery
  — computer-related fraud
content-related offences:
  — offences related to child pornography
offences related to copyright infringement and related rights
ancillary liability and sanctions:
  — attempt and aiding or abetting
  — corporate liability
  — sanctions and measures.

Chapter II goes on to canvass procedural matters such as collection and preservation of evidence, production orders, search and seizure, data interception and jurisdictional issues. In particular, the procedural provisions cover:

expedited preservation of stored data
expedited preservation and partial disclosure of traffic data
production orders
search and seizure of stored computer data
real-time collection of data traffic
interception of content data
jurisdiction.

Chapter III deals with mechanisms for international cooperation, such as extradition and mutual assistance. These provisions supplement existing multilateral and bilateral treaties and arrangements. In particular, the following issues are covered:

extradition
mutual assistance
spontaneous information
procedures for mutual assistance in the absence of international agreements
confidentiality and limitation on use
expedited preservation of stored data
expedited disclosure of preserved traffic data
mutual assistance regarding accessing of stored data
transborder access to stored data with consent or where publicly available
mutual assistance regarding real-time collection of traffic data
mutual assistance regarding interception of content data
24/7 network.

There is also an optional protocol to the convention, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems. Particular provisions of the optional protocol deal with:

dissemination of racist and xenophobic material through computer systems
racist and xenophobic motivated threats
racist and xenophobic motivated insults
denial, gross minimisation, approval or justification of genocide or crimes against humanity
aiding and abetting.

Source: G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008.

1.14 The Convention on Cybercrime deals with only the main types of crime that may be committed online. Crimes not referred to in its substantive provisions include:

cyberterrorism: the use of computer networks to attack critical infrastructure in furtherance of a political, religious or ideological cause;28
child grooming: using the Internet to procure under-age children for sex;29
cyberstalking/cyber-bullying: using the Internet or mobile phones to stalk or harass another person by sending offensive messages or circulating or posting unwanted images of a victim online;30
spam: unsolicited email usually offering goods or services, often as part of a scam.31

1.15 Some commentators have also noted that instruments such as the Convention on Cybercrime reflect the state of technology at the time of their drafting, which can quickly become outdated:32

The Convention was negotiated and written in the earlier days of cybercrime — the late 1990s — with a final draft introduced in 2001. The Convention entered into force on 7 January 2004. Since then the craft and technologies involved in cybercrime have evolved so as to render many of the Convention’s provisions of limited relevance. Many cybercrimes are committed using modern cybercrime tools such as malicious software (‘malware’), botnets, onion routing and others. These technologies are used with obfuscation, anonymity, computational power and deniability of traceback to the source in mind. The use of many forms of malware and botnets allows criminals to avoid technical controls such as antivirus software and internet filters, as well as to avoid law enforcement. The Convention entered into force the same year that the malware landscape became monetised and thus moved from the realm of the curious hacker to one of commercialisation and profitability. Organised criminal groups became involved in malware and botnets at this time. Later in 2004 new technologies were unveiled at technology conferences giving criminals such excellent tools as Tor (the ability to onion route allowing no traceback), TrueCrypt (a deniable encryption software) and virtual private network services. With money as an emerging motif in malware and botnet deployment along with the rapid advancement of obfuscation technologies, the ability to collect evidence and traceback to the perpetrator of an economic crime has become extremely difficult.

1.16 Nonetheless, the Convention on Cybercrime remains the paramount international agreement on cybercrime and the law enforcement response, and is therefore referred to throughout the analysis that follows. Its influence on the development of Australian cybercrime laws is highly significant, particularly in two historical stages. The first was the initial drafting of the Cybercrime Act 2001 (Cth):33

This Bill would amend the Criminal Code Act 1995 (Criminal Code) by adding new Part 10.7, which contains new updated computer offences based on the January 2001 Model Criminal Code Damage and Computer Offences Report developed through Commonwealth, State and Territory cooperation as a model for national consistency. The existing offences in Part VIA of the Crimes Act 1914 (Crimes Act), which were enacted in 1989 and pre-date existing technology, would be repealed. The Bill would also enhance investigation powers relating to the search and seizure of electronically stored data by amendments to the Crimes Act and Customs Act 1901 (Customs Act). The amendments build on experience since the existing provisions were enacted in 1994 and take into account the draft Council of Europe Convention on Cybercrime.

1.17 The second important stage was Australia’s accession to the Convention on Cybercrime with effect from 1 March 2013. Prior to this, a period of consultative review of Commonwealth, State and Territory cybercrime laws was conducted to assess the nation’s readiness to join as a non-European signatory.34 This resulted in the Cybercrime Legislation Amendment Act 2012 (Cth), which explicitly refers to the Convention on Cybercrime in its long title.35 The Explanatory Memorandum states:36

The main purpose of this Bill is to make amendments necessary to facilitate Australia’s accession to the Council of Europe Convention on Cybercrime (the Convention) … Only after Australian legislation is compliant can Australia accede to the Convention. Cybercrime is a growing threat to Australian consumers, businesses and government. The international nature of cybercrime is such that no nation alone can effectively combat the problem. It is essential that Australia has in place appropriate arrangements, both domestically and internationally, to be in the best possible position to combat cybercrime. The Convention is the first international treaty on crimes committed either against or via computer networks, dealing particularly with online fraud, offences related to child pornography and unauthorised access, use or modification of data stored on computers. The Convention’s main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation. The Convention also contains a series of powers and procedures relating to accessing important evidence of cybercrimes, including by way of mutual assistance.

1.18 In considering how laws, both internationally and domestically, might continue to evolve in the future, it is worth reflecting on the key features that make cybercrime such a challenge:37

Scale: the Internet allows user communication with an estimated 2.4 billion people, or around 35% of the global population.
Accessibility: small-scale, portable, easy-to-use devices allow practically anyone to communicate online and, with few if any advanced skills, to put this to misuse — and if skills or tools are needed, they can readily be acquired online.
Anonymity: online identity may be concealed through the use of proxy servers, anonymisers, spoofed email or IP addresses, encryption tools and plain old lying.
Portability and transferability: huge amounts of data now reside on small personal devices, such as smartphones, where the same amount of data would once have required rooms filled with banks of servers.
Global reach: the Internet provides ready access to a world of targets, such as data or victims, presenting huge challenges for territorially based law enforcement.
Absence of capable guardians: adopting the ‘routine activity theory’ approach, crime depends on a supply of motivated offenders, the availability of suitable targets, and the absence of capable guardians — in this case, including public surveillance of private data, networks and online activities.

1.19 These features of cybercrime mean that innovative policies and legal approaches are required, as well as far greater international harmonisation of laws and co-operation of law enforcement activities than has historically been the norm. While progress in the past few decades has been significant, the next decade and beyond will undoubtedly shape the ways in which we understand and deal with cybercrime into the future.38


Questions for consideration 1.

In R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, p 7, the following classification of cybercrimes is offered: The concept of cybercrime we have chosen to adopt derives from the now widely accepted conception of cybercrime as entailing conduct proscribed by legislation and/or common law as developed in the courts, that: involves the use of digital technologies in the commission of the offence; or is directed at computing and communications technologies themselves; or is incidental to the commission of other crimes. Give an example of each of these three categories, noting that they may overlap. Are there any examples of cybercrime that do not fall within this classification?

2.

In view of the requirement (above) that cybercrime be ‘proscribed by [the] law’, it is a problem when jurisdictions take different approaches on what to criminalise, leading to the creation of gaps in the law’s coverage. As noted by G Urbas and P Grabosky in ‘Cybercrime and Jurisdiction in Australia’ (Ch 4 of B-J Koops and S W Brenner (eds), Cybercrime and Jurisdiction: A Global Survey, TCM Asser Press, The Hague, 2006), p 47: Given the generally borderless nature of cyberspace, it is clear that crimes involving computers may involve offenders located in one jurisdiction (or several), victims located in another (or several others), facilitated using technology in yet others, and possibly having effects in still other jurisdictions. How can such gaps be minimised or eliminated so as to provide a more global response?

3.

In ‘Criminal Law and Cyberspace as a Challenge for Legal Research’ (2012) 9(3) Scripted, B-J Koops argues that (notes omitted): Cyberspace should interest everyone who is involved in criminal law. The classic view of cybercrime, centred on the lonesome, nerdy hacker, is largely based on fiction, a fiction from the 1980s and 1990s. Reality has changed dramatically, causing a step-change in cybercrime and its consequences for the ‘real world’. Cybercrime is no longer about peer reputation among whiz kids, it’s all about money — big money. A considerable black market caters for all kinds of criminals, where you can buy a bunch of credit-card numbers (including the codes on the back) for a couple of dollars, or rent a network of zombie computers for an hour to spread your spam or block your favourite villain’s website. Moreover, as the Internet integrates seamlessly into our economy, politics, and social life, any attack on or from cyberspace is an attack on the real world. Cybercrime is real crime, and increasingly, real crime has a cyber-element to it.

Is the distinction between ‘cybercrime’ and ‘real crime’ still (if it ever was) useful? Should the focus be more on offender motivation and harm to victims, and less on the tools and technologies adopted to carry out crimes? Whose responsibility is it to respond to cybercrime so as to reduce the harms it causes?

1. The Cybercrime Act 2001 (Cth), which updated Australian Commonwealth laws on computer misuse and moved them from the Crimes Act 1914 (Cth) to the Criminal Code Act 1995 (Cth), is one of only a few early pieces of legislation worldwide to use the term ‘cybercrime’. The main international agreement is the Council of Europe’s Convention on Cybercrime, which was being finalised at much the same time and presumably inspired the Australian legislature to adopt the term.

2. Judge Stein Schjolberg, The History of Cybercrime: 1976–2014, Ch 2: ‘The History of Computer Crime and Cybercrime’: .

3. U Sieber, Legal Aspects of Computer-Related Crime in the Information Society — COMCRIME Study, 1998: .

4. S W Brenner, ‘Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law’ [2001] Murdoch University Electronic Journal of Law 8 at [17].

5. A Bequai, How to Prevent Computer Crime — A Guide for Managers, Wiley & Sons, New Jersey, 1983; D Icove, K Seger and W VonStorch, Computer Crime: A Crimefighter’s Handbook, National Criminal Justice Reference Service, California, 1995; D B Parker, Fighting Computer Crime: A New Framework for Protecting Information, Wiley & Sons, New York, 1998; E Casey, Handbook of Computer Crime Investigation: Forensic Tools and Technology, Academic Press, Elsevier, 2002. Note that the main division of the United States Department of Justice that deals with cybercrime is still called the Computer Crime and Intellectual Property Section (CCIPS): .

6. S Shackelford, ‘Computer-Related Crime: An International Problem in Need of an International Solution’ (1992) 27 Texas International Law Journal 479; U Sieber, The International Handbook on Computer Crime: Computer-Related Economic Crime and the Infringements of Privacy, Wiley & Sons, New York, 1986; U Sieber, Legal Aspects of Computer-Related Crime in the Information Society — COMCRIME Study, 1998; P Stephenson and K Gilbert, Investigating Computer-Related Crime, 2nd ed, Taylor and Francis, 2013.

7. N Barrett, Digital Crime: Policing the Cybernation, National Criminal Justice Reference Service, California, 1997; R Power, Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace, Macmillan Press, 2000; R Bryant, Investigating Digital Crime, Wiley & Sons, 2008.

8. National Institute of Justice, Electronic Crime Scene Investigation: A Guide for First Responders, US Department of Justice, Washington, 2001; B Etter, Forensic Challenges of E-Crime, Australasian Centre for Policing Research, 2001; P Grabosky, Electronic Crime, Geis Master Series in Criminology, Prentice-Hall, 2007; R Smith, N Wolanin and G Worthington, ‘e-Crime Solutions and Displacement’, Trends and Issues in Crime and Criminal Justice no. 243, Australian Institute of Criminology, January 2003.

9. S W Brenner, ‘Is There Such a Thing as Virtual Crime?’ (2001) California Criminal Law Review; B A Howell, ‘Thinkpiece: Real World Problems of Virtual Crime’ (2004) 7 Yale Journal of Law and Technology 103; F G Lastowka and D Hunter, ‘Virtual Crimes’ (2004–2005) 49 New York Law School Law Review 293; O S Kerr, ‘Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability’ (2005) 1 Journal of Law, Economics and Policy 197.

10. P Csonka, ‘Internet Crime: The Draft Council of Europe Convention on Cyber-Crime: A Response to the Challenge of Crime in the Age of the Internet?’ (2000) 16(5) Computer Law and Security Review 329; Y Jewkes and M Yar (eds), Handbook of Internet Crime, Willan Publishing, 2010; M Taylor and E Quayle, Child Pornography: An Internet Crime, Brunner-Routledge, 2003.

11. Y Jewkes, Crime Online, Willan Publishing, 2007; T Moore, R Clayton and R Anderson, ‘The Economics of Online Crime’ (2009) 23(3) The Journal of Economic Perspectives 3; J L McMullan and A Rege, ‘Online Crime and Internet Gambling’ (2010) 24 Journal of Gambling Issues 54.

12. P Norman, ‘Policing “High Tech Crime” in the Global Context: The Role of Transnational Policy Networks’ in D Wall (ed), Crime and the Internet: Cybercrimes and Cyberfears, Routledge, London, 2001; S McQuade, ‘Technology-Enabled Crime, Policing and Security’ (2006) 32(1) Journal of Technology Studies; K-K R Choo, R Smith and R McCusker, ‘The Future of Technology-Enabled Crime in Australia’, Trends and Issues in Crime and Criminal Justice no. 341, Australian Institute of Criminology, July 2007; G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008. Note that both the National Hi-Tech Crime Unit (NHTCU) in the United Kingdom and the Australian Hi-Tech Crime Centre (AHTCC) have been renamed since being established in 2001 and 2003 respectively, but that the Australian Federal Police (AFP) still refers to ‘high-tech crime’ as a subset of cybercrime involving computer intrusions, unauthorised modification or destruction of data, and the use of botnets: .

13.
D Wall, Cybercrime: The Transformation of Crime in the Information Age, Polity Press, Cambridge, 2007, Ch 2: ‘Understanding Crime in the Information Age’, ‘Why Call it “Cybercrime”?’, p 10; see also D Thomas, T Douglas and B Loader (eds), Cybercrime: Law Enforcement, Security and Surveillance in the Information Age, Routledge, 2000; S McQuade, Understanding and Managing Cybercrime, Prentice Hall, 2006; M Yar, Cybercrime and Society, 2nd ed, Sage Publications, 2013. Note that there is some variation as to the spelling: as the single word ‘cybercrime’, the compound ‘cyber crime’ or the hyphenated ‘cyber-crime’; for a discussion, see R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, p 6.

14. S Gordon and R Ford, ‘On the Definition and Classification of Cybercrime’ (2006) 2(1) Journal of Computer Virology 13. These authors adopt a ‘continuum of cybercrime’ from ‘technology crime’ to ‘people crime’, with a focus on the use of ‘crimeware’ to perpetrate various types of crime. The use of such malicious software or ‘malware’ is discussed further in Chapter 3.

15. R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, p 6; see also S W Brenner, Cybercrime: Criminal Threats from Cyberspace, Greenwood Publishing, 2010, Ch 3: ‘Three Categories of Cybercrime’.

16. P Grabosky, ‘Virtual Criminality: Old Wine in New Bottles?’ (2001) 10(2) Social and Legal Studies 243; see also S W Brenner, ‘Cybercrime Metrics: Old Wine, New Bottles?’ (2004) 9(13) Virginia Journal of Law and Technology 1; and, for the contrary view, see D Wall, ‘Cybercrimes: New Wine, No Bottles?’ in P Davies, P Francis and V Jupp (eds), Invisible Crimes: Their Victims and Their Regulation, MacMillan, London, 1999.

17. R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, note 15 above.

18. R Smith, M Holmes and P Kaufman, ‘Nigerian Advance Fee Fraud’, Trends and Issues in Crime and Criminal Justice no. 121, Australian Institute of Criminology, July 1999; see also Australian Consumer and Competition Commission (ACCC), ‘ScamWatch: “Nigerian 419” scams’: .

19. Federal Bureau of Investigation (FBI), ‘Common Fraud Schemes: Nigerian Letter or “419” Fraud’: ; and United States Department of Justice, ‘Ten Defendants Indicted in “Nigerian 419” Scam That Falsely Promised Inheritance Money to Victims’, media release, 7 March 2011: .

20. For an early example of ‘hacking’ prosecuted under English criminal damage provisions, see R v Whiteley (1991) 93 Cr App R 25; the Computer Misuse Act 1990 (UK) was created in response to the difficulty of proving such cases without legislation explicitly dealing with computer technology.

21. S W Brenner, ‘Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law’ [2001] Murdoch University Electronic Journal of Law 8 at [5]–[6] (notes omitted); see also G Urbas, ‘Criminalising Computer Misconduct: Some Legal and Philosophical Problems’ (2006) 14(1) Asia Pacific Law Review 95, which notes that ‘[t]he Love Bug episode prompted the Philippines legislature within weeks to introduce new laws relating to electronic commerce … a penalty of six months’ to three years’ imprisonment applies to “hacking”, “cracking” and computer virus offences, with fines ranging to a maximum commensurate to the damage incurred’.

22. The Cybercrime Act 2001 (Cth) added to the Criminal Code Act 1995 (Cth) a new Part 10.7 — Computer offences, as well as new search and seizure provisions to the Crimes Act 1914 (Cth) and Customs Act 1901 (Cth). Part 10.6 — Telecommunications services was added by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004 (Cth) with effect from 1 March 2005. (Both Pts 10.6 and 10.7 are discussed in more detail in Chapters 2–4, and the search and seizure provisions are discussed in Chapter 11.)

23.
The Commonwealth of Australia’s Constitution s 51(v) gives the Commonwealth Parliament the power to make laws with respect to ‘postal, telegraphic, telephonic, and other like services’. The references to ‘telecommunications’ initially introduced by the Cybercrime Act 2001 (Cth) have in subsequent amendments mostly been replaced by the term ‘carriage service’, which is defined as in the Telecommunications Act 1997 (Cth): ‘“carriage service” means a service for carrying communications by means of guided and/or unguided electromagnetic energy’. This includes telephone networks and the Internet: see R v Stubbs [2009] ACTSC 63 (26 May 2009) at [6]–[7], per Higgins CJ (a case discussed further in Chapters 8 and 9).

24. R v Brislan (1935) 54 CLR 262, per Latham CJ.

25. The term ‘telecommunications network’ is defined in s 473.1 of the Criminal Code Act 1995 (Cth) to mean, as in the Telecommunications Act 1997 (Cth), ‘a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy’. The closely related term ‘carriage service’, used in many Pt 10.6 and 10.7 offences, is also defined through the Telecommunications Act 1997 (Cth) as ‘a service for carrying communications by means of guided and/or unguided electromagnetic energy’. Despite the similarity of definitions, it may be that services such as the Internet are distinguishable from carriage services: Hale v R [2011] NSWDC 97 (11 March 2011). Nonetheless, any use of the Internet must entail use of a carriage service, though the converse is not necessarily true (eg, using a telephone network is also using a carriage service). The Explanatory Memorandum to the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No 2) 2004 (Cth) identified as uses of a carriage service ‘making a telephone call, sending a message by facsimile, sending an SMS message, or sending a message by email or some other means using the Internet’.

26. For a more complete analysis of Australian cybercrime laws, see G Urbas, ‘Cybercrime’ in Halsbury’s Laws of Australia, [130-2500]–[130-25205], LexisNexis, 2013.

27. As well as over 40 European signatories, Canada, Japan, South Africa and the United States were also early signatories, though Canada and South Africa are yet to ratify.

28. J Clough, Principles of Cybercrime, Cambridge University Press, 2010, pp 11–13; G Urbas, ‘Cyber-Terrorism and Australian Law’ (2005) 8(1) Internet Law Bulletin 5; G Urbas, ‘A Tangled Web: Cybercrime, Terrorism and the Internet’, (2012) 15(3) Internet Law Bulletin 54. The topic of cyberterrorism is discussed in Chapter 4.

29. J Clough, Principles of Cybercrime, note 28 above, Ch 11; G Urbas, ‘Look Who’s Stalking: Cyberstalking, Online Vilification and Child Grooming Offences in Australian Legislation’ (2008) 10(6) Internet Law Bulletin 62. Child grooming is discussed in Chapter 9.

30. J Clough, Principles of Cybercrime, note 28 above, Ch 12; G Urbas, ‘Look Who’s Stalking’, note 29 above. Stalking, harassment and voyeurism are discussed in Chapter 10.

31. J Clough, Principles of Cybercrime, note 28 above, Ch 9. This topic is dealt with in Chapter 6.

32. A Maurushat, ‘Australia's Accession to the Cybercrime Convention: Is the Convention Still Relevant in Combating Cybercrime in the Era of Botnets and Obfuscation Crime Tools?’, University of New South Wales Legal Research Series, 2011.

33. Parliament of Australia, Revised Explanatory Memorandum to the Cybercrime Bill 2001; see also S Bronitt and M Gani, ‘Shifting Boundaries of Cybercrime: From Computer Hacking to Cyberterrorism’ (2003) 27 Criminal Law Journal 303.

34.
Countries outside Europe to have signed or ratified the Convention on Cybercrime were Canada (signed in 2001 though not ratified), Japan (signed in 2001 and ratified in 2012), South Africa (signed in 2001 though not ratified) and the United States of America (signed in 2001 and ratified in 2007). Other countries to sign and ratify recently include the Dominican Republic (2013), Mauritius (2013) and Panama (2014). The Commonwealth Attorney-General’s Department released a public consultation document, Outline of the Articles of the Council of Europe Convention on Cybercrime and Australia’s Compliance, on 17 February 2011, followed by a referral to the Parliamentary Joint Standing Committee of Treaties; see also G Urbas and Y Chang, ‘Australia’s Proposed Accession to the Council of Europe Convention on Cybercrime’, submission dated 14 March 2011: .

35. Cybercrime Legislation Amendment Act 2012 (Cth), Long Title: ‘An Act to implement the Council of Europe Convention on Cybercrime, and for other purposes’.

36. Parliament of Australia, Explanatory Memorandum to the Cybercrime Legislation Amendment Bill 2011, Outline.

37. As discussed in J Clough, Principles of Cybercrime, note 28 above, pp 5–8, citing R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, p 2.

38. The contentious issue of estimating the ‘costs’ of cybercrime is discussed in R Anderson et al, ‘Measuring the Cost of Cybercrime’ in R Böhme (ed), The Economics of Information Security and Privacy, Springer, 2013. Australian estimates of the costs of various types of crime are available through victimisation surveys such as those discussed in R Smith et al, ‘Counting the Costs of Crime in Australia: A 2011 Estimate’, Research and Public Policy Series no. 129, Australian Institute of Criminology, 2014. The Australian Parliament’s Inquiry into Cyber Crime in 2010 leading to the report Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime (House of Representatives Standing Committee on Communications, Commonwealth of Australia, Canberra, 2010), in Ch 2, ‘Nature, Prevalence and Impact of Cyber Crime’, noted AIC estimates for 2006–07 of over $500 million in direct losses to Australian businesses (at 2.104), with a 2009 survey indicating expenditure on computer security measures of between one and two billion dollars (at 2.103).

Part 2 Unauthorised Access, Modification and Impairment

Chapter 2 Unauthorised Access

Chapter contents

Terminology 2.1
Convention on Cybercrime 2.5
Australian laws 2.15
Questions for consideration

2.0 This chapter deals with unauthorised access to computers and data, more popularly known as ‘hacking’, as well as unauthorised interception. The first can be conceptualised as unauthorised intrusion into the functioning or contents of a computer or computer system, while the latter involves unauthorised intrusion into the contents of computer-based transmissions of data. Provisions of the Council of Europe’s Convention on Cybercrime are introduced, followed by a more detailed discussion of Australian legislation and cases.

Terminology

2.1 It should be noted at the outset that the term ‘hacking’ does not have a universally agreed definition, and that its meaning has shifted over time:1

A few decades ago, the terms ‘hacker’ and ‘hacking’ were known only to a relatively small number of people, mainly those in the technically specialised world of computing. Today they have become ‘common knowledge’, something with which most people are familiar, if only through hearsay and exposure to mass media and popular cultural accounts. Current discussion has coalesced around a relatively clear-cut definition, which understands hacking as: ‘the unauthorised access and subsequent use of other people’s computer systems’ … It is this widely accepted sense of hacking as ‘computer break-in’, and of its perpetrators as ‘break-in artists’ and ‘intruders’, that structures most media, political and criminal justice responses.

However, the term has in fact undergone a series of changes in meaning over the years, and continues to be deeply contested, not least amongst those within the computing community. The term ‘hacker’ originated in the world of computer programming in the 1960s, where it was a positive label used to describe someone who was highly skilled in developing creative, elegant and effective solutions to computing problems. A ‘hack’ was, correspondingly, an innovative use of technology (especially the production of computer code or programmes) that yielded positive results and benefits. On this understanding, the pioneers of the Internet, those who brought computing to ‘the masses’, and the developers of new and exciting computer applications (such as video gaming), were all considered to be ‘hackers’ par excellence, the brave new pioneers of the ‘computer revolution’ … This earlier understanding of hacking and its ethos has since largely been over-ridden by its more negative counterpart, with its stress upon intrusion, violation, theft and sabotage. Hackers of the ‘old school’ angrily refute their depiction in such terms, and use the term ‘cracker’ to distinguish the malicious type of computer enthusiast from hackers proper. Interestingly, this conflict between the ‘old’ and ‘new’ is often presented in inter-generational terms, with the ‘old school’ lamenting the ways in which today’s ‘youngsters’ have lost touch with the more principled and idealistic motivations of their predecessors.

2.2 This variation in the meaning of ‘hacker’ is reflected in subgroupings such as ‘White Hat’ and ‘Black Hat’, which have been adopted to distinguish those who obtain unauthorised access to computers and computer data for beneficial or altruistic purposes from those who do so for negative profit-driven or destructive purposes:2

The most common categorization scheme is to categorize hackers by their intentions, with the most popular-used terms being White Hat, Black Hat, and Grey Hat … White Hats typically work for security corporations and are assigned the task of improving and securing computer services by identifying and fixing security flaws. Black Hats, on the other hand, are those that use their computer skills to cause problems for others. This term can encompass a range of motivations, including those who direct their negative actions at a specific company or group (i.e. angry hackers), those with lower levels of skill but use hacking tools to cause mischief for fun (i.e. script kiddies), and those who are interested in political and economic upheaval and view technology as the means to accomplish this goal (i.e. agenda hackers). Finally, Grey Hats are independent security experts and consultants who are quite often reformed Black Hats.

2.3 Related terms such as ‘hacktivism’ have been adopted to denote hacking for a political or activist purpose, which may in some circumstances amount to a terrorist attack (discussed further in the following chapters):3

[H]acktivism refers to the marriage of hacking and activism. It covers operations that use hacking techniques against a target’s Internet site with the intent of disrupting normal operations but not causing serious damage. Examples are web sit-ins and virtual blockades, automated email bombs, web hacks, computer break-ins, and computer viruses and worms.

2.4 It should be noted that terms such as ‘hacking’ and ‘hacktivism’ lack legal precision, even though they are widely used in popular discussions and media reporting. Legislation defining cybercrime offences tends to avoid using such terms.4 Rather, the preferred terminology in international and domestic legal instruments is ‘illegal’ or ‘unauthorised’ access and interception.

Convention on Cybercrime

2.5 The Council of Europe’s Convention on Cybercrime deals with illegal access to computer systems as its first substantive offence, followed by illegal interception:5

Article 1 — Definitions

For the purposes of this Convention:

a ‘computer system’ means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;

b ‘computer data’ means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;

…

Article 2 — Illegal access

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.

Article 3 — Illegal interception

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. A Party may require that the offence be committed with dishonest intent, or in relation to a computer system that is connected to another computer system.

2.6 The key elements of illegal access and illegal interception under the Convention on Cybercrime are: access to a computer system or any part of a computer system, or interception of non-public (ie, private) transmissions of computer data; committed intentionally (ie, not through inadvertence or accident); illegal or without right (ie, not permitted by a person with authority over the computer system or data, or under a law).

(i) Unauthorised access

2.7 Access to a computer or computer system is generally obtained by making it perform a function that allows a person to see, use or copy the data contained in the computer or system, or to run any of its programs. This may be achieved by logging in to a computer or device, typing in a password or other access code, moving a cursor and clicking onto icons or links, typing in a URL or search term, running a program, or otherwise using a computer in a way that it is designed to operate. Some such acts involve physical movements, but it may be possible to obtain access through automated means; for example, through the use of ‘hacking tools’ that, once activated, seek out and obtain access to all computers connected to a network.6

2.8 The Explanatory Report to the Convention on Cybercrime makes clear that access to a computer system may be achieved remotely:7

‘Access’ comprises the entering of the whole or any part of a computer system (hardware, components, stored data of the system installed, directories, traffic and content-related data). However, it does not include the mere sending of an e-mail message or file to that system. ‘Access’ includes the entering of another computer system, where it is connected via public telecommunication networks, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation. The method of communication (e.g. from a distance, including via wireless links or at a close range) does not matter.

2.9 The use of the term ‘enter’ in relation to a computer or computer system suggests an analogy with physical entry or intrusion, which, if unauthorised, constitutes the tort or crime of trespass.8 A person’s access may be unauthorised either because the person has no permission at all to have access, or where the person is authorised for a specific purpose in the course of employment or otherwise, but exceeds that authorisation. As pointed out by Hayne J in interpreting the (since repealed) Victorian offence of ‘computer trespass’:9

In my view, the section does not distinguish between what are colloquially known as ‘hackers’ (defined in the 2nd Edition of the Oxford English Dictionary as ‘a person who uses his skill with computers to try to gain unauthorised access to computer files or networks’) and persons who have some authority of some kind to enter the computer system. Rather, the section invites attention to whether the particular entry or gaining of access to the computer system was with or without lawful authority. Where, as is the case here, the question is whether the entry was with permission, it will be important to identify the entry and to determine whether that entry was within the scope of the permission that had been given. If the permission was not subject to some express or implied limitation which excluded the entry from its scope, then the entry will be with lawful justification but if the permission was subject to an actual, express or implied limitation which excluded the actual entry made, then the entry will be ‘without lawful authority to do so’.

2.10 Most of the earliest computer crime prosecutions in Australia were brought against employees who had exceeded their authorised access to restricted databases, such as those operated by government departments or the police.10 For example, the following case was a prosecution in relation to unlawfully obtaining confidential information under s 222 of the Northern Territory’s Criminal Code Act:11

Snell v Pryce (Unrep. No. SC 458 of 1989, NT Supreme Court) at [1], [3], [6]–[9]

Angel J: On 14 April 1989, the appellant was convicted of a charge that between the 18th day of February 1988 and the 12th day of March 1988, at Darwin in the Northern Territory of Australia, she unlawfully abstracted confidential information from a computer with intent to use it to obtain an advantage for another contrary to section 222 of the Criminal Code. Having entered a conviction the learned Special Magistrate released the appellant on a bond, on her own recognizance, to be of good behaviour for 12 months.

Section 222 of the Criminal Code provides:

Any person who unlawfully abstracts any confidential information from any register, document, computer or other repository of information with intent to cause loss to a person or with intent to publish the same to a person who is not lawfully entitled to have or to receive it, or with intent to use it to obtain a benefit or advantage for himself or another, is guilty of a crime and is liable to imprisonment for 3 years.

At the time of the alleged offence, the appellant was employed as a public servant in the communications section of the Police Department. Located deep within the police headquarters at Berrimah is the communications room which is not fenestrated. To gain access to that part of the police building, a person must first pass through a security door in the reception area of police headquarters by use of a magnetic card, thence to a communication area which is designated ‘restricted area’, from where one enters the communications room through a door opened with a key. Within the communications room is a computer. Access to the computer is restricted. In order to use the computer a person must insert, first, his or her (I lapse into computer jargon) ‘user identification’, and secondly a password known only to that person. It is physically impossible for a member of the public to enter the communications room; only authorised personnel have access to that room and only persons with appropriate facilities can use the computer once there.

…

In what can only be described as a flagrant breach of the terms of her employment and a deplorable breach of faith, the appellant, contrary to the express instructions of her superiors and contrary to the dictates of the computer manual, the contents of which were well known to her, extracted certain names and addresses and some dates of birth from the computer, which information she passed on to her defacto husband. He was a licensed enquiry agent seeking certain persons’ whereabouts, apparently to assist him to serve process.

2.11 By contrast, instances of external unauthorised access, which is arguably what is most often meant by the term ‘hacking’, appear to be less often prosecuted. This may be a function of variables such as the availability of evidence and the identification of offenders, rather than just the applicability of criminal laws:12

Early attempts to regulate hacking seemingly laboured under the impression that the only rules that applied were legal rules. Thus, despite the absence of empirical data showing that hacking was an actual and serious legal threat to society, legislators around the world enacted computer fraud and misuse statutes that criminalised various acts of hacking, particularly unauthorised access to a computer … Some studies have shown, however, that these antihacking statutes have mostly been used against disloyal and disgruntled employees and only seldom in relation to anonymous hackers who break into a company’s computer system, the oft-cited bogeyman of computer abuse laws …

2.12 Some instances of hacking involve no more than curious teenagers or ‘script kiddies’, thrilled by the challenge of obtaining unauthorised access to high-profile targets such as government or military sites, with no consequent damage being done or at least intended.13 However, other examples are much more destructive, such as the exploits in February 2000 of ‘MafiaBoy’ who, while still at school in Quebec, Canada, created a program that launched a denial-of-service attack that brought down the websites of Yahoo, Ebay, CNN, Amazon and Dell.14 In an Australian case from around the same time, a disgruntled ex-employee of a company controlling a Queensland sewerage treatment facility hacked into its computers and caused raw sewage to be released into local waterways.15

(ii) Unauthorised interception

2.13 The counterpart to unauthorised access is unauthorised interception, being an intrusion into the privacy of communications. This is traditionally criminalised under ‘wiretapping’ and similar telecommunications interception laws, with exceptions for law enforcement bodies engaged in investigations that require covert recording of conversations, usually under the authority of a court-issued warrant. The Explanatory Memorandum to the Convention on Cybercrime makes clear that the scope of ‘illegal interception’ in Art 3 is limited to interception of private transmissions by technical means:16

Interception by ‘technical means’ relates to listening to, monitoring or surveillance of the content of communications, to the procuring of the content of data either directly, through access and use of the computer system, or indirectly, through the use of electronic eavesdropping or tapping devices. Interception may also involve recording. Technical means includes technical devices fixed to transmission lines as well as devices to collect and record wireless communications. They may include the use of software, passwords and codes. The requirement of using technical means is a restrictive qualification to avoid overcriminalisation.

The offence applies to ‘non-public’ transmissions of computer data. The term ‘non-public’ qualifies the nature of the transmission (communication) process and not the nature of the data transmitted. The data communicated may be publicly available information, but the parties wish to communicate confidentially. Or data may be kept secret for commercial purposes until the service is paid, as in Pay-TV. Therefore, the term ‘non-public’ does not per se exclude communications via public networks. Communications of employees, whether or not for business purposes, which constitute ‘non-public transmissions of computer data’ are also protected against interception without right under Article 3 …

2.14 Prohibitions under Australian law against both unauthorised access to computer data, including stored communications, and unauthorised interceptions are discussed below. Unauthorised modification and impairment are dealt with in Chapters 3 and 4, respectively. Procedural aspects of warrants used in law enforcement investigations, including stored communications, surveillance devices and telecommunications interception warrants, are discussed further in Chapter 12.

Australian laws

2.15 The main unauthorised access and interception provisions discussed below are those under Commonwealth law, with some reference also to State and Territory laws, some of which are direct counterparts to the Commonwealth offences.17

(i) Unauthorised access

2.16 Unauthorised access is a principal concern of Australian cybercrime legislation.18 The following table outlines the main unauthorised access offences across all Australian jurisdictions (Table 2.1).

Table 2.1: Commonwealth, State and Territory unauthorised access offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
|---|---|---|---|---|
| CTH19 | Criminal Code Act 1995 s 477.1 (Unauthorised access, modification or impairment with intent to commit a serious offence) | Causing any unauthorised access to data held in a computer | Intention by that access to commit or facilitate a serious offence, knowing the access is unauthorised | As for the serious offence (imprisonment for five years or more) |
| | Criminal Code Act 1995 s 478.1 (Unauthorised access to, or modification of, restricted data) | Causing any unauthorised access to restricted data | Intention to cause the access, knowing it to be unauthorised | Imprisonment for two years |
| ACT20 | Criminal Code 2002 s 415 (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing unauthorised access to data held in a computer | Intention to commit or enable a serious offence, knowing the access is unauthorised | As for the serious offence (imprisonment for five years or more) |
| | Criminal Code 2002 s 420 (Unauthorised access to or modification of restricted data) | Causing unauthorised access to restricted data held in a computer | Intention to cause the access, knowing it to be unauthorised | Imprisonment for two years or 200 penalty units or both |
| NSW21 | Crimes Act 1900 s 308C (Unauthorised access, modification or impairment with intent to commit serious indictable offence) | Causing any unauthorised computer function (defined to include unauthorised access) | Intention to commit or facilitate a serious offence, knowing the access is unauthorised | As for the serious offence (imprisonment for five years or more) |
| | Crimes Act 1900 s 308H (Unauthorised access to or modification of restricted data held in computer) | Causing any unauthorised access to restricted data held in a computer | Intention to cause the access, knowing it to be unauthorised | Imprisonment for two years |
| NT22 | Criminal Code Act s 276B (Unlawful access to data) | Unlawfully accessing data held in a computer, or using data that has been accessed unlawfully | Intent to cause loss or harm to the person entitled to the data or a third person, or gain a benefit or advantage personally or for a third party | Imprisonment for 10 years |
| QLD | Criminal Code Act 1899 s 408E (Computer hacking and misuse) | Using a restricted computer without the consent of the computer’s controller | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years where value is over $5000 |
| SA23 | Criminal Law Consolidation Act 1935 s 86E (Use of computer with intention to commit, or facilitate the commission of, an offence) | Using a computer to cause (directly or indirectly) unauthorised access to computer data | Intention by that access to commit or facilitate a serious offence, knowing the access is unauthorised | As for the serious offence (imprisonment for five years or more) |
| | Criminal Law Consolidation Act 1935 s 86F (Use of computer to commit, or facilitate the commission of, an offence outside the State) | Using a computer to cause (directly or indirectly) unauthorised access to computer data | Intention by that access to commit or facilitate a prohibited act in another jurisdiction, knowing the access is unauthorised | As for the prohibited act (imprisonment for five years or more) |
| TAS24 | Criminal Code Act 1924 s 257D (Unauthorized access to a computer) | Unlawfully and intentionally gaining access to a computer or computer system | Not specified | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC25 | Crimes Act 1958 s 247B (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing any unauthorised computer function (defined to include unauthorised access to data held in a computer) | Intention to commit or facilitate a serious offence, knowing the access is unauthorised | As for the serious offence (imprisonment for five years or more) |
| | Crimes Act 1958 s 247G (Unauthorised access to or modification of restricted data) | Causing any unauthorised access to restricted data held in a computer | Intention to cause the access, knowing it to be unauthorised | Imprisonment for two years |
| WA | Criminal Code Act Compilation Act 1913 s 440A (Unlawful use of computer) | Unlawfully using (defined to include accessing information in) a restricted-access computer system | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years where value is over $5000 |

Sources: Australasian Legal Information Institute (AustLII); State and Territory legislative databases.

2.17 Commonwealth unauthorised access, modification and impairment offences are contained in Pt 10.7 of the Criminal Code Act 1995 (Cth), which was initially added by the Cybercrime Act 2001 (Cth). The following definitions apply:26

476.1 Definitions
(1) In this Part:
access to data held in a computer means:
(a) the display of the data by the computer or any other output of the data from the computer; or
(b) the copying or moving of the data to any other place in the computer or to a data storage device; or
(c) in the case of a program—the execution of the program.
…
unauthorised access, modification or impairment has the meaning given in section 476.2.
(2) In this Part, a reference to:
(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer;
is limited to such access, modification or impairment caused, whether directly or indirectly, by the execution of a function of a computer.

476.2 Meaning of unauthorised access, modification or impairment
(1) In this Part:
(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer; or
(d) the impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;
by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.
(2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.
(3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person’s conduct substantially contributes to it.
(4) For the purposes of subsection (1), if:
(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and
(b) the person does so:
(i) under a warrant issued under the law of the Commonwealth, a State or a Territory; or
(ii) under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect; or
(iii) under a tracking device authorisation given to the person under section 39 of that Act;
the person is entitled to cause that access, modification or impairment.

2.18 Access obtained through non-electronic means, such as ‘shoulder surfing’ to view another person’s computer activity, is arguably excluded in virtue of s 476.1(2). However, the same may not apply where access is obtained, for example, through using another person’s password without that person’s consent.27 It should also be noted that a law enforcement officer acting under a warrant will be ‘entitled’ to cause access within the meaning of s 476.2(1), under subs (4). Telecommunications interception and other warrants are discussed in Chapter 12.

2.19 The first substantive offence added to the Criminal Code Act 1995 (Cth) by the Cybercrime Act 2001 (Cth) deals with unauthorised access, modification and impairment together:28

477.1 Unauthorised access, modification or impairment with intent to commit a serious offence
Intention to commit a serious Commonwealth, State or Territory offence
(1) A person is guilty of an offence if:
(a) the person causes:
(i) any unauthorised access to data held in a computer; or
(ii) any unauthorised modification of data held in a computer; or
(iii) any unauthorised impairment of electronic communication to or from a computer; and
(c) the person knows the access, modification or impairment is unauthorised; and
(d) the person intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the access, modification or impairment.
(3) In a prosecution for an offence against subsection (1), it is not necessary to prove that the defendant knew that the offence was:
(a) an offence against a law of the Commonwealth, a State or a Territory; or
(b) a serious offence.
Penalty
(6) A person who is guilty of an offence against this section is punishable, on conviction, by a penalty not exceeding the penalty applicable to the serious offence.
Impossibility
(7) A person may be found guilty of an offence against this section even if committing the serious offence is impossible.
No offence of attempt
(8) It is not an offence to attempt to commit an offence against this section.
Meaning of serious offence
(9) In this section: serious offence means an offence that is punishable by imprisonment for life or a period of 5 or more years.

2.20 The first thing to note about s 477.1 is that it actually contains three forms of the offence, depending on whether the act committed is causing unauthorised access, modification or impairment.29 In each case, the physical element of the offence is best characterised as bringing about a result, while the lack of authorisation is best understood as a circumstance.30 The ‘default’ fault element of recklessness would therefore apply, meaning that the prosecution must prove that the defendant was at least reckless as to causing unauthorised access, modification or impairment.31 However, this fault element is displaced in relation to the lack of authorisation, in virtue of para (1)(c), so that actual knowledge must be proved. Moreover, the prosecution must also prove the intention to commit or facilitate a Commonwealth, State or Territory offence by the access, modification or impairment, presumably by evidence that shows the defendant’s criminal objective.32 However, because of subs (3), the prosecution does not have to prove that the offence intended was known by the defendant to be a serious offence under Commonwealth, State or Territory law, as defined in subs (9). It is noteworthy that impossibility is no bar to prosecution, as set out in subs (7), though attempt to commit an offence under s 477.1 is excluded under subs (8).

2.21 The reach of s 477.1 is potentially wide because it applies to a range of ‘hacking’ and similar activity that is designed to perpetrate or facilitate any serious crime, even if this is a State or Territory rather than a Commonwealth offence. For example, obtaining unauthorised access to online information to be used in defrauding someone may fall under this Commonwealth provision, despite the fact that fraud is generally prosecuted as a State or Territory crime (unless it involves fraud against the Commonwealth).33 Similarly, hacking into a person’s computer in order to stalk or intimidate him or her may be amenable to prosecution under s 477.1, even though stalking and intimidation are generally State and Territory offences (discussed further in Chapter 10).34 State and Territory laws include analogues to s 477.1, such as s 308C of the Crimes Act 1900 (NSW) which prohibits unauthorised access, modification or impairment with intent to commit a serious indictable offence.35

2.22 A case involving the use of s 477.1 in the context of a child exploitation prosecution illustrates how offenders can use hacking software to further their illegal manipulation of vulnerable victims. The case also provides a detailed account of the forensic work done by police investigators to establish the operation of the malware involved, and to connect it convincingly to the defendant.36 The defence case theory was that a third person was responsible for the acts committed through the defendant’s computer, which was evidently rejected by the jury despite the defendant calling his own expert witness to explain how this might have been possible.37 In this appeal, the defendant’s conviction on multiple charges was upheld:

R v Tahiraj [2014] QCA 353 (19 December 2014) at [1], [6]–[8], [26]–[30] (notes omitted)

Margaret McMurdo P: The appellant, Luan Tahiraj, was convicted on 12 June 2013 after a three-and-a-half week trial of using a carriage service to procure a person under 16 years of age contrary to s 474.26(1) Criminal Code Act 1995 (Cth) (counts 1 and 6); unauthorised access to a computer with intent contrary to s 477.1(1) Criminal Code (Cth) (count 2); using a carriage service to make child pornography material available contrary to s 474.19(1)(a)(iv) Criminal Code (Cth) (count 3); using a carriage service to access child pornography material contrary to s 474.19(1)(a)(i) Criminal Code (Cth) (count 4); using a carriage service to access child abuse material contrary to s 474.22(1)(a)(i) Criminal Code (Cth) (count 5); and knowingly possessing child exploitation material contrary to s 228D Criminal Code Act 1899 (Qld) (count 7) …

The prosecution case was particularised as follows. The appellant, using the profile name ‘Tick Tock’, ‘used the carriage service TPG/Soul to procure [the 13 year old A] … to engage in or submit to sexual activity with himself.’ The procurement was as depicted in a video file titled kkkk.avi. (count 1) The appellant used the same carriage service ‘to cause an authorised access of data, to or from [A’s] computer … by way of malware, including a remote administration tool named Poison Ivy, with the intention of committing an offence, namely, an offence against s 474.26(1) of the Criminal Code (Commonwealth).’ (count 2) …

Brooke Ellis, a detective senior constable with the AFP went to the appellant’s house on 8 April 2009 and took possession of the Toshiba laptop, Seagate hard drive and Verbatim hard drive. Gerard Murphy, a forensic computer examiner employed by the AFP, also attended the appellant’s house that day. The Toshiba laptop was in standby mode. When he opened it, a Firefox web browser was running, displaying emails for the Gmail account ‘[email protected]’. The program Windows Live Messenger was not logged in, but it displayed emails for the account ‘[email protected]’. He examined the Toshiba laptop’s hard drive and the Seagate hard drive.

Alexander Tilley, a technical specialist in the cybercrime team of the AFP, gave evidence which included the following. Between November 2008 and April 2009 he was assigned to monitor the website ‘unkn0wn.ws’. He saw a message posted by someone with the username ‘Rofles’ … These messages related to the video ‘kkkk.avi’, the subject of count 3, which was uploaded to the Internet website, RapidShare. Mr Tilley accessed the video and ultimately identified the girl in it as A. He apprehended that ‘Rofles’ was an Australian and contacted RapidShare which confirmed that the video was uploaded on 8 January 2009 from the appellant’s IP address. The AFP monitored that IP address between 27 February 2009 and 9 April 2009. Mr Tilley went to the appellant’s house on 8 April 2009 and found the various computer equipment in the appellant’s bedroom. He later examined the appellant’s laptop and A’s computer and found that the Poison Ivy files on the appellant’s laptop matched a file on A’s computer. He identified that the appellant’s laptop had used Poison Ivy to hack into A’s computer and 133 others. He connected the data on these computers back to the appellant’s laptop. A’s computer was configured so that Poison Ivy would automatically start when it was switched on, without any voluntary act from A.

2.23 Amendments made to the Criminal Code Act 1995 (Cth) in 2004 added a new offence similar to s 477.1 though considerably broader in its scope:38

474.14 Using a telecommunications network with intention to commit a serious offence
(1) A person is guilty of an offence if:
(a) the person:
(i) connects equipment to a telecommunications network; and
(ii) intends by this to commit, or to facilitate the commission of, an offence (whether by that person or another person); and
(b) the offence is:
(i) a serious offence against a law of the Commonwealth, a State or a Territory; or
(ii) a serious offence against a foreign law.
(2) A person is guilty of an offence if:
(a) the person uses equipment connected to a telecommunications network in the commission of, or to facilitate the commission of, an offence (whether by that person or another person); and
(b) the offence is:
(i) a serious offence against a law of the Commonwealth, a State or a Territory; or
(ii) a serious offence against a foreign law.
(3) A person who is guilty of an offence against subsection (1) or (2) is punishable, on conviction, by a penalty not exceeding the penalty applicable to the serious offence.
(4) Absolute liability applies to paragraphs (1)(b) and (2)(b).
Note: For absolute liability, see section 6.2.
(5) A person may be found guilty of an offence against subsection (1) or (2) even if committing the serious offence is impossible.
(6) It is not an offence to attempt to commit an offence against subsection (1) or (2).

2.24 This provision breaks down into two discrete offences, differing slightly as to the physical element of connecting to a telecommunications network:39

Section 474.14(1) applies where the person connects equipment to a telecommunications network (thus providing the constitutional basis for a Commonwealth offence), coupled with an intention to commit or facilitate a serious Commonwealth, State, Territory or foreign offence.

Section 474.14(2) applies where the person uses equipment already connected to a telecommunications network, coupled with an intention to commit or facilitate a serious Commonwealth, State, Territory or foreign offence.

2.25 The fact that a telecommunications network is involved is a circumstance to which the ‘default’ fault element of recklessness would apply, while absolute liability attaches under subs (4) to the fact that the intended offence is a serious Commonwealth, State, Territory or foreign offence.40 The definition of a ‘serious offence’ for this purpose is, again, one punishable by imprisonment for life or five years or more, though for s 474.14 this may be a foreign rather than an Australian offence.41 The reason for including this feature in s 474.14 is explained thus:42

Serious offence against a foreign law is defined to mean an offence against a law of a foreign country constituted by conduct that, if it had occurred in Australia, would have constituted a serious offence against a law of the Commonwealth, a State or a Territory. A simple example of an offence that would come within this definition is murder. Murder is an offence in most countries, and if the same conduct that led to the murder occurred in Australia it would be a serious offence against a law of a State or a Territory. This phrase only has application to proposed section 474.14, which deals with use of a telecommunications network to commit a serious offence.

2.26 Also, per subss (5) and (6), impossibility is not a bar to prosecution, but attempt is not an offence under s 474.14(1) or (2).43 This may be because these offences are already preparatory in nature:44

It is enough that the defendant intended to facilitate the offence. It therefore punishes preparatory conduct that may well fall far short of the law of attempts.

2.27 Despite these similarities, however, a stark point of difference between ss 477.1 and 474.14 is that the latter does not require that the connection or use of a computer connected to a telecommunications network, intended to aid in the commission or facilitation of an offence, be itself unauthorised. In other words, no ‘hacking’ is required in order to commit a s 474.14 offence. Thus, s 474.14(1) or (2) could apply to any use of the Internet, for example, with the requisite criminal intent. The physical element could be entirely lawful conduct, such as performing a search for information from a home computer:45

[S]ubsection 474.14(1) will cover a broad range of preparatory activities that make use of telecommunications, undertaken with the intention to commit, or facilitate the commission of, a serious offence … [S]ubsection 474.14(2) will cover any use of equipment connected to a telecommunications network to commit, or facilitate the commission of, an offence. Examples of the type of conduct covered by the proposed offence range from the simple making of a telephone call to facilitate the commission of a bank robbery to the use of a computer connected to the Internet to electronically remove money from a financial institution’s computer system.

2.28 A rare example of the use of s 474.14 in a prosecution is the following case which involved a defendant in Australia who had been working as a ‘money mule’ for an organised crime operation overseas, helping it to launder proceeds of crime:46

R v Columbus [2007] QCA 396 (16 November 2007) at [1], [4], [9], [12]–[13], [30]

Williams JA: Crimes using the internet, particularly where there is an international element, are particularly hard to detect and prosecute successfully. Such crimes have the potential for inflicting serious financial harm on innocent citizens. In consequence, when it comes to sentencing such an offender the aspect of deterrence assumes greater importance. That to my mind is a very relevant consideration when one is considering whether or not the sentence under review was manifestly excessive.

Keane JA: On 22 June 2007, the applicant pleaded guilty to one count of dealing in proceeds of crime worth $10,000 or more contrary to s 400.6 of the Criminal Code (Cth), and one count of using a telecommunications network with intent to commit a serious offence contrary to s 474.14(1) of the Criminal Code (Cth). The maximum penalty for each offence was 10 years imprisonment …

The applicant was involved in an unlawful internet-based activity known as ‘muling’. This activity enables the beneficiaries of unlawful transactions to obtain the financial benefit of those transactions. He and his partner M made contact online with a company which agreed to transfer to the bank accounts of the applicant and his partner sums of unlawfully obtained money. The applicant withdrew the cash, kept a commission of about five per cent and sent the balance to an address in Singapore …

An examination of a laptop computer seized at the applicant’s house showed that, between 20 January 2006 and 15 March 2006, the applicant was sending e-mails looking for further work as a mule. The applicant tried to suggest that these e-mails were actually sent by a cousin whose name he declined to provide … The applicant’s original motivation for seeking work as a mule was, he said, to obtain extra cash for Christmas …

In my respectful opinion, it was open to the learned sentencing judge to impose a sentence involving a period of actual custody by reason of the need to ensure that those who make a deliberate choice to facilitate the unlawful movement of money on the internet as part of an organised criminal activity must understand that this choice will attract serious consequences. General deterrence has an important role to play in preventing the kind of deliberate choice in which the applicant chose to indulge. Where dishonest people are free to make a deliberate choice whether or not to engage in criminal activity for easy money, it is only the threat of actual imprisonment if they are caught which is likely to provide the necessary cost-benefit incentive to refrain from such activity.

2.29 Section 474.14 could also be used in combination with other Commonwealth laws, such as those relating to planning or committing terrorist acts, or those relating to terrorist organisations, to provide a powerful legislative framework for dealing with computer-related aspects of this area of crime (discussed further in Chapter 4).

2.30 In addition to s 477.1, a further unauthorised access offence was added to the Criminal Code Act 1995 (Cth) by the Cybercrime Act 2001 (Cth):47

478.1 Unauthorised access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorised.
Penalty: 2 years imprisonment.
(3) In this section: restricted data means data:
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer.

2.31 The scope of s 478.1 as introduced by the Cybercrime Act 2001 (Cth) was explained as follows in the Explanatory Memorandum to the Bill:48

The proposed offence relates only to unauthorised access or modification of restricted data rather than any data. ‘Restricted data’ is defined to mean ‘data held in a computer; and to which access is restricted by an access control system associated with a function of the computer’. Therefore, a person would only commit an offence if he or she by-passed an access control system, such as a password or other security feature, in order to access the data … This offence will apply to a person who hacks into a computer system protected by a password or other similar security measure in order to access personal or commercial information or alter that information. The offence will also cover an employee who breaks a password on his or her employer’s computer system in order to access the Internet or to access protected information. However, the offence would not apply to an employee who has access to the Internet at work and uses that access to place bets on horse races in defiance of his or her employer’s ban on using the Internet for purposes that are not work-related.

2.32 The application of s 478.1 and its counterpart summary offence in s 308H of the Crimes Act 1900 (NSW) was considered in the following family law case. The central issue was whether emails accessed by one parent without the consent of the other were to be ruled inadmissible as being illegally or improperly obtained under s 138 of the Evidence Act 1995 (Cth and NSW).49

Anders & Anders (No.2) [2008] FMCAfam 1125 (15 October 2008) at [1], [4]–[5], [22]–[26], [33], [38]

Kemp FM: During the course of the hearing, an issue arose as to the admissibility of various emails obtained by the father after accessing in some way, through the use of a password, the mother’s email account. The relevant emails … [as] the subject documents are relevant to the Court’s assessment [of] the determination of a number of issues, including the mother’s involvement in a witch’s coven and the impact that her witchcraft activity and her possession of witchcraft items (such as a dagger and mirror) are having upon the children. The mother’s evidence being that her interest in witchcraft was largely as a result of her research for a book she is writing and that she was not more involved in its practices …

With respect to the illegality basis [for exclusion under s 138], whilst the Court finds the father was not authorised to access the subject documents, the Court is of the view that there is insufficient relevant evidence before it to determine whether the subject documents constituted restricted data held in a computer within the relevant statutory definitions of s 308H and s 478.1(1)(a) …

2.33 Unauthorised interception is similar to unauthorised access, but involves data in transit rather than in a static or stored form. The main Commonwealth law dealing with telecommunications interception is the Telecommunications (Interception and Access) Act 1979 (Cth). It contains the following definitional provisions (s 5):

communication includes conversation and a message, and any part of a conversation or message, whether:
(a) in the form of:
(i) speech, music or other sounds;
(ii) data;
(iii) text;
(iv) visual images, whether or not animated; or
(v) signals; or
(b) in any other form or in any combination of forms.
…
telecommunications service means a service for carrying communications by means of guided or unguided electromagnetic energy or both, being a service the use of which enables communications to be carried over a telecommunications system operated by a carrier but not being a service for carrying communications solely by means of radiocommunication.
…
telecommunications system means:
(a) a telecommunications network that is within Australia; or
(b) a telecommunications network that is partly within Australia, but only to the extent that the network is within Australia;
and includes equipment, a line or other facility that is connected to such a network and is within Australia.

2.34 The general prohibition on telecommunications interception then follows (s 7), though this is, of course, subject to numerous specific exceptions, including law enforcement interceptions carried out under a warrant:

7 Telecommunications not to be intercepted
(1) A person shall not:
(a) intercept;
(b) authorize, suffer or permit another person to intercept; or
(c) do any act or thing that will enable him or her or another person to intercept;
a communication passing over a telecommunications system.
(2) Subsection (1) does not apply to or in relation to:
(a) an act or thing done by an employee of a carrier in the course of his or her duties for or in connection with … the identifying or tracing of any person who has contravened, or is suspected of having contravened or being likely to contravene, a provision of Part 10.6 of the Criminal Code … or …
(b) the interception of a communication under a warrant …

2.35 Section 105 of the Telecommunications (Interception and Access) Act 1979 (Cth) provides that a contravention of subs 7(1) is an indictable offence punishable by up to two years’ imprisonment. Even in the absence of a prosecution for breach of the provision, however, unauthorised recordings of phone conversations may be inadmissible as evidence or damage a party’s position in litigation.50

2.36 Authorisations and warrants for telecommunications interception may be granted under numerous provisions of the Act, including Pt 2–2 (ASIO authorisations), Pt 2–3 (Emergency warrants), Pt 2–4 (Testing interception capability), Pt 2–5 (Law enforcement warrants); and, in relation to stored communications access, under Pt 3–2 (ASIO authorisations) and Pt 3–3 (Law enforcement warrants). These are discussed further in Chapter 11.

2.37 The Criminal Code Act 1995 (Cth) also contains an offence dealing with interception devices, defined in the Telecommunications (Interception and Access) Act 1979 (Cth) as ‘a terminal device that is capable of being used for transmitting or receiving a communication over a telecommunications system’. The Criminal Code offence is in s 474.4, though there is an exemption for authorised interceptions:

474.4 Interception devices
(1) A person is guilty of an offence if:
(a) the person:
(i) manufactures; or
(ii) advertises, displays or offers for sale; or
(iii) sells; or
(iv) possesses;
an apparatus or device (whether in an assembled or unassembled form); and
(b) the apparatus or device is an interception device.
Penalty: Imprisonment for 5 years.

2.38 While interception devices and other surveillance technologies, including miniature devices known as ‘spycams’, may be easily obtained in Australia and overseas, their legality should be carefully considered before being obtained or used.51

[page 45]

Questions for consideration

1. In M Yar, ‘Computer Hacking: Just Another Case of Juvenile Delinquency?’ (2005) 44(4) Howard Journal of Criminal Justice 387 at 389–90 (notes omitted), the origins of the term ‘hacker’ and ‘hacking’ are discussed, and critiqued as follows:

The contested nature of the terms is, however, worth bearing in mind, for a good criminological reason. It shows how hacking, as a form of criminal activity, is actively constructed by governments, law enforcement, the computer security industry, businesses, and media; and how the equation of such activities with ‘crime’ and ‘criminality’ is both embraced and challenged by those who engage in them … Reactions to hacking and hackers cannot be understood independently from how their meanings are socially created, negotiated and resisted. Criminal justice and other agents propagate, disseminate and utilise negative constructions of hacking as part of the ‘war on computer crime’. Those who find themselves so positioned may reject the label, insisting that they are misunderstood, and try to persuade others that they are not ‘criminals’; alternatively, they may seek out and embrace the label, and act accordingly, thereby setting in motion a process of ‘deviance amplification’ … which ends up producing the very behaviour that the forces of ‘law and order’ are seeking to prevent. In extremis, such constructions can be seen to make hackers into ‘folk devils’ …, an apparently urgent threat to society which fuels the kinds of ‘moral panic’ about computer crime alluded to in the introduction.

Is this analysis helpful? What does the term ‘hacker’ connote today, and has it lost its earlier significance? Who decides on how and to whom these labels are applied?

2. Distributed denial of service (DDoS) attacks can result in criminal prosecution and fines. However, J Leiderman, ‘Justice for the PayPal Wikileaks Protesters: Why DDoS is Free Speech’, The Guardian, 23 January 2013, argues that they are no more than the online equivalent of a ‘sit-in’ protest:

A reported 10,000 protesters around the world took to the internet with a protest method known as DDoS (distributed denial of service) — the functional equivalent of repeatedly hitting the refresh button on a computer. With enough people refreshing enough times, the site is flooded with traffic, slowed, or even temporarily knocked offline. No damage is done to the site or its backing computer system; and when the protest is over, the site resumes business as usual. This is not ‘hacking’. It is protest, and it is speech.

Is this a realistic assessment? What business or other losses might the owner of a targeted website suffer? Would there also be unintended ‘collateral’ damage?

3. J Clough, in Principles of Cybercrime, Cambridge University Press, 2010 at p 154, notes that the scope of the term ‘communication’ under the Telecommunications (Interception and Access) Act 1979 (Cth) is somewhat unclear, and may not include some elements of ‘traffic data’, defined in the Convention on Cybercrime:

‘traffic data’ means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.

For what reasons might it be desirable to have a clearer definition of ‘communication’?

1. M Yar, ‘Computer Hacking: Just Another Case of Juvenile Delinquency?’ (2005) 44(4) Howard Journal of Criminal Justice 387 at 389–90 (notes omitted). An interesting study of hacker motivations is R Young, L Zhang and V Prybutok, ‘Hacking into the Minds of Hackers’ (2007) 24(4) Information Systems Management 281. An interesting account of the early Australian hacking community is in S Dreyfus and J Assange, Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Mandarin, 1997; re-published in 2011 by William Heinemann, Random House, Sydney.

2. A M Bossler and G W Burruss, ‘The General Theory of Crime and Computer Hacking: Low Self-Control Hackers?’ in T J Holt and B H Schell (eds), Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications, Information Science Reference, Hershey, New York, 2011, p 40–1 (notes omitted). A famous convicted hacker who later became a security consultant is Kevin Mitnick, author of books including K Mitnick, The Art of Deception: Controlling the Human Element of Security, Wiley, 2002; K Mitnick and L Simon, The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers, Wiley, 2005; and K Mitnick and L Simon, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, Little, Brown, 2011.

3. D E Denning, ‘Activism, Hacktivism and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy’ in J Arquilla and D Ronfeldt (eds), Networks and Netwars: The Future of Terrorism, Crime and Militancy, Rand Corporation, 2001, p 241; see also T McCormick, ‘A Short History of Hacktivism’, The Sydney Morning Herald, 10 May 2013.

4. Two exceptions are s 33 of the Electronic Commerce Act 2000 of the Philippines, which criminalises ‘hacking and cracking’, defined as unauthorised access to or interference with a computer system; and s 408E of the Criminal Code Act 1899 (Qld), which uses the section heading ‘Computer hacking and misuse’ in referring to the use of a restricted computer without the controllers’ consent, though not in the text of the offence provision.

5. Council of Europe, Convention on Cybercrime. Articles 2 and 3 are in Chapter II — Measures to be taken at the national level, Section 1 — Substantive criminal law, Title 1 — Offences against the confidentiality, integrity and availability of computer data and systems. Despite the term ‘illegal’ in the sub-heading, the arguably wider ‘without right’ appears in the text, which can be understood as being synonymous with ‘unauthorised’ in Australian legislation.

6. R Barber, ‘Hacking Techniques: The Tools That Hackers Use, and How They Are Evolving to Become More Sophisticated’ (2001) 3 Computer Fraud and Security 9; P Sommer, ‘Criminalising Hacking Tools’ (2006) 3(2) Digital Investigation 68.

7. Explanatory Report, Convention on Cybercrime at [46]; also discussed in J Clough, Principles of Cybercrime, Cambridge University Press, 2010, pp 58–9.

8. Some early Australian computer offences used this terminology; for example, s 9A (Computer trespass) of the Summary Offences Act 1966 (Vic).

9. DPP v Murdoch [1993] 1 VR 406 (2 October 1992), in which the defendant was a State Bank of Victoria employee who used his position within the Network Operations Section to dishonestly operate debit card accounts so as to enable him to withdraw funds from an automated teller machine (ATM); the reasoning of Hayne J was followed in Salter v DPP [2008] NSWSC 1325 (5 December 2008).

10. Cases involving Crimes Act 1914 (Cth) unauthorised access offences — which have been revised and moved to the Criminal Code Act 1995 (Cth) — include Gilmour v DPP (Cth) [1996] NSWSC 55 (1 April 1996); DPP (Cth) v Rogers [1998] VSC 274; [1998] VSC 48 (20 April 1998); R v Stevens [1999] NSWCCA 69 (15 April 1999); and Dragojlovic v The Queen [2013] VSCA 151 (20 June 2013).

11. See S Bronitt and M Gani, ‘Shifting Boundaries of Cybercrime: From Computer Hacking to Cyberterrorism’ (2003) 27 Criminal Law Journal 303. Similar cases are Rhatigan v Forbes [2009] WASC 368 (7 December 2009) and Casilli v Wehrmann [2014] WASC 319 (10 September 2014).

12. M A Dizon, ‘Rules of a Networked Society: Here, There and Everywhere’ in R Leenes and E Kosta (eds), Bridging Distances in Technology and Regulation, Wolf Legal Publishers, Netherlands, 2013, p 92 (notes omitted). This is not to say that there have been no prosecutions of ‘external’ hackers, though the outcomes may not always be reported, in part due to guilty pleas and the relative youth of offenders: see, for example, R v Assange [1996] VSC 60; [1996] VICSC 60; [1997] 2 VR 247 (2 October 1996).

13. This appears to have been the view taken of the unauthorised access offending in R v Assange (note 12 above), whose later activities with Wikileaks have not so far been the subject of Australian prosecutions: D Anton and G Urbas, ‘Why Julian Assange May Have a Case to Answer in Australia, Despite What the AFP Says’, ANU College of Law Research Paper no. 11-04, 1 January 2011.

14. M Calce and C Silverman, How I Cracked the Internet and Why It’s Still Broken, Penguin Group, Canada, 2008. Michael Calce (‘MafiaBoy’) was sentenced by a Montreal court as a youth to probation, restricted use of the Internet and a small fine.

15. R v Boden [2002] QCA 164 (10 May 2002), discussed further in Chapter 4.

16. Explanatory Report, Convention on Cybercrime at [53]–[54]; also discussed in J Clough, Principles of Cybercrime, note 7 above, pp 136–7.

17. The Commonwealth offences, as well as those found in the legislation of the Australian Capital Territory, New South Wales and Victoria, are largely based on the report of the Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Chapter 4 — Damage and Computer Offences and Amendments to Chapter 2: Jurisdiction, January 2001: ; see also S Bronitt and M Gani, ‘Shifting Boundaries of Cybercrime: From Computer Hacking to Cyberterrorism’ (2003) 27 Criminal Law Journal 303.

18. As noted above, Australian legislation generally uses the term ‘unauthorised’ rather than the stricter term ‘illegal’ as found in Arts 2 and 3 of the Convention on Cybercrime, though they arguably converge around the concept of ‘without right’, including without the consent of a computer’s owner.

19. Key terms are defined in Criminal Code Act 1995 (Cth) s 476.1 (Definitions) and s 476.2 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 478.3 (Possession or control of data with intent to commit a computer offence) and s 478.4 (Producing, supplying or obtaining data with intent to commit a computer offence), each punishable by imprisonment for three years. The broader offence in s 474.14 (Using a telecommunications network with intention to commit a serious offence) is discussed below at [2.23].

20. Key terms are defined in Criminal Code 2002 (ACT) s 412 (Definitions), s 413 (Limited meaning of access to data etc) and s 414 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 418 (Possession of data with intent to commit serious computer offence) and s 419 (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years or 300 penalty units or both.

21. Key terms are defined in Crimes Act 1900 (NSW) s 308 (General definitions), s 308A (Meaning of access to data, modification of data and impairment of electronic communication) and s 308B (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 308F (Possession of data with intent to commit serious computer offence) and s 308G (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years.

22. Key terms are defined in Criminal Code Act (NT) s 276 (Interpretation) and s 276A (Meaning of access to data, modification of data and impairment of electronic communication).

23. Key terms are defined in Criminal Law Consolidation Act 1935 (SA) s 86B (Interpretation) and s 86C (Meaning of access to or modification of data). Not listed is the related offence of s 86I (Possession of computer viruses etc with intent to commit serious computer offence), punishable by imprisonment for three years.

24. Key terms are defined in Criminal Code Act 1924 (Tas) s 257A (Interpretation).

25. Key terms are defined in Crimes Act 1958 (Vic) s 247A (Interpretation). Not listed are the related offences of s 247E (Possession of data with intent to commit serious computer offence) and s 247F (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years. Note Yardborough & Chesterman [2014] FCCA 446 (24 March 2014), rejecting an argument that the actions of a husband accessing his wife’s emails after she had given him her password contravened s 247G.

26. Part 10.7 — Computer offences of the Criminal Code Act 1995 (Cth) was added by the Cybercrime Act 2001 (Cth). The definition of ‘access’ in s 476.1 is supplemented by a definition of ‘access … in relation to material’ in s 473.1, which applies to Part 10.6 — Telecommunications services, discussed further in Chapters 8–10.

27. See the discussion of s 478.1 below at [2.30].

28. This provision is found in Division 477 — Serious computer offences. It has been substantially amended by the Cybercrime Legislation Amendment Act 2012 (Cth).

29. As originally enacted, s 477.1 contained two discrete offences: subs (1) where the unauthorised access, modification or impairment was caused by means of a ‘carriage service’ (thus providing the constitutional basis for a Commonwealth offence), coupled with an intention to commit or facilitate a serious Commonwealth, State or Territory offence by the access, modification or impairment; and subs (4) for unauthorised access, modification or impairment, however caused, coupled with an intention to commit or facilitate a serious Commonwealth offence by the access, modification or impairment (thus providing a different constitutional basis). The two were replaced with a single offence under the Cybercrime Legislation Amendment Act 2012 (Cth) amendments, which is why some subsection and paragraph numbers are missing, with the constitutional basis for s 477.1 now presumably being the ‘external affairs’ power because the latter Act was adopted to allow Australia to accede to the Council of Europe’s Convention on Cybercrime.

30. Criminal Code Act 1995 (Cth) s 4.1 lists physical elements (also known as actus reus) of an offence as ‘conduct’, ‘a result of conduct’, or a ‘circumstance in which conduct, or a result of conduct, occurs’.

31. Criminal Code Act 1995 (Cth) s 5.1 lists fault elements (also known as mens rea) for a physical element as ‘intention, knowledge, recklessness or negligence’; while s 5.6 provides that if no fault element is specified for a physical element of conduct then intention is the fault element, while if the physical element is a result or circumstance then recklessness is the fault element. This does not apply where strict or absolute liability is specified by the legislation creating the offence for any physical elements.

32. Criminal Code Act 1995 (Cth) s 5.2(3) states that ‘[a] person has intention with respect to a result if he or she means to bring it about or is aware that it will occur in the ordinary course of events’.

33. Australian Parliament’s 2010 report Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Appendix D — Commonwealth Computer Offences (House of Representatives Standing Committee on Communications, Commonwealth of Australia, Canberra, 2010) refers to s 477.1 with the sub-heading ‘Hacking, malware and denial of service attacks with intent to commit a serious offence’ and states: ‘The offence applies where the primary offence, for example of fraud or terrorism, carries a penalty of five years or more or life imprisonment’.

34. Remarkably few other cases involving s 477.1 have been reported, despite the fact that s 477.1 is cited as the main Commonwealth offence directed against hacking in the Australian Parliament’s 2010 report Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Appendix D — Commonwealth Computer Offences (note 33 above). Similarly, the Australian Federal Police (AFP) website on High Tech Crime refers to Pt 10.7 of the Criminal Code Act 1995 (Cth), containing s 477.1, but not the more recent Pt 10.6, which contains further telecommunications offences: .

35. A serious indictable offence is defined as an offence punishable by imprisonment for life or for five years or more, and includes an offence in any other jurisdiction that would be a serious indictable offence if committed in New South Wales: Crimes Act 1900 (NSW) ss 4(1) and 308C(3). Proceedings in which both s 477.1 of the Criminal Code Act 1995 (Cth) and s 308C of the Crimes Act 1900 (NSW) were considered were Denlay v Commissioner of Taxation [2010] FCA 1434 (17 December 2010); [2011] FCAFC 63 (11 May 2011). Cases involving s 308C include R v Bala [2004] NSWCCA 345 (5 October 2004), an appeal against sentences imposed for breaking, entering and stealing and receiving stolen property charges, where an accomplice working in an insurance company had accessed confidential client information including insured valuables and security details, and Butler v R [2012] NSWCCA 54 (5 April 2012) and CL v R [2014] NSWCCA 196 (29 September 2014), both involving unauthorised access with intent to commit the indictable offence of stealing (theft).

36. R v Tahiraj [2014] QCA 353 (19 December 2014). The defendant’s use of the remote access tool (RAT) known as ‘Poison Ivy’ is discussed at [8] and [51].

37. Arguments suggesting an unknown source of incriminating material found on a defendant’s computer include the ‘Trojan horse defence’: S W Brenner and B Carrier, ‘The Trojan Horse Defence in Cybercrime Cases’ (2004) 21 Santa Clara Computer and High Tech Law Journal 1; D Haagman and B Ghavalas, ‘Trojan Defence: A Forensic View’ (2005) 2(1) Digital Investigation 23.

38. Part 10.6 — Telecommunications services was added to the Criminal Code Act 1995 (Cth) by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004 (Cth) with effect from 1 March 2005. Its provisions were not affected by the Cybercrime Legislation Amendment Act 2012 (Cth).

39. Criminal Code Act 1995 (Cth) s 473.1 defines connected as ‘in relation to a telecommunications network, includes connection otherwise than by means of physical contact (for example, a connection by means of radiocommunication)’; while telecommunications network has the same meaning as in the Telecommunications Act 1997 (Cth).

40. Criminal Code Act 1995 (Cth) ss 5.6 and 6.2. Absolute liability excludes the defence of ‘mistake of fact’ under s 9.2 in relation to any physical element to which it applies. The Explanatory Memorandum to the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Bill (No. 2) 2004 (Cth) states: ‘If the prosecution was required to prove awareness on the part of the defendant that the offence was a serious offence against the Commonwealth, a State, a Territory or a foreign law, many defendants would be able to evade liability. A defendant would be able to do this by demonstrating that they did not turn their mind to the questions of whether the offence was a serious offence and in which particular jurisdiction the offence was a serious offence’.

41. This time the definition is found in a separate section, s 473.1, which further defines serious offence against a foreign law to mean ‘an offence against a law of a foreign country constituted by conduct that, if it had occurred in Australia, would have constituted a serious offence against a law of the Commonwealth, a State or a Territory’. This embodies a dual-criminality requirement, similar to that embodied in extradition under the Extradition Act 1988 (Cth): see G Urbas, ‘Cybercrime, Jurisdiction and Extradition: The Extended Reach of Cross-Border Law Enforcement’ (2012) 16(1) Journal of Internet Law 7.

42. Explanatory Memorandum, Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Bill (No. 2) 2004 (Cth), in relation to s 474.14.

43. Criminal Code Act 1995 (Cth) s 11.1 deals with attempt. However, there is nothing to indicate that other inchoate offences, such as incitement (s 11.4) or conspiracy (s 11.5), cannot apply to s 477.1.

44. J Clough, Principles of Cybercrime, note 7 above, pp 44–5. Note also that the Explanatory Memorandum to the Bill introducing s 474.14 described its intended scope as covering ‘a broad range of preparatory activities that make use of telecommunications, undertaken with the intention to commit, or facilitate the commission of, a serious offence’: G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008, p 23.

45. Explanatory Memorandum, note 42 above. Thus, s 474.14 arguably subsumes the s 477.1 offence, as noted by J Clough, Principles of Cybercrime, note 7 above, p 45, citing G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, note 44 above, at p 23.

46. R v Columbus [2007] QCA 396 (16 November 2007) was an application for leave to appeal against concurrent 15-month sentences, which was unsuccessful.

47. This is found in Division 478 — Other computer offences. The missing subs (2) is the result of amendments brought about by the Cybercrime Legislation Amendment Act 2012 (Cth).

48. Explanatory Memorandum, Cybercrime Bill 2001 (Cth). State and Territory counterparts to s 478.1 include Criminal Code 2002 (ACT) s 420, Crimes Act 1900 (NSW) s 308H and Crimes Act 1958 (Vic) s 247G.

49. See also the Victorian case of Yardborough & Chesterman [2014] FCCA 446 (24 March 2014). Section 308H of the Crimes Act 1900 (NSW) has also been considered in several cases involving unauthorised access to the NSW Police computer system (COPS): Johnston v Commissioner of Police [2007] NSWIRComm 73 (2 April 2007); [2007] NSWIRComm 293 (30 November 2007); Flanagan v Commissioner of Police [2008] NSWIRComm 11 (7 February 2008); Salter v Director of Public Prosecutions [2009] NSWCA 357 (4 November 2009); [2011] NSWCA 190 (14 July 2011); and Morgan v Commissioner of Police [2011] NSWCA 134 (30 May 2011).

50. The issue sometimes arises in family law and workers’ compensation cases: Molloy & McAdam [2008] FMCAfam 739 (11 July 2008); Abraham Seda Ghati v Sayan & Ors [2010] NSWWCCPD 74 (14 July 2010); Kawada & Kawada and Ors (No 2) [2011] FamCA 658 (20 July 2011); Russell & Russell [2012] FamCA 99 (7 March 2012).

51. For example, there is no legal exemption for journalists seeking access to information through interception: see N Sinclair, ‘Hacking by Australian Journos? A Risky Proposition’ (2011) 30(2) Communications Law Bulletin 7, which notes that conduct such as that attributed to the (now defunct) News of the World tabloid in the United Kingdom would likely contravene the Telecommunications (Interception and Access) Act 1979 (Cth) if it were engaged in by Australian journalists.

[page 47]

Chapter 3
Unauthorised Modification

Chapter contents
Convention on Cybercrime 3.9
Australian laws 3.13
Website defacement and spoofing 3.28
Questions for consideration

3.0 This chapter deals with unauthorised modification of computers and data, which is a form of intrusion that goes beyond mere unauthorised access and results in changes, usually in a destructive or otherwise unwelcome way, to the functioning of a computer or computer system, or to the data contained in a computer. This may be achieved directly through ‘hacking’ or through the creation of malicious software, known as ‘malware’, which when disseminated causes unauthorised modification. Programs of this kind include computer viruses and worms, adware and spyware, Trojan horses and other programs that surreptitiously change the contents or functioning of an infected computer; for example, by redirecting messages or copying data such as login identifiers and passwords.1

3.1 Malware comes in a great variety of forms and is always evolving, exhibiting greater sophistication, reach, difficulty of detection and eradication, and facilitating more serious criminal offending. The prevalence of malware is routinely tracked by computer security experts, and the effort to combat its more virulent strains is an ongoing challenge for technical experts and for law enforcement and national security agencies concerned with protecting sensitive information.2 As noted by Clough:3

[page 48] While traditionally used to cause unauthorised modification and impairment of data, malware is increasingly being used to access confidential information to facilitate fraud and other offences, so-called ‘blended threats’, for example, gaining access to confidential data and communications, creating false accounts, or obtaining false identification documents … Malware may be disseminated directly, for example by inserting an infected disk, or, more commonly, via the Internet or other computer network via executable files.

3.2 Malware can infect not only personal computers but also mobile devices such as smartphones.4 An overview of the most prevalent methods of distribution of malware with some well-known historic examples is the following (Table 3.1):

Table 3.1: Common malicious software distribution agents

| Agent | Method of distribution | Insertion method | Self-executing or not | Examples |
| --- | --- | --- | --- | --- |
| Hacking | Directed intrusion into a remote computer by a hacker | Direct transfer in course of hack | Manner of execution determined by hacker | |
| Virus | Self-replicating | Attaches to host program | Activation can execute commands to harm computer | Jerusalem (1987); Michelangelo (1992); Love Bug (2000); Nimda (2001) |
| Worm | Self-replicating and self-executing | Stand-alone | Can execute commands to harm computer | Morris (1988); Melissa (1999); Code Red (2001); Netsky (2004); Sasser (2004) |
| Trojan horse | Sometimes defined as unwanted or malicious software disguised as useful software | Hidden in a host program or inserted and hidden in the host computer | Can execute commands to harm computer; can take control of computer | AOL variants; Netbus (1998); Back Orifice (1998, 2000); Clagger (2006) |
| Blended threat | Combining more than one of the above techniques in concert | Self-inserting | Combined methods | Blaster (2003); Sobig (2003); SQL Slammer (2003) |

[page 49]

Source: ‘Malware: Viruses, Worms, Trojan Horses’, High Tech Crime Brief no. 10, Australian Institute of Criminology, 2006.

3.3 Code writers who create and disseminate malware may be subject to prosecution if identified.5 Those who use such programs for illicit purposes may also be subject to legal action.6 However, investigations are often difficult because many malware creators are either clever enough to be able to hide their tracks, or they may reside in jurisdictions that do not offer law enforcement co-operation with the countries where victims are located. For this reason, technical solutions such as antivirus protections, firewalls and regular security scans remain the most widely used responses to malware threats, with legal measures only infrequently used.7

3.4 A particularly insidious way in which unauthorised modification can be used by criminals is through the creation of a ‘botnet’, which is a collection of thousands or even millions of infected computers that can be remotely controlled in a co-ordinated way to perform illicit tasks:8

Malicious botnets are networks of ‘bots’, compromised hosts that are remotely controlled by a master host via one or more controller hosts. The master host is the computer used by the perpetrator and is used to issue commands that are relayed to the bots via the controllers. The controllers are often Internet Relay Chat (IRC) servers, which are normally used for relaying messages among client terminals. Controllers are often created from compromised hosts that perform a coordinating role for the botnet … Botnets are used for various purposes, most of them related to illegitimate activity. Some of their uses include launching distributed denial-of-service

[page 50] (DDoS) attacks, sending spam, trojan and phishing email, illegally distributing pirated media, serving phishing sites, performing click fraud, and stealing personal information, among others. They are also the sources of massive exploit activity as they recruit new vulnerable systems to expand their reach. Botnets have developed several techniques in their malware and infrastructure that make them robust to typical mitigation techniques. Due to their sheer volume, diverse capabilities, and robustness they pose a significant and growing threat to the Internet as well as enterprise networks.

3.5 The person who controls a botnet is called the ‘botmaster’. Some creators of botnets offer their services and products on a commercial basis, and a few have been prosecuted for their role in criminal botnet exploitation. The first reported conviction in the United States was in 2006, resulting in a sentence of 57 months in prison.9 The dismantling by law enforcement agencies of botnets with hundreds of thousands or even millions of infected computers has since been revealed.10

3.6 It should be noted that while every unauthorised modification of data involves some change to the way in which computers or computer systems operate, not every modification results in impairment. Some modifications may indeed be designed to be hidden, leaving unaffected the operation of a computer as experienced by its user. However, unauthorised modification can also have destructive consequences, such as the disabling of computer programs and the systems they support, including critical infrastructure. This subject is discussed in more detail in Chapter 4.

3.7 Early cases sought to deal with unauthorised modification of computer data by reference to more traditional crimes such as criminal damage. For example, an English court held in 1986 that the offence of causing criminal damage applied to the deletion of data from a computer-controlled machine, which rendered it unusable.11 In another case a few years later, the English Court of Appeal upheld the conviction of a defendant who had been found [page 51] guilty under s 1 of the Criminal Damage Act 1971 (UK) of causing criminal damage by gaining unauthorised access to a university computer system and altering data contained on computer disks in the system, causing the computers to fail for a time period:12

R v Whiteley (1991) 93 Cr App R 25

Lord Lane CJ: The evidence before the jury was that the disks are so constructed as to contain upon them thousands, if not millions, of magnetic particles. By issuing commands to the computer, impulses are produced which magnetise or demagnetise those particles in a particular way. By that means it is possible to write data or information on the disks and to program them to fulfil a variety of functions. By the same method it is possible to delete or alter data, information or instructions which have previously been written on to the disk …

What the Act requires to be proved is that tangible property has been damaged, not necessarily that the damage itself should be tangible. There can be no doubt that the magnetic particles upon the disks were part of the disks and if the appellant was proved to have intentionally and without lawful excuse altered the particles in such a way as to cause an impairment of the value or usefulness of the disk to the owner, there would be damage within the meaning of s 1. The fact that the alteration could only be perceived by operating the computer did not make the alterations any the less real, or the damage, if the alteration amounted to damage, any the less within the ambit of the Act …

Any alteration to the physical nature of the property concerned may amount to damage within the meaning of the section. Whether it does so or not will depend upon the effect that the alteration has had upon the legitimate operator (who for convenience may be referred to as the owner). If the hacker’s actions do not go beyond, for example, mere tinkering on an otherwise ‘empty’ disk, no damage would be established. Where, on the other hand, the interference with the disk amounts to an impairment of the value or usefulness of the disk to the owner, then the necessary damage is established …

[page 52] 3.8 It should also be noted that not every modification of computer data that could be described as ‘hacking’ is necessarily criminalised. For example, the ‘White Hats’ (discussed in Chapter 2) who are employed by corporations to conduct penetration testing do so with authorisation, and therefore are not acting unlawfully.

Convention on Cybercrime

3.9 The Council of Europe’s Convention on Cybercrime addresses unauthorised modification and impairment together in the following three articles, which deal with data interference, system interference and misuse of devices:13

Article 4 — Data interference

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppression of computer data without right.

2 A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.

Article 5 — System interference

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.

Article 6 — Misuse of devices

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

[page 53]

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

2 This article shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

3 Each Party may reserve the right not to apply paragraph 1 of this article, provided that the reservation does not concern the sale, distribution or otherwise making available of the items referred to in paragraph 1 a.ii of this article.

3.10 The explanatory notes to the Convention on Cybercrime provide further detail on what is meant to be covered by Art 4:14 The aim of this provision is to provide computer data and computer programs with protection similar to that enjoyed by corporeal objects against intentional infliction of damage. The protected legal interest here is the integrity and the proper functioning or use of stored computer data or computer programs.

In paragraph 1, ‘damaging’ and ‘deteriorating’ as overlapping acts relate in particular to a negative alteration of the integrity or of information content of data and programmes. ‘Deletion’ of data is the equivalent of the destruction of a corporeal thing. It destroys them and makes them unrecognisable. Suppressing of computer data means any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored. The term ‘alteration’ means the modification of existing data. The input of malicious codes, such as viruses and Trojan horses is, therefore, covered under this paragraph, as is the resulting modification of the data.

[page 54] 3.11 The Convention on Cybercrime does not explicitly mention either malware or botnets, which may be seen as a gap in its coverage.15 However, it does appear that the inclusion of computer programs within the scope of ‘device’ in Art 6 covers the creation of malware for the purposes of at least some unauthorised modification or impairment of computers, data and related systems. The explanatory notes provide further detail about Art 6:16 This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing the above-described offences against the confidentiality, the integrity and availability of computer systems or data. As the commission of these offences often requires the possession of means of access (‘hacker tools’) or other tools, there is a strong incentive to acquire them for criminal purposes which may then lead to the creation of a kind of black market in their production and distribution. To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences under Articles 2–5.

3.12 Governments and private companies share responsibility for prevention and control of high-tech crime (HTC) tools, which appear to be widely available:17 The proliferation of information and communications technologies (ICT) and connectivity of the internet opens the door to 24/7 fingertip access to most HTC tools. This is not surprising, considering the unsupervised and unregulated nature of the internet … Some of these tools (e.g. virus creation kits, phishing kits, distributed denial of service (DDoS) kits, email bombers, botnet management kits) can be used with minimal levels of expertise.

Australian laws

3.13 The main focus in what follows is on Commonwealth laws, with some reference also to State and Territory laws. The following table outlines the main unauthorised modification offences across Australian jurisdictions (Table 3.2).

[page 55]

Table 3.2: Commonwealth, State and Territory unauthorised modification offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
| --- | --- | --- | --- | --- |
| CTH18 | Criminal Code Act 1995 s 477.1 (Unauthorised access, modification or impairment with intent to commit a serious offence) | Causing any unauthorised modification of data held in a computer | Intention by that modification to commit or facilitate a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |
| CTH | Criminal Code Act 1995 s 477.2 (Unauthorised modification of data to cause impairment) | Causing any unauthorised modification of data held in a computer | Knowing the modification is unauthorised, being reckless as to whether this will impair access to, or reliability, security or operation of, such data | Imprisonment for 10 years |
| CTH | Criminal Code Act 1995 s 478.1 (Unauthorised access to, or modification of, restricted data) | Causing any unauthorised modification of restricted data | Intention to cause the modification, knowing it to be unauthorised | Imprisonment for two years |
| ACT19 | Criminal Code 2002 s 415 (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing unauthorised modification of data held in a computer | Intention to commit or enable a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |

[page 56]

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
| --- | --- | --- | --- | --- |
| ACT | Criminal Code 2002 s 416 (Unauthorised modification of data to cause impairment) | Causing unauthorised modification of data held in a computer | Knowing the modification is unauthorised, being reckless as to whether this will impair access to, or reliability, security or operation of, data | Imprisonment for 10 years or 1000 penalty units or both |
| ACT | Criminal Code 2002 s 420 (Unauthorised access to or modification of restricted data) | Causing unauthorised modification of restricted data held in a computer | Intention to cause the modification, knowing it to be unauthorised | Imprisonment for two years or 200 penalty units or both |
| NSW20 | Crimes Act 1900 s 308C (Unauthorised access, modification or impairment with intent to commit serious indictable offence) | Causing any unauthorised computer function (defined to include unauthorised modification) | Intention to commit or facilitate a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |
| NSW | Crimes Act 1900 s 308D (Unauthorised modification of data with intent to cause impairment) | Causing unauthorised modification of data held in a computer | Knowing the modification is unauthorised, intending by this to impair access to, or reliability, security or operation of, data, or being reckless as to any such impairment | Imprisonment for 10 years |

[page 57]

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
| --- | --- | --- | --- | --- |
| NSW | Crimes Act 1900 s 308H (Unauthorised access to or modification of restricted data held in computer) | Causing any unauthorised modification of restricted data held in a computer | Intention to cause the modification, knowing it to be unauthorised | Imprisonment for two years |
| NT21 | Criminal Code Act s 276C (Unlawful modification of data) | Unlawfully causing any modification of data held in a computer | Intent by the modification to impede access to, or adversely affect the reliability, security or operation of, data held in a computer | Imprisonment for 10 years |
| QLD | Criminal Code Act 1899 s 408E (Computer hacking and misuse) | Using a restricted computer without the consent of the computer’s controller | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years if damage or benefit is over $5000 |
| SA22 | Criminal Law Consolidation Act 1935 s 86E (Use of computer with intention to commit, or facilitate the commission of, an offence) | Using a computer to cause (directly or indirectly) unauthorised modification of computer data | Intention by that modification to commit or facilitate a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |

[page 58]

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
| --- | --- | --- | --- | --- |
| SA | Criminal Law Consolidation Act 1935 s 86F (Use of computer to commit, or facilitate the commission of, an offence outside the State) | Using a computer to cause (directly or indirectly) unauthorised modification of computer data | Intention by that modification to commit or facilitate a prohibited act in another jurisdiction, knowing the modification is unauthorised | As for the prohibited act (imprisonment for five years or more) |
| TAS23 | Criminal Code Act 1924 s 257C (Damaging computer data) | Unlawfully and intentionally destroying, damaging, erasing or altering data stored in a computer | Not specified | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 257E (Insertion of false information as data) | Dishonestly introducing into, or recording or storing in, a computer or computer system, false or misleading information | Not specified | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC24 | Crimes Act 1958 s 247B (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing any unauthorised computer function (defined to include unauthorised modification of data held in a computer) | Intention to commit or facilitate a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |

[page 59]

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
| --- | --- | --- | --- | --- |
| VIC | Crimes Act 1958 s 247C (Unauthorised modification of data to cause impairment) | Causing unauthorised modification of data held in a computer | Knowing the modification is unauthorised, intending by this to impair access to, or reliability, security or operation of, data, or being reckless as to any such impairment | Imprisonment for 10 years |
| VIC | Crimes Act 1958 s 247G (Unauthorised access to or modification of restricted data) | Causing any unauthorised modification of restricted data held in a computer | Intention to cause the modification, knowing it to be unauthorised | Imprisonment for two years |
| WA | Criminal Code Act Compilation Act 1913 s 440A (Unlawful use of computer) | Unlawfully using (defined to include operating) a restricted-access computer system | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years if damage or benefit is over $5000 |

Sources: Australasian Legal Information Institute (AustLII): ; State and Territory legislative databases.

3.14 At the Commonwealth level, unauthorised modification was included in the first computer crime laws added to the Crimes Act 1914 (Cth). These included s 76C, which criminalised interference with Commonwealth computers and data, including destroying, erasing or altering such data.25 The following case [page 60] prosecuted under these provisions, involving a Commonwealth Government employee, illustrates the kind of conduct covered by the offences:26

DPP (Cth) v Rogers [1998] VSC 274; [1998] VICSC 48 (20 April 1998) Ormiston JA: The offences were committed by the respondent during the course of, and as a consequence of, her employment with the Department of Social Security … During the eleven years she was employed with the department, she worked primarily in the family payments section at the Bendigo office. The offences were committed by her between 6 April 1995 and 9 July 1996. In that period of time, on 24 separate occasions, she either inserted data into the department’s computer or altered data in that computer in such a way as to effect fraud upon the Commonwealth for her benefit. The consequences of the offences, indeed, continued in one sense until January 1997, in that she continued to receive payments in consequence of the alteration or the insertion of data, constituting the last offence. The respondent used a total of twelve different names for this purpose, two of which were the names of actual recipients of benefits and the other ten of which were fictitious. She caused money to be paid into six separate bank accounts conducted one way or another by her. The total amount obtained in that way was $16,312. In effect, she was making false entries or altering entries into the computer at least once per month …

3.15 Those initial Commonwealth computer offences were updated and relocated to the Criminal Code Act 1995 (Cth) by the Cybercrime Act 2001 (Cth). Part 10.7 of the Criminal Code contains the following relevant definitions:

476.1 Definitions
(1) In this Part:
…
modification, in respect of data held in a computer, means:
(a) the alteration or removal of the data; or
(b) an addition to the data.
unauthorised access, modification or impairment has the meaning given in section 476.2.
[page 61]
(2) In this Part, a reference to:
(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer;
is limited to such access, modification or impairment caused, whether directly or indirectly, by the execution of a function of a computer.

476.2 Meaning of unauthorised access, modification or impairment
(1) In this Part:
(a) access to data held in a computer; or
(b) modification of data held in a computer; or
(c) the impairment of electronic communication to or from a computer; or
(d) the impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;
by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.
(2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.
(3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person’s conduct substantially contributes to it.
…

3.16 As can be seen, the above definitions capture the modification of computer data that is ‘caused, whether directly or indirectly, by the execution of a function of a computer’, which includes through the use of malware. It is also arguable that a creator of malware subsequently used by others could be said to have engaged in conduct which ‘substantially contributes’ to unauthorised modification, in virtue of s 476.2(3), thereby potentially attracting liability under substantive offences.

3.17 The main unauthorised modification offence added to the Criminal Code Act 1995 (Cth) by the Cybercrime Act 2001 (Cth) is:27 [page 62]

477.2 Unauthorised modification of data to cause impairment
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised modification of data held in a computer; and
(b) the person knows the modification is unauthorised; and
(c) the person is reckless as to whether the modification impairs or will impair:
(i) access to that or any other data held in any computer; or
(ii) the reliability, security or operation, of any such data.
Penalty: 10 years imprisonment.
(3) A person may be guilty of an offence against this section even if there is or will be no actual impairment to:
(a) access to data held in a computer; or
(b) the reliability, security or operation, of any such data.
(4) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section 477.3 (unauthorised impairment of electronic communication).

3.18 The fault element that attaches to causing unauthorised modification of data is recklessness, per s 5.6 of the Criminal Code Act 1995 (Cth), but the prosecution must prove that the defendant had actual knowledge that the modification was unauthorised, per s 477.2(1)(b). Recklessness also attaches to the potential impairment caused by the modification, per s 477.2(1)(c). While s 477.2(1) appears to be directed at unauthorised modification in order to cause impairment, it is not a requirement that any impairment actually be caused, as per subs (3).28

3.19 The s 477.2 offence extends both to hacking and to knowingly infecting computers with malware, with disregard to any impairment that may be caused.29 Impairment, however, need not be in the form of observable loss [page 63] of functionality. The offence also covers unauthorised modification which is designed to obtain covert access to information, thus impairing the ‘security’ of data, as illustrated by the following investigation and prosecution in Western Australia, reported in 2012:30

Case Study: Criminal investigation

In 2009, the Australian Federal Police [AFP] received information regarding the unauthorised modification of data at a Western Australian government department. The subsequent investigation revealed two males, who were contractors to the department, sharing information regarding the illegal access to the departmental computer operating system. The investigation revealed communications between the two males pertaining to the creation of malicious software and subsequent commands to hack network security controls in an attempt to crack a file and reveal the usernames and passwords of departmental staff. The AFP executed search warrants at both males’ addresses and seized a number of computers and associated media. Both males were subsequently charged with conspiracy to cause an unauthorised modification of data held in a computer, knowing the modification to be unauthorised, and being reckless as to whether the modification impaired the reliability, security or operation, of any such data and the modification is caused by means of a carriage service, contrary to section 11.5(1) and sub-section 477.2(1) of the Criminal Code Act 1995 (Cth). Upon appearing at Court, both males pleaded not-guilty to the above offence. Following a trial, they were both found guilty. One of the offenders was sentenced to 30 months imprisonment to be released after having served 10 months, and the other to 36 months to be released after having served 12 months, both to enter into a recognisance to be of good behaviour for a period of 20 and 24 months, respectively.

3.20 In subsequent appeal proceedings, the sentences imposed in the District Court on the two males were confirmed.31 The Western Australian Court of Appeal noted that the sentencing judge had correctly taken into account relevant factors, including the high level of criminality, the public interest in [page 64] protecting the integrity of computer systems, the high degree of premeditation and the abuse of trust involved.32

3.21 It has been suggested that acts such as ‘home-jacking’ may also contravene s 477.2 of the Criminal Code Act 1995 (Cth) or its State and Territory analogues:33

‘Home-jacking’ is the result of Web design techniques which allow the unauthorised substitution of the ‘home page’ so that when the user next launches their browser, instead of the user’s selected home page coming up on screen, the selected Web site appears. A digital file can also be inserted into the user’s computer so that the selected Web page appears in the ‘favourites’ list in the Web browser program. The unauthorised inserting of data may be a criminal offence under sections 477 (1) or (2) of the Cybercrime Act 2001 (Cth) or under section 308D of the Crimes Act 1900 (NSW). That is, provided there is no consent of the Web user so that the insertion of the data which changes the ‘home page’ or ‘favourites’ is clearly unauthorised, with the necessary intention or recklessness as to the impairment of the functioning of the Web user’s computer browser software. Some Web sites overtly ask the Web user if they wish to change their home page, if this option is selected the user is clearly consenting to the change. However with a covert change it can be argued that the unauthorised inserting of a digital file into the Web user’s computer is a criminal act.

3.22 However, it is doubtful that offences such as those under s 477.2 could extend to minor data modifications that occur in the course of ordinary computer usage, such as the use of ‘cookies’ to record connection to a webpage, as this is arguably neither unauthorised within the meaning of the legislative provisions nor done so as to impair data.34 Nor is the use of such devices likely to breach privacy legislation:35 Analytical information collected from cookies (e.g., the number of times a page was visited) will not be personal information under the Privacy Act unless an individual is reasonably identifiable …

[page 65] 3.23 The situation may be different for more intrusive forms of spyware.36 It will also be very different where serious impairment of public infrastructure is threatened through unauthorised access or modification.37

3.24 The s 478.1 offence in the Criminal Code Act 1995 (Cth) (discussed in Chapter 2) also applies in relation to unauthorised modification of restricted data, being data protected by an access control system:38

478.1 Unauthorised access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorised.
Penalty: 2 years imprisonment.
(3) In this section:
restricted data means data:
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer.

3.25 The Explanatory Memorandum to the Cybercrime Bill 2001 states:

This offence will apply to a person who hacks into a computer system protected by a password or other similar security measure in order to access personal or commercial information or alter that information. The offence will also cover an employee who breaks a password on his or her employer’s computer system in order to access the Internet or to access protected information.

[page 66] 3.26 The absence of any definition of ‘computer’ in the above Commonwealth, State and Territory legislation means that it may be applicable to dealings with mobile devices such as smartphones. The application of s 247C of the Crimes Act 1958 (Vic) to the deletion of photographs taken by a club patron who had recorded an incident on his mobile phone was considered in a 2011 Victorian case. The phone had been forcibly taken from the patron by a club bouncer and the photos deleted. While the magistrate accepted that the term ‘computer’ did extend to devices such as smartphones, he held that the bouncer’s conduct was properly the subject of a related robbery charge and dismissed the charges under s 247C:39 Recent technological developments in mobile phones have had the effect of turning them into mini computers. I understand this development has occurred in the last 5–6 years. It appears to me that when enacted in 2003, s 247C was directed to conventional computer hardware, being desktop and laptop computers. On reflection and on a literal interpretation of s 247C, it now appears that this provision also applies to the new technology incorporated into mobile phones.

3.27 The destruction of computer data by physical force, for example by smashing a mobile phone against a wall, is unlikely to be prosecuted as a computer crime. It is to be noted that provisions such as s 476.1 of the Criminal Code Act 1995 (Cth) limit the meaning of unauthorised access, modification and impairment to that ‘caused, whether directly or indirectly, by the execution of a function of a computer’. Even where such a limitation is not explicit in State or Territory legislation, it is arguably likely to be read into computer offence provisions so as to confine these to their reasonably intended scope of operation.40

Website defacement and spoofing

3.28 One of the more contentious forms of computer misconduct involving unauthorised modification of computer data is website defacement by hackers with a political or similar cause. The term ‘hacktivism’ has been adapted to describe this activity, which can range from mildly amusing through serious annoyance, and perhaps on to cyberterrorism (discussed further in Chapter 4):41 [page 67]

[H]acktivism refers to the marriage of hacking and activism. It covers operations that use hacking techniques against a target’s Internet site with the intent of disrupting normal operations but not causing serious damage. Examples are web sit-ins and virtual blockades, automated email bombs, web hacks, computer break-ins, and computer viruses and worms.

3.29 An early example of computer screen defacement, which has been attributed to Australian hackers though no charges were ever laid, was the 1989 attack against the National Aeronautics and Space Administration (NASA) in the United States. The first sign of the fact that NASA’s computers had been compromised came in the form of a visible defacement of its internal computer displays:42

Monday, 16 October 1989
NASA’s Goddard Space Flight Center, Greenbelt, Maryland

Across the vast NASA empire, reaching from Maryland to California, from Europe to Japan, NASA workers greeted each other, checked their in-trays for mail, got their cups of coffee, settled into their chairs and tried to login to their computers for a day of solving complex physics problems. But many of the computer systems were behaving very strangely.

From the moment staff logged in, it was clear that someone — or something — had taken over. Instead of the usual system’s official identification banner, they were startled to find the following message staring them in the face:

[page 68] Wanked? Most of the American computer system managers reading this new banner had never heard the word ‘wank’. Who would want to invade NASA’s computer systems? And who exactly were the Worms Against Nuclear Killers? Were they some loony fringe group? Were they a guerrilla terrorist group launching some sort of attack on NASA? And why ‘worms’? A worm was a strange choice of animal mascot for a revolutionary group. Worms were the bottom of the rung. As in ‘as lowly as a worm’. Who would choose a worm as a symbol of power? As for the nuclear killers, well, that was even stranger. The banner’s motto — ‘You talk of times of peace for all, and then prepare for war’ — just didn’t seem to apply to NASA. The agency didn’t make nuclear missiles, it sent people to the moon. It did have military payloads in some of its projects, but NASA didn’t rate very highly on the ‘nuclear killer’ scale next to other agencies of the US Government, such as the Department of Defense. So the question remained: why NASA? And that word, ‘WANKED’. It did not make sense. What did it mean when a system was ‘wanked’? It meant NASA had lost control over its computer systems. A NASA scientist logging in to an infected computer on that Monday got [deleted files] messages … exactly as if the scientist had instructed the computer to delete all the files herself. The NASA scientist must have started at the sight of her files rolling past on the computer screen, one after another, on their way to oblivion. Something was definitely wrong. She would have tried to stop the process, probably pressing the control key and the ‘c’ key at the same time. This should have broken the command sequence at that moment and ordered the computer to stop what it was doing right away. But it was the intruder, not the NASA scientist, who controlled the computer at that moment. And the intruder told the computer: ‘That command means nothing. Ignore it’. 
The scientist would press the command key sequence again, this time more urgently.

And again, over and over. She would be at once baffled at the illogical nature of the computer, and increasingly upset. Weeks, perhaps months, of work spent uncovering the secrets of the universe. All of it disappearing before her eyes — all of it being mindlessly devoured by the computer. The whole thing beyond her control. Going. Going. Gone.

3.30 The defacement of government and corporate websites by hacktivists, often also referred to as ‘cyber vandalism’, is nowadays a computer security problem to which most large organisations have to respond, through [page 69] either technological prevention measures or remediation and reputation management:43 Websites are not only defaced for political reasons, many defacers do it just for the thrill. For example, there are online contests in which hackers are awarded points for defacing the largest number of web sites in a specified amount of time. Corporations are also targeted more often than other sites on the Internet and they often seek to take measures to protect themselves from defacement or hacking in general. Web sites represent the image of a company or organisation and these are therefore especially vulnerable to defacement. Visitors may lose faith in sites that cannot promise security and will become wary of performing online transactions. After defacement, sites have to be shut down for repairs, sometimes for an extended period of time, causing expenses and loss of profit.

3.31 While motivations behind website defacement may not always be clear, in some circumstances there is an explicit political agenda or set of demands attached. This may be manifested through the addition of slogans or images in support of a political movement, a nation or a particular cause.44 In other cases, the website defacement may use pornographic images in support of a political aim, a striking example in the Australian context being the ‘Operation Titstorm’ attack:45

On 10 February 2010, an internet based group of protesters calling themselves ‘Anonymous’ launched a cyber-attack on the Australian Parliament House website. Aptly named ‘Operation Titstorm’, the attack was launched by the group to protest against the Rudd government’s plans to introduce a mandatory internet filter banning pornographic images of animated characters, small breasted women and female ejaculation. It brought down the website for three days by flooding it with network traffic — up to 7.5 million requests per second — and it bombarded parliamentary email addresses with pornographic material (ironically, of the very kind the government intends to ban). It also plastered a selection of this questionable material across the Prime Minister’s homepage.

3.32 Although it is not known whether anybody was ever prosecuted in relation to this attack, it clearly exemplifies the use of website defacement as a political tool. Whether this constitutes a form of legitimate protest or crosses the line into criminality or even cyberterrorism is a matter for debate. Australian anti-terrorism legislation indeed allows for a degree of non-violent protest and advocacy, which arguably includes some online protests. However, [page 70] where a website is defaced purely for ‘shock value’ or as an exercise in ‘trolling’, leniency is less forthcoming.46

3.33 Some Australian website attacks have attracted Australian Federal Police investigations and charges under the Criminal Code Act 1995 (Cth):47

Media Release: Two arrested for hacking websites

A long-term Australian Federal Police (AFP) investigation has resulted in the arrest of two men in two states allegedly involved in a campaign targeting Australian and international websites. The AFP will allege in court that the two men claimed to be members of the online issue motivated group ‘Anonymous’.

Since 2012, people who claim to be members of ‘Anonymous’ have targeted a number of Australian government and corporate networks. These attacks have resulted in theft of personal data, defacement of websites and Distributed Denial of Service (DDoS) attacks causing websites to drop offline.

National Manager High Tech Crime Operations Tim Morris said attacks such as these can have a serious impact on government and business services. ‘Hacking activities can affect everyone from small businesses right up to large government organisations,’ said Assistant Commissioner Morris. ‘These acts can cause serious disruption to government and business networks, which in turn can be catastrophic for people who rely on these networks to run their small business or administer their entitlements or personal finances. ‘The impairment or disruption of communications to or from computer networks is a criminal act and can have serious consequences; it is not harmless fun.’

AFP officers last night conducted search warrants at residential addresses in Penrith, NSW and Scarborough, WA. A number of computer hard drives and other equipment were seized during the warrants. It is anticipated that it will take several months to analyse these items due to the amount of information stored on them. [page 71] It will be alleged in court that these two men were known to each other online and targeted organisations, including a large internet service provider and web servers hosting Australian and Indonesian government websites.

A 40-year-old Scarborough (Western Australia) man was charged with:
aid the unauthorised modification of Melbourne IT Limited computer network located in Brisbane, Queensland to cause impairment, contrary to Section 477.2 of the Criminal Code Act 1995 pursuant to Section 11.2 of the Criminal Code Act 1995; and
unauthorised modification of Indonesian Government web servers, to cause impairment, contrary to Section 477.2 of the Criminal Code Act 1995.

An 18-year-old Penrith (New South Wales) man was charged with the following offences:
unauthorised modification of data to Netspeed ISP located in Canberra, ACT, to cause impairment, contrary to Section 477.2 of the Criminal Code Act 1995; and
unauthorised access to and modification of restricted data belonging to the ACT Long Service Leave Board, Canberra, ACT, contrary to Section 478.1 of the Criminal Code Act 1995.

3.34 A more subtle form of website manipulation is through ‘spoofing’, which involves the creation of fake websites that so closely resemble real ones as to trick users. The motivation is usually to obtain illegal access to identification or financial information, which can then be used to steal or defraud:48

People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank’s Web page. This belief might arise because the page has a familiar look, because the bank’s URL appears in the browser’s location line, or for some other reason … By ‘security-relevant decision’, we mean any decision a person makes that might lead to undesirable results such as a breach of privacy or unauthorized tampering with data. Deciding to divulge sensitive information, for example by typing in a password or account number, is one example of a security-relevant decision. Choosing to accept a downloaded document is a security-relevant decision, since in many cases a downloaded document is capable of containing malicious elements that harm the person receiving the document.

[page 72] Even the decision to accept the accuracy of information displayed by your computer can be security-relevant. For example, if you decide to buy a stock based on information you get from an online stock ticker, you are trusting that the information provided by the ticker is correct. If somebody could present you with incorrect stock prices, they might cause you to engage in a transaction that you would not have otherwise made, and this could cost you money.

3.35 More sophisticated forms of website spoofing disguise the URL of a fake website so that it is indistinguishable from that of a genuine one, or create false links by injecting data into a computer’s domain name system (DNS) resolver’s cache so that it directs search hits or stored links to an attacker’s website or computer (so-called ‘DNS spoofing’, ‘cache poisoning’ and ‘Man-In-The-Middle’ attacks).49 To the extent that this alters data in a victim’s computer, it is a form of unauthorised modification of data. The use of various computer-related techniques to commit fraud is discussed further in Chapter 5, and identity crimes are discussed in Chapter 6.

3.36 Finally, it should be noted that techniques such as ‘page-jacking’ and other forms of re-directing or manipulating search results may also lead to civil liability or enforcement action by regulators such as the Australian Competition and Consumer Commission (ACCC).50

[page 73]

Questions for consideration

1. In E Brunner et al, Critical Infrastructure Protection — Cybersecurity — Recent Strategies and Policies: An Analysis, CRN Reports, Center for Security Studies, ETH Zurich, 2009, the following gradation of cyber threats is offered (pp 16–17):

Rung 1 — activism — the normal, non-disruptive use of the Internet in support of a (political) agenda or cause

Rung 2 — hacktivism — the marriage of hacking and activism, including operations that use hacking techniques against a target’s internet site with the intention of disrupting normal operations

Rung 3 — cybercrime — includes theft of intellectual property, extortion based on the threat of Distributed Denial of Service … (DDoS) attacks, fraud based on identity theft, etc. The intention of the attacker is economically driven.

Rung 4 — cyber-terrorism — unlawful attacks against computers, networks and the information stored therein, to intimidate or coerce a government or its people in furtherance of political or social objectives. Such an attack should result in violence against persons or property, or at least cause enough harm to generate the requisite fear level to be considered cyber-terrorism.

Rung 5 — cyberwar — the use of computers to disrupt the activities of an enemy country, especially deliberate attacks on communication systems.

Does this approach adequately reflect the range and seriousness of cyber threats? Are there missing entries; for example, where does cyber espionage fit in?

2. Aside from legalities, does ‘hacktivism’ ever succeed in changing government policy? As noted by D E Denning, ‘Activism, Hacktivism and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy’ in J Arquilla and D Ronfeldt (eds), Networks and Netwars: The Future of Terrorism, Crime and Militancy, Rand Corporation, 2001, p 242:

With respect to hacktivism and cyberterrorism, those who engage in such activity are less likely to accomplish their … policy objectives than those who do not employ disruptive and destructive techniques. They may feel a sense of empowerment, because they can control government computers and get media attention, but that does not mean they will succeed in changing policy. The main effect is likely to be a strengthening of cyberdefense policies, both nationally and internationally, rather than accommodation to the demands of the actors.

Do you agree? Are there examples where website defacement or DDoS attacks have succeeded in bringing about desired or desirable policy changes?

3. Suppose that a teenage ‘script-kiddie’ creates some malware and releases it by attaching it to a link in a joke email sent initially to a few recipients, but which then replicates itself and spreads through email address books to infect millions of other computers. Some of these may be government or military networks, and the cost of cleaning up these systems runs to millions of dollars. If the malware creator is identified and is convicted under unauthorised modification laws, what would be an appropriate sentence?

1. See ‘Malware: Viruses, Worms, Trojan Horses’, High Tech Crime Brief no. 10, Australian Institute of Criminology, 2006; and ‘More Malware: Adware, Spyware, Spam and Spim’, High Tech Crime Brief no. 11, Australian Institute of Criminology, 2006. Technical details can be found at online security websites, such as Kaspersky Lab’s ‘Internet Security Threats’.

2. A Olguin, ‘The Increasing Prevalence and Complexity of Malware’, Cisco Blog, 26 August 2014; Symantec, Internet Security Threat Report (most recent 2014).

3. J Clough, Principles of Cybercrime, Cambridge University Press, 2010, p 32 (notes omitted).

4. Sophos, ‘When Malware Goes Mobile’.

5. The ‘Love Bug’ virus or worm emanating from the Philippines was discussed in Chapter 1. More successful prosecutions have followed, mainly in the United States: K Cesare, ‘Prosecuting Computer Virus Authors: The Need for an Adequate and Immediate International Solution’ (2001) 14 Transnational Law 135; E H Freeman, ‘Prosecution of Computer Virus Authors’ (2003) 12(1) Information Systems Security 5.

6. See, for example, Europol, ‘Users of Remote Access Trojans Arrested in EU Cybercrime Operation’, media release, 20 November 2014.

7. C Perrin, ‘There is No Legal Solution to Malware’, Tech Republic, IT Security, 29 April 2009.

8. A Karasaridis, B Rexroad and D Hoeflin, ‘Wide-Scale Botnet Detection and Characterization’, Proceedings of USENIX HotBots ’07 (2007), notes omitted.

9. Federal Bureau of Investigation (FBI), ‘The Case of the “Zombie King”; Hacker Sentenced for Hijacking Computers for Profit’, media release, 8 May 2006.

10. House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Commonwealth of Australia, Canberra, 2010 at [2.20]; see also Federal Bureau of Investigation (FBI), ‘International Botnet Involving More Than Two Million Computers Disabled’, media release, 13 April 2011; Europol, ‘Notorious Botnet Infecting 2 Million Computers Disrupted’, media release, 5 December 2013.

11. Cox v Riley [1986] 83 Cr App R 54. The defendant had deliberately erased a computer program from a plastic circuit card that operated a computerised saw used in making window-frame profiles. The damage made the saw inoperable. He argued that the property in question was not tangible and therefore could not be ‘damaged’. The Queen’s Bench Division judges held that erasing the computer program constituted damage, and that it cost the owner time, labour and expense to re-program the machine.

12. The jury in R v Whiteley (1991) 93 Cr App R 25 had acquitted the defendant on charges relating to criminal damage to the computers that had temporarily failed, but had convicted him on the basis of damage to the disks. Soon after the trial, but not affecting the appeal, the legislature passed the Computer Misuse Act 1990 (UK), which obviated the need to rely on criminal damage charges in such cases. The three main offences in the Act are s 1 (Unauthorised access to computer material), s 2 (Unauthorised access with intent to commit or facilitate commission of further offences) and s 3 (Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.), the last clearly extending to unauthorised modification of data causing impairment.

13. Council of Europe, Convention on Cybercrime. Articles 4, 5 and 6 appear in Chapter II — Measures to be taken at the national level, Section 1 — Substantive criminal law, Title 1 — Offences against the confidentiality, integrity and availability of computer data and systems.

14. Explanatory Report, Convention on Cybercrime at [60]–[61]; also discussed in J Clough, Principles of Cybercrime, note 3 above, p 101.

15. A Maurushat, ‘Australia’s Accession to the Cybercrime Convention: Is the Convention Still Relevant in Combating Cybercrime in the Era of Botnets and Obfuscation Crime Tools?’, University of New South Wales Legal Research Series, 2011.

16. Explanatory Report, Convention on Cybercrime at [71].

17. See ‘Acquiring High Tech Crime Tools’, High Tech Crime Brief no. 13, Australian Institute of Criminology, 2006.

18. Key terms are defined in Criminal Code Act 1995 (Cth) s 476.1 (Definitions) and s 476.2 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 478.3 (Possession or control of data with intent to commit a computer offence) and s 478.4 (Producing, supplying or obtaining data with intent to commit a computer offence), each punishable by imprisonment for three years. Part 10.6 of the Criminal Code Act 1995 (Cth) also contains a number of offences relating to modification of telecommunications device identifiers, as well as the broader s 474.14 (Using a telecommunications network with intention to commit a serious offence).

19. Key terms are defined in Criminal Code 2002 (ACT) s 412 (Definitions), s 413 (Limited meaning of access to data etc) and s 414 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 418 (Possession of data with intent to commit serious computer offence) and s 419 (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years or 300 penalty units or both.

20. Key terms are defined in Crimes Act 1900 (NSW) s 308 (General definitions), s 308A (Meaning of access to data, modification of data and impairment of electronic communication) and s 308B (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 308F (Possession of data with intent to commit serious computer offence) and s 308G (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years.

21. Key terms are defined in Criminal Code Act (NT) s 276 (Interpretation) and s 276A (Meaning of access to data, modification of data and impairment of electronic communication).

22. Key terms are defined in Criminal Law Consolidation Act 1935 (SA) s 86B (Interpretation) and s 86C (Meaning of access to or modification of data). Not listed is the related offence of s 86I (Possession of computer viruses etc with intent to commit serious computer offence), punishable by imprisonment for three years.

23. Key terms are defined in Criminal Code Act 1924 (Tas) s 257A (Interpretation).

24. Key terms are defined in Crimes Act 1958 (Vic) s 247A (Interpretation). Not listed are the related offences of s 247E (Possession of data with intent to commit serious computer offence) and s 247F (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years. Civil proceedings in which s 247G was considered in relation to alleged unauthorised modification of a company’s business directory are Websyte Corporation Pty Ltd v Alexander [2012] FCA 69 (13 February 2012); Websyte Corporation Pty Ltd v Alexander (No 2) [2012] FCA 562 (30 May 2012); see also the family law case of Yardborough & Chesterman [2014] FCCA 446 (24 March 2014), rejecting an argument that the actions of a husband accessing his wife’s emails after she had given him her password contravened s 247G.

25. Part VIA (Offences relating to computers) was added to the Crimes Act 1914 (Cth) by the Crimes Legislation Amendment Act 1989 (Cth). It comprised s 76A (Interpretation), s 76B (Intentionally and without authority obtaining access to data stored in a Commonwealth computer), s 76C (Intentionally and without authority destroying, erasing or altering data stored in a Commonwealth computer), s 76D (Intentionally and without authority obtaining access to data stored in a computer by means of a Commonwealth facility), s 76E (Intentionally and without authority destroying, erasing or altering data stored in a computer by means of a Commonwealth facility) and s 76F (Concurrent operation of State and Territory laws).

26. The defendant pleaded guilty to four counts of altering data stored in a Commonwealth computer without lawful authority or excuse and 20 counts of inserting data without lawful authority or excuse into a Commonwealth computer contrary to s 76C of the Crimes Act 1914 (Cth); this offence was in similar terms to the current unauthorised modification offence in s 477.1 of the Criminal Code Act 1995 (Cth). See also Gilmour v DPP (Cth) [1996] NSWSC 55 (1 April 1996).

27. This provision, found in Division 477 — Serious computer offences, has been amended by the Cybercrime Legislation Amendment Act 2012 (Cth), removing subs (2) which had provided a constitutional basis through reference to Commonwealth computers or data, and telecommunications networks. The amendments were made in the process of Australia’s accession to the Convention on Cybercrime, thus relying on the external affairs legislative power.

28. The Explanatory Memorandum to the Cybercrime Bill 2001 (Cth) introducing s 477.2 in its original form compared it with former s 76C of the Crimes Act 1914 (Cth), noting that that offence was ‘too broad and vague for a maximum 10-year penalty, as it extends to the harmless use of another person’s computer without that person’s permission. The mass expansion in the use of computers in the workplace and elsewhere that has occurred in the past decade means that the existing offence is even more problematic than when it was enacted’.

29. Australian Federal Police (AFP), ‘Two Arrested for Hacking Offences’, media release, 22 May 2014; House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Appendix D — Commonwealth Computer Offences, ‘Malware infections — Section 477.2’, Commonwealth of Australia, Canberra, 2010. See also K-K R Choo, ‘Zombies and Botnets’, Trends and Issues in Crime and Criminal Justice no. 333, Australian Institute of Criminology, March 2007.

30. CERT Australia, Cybercrime and Security Survey Report 2012 (released in 2013), p 33. The 2013 report (released in 2014) includes a similar case study of external malware infection of Australian business websites.

31. R v Larkin and Shee (unrep. District Court of WA, 2011); Larkin v The Queen [2012] WASCA 238 (23 November 2012).

32. Larkin v The Queen [2012] WASCA 238 (23 November 2012) at [77] per Buss JA, with Martin CJ and Newnes JA agreeing. Issues around sentencing of cybercrime offenders are considered in greater detail in Chapter 12.

33. M Averill, ‘The Spider’s Stratagem on the Web: Hunting and Collecting Web Users’ (2004) 5(1) Digital Technology Law Journal 1 at [19]–[20] (notes omitted). The technique is also known as ‘page-jacking’.

34. M Averill, ‘The Spider’s Stratagem on the Web: Hunting and Collecting Web Users’, note 33 above, at [39]–[41] discusses the use of cookies as a form of spyware, but notes that, under United States legislation such as the Spyware Control Act 2004 of Utah, cookies are excluded from the definition of spyware.

35. Office of the Australian Information Commissioner (OAIC), Australian Privacy Principles Guidelines, Canberra, 2014, at note 11.

36. Australian Institute of Criminology, ‘Hacking Offences’, High Tech Crime Brief no. 5, 2005.

37. A significant investigation into unauthorised modification offences allegedly committed against a major service provider linked to the National Broadband Network (NBN) was reported in 2011, with a NSW-based hacker using the nickname ‘Evil’ charged with one count of unauthorised access to, or modification of, data to cause impairment, and 48 counts of unauthorised access to, or modification of, restricted data: see B Packham, ‘NBN Hacker Posed Threat to Australia’s National Infrastructure, Police Will Allege’, The Australian, 27 July 2011. Later reports indicate a plea to several Criminal Code offences with a two-year sentence imposed in June 2012, with a 12-month non-parole period.

38. This provision is found in Division 477 — Serious computer offences. It has been amended by the Cybercrime Legislation Amendment Act 2012 (Cth), removing subs (2) which had provided a constitutional basis through reference to Commonwealth computers or data, and telecommunications networks. The head of power relied on is now presumably the external affairs power, because the amendments were made in the process of Australia’s accession to the Convention on Cybercrime.

39. DLC Russo v Bartlett, Sinadov and Traikovski, Victorian Magistrates’ Court at Melbourne (Criminal Division), 29 June 2011 at [66].

40. However, note that impairment of electronic communication under s 308E of the Crimes Act 1900 (NSW) may be caused by non-electronic means, such as by cutting cables to CCTV and security alarms in a building as part of a robbery: Hernandez v R [2013] NSWCCA 51 (1 March 2013).

41. D E Denning, ‘Activism, Hacktivism and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy’, in J Arquilla and D Ronfeldt (eds), Networks and Netwars: The Future of Terrorism, Crime and Militancy, Rand Corporation, 2001, p 241. The topic of cyberterrorism is discussed further in Chapter 4.

42. S Dreyfus and J Assange, Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Mandarin, 1997; re-published by William Heinemann, Random House, Sydney, 2011; see also the 2003 documentary, In the Realm of the Hackers, directed by Kevin Anderson. The line ‘You talk of times of peace for all, and then prepare for war’ was later identified by author Dreyfus as a lyric from a Midnight Oil song: S Dreyfus, ‘Computer Hackers: Juvenile Delinquents or International Saboteurs?’, paper presented at the Internet Crime conference, Melbourne, 16–17 February 1998, by the Australian Institute of Criminology.

43. R Nagpal, Evolution of Cyber Crimes, 1.10: ‘Web Defacement’, Asian School of Cyber Laws, 2008, pp 14–15; see also S Furnell, ‘Cybercrime: Vandalizing the Information Society’, (2003) 2722 Lecture Notes in Computer Science 8.

44. R Ghandi, A Sharma, W Mahoney, W Sousan, Q Zhu and P Laplante, ‘Dimensions of Cyber-Attacks: Social, Political, Economic and Cultural’ (2011) IEEE Technology and Society Magazine 28.

45. K Hardy, ‘Operation Titstorm: Hacktivism or Cyber-Terrorism?’ (2010) 33(2) University of New South Wales Law Journal 474.

46. As illustrated by the case of R v Hampson [2011] QCA 132 (21 June 2011), discussed in Chapter 10.

47. Australian Federal Police (AFP), ‘Two Arrested for Hacking Offences’, media release, 22 May 2014. The release notes that the two charged were to appear before the Perth Magistrates Court and the Sydney Local Court, respectively. Previous hacking arrests reported by the AFP include ‘AFP Arrests First “Lulzsec” Hacker’, media release, 24 April 2013 and ‘AFP Arrests Cowra Man After Landmark Hacking Investigation’, media release, 27 July 2011.

48. E W Felton, D Balfanz, D Dean and D S Wallach, ‘Web Spoofing: An Internet Con Game’ (1997) Technical Report 540-96, Princeton University, New Jersey.

49. S Son and V Shmatikov, ‘The Hitchhiker’s Guide to DNS Cache Poisoning’ in S Jajodia and J Zhou (eds), Security and Privacy in Communication Networks, Proceedings of the 6th International ICST Conference, Singapore, 7–9 September 2010, Springer, 2010.

50. M Averill, ‘The Spider’s Stratagem on the Web: Hunting and Collecting Web Users’, note 33 above, at [12]–[16] discusses a joint Federal Trade Commission (FTC) and Australian Competition and Consumer Commission (ACCC) action against persons engaged in page-jacking that re-directed browsers to pornographic sites.

[page 75]

Chapter 4 Unauthorised Impairment

Chapter contents

Convention on Cybercrime 4.4
Australian laws 4.6
Cyberterrorism 4.17
Cyber espionage and cyberwar 4.30
Questions for consideration

4.0 This chapter deals with unauthorised impairment of computers, data and electronic communications as an extension of unauthorised access and modification (discussed in Chapters 2 and 3). Interference with computers and their data can result in impaired functioning, which may extend to computer-supported services such as the Internet, telephone networks and other forms of electronic communication. Such impairment may be the result of a singular, well-targeted hacking attack; a consequence of a malware infection; or might be produced by the use of a botnet (discussed in Chapter 3). One of the well-known criminal uses of a botnet is:1 … launching ‘distributed denial of service’ (DDoS) attacks (a method by which botnets flood a computer system with information thus damaging or shutting down the system).

4.1 Botnets have been evolving in size and sophistication since they were first identified by computer security specialists nearly two decades ago.2 Their use in denial of service (DoS) and particularly in distributed denial of service (DDoS) attacks has evolved to become a significant threat to businesses and their customers.3 As observed in a recent worldwide report:4 [page 76]

DDoS attacks against customers remain the number one operational threat to service providers. Attacks against infrastructure continue to grow in prominence … End-user subscribers and e-commerce organizations are the most commonly targeted DDoS attack victims, with government in the third spot.

4.2 Some DDoS attacks target governments more directly. A striking Australian example is the ‘Operation Titstorm’ attack in protest at the (then) government’s consideration of Internet filter policies (discussed in Chapter 3). Not only did this attack deface government websites and flood parliamentary email addresses with pornography, but it also brought down the Australian Parliament website with a flood of network traffic of up to 7.5 million requests per second.5

4.3 A case involving a New Zealand teenager who created a highly sophisticated botnet illustrates how these can both covertly modify the functioning of the computers they infect and impair the ultimate target of the attack:

R v Walker [2008] NZHC 1114 (15 July 2008) at [4]–[7]

Potter J: The offending covers the period 30 January 2006 to 28 November 2007 when Mr Walker was aged 16 to 18 years. That is a period of almost two years. Mr Walker developed and used software that enabled him to remotely control infected computers. Collectively, the infected computers formed a robot network, commonly referred to as a bot net. Mr Walker installed his bot code on tens of thousands of computers. He developed his code so that it could protect itself from discovery, spread automatically and identify and destroy rival bot codes. The code automatically disabled any antivirus software on an infected computer and prevented software from being updated, but in such a way that the computer owner believed the antivirus software he or she had on his or her computer was still working and was successfully installing updates. Another bot code allowed Mr Walker to operate through other computers as a proxy, making it harder for his activity to be traced back to him. Mr Walker’s code is considered by international cybercrime investigators to be amongst the most advanced bot programming encountered. [page 77] Mr Walker’s development and use of the code led to the two charges of accessing computer systems without authorisation. The ways in which Mr Walker used his bot code then led to the other charges of … [d]amaging or interfering with a computer system. This resulted in a DDoS (Distributed Denial of Service) attack on the University of Pennsylvania computer system.

Convention on Cybercrime

4.4 As noted in Chapter 3, the Council of Europe’s Convention on Cybercrime addresses unauthorised modification and impairment together in Arts 4–6, dealing with data interference, system interference and misuse of devices.6 The explanatory notes provide further detail on what is meant to be covered by the term ‘system interference’ in Art 5:7

This is referred to … as computer sabotage. The provision aims at criminalising the intentional hindering of the lawful use of computer systems including telecommunications facilities by using or influencing computer data. The protected legal interest is the interest of operators and users of computer or telecommunication systems being able to have them function properly. The text is formulated in a neutral way so that all kinds of functions can be protected by it. The term ‘hindering’ refers to actions that interfere with the proper functioning of the computer system. Such hindering must take place by inputting, transmitting, damaging, deleting, altering or suppressing computer data. The hindering must furthermore be ‘serious’ in order to give rise to criminal sanction.

4.5 It should be noted that the threat of ‘computer sabotage’ in this sense is not only to those computer systems directly affected but also to critical infrastructure, such as transport, communications and financial services, that depends on them. In extreme cases, the safety of populations may be put at risk. When computer sabotage is conducted with a political motivation, it may approximate a terrorist or even a military attack. [page 78]

Australian laws

4.6 Unauthorised impairment of electronic communications is dealt with under Commonwealth, State and Territory laws. The following table outlines the main unauthorised impairment offences across all Australian jurisdictions (Table 4.1).

Table 4.1: Commonwealth, State and Territory unauthorised impairment offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
|---|---|---|---|---|
| CTH8 | Criminal Code Act 1995 s 477.1 (Unauthorised access, modification or impairment with intent to commit a serious offence) | Causing any unauthorised impairment of electronic communication to or from a computer | Intention by that modification to commit or facilitate a serious offence, knowing the modification is unauthorised | As for the serious offence (imprisonment for five years or more) |
| CTH8 | Criminal Code Act 1995 s 477.3 (Unauthorised impairment of electronic communication) | Causing any unauthorised impairment of electronic communication to or from a computer | Knowing the impairment is unauthorised | Imprisonment for 10 years |
| CTH8 | Criminal Code Act 1995 s 478.2 (Unauthorised impairment of data held on a computer disk etc.) | Causing any unauthorised impairment of the reliability, security or operation of data held on a computer disk, etc | Intention to cause the impairment, knowing it to be unauthorised | Imprisonment for two years |
| ACT9 | Criminal Code 2002 s 415 (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing unauthorised impairment of electronic communication to or from a computer | Intention to commit or enable a serious offence, knowing the impairment is unauthorised | As for the serious offence (imprisonment for five years or more) |
| ACT9 | Criminal Code 2002 s 417 (Unauthorised impairment of electronic communication) | Causing unauthorised impairment of electronic communication to or from a computer | Knowing the impairment is unauthorised, intending or being reckless as to whether this will impair access to, or reliability, security or operation of, data | Imprisonment for 10 years or 1000 penalty units or both |
| ACT9 | Criminal Code 2002 s 421 (Unauthorised impairment of data held on a computer disc, credit card etc) | Causing unauthorised impairment of the reliability, security or operation of data held on a computer disc, etc | Intention to cause the impairment, knowing it to be unauthorised | Imprisonment for two years or 200 penalty units or both |
| NSW10 | Crimes Act 1900 s 308C (Unauthorised access, modification or impairment with intent to commit serious indictable offence) | Causing any unauthorised computer function (defined to include unauthorised impairment of electronic communication to or from any computer) | Intention to commit or facilitate a serious offence, knowing the impairment is unauthorised | As for the serious offence (imprisonment for five years or more) |
| NSW10 | Crimes Act 1900 s 308E (Unauthorised impairment of electronic communication) | Causing unauthorised impairment of electronic communication to or from any computer | Knowing the impairment is unauthorised, intending to impair electronic communication to or from the computer, or being reckless as to such impairment | Imprisonment for 10 years |
| NSW10 | Crimes Act 1900 s 308I (Unauthorised impairment of data held in computer disk, credit card or other device) | Causing any unauthorised impairment of the reliability, security or operation of data held on a computer disk, etc | Intention to cause the impairment, knowing it to be unauthorised | Imprisonment for two years |
| NT11 | Criminal Code Act s 276D (Unlawful impairment of electronic communication) | Unlawfully causing impairment of electronic communication to or from a computer | Intent to impair electronic communication | Imprisonment for 10 years |
| QLD | Criminal Code Act 1899 s 408E (Computer hacking and misuse) | Using a restricted computer without the consent of the computer’s controller | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years where value is over $5000 |
| SA12 | Criminal Law Consolidation Act 1935 s 86E (Use of computer with intention to commit, or facilitate the commission of, an offence) | Using a computer to cause (directly or indirectly) unauthorised impairment of electronic communication | Intention by that impairment to commit or facilitate a serious offence, knowing the impairment is unauthorised | As for the serious offence (imprisonment for five years or more) |
| SA12 | Criminal Law Consolidation Act 1935 s 86F (Use of computer to commit, or facilitate the commission of, an offence outside the State) | Using a computer to cause (directly or indirectly) unauthorised impairment of electronic communication | Intention by that impairment to commit or facilitate a prohibited act in another jurisdiction, knowing the impairment is unauthorised | As for the prohibited act (imprisonment for five years or more) |
| TAS13 | Criminal Code Act 1924 s 257C (Damaging computer data) | Unlawfully and intentionally interfering with, interrupting or obstructing lawful use of a computer or computer system or data | Not specified | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC14 | Crimes Act 1958 s 247B (Unauthorised access, modification or impairment with intent to commit serious offence) | Causing any unauthorised computer function (defined to include unauthorised impairment of electronic communication to or from a computer) | Intention to commit or facilitate a serious offence, knowing the impairment is unauthorised | As for the serious offence (imprisonment for five years or more) |
| VIC14 | Crimes Act 1958 s 247D (Unauthorised impairment of electronic communication) | Causing unauthorised impairment of electronic communication to or from any computer | Knowing the impairment is unauthorised, intending to impair communication to or from the computer, or being reckless as to any such impairment | Imprisonment for 10 years |
| VIC14 | Crimes Act 1958 s 247H (Unauthorised impairment of data held in computer disk, credit card or other device) | Causing any unauthorised impairment of the reliability, security or operation of data held on a computer disk, etc | Intention to cause the impairment, knowing it to be unauthorised | Imprisonment for two years |
| WA | Criminal Code Act Compilation Act 1913 s 440A (Unlawful use of computer) | Unlawfully using (defined to include operating) a restricted-access computer system | Not specified | Imprisonment for two years; five years if causing damage or obtaining a benefit; 10 years where value is over $5000 |

Sources: Australasian Legal Information Institute (AustLII); State and Territory legislative databases.

4.7 As seen in Chapters 2 and 3 in relation to unauthorised access and modification offences, the Criminal Code Act 1995 (Cth) contains the following definitions which are relevant also to impairment:15

476.1 Definitions

(1) In this Part:
…
impairment of electronic communication to or from a computer includes:
  (a) the prevention of any such communication; or
  (b) the impairment of any such communication on an electronic link or network used by the computer;
but does not include a mere interception of any such communication.
…
unauthorised access, modification or impairment has the meaning given in section 476.2.

(2) In this Part, a reference to:
  (a) access to data held in a computer; or
  (b) modification of data held in a computer; or
  (c) the impairment of electronic communication to or from a computer;
is limited to such access, modification or impairment caused, whether directly or indirectly, by the execution of a function of a computer.

476.2 Meaning of unauthorised access, modification or impairment

(1) In this Part:
  (a) access to data held in a computer; or
  (b) modification of data held in a computer; or
  (c) the impairment of electronic communication to or from a computer; or
  (d) the impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means;
by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.

(2) Any such access, modification or impairment caused by the person is not unauthorised merely because he or she has an ulterior purpose for causing it.

(3) For the purposes of an offence under this Part, a person causes any such unauthorised access, modification or impairment if the person’s conduct substantially contributes to it.
…

4.8 The offence in s 477.1 of unauthorised access, modification or impairment with intent to commit a serious offence was discussed in Chapters 2 and 3. In its application to impairment, it criminalises acts done by a person that cause ‘any unauthorised impairment of electronic communication to or from a computer’ where the person knows the impairment is unauthorised and ‘intends to commit, or facilitate the commission of, a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person) by the … impairment’.16

4.9 The other main unauthorised impairment offence added by the Cybercrime Act 2001 (Cth) is s 477.3:17

477.3 Unauthorised impairment of electronic communication

(1) A person is guilty of an offence if:
  (a) the person causes any unauthorised impairment of electronic communication to or from a computer; and
  (b) the person knows that the impairment is unauthorised.
Penalty: 10 years imprisonment.
…
(3) A conviction for an offence against this section is an alternative verdict to a charge for an offence against section 477.2 (unauthorised modification of data to cause impairment).

4.10 In s 477.3, the physical element of causing unauthorised impairment of electronic communication to or from a computer has no associated fault element, so, under s 5.6 of the Criminal Code Act 1995 (Cth), recklessness is the fault element required to be proved for this result. Under subs (1)(b), knowledge is specified as the fault element for the circumstance of lack of authorisation, so s 5.6 does not apply.

4.11 There is also a second impairment offence, relating to impairment of data held on a disk, credit card or other electronic storage device. Impairment in this provision relates to the reliability, security or operation of such data.18

478.2 Unauthorised impairment of data held on a computer disk etc.

A person is guilty of an offence if:
  (a) the person causes any unauthorised impairment of the reliability, security or operation of data held on:
    (i) a computer disk; or
    (ii) a credit card; or
    (iii) another device used to store data by electronic means; and
  (b) the person intends to cause the impairment; and
  (c) the person knows that the impairment is unauthorised.
Penalty: 2 years imprisonment.

4.12 Two related offences are s 478.3, which criminalises possession or control of data with intent to commit or facilitate a Div 477 computer offence, and s 478.4, which criminalises producing, supplying or obtaining data with intent to commit a Div 477 computer offence, both punishable by imprisonment for three years.19

4.13 An interesting question is whether the unauthorised use of another person’s wireless network, widely known as ‘piggy-backing’, might amount to unauthorised impairment.20 Though this might result in some diminution of bandwidth to the rightful user of the network, it is unlikely that this would usually be enough to impair its use:21

Furthermore, s 477.3 is unlikely to result in a satisfactory claim given an actual impairment to the electronic communication (bandwidth). The reason why it would be difficult to successfully establish such a case is because in most instances of piggybacking there is no real loss or change to the usage or access to the Internet. The definition of impairment specifically excludes a mere interception, which is often what piggybacking would be characterised as, particularly if it is conducted by individuals who are only using it for basic browsing and checking of emails …

For unsecured wireless networks it would be difficult to establish s 478.1 due to the requirement of access to restricted data. The unauthorised access can easily be proven simply by the action of piggybacking; however, this is unlikely to be a contravention if there are no security measures in place to protect the data and bring it within the definition of restricted data. Similarly it would be difficult to prosecute under s 478.3 if an individual is merely accessing an unsecured wireless network for personal browsing. Rather it is essential that the purpose for which the unsecured wireless network is accessed is for the individual to obtain data or other information which can then be used to facilitate the commission of a serious computer offence under Division 477.

4.14 The scope of the above offences is generally limited to impairment caused through the execution of computer functions, rather than through purely physical damage to communications facilities.22 Nonetheless, the impairment of important systems that depend on computers and telecommunications for their operation, known as ‘critical infrastructure’, poses real risks to society:23

Australia’s critical infrastructure refers to the physical facilities, supply chains, IT and communication networks that we rely on in our daily lives. It includes things like power, water, health facilities, communications systems and banking. If these things were disrupted or destroyed for an extended period, it would significantly impact on our social and economic wellbeing or could affect our ability to conduct national defence and ensure national security.

4.15 The vulnerability of critical infrastructure to cyber-attacks is recognised at all governmental levels, with responses requiring the cooperation of the private sector:24

Attacks on critical computer systems in both the government and private sector are being contemplated as an alternative way of conducting warfare and a means by which criminals, terrorist groups and hostile intelligence services could damage Australia’s national interests. For example, malicious activities against ICT systems have caused the disruption of electric power systems in multiple regions overseas, including a case that resulted in a major multi-city power outage. Some recent DDoS attacks have resulted in the degradation and complete disruption of online services in Australia, impacting systems that are critical to Australia’s national interest, such as the financial sector. Such attacks are inexpensive to conduct, potentially hugely destructive and can be instigated from almost anywhere in the world.

There is a growing array of state and non-state actors who are compromising, stealing, changing or destroying information and therefore potentially causing critical disruptions to Australian systems. The distinction between traditional threat actors — hackers, terrorists, organised criminal networks, industrial spies and foreign intelligence services — increasingly appears to be blurring. With the borderless, anonymous nature of the Internet, attribution of the source of attacks is difficult.

The speed of technological change associated with next generation networks is challenging traditional notions of what constitutes computer networks and how we should secure them. This includes the combination of increased bandwidth; convergent voice, data, video networks; mobile wireless devices; embedded processors and sensors; social networking and other Web 2.0 applications; and Internet based networks (cloud computing).

Source: Australian Government, Cyber Security Strategy, 2009.

4.16 The reference in the Australian Government’s Cyber Security Strategy to ‘terrorist groups and hostile intelligence services’ raises the contentious topics of cyberterrorism, cyber espionage and cyberwar. These are considered below.

Cyberterrorism

4.17 There is no universally accepted definition of ‘cyberterrorism’ (alternative spellings are ‘cyber terrorism’ and ‘cyber-terrorism’) or much agreement as to how much of a real risk it poses. Grabosky and Stohl (2003) note that:25

Few terms in contemporary conventional discourse are used as loosely as ‘cyber’ and ‘terrorism’. Not surprisingly, their use together is hardly a guarantor of conceptual rigour. To some, the term ‘cyber’ is synonymous with digital technology generally. This is increasingly unhelpful given the pervasiveness of digital technology in contemporary society. As kitchen appliances increasingly become ‘wired’, almost everything will be digital. For present purposes, let us use the term cyber to refer to those technologies commonly referred to as the internet and the world wide web.

The term terrorism has been grossly abused, and means many things to many people. To some, it has almost become synonymous with anything evil. Since the Cold War, the adage ‘one person’s terrorist is another’s freedom fighter’ has become hackneyed. The term terror was first used to describe the systematic use of violence and the guillotine by the Jacobin and Thermidorean regimes in France; that is, as an instrument of state control. Subsequent use of terror was discussed as an element of totalitarian dictatorships of the left and right. The systematic use of violence by non-state actors over the past two centuries has led to a broadening of the term. Today, the term is used to refer to an act or threat of violence to create fear and/or compliant conduct in a victim or wider audience for the purpose of achieving political ends.

4.18 Despite this, the term ‘cyberterrorism’ has become widely adopted in cybersecurity discussions, with an oft-cited explanation being that of Professor Denning in a United States Congress hearing in 2000:26

Cyberterrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.

4.19 There is considerable complexity in distinguishing between the risks posed by physical attacks on critical infrastructure and those posed by cyber-based attacks, and indeed in sorting these from seemingly everyday failures of complex infrastructure, such as power and water outages, often due to natural causes:27

Comparing aerial and cyber attacks on hydroelectric dams helps provide a measure for cyberthreats. Early in World War II, the Royal Air Force mounted a daring attack on dams in the Ruhr, a chief source of electrical power for German industry. The raid was a success, the dams breached by bombs and, for a period of time, the electrical supply in the region was disrupted. A comparable cyber attack occurred when a young hacker reportedly gained access to the computer controls for a dam in the U.S. Southwest, but did not disrupt service or cause physical damage. In neither attack was the damage or the reduction in electrical power paralyzing. Of the two, the cyber attack was less effective in that it caused no physical damage and could be classed more as an annoyance than a threat. The aerial attack resulted in physical damage that needed to be repaired. The only advantage of a cyber attack is that it is less expensive — a teen-ager and a desktop computer rather than valuable aircrews and expensive aircraft.

Many analyses have cyber-terrorists shutting down the electrical power system … The U.S. electrical power grid is a desirable target, but it is a network of multiple, redundant systems that are used to routine system failure and disruption … A hacker or even a large group of hackers would need to find vulnerabilities in multiple systems to significantly disrupt the power supply and even then, an attack might only disrupt service for a few hours.

4.20 Among security experts, there is considerable disagreement about how real the risk of cyberterrorism is, and therefore what kind and level of response is justified. The following is a fairly typical example of a sceptical attitude:28

While governments and the media repeatedly distribute information about cyber-threats, real cyber-attacks resulting in deaths and injuries remain largely the stuff of Hollywood movies or conspiracy theory. In fact, menacing scenarios of major disruptive occurrences in the cyberdomain, triggered by malicious actors, have remained just that — scenarios.

4.21 Nonetheless, governments remain concerned about the threats. The Australian Government’s Cyber Security Strategy warns:29

There is a growing array of state and non-state actors who are compromising, stealing, changing or destroying information and therefore potentially causing critical disruptions to Australian systems. The distinction between traditional threat actors — hackers, terrorists, organised criminal networks, industrial spies and foreign intelligence services — increasingly appears to be blurring. With the borderless, anonymous nature of the Internet, attribution of the source of attacks is difficult.

4.22 A Queensland case routinely cited to illustrate the risk of attacks against critical infrastructure is that of a disgruntled engineer, who was convicted of hacking into a Queensland sewerage system, causing thousands of litres of raw sewage to be discharged into local waterways.30 His appeal against the convictions was heard in the Queensland Court of Appeal in 2002:

R v Boden [2002] QCA 164 (10 May 2002) at [2], [5]–[8], [12]–[15]

Muir J: After a trial in the District Court the appellant, who appeals against conviction and seeks leave to appeal against sentence, was convicted of — 26 counts of using a restricted computer without the consent of its controller thereby intending to cause detriment or damage; 1 count of using a restricted computer without the consent of its controller intending to cause detriment or damage and causing detriment greater than $5,000; 1 count of wilfully and unlawfully causing serious environmental harm; and 1 count of stealing a two-way radio and 1 count of stealing a PDS Compact 500 computer.

The Crown case on the computer hacking offences was that between 9 February 2000 and 23 April 2000 the appellant accessed computers controlling the Maroochy Shire Council’s sewerage system, altering electronic data in respect of particular sewerage pumping stations and causing malfunctions in their operations.

The evidence revealed that the Council’s sewerage system had about 150 stations pumping sewerage to treatment plants. Each pumping station had installed a PDS Compact 500 computer capable of receiving instructions from a central control centre, transmitting alarm signals and other data to the central computer and providing messages to stop and start the pumps at the pumping station. Communications between pumping stations and between a pumping station and the central computer were by means of a private two-way radio system operating through repeater stations at Buderim, Nambour and Mount Coolum. Each repeater station transmitted on a different frequency.

Hunter Watertech Pty Ltd installed the computerised system over a period of about two and a half years. By mid-January 2000 the installation work had been completed but the system still had some teething problems receiving attention. The appellant, an engineer, had been employed by Hunter Watertech as its site supervisor on the project for about two years until resigning with effect from 3 December 1999. At about the time of his resignation he approached the Council seeking employment. He was told to enquire again at a later date. He made another approach to the Council for employment in January 2000 and was told that he would not be employed.

The sewerage system then experienced a spate of faults. Pumps were not running when they should have been, alarms were not reporting to the central computer and there was a loss of communication between the central computer and various pumping stations. An employee of Hunter Watertech, Mr Yager, was appointed to look into the problem. He began monitoring and recording all signals, messages and also traffic on the radio network. As a result of his investigations he concluded that many of the problems being experienced with the system resulted from human intervention rather than equipment failure. His opinion was shared by other technical experts who gave evidence. Further, the evidence revealed that the problems associated with the alleged hacking ceased when the appellant was arrested …

On 23 April 2000 an intruder, by means of electronic messages, disabled alarms at four pumping stations using the identification of pumping station 4. The intrusions began just after 7:30 pm and concluded just after 9:00 pm.

By this time the appellant had fallen under suspicion and was under surveillance. A vehicle driven by him was located by police officers on the Bruce Highway near the Glasshouse Mountains heading south. A police car started to follow the appellant’s vehicle which then turned off the highway at the Deception Bay exit. The police car missed the turn, turned around and started to go the wrong way up the exit ramp in order to follow the appellant when his vehicle was seen coming down the ramp to the highway.

When the appellant’s vehicle was pulled over and searched at around 10:00 pm, a PDS Compact 500 computer, later identified in evidence as the property of Hunter Watertech, was found in it as was a laptop computer. On examination it was found that the software to enable the laptop to communicate with the PDS system through the PDS computer had been re-installed in the laptop on 29 February 2000 and that the PDS Compact computer had been programmed to identify itself as pump station 4 — the identification used by the intruder in accessing the Council sewerage system earlier that night. The software programme installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. There was evidence that this programme was required to enable a computer to access the Council’s sewerage system and that it had no other practical use. The unchallenged evidence of Mr Kingsley, a police computer expert, was that the programme had been used at least 31 times between 7 April and 19 April and that it was last used at 9:31pm on 23 April 2000.

Also found in the car was a two-way radio set to the frequencies of the Buderim and Mount Coolum repeater stations and the leads necessary to connect the PDS computer, the laptop and the radio.

4.23 Although the convictions on five of the 26 hacking charges in the above case were overturned, others were upheld, along with the remaining counts. For this reason, the sentences that had been imposed, totalling imprisonment for two years and an order for over $13,000 to be paid to the Council for loss and damages caused, were affirmed.31

4.24 A great deal of counter-terrorism legislation has been enacted in Australia and other countries, largely in line with United Nations initiatives, particularly since the 2001 attacks in the United States.32 This includes offences that may apply to computer misuse, including those attacks that could amount to cyberterrorism.33 The Criminal Code Act 1995 (Cth) defines a ‘terrorist act’ as follows:34

100.1 Definitions

In this Part:

(1) …
terrorist act means an action or threat of action where:
  (a) the action falls within subsection (2) and does not fall within subsection (3); and
  (b) the action is done or the threat is made with the intention of advancing a political, religious or ideological cause; and
  (c) the action is done or the threat is made with the intention of:
    (i) coercing, or influencing by intimidation, the government of the Commonwealth or a State, Territory or foreign country, or of part of a State, Territory or foreign country; or
    (ii) intimidating the public or a section of the public.
…

(2) Action falls within this subsection if it:
  (a) causes serious harm that is physical harm to a person; or
  (b) causes serious damage to property; or
  (c) causes a person’s death; or
  (d) endangers a person’s life, other than the life of the person taking the action; or
  (e) creates a serious risk to the health or safety of the public or a section of the public; or
  (f) seriously interferes with, seriously disrupts, or destroys, an electronic system including, but not limited to:
    (i) an information system; or
    (ii) a telecommunications system; or
    (iii) a financial system; or
    (iv) a system used for the delivery of essential government services; or
    (v) a system used for, or by, an essential public utility; or
    (vi) a system used for, or by, a transport system.

(3) Action falls within this subsection if it:
  (a) is advocacy, protest, dissent or industrial action; and
  (b) is not intended:
    (i) to cause serious harm that is physical harm to a person; or
    (ii) to cause a person’s death; or
    (iii) to endanger the life of a person, other than the person taking the action; or
    (iv) to create a serious risk to the health or safety of the public or a section of the public.

4.25 Notably, under para (2)(f), unauthorised modification or impairment of computer and telecommunications systems may constitute a terrorist act under s 100.1 if other conditions are met. The maximum penalty for committing a terrorist act is imprisonment for life.35 An act of cyberterrorism, such as attacking critical telecommunications infrastructure in order to advance a political or religious cause, could be prosecuted in Australia under either cybercrime or terrorism laws.

4.26 Other Criminal Code Act 1995 (Cth) offences that refer to the definition of ‘terrorist act’ in s 100.1 include:36

s 101.2 (Providing or receiving training connected with terrorist acts);
s 101.4 (Possessing things connected with terrorist acts);
s 101.5 (Collecting or making documents likely to facilitate terrorist acts); and
s 101.6 (Other acts done in preparation for, or planning, terrorist acts).

4.27 One of the few Australian cases involving terrorism offences that related to the use of the Internet in the planning stages concluded with a conviction in 2006, followed by the imposition of a 20-year sentence of imprisonment:37

R v Lodhi [2006] NSWSC 691 (23 August 2006) at [1]–[5], [25]–[26], [35]

Whealy J: On 19 June 2006 Faheem Khalid Lodhi (‘the offender’) was found guilty by a jury in respect of three of the four charges on which he had been indicted. The three charges were as follows.

First on or about 3 October 2003 at Sydney, the offender collected documents, namely two maps of the Australian electricity supply system, which were connected with preparation for a terrorist act, namely bombing part of the system, knowing the said connection.

Secondly, a charge that the offender, on or about 10 October 2003 intentionally did an act in preparation for a terrorist act, namely he sought information concerning the availability of materials capable of being used for the manufacture of explosives or incendiary devices.

Thirdly, a charge that on or about 26 October 2003, the offender possessed a document containing information concerning the ingredients for and the method of manufacture of poisons, explosives, detonators and incendiary devices connected with the preparation for a terrorist act, knowing the said connection.

The first and third of these charges carries a maximum penalty of 15 years imprisonment. The second charge carries a maximum penalty of life imprisonment. As I have indicated earlier, there was a fourth charge namely, a charge that on or about 24 October 2003 the offender made a set of aerial photographs of certain Australian Defence establishments. The jury found that the accused was not guilty in respect of this charge. …

Throughout the trial, a central issue for the jury’s determination had been the state of mind or the intentions of the offender. The contents of these documents [described as ‘a terrorism manual for the manufacture of homemade poisons, explosives, detonators and incendiary devices’] make it plain beyond reasonable doubt that, when he collected the wall maps from Ms Bakla at Energy Supply, the subject of homemade bombs or explosives was likely to have been at the forefront of his thinking. …

I am satisfied beyond reasonable doubt that the offender’s possession of this document reflected very clearly his intention to make use of its contents for the purpose of using the information to assist in an enterprise to assemble an explosive which would be used as part and parcel of the ultimate carrying out of an act of terror within Australia. I am satisfied that his intention or state of mind at the time it was found in his possession, and indeed prior to that time and well after, was that the material could be used to advance the cause of violent jihad in Australia.

Moreover, I am satisfied beyond reasonable doubt that it was the offender’s intention that any such enterprise would be carried out to coerce, or influence by intimidation, the Government of Australia and to intimidate the public.

4.28 To date, there has been no reported case of a cyberterrorist attack severely impairing or destroying Australian infrastructure. However, the use by terrorist organisations of the Internet for planning, communications, recruitment, financing and propaganda purposes is a continuing concern.38

The internet enables terrorists to research and coordinate attacks. Terrorists may use it for psychological warfare, publicity or propaganda, data mining, fundraising, recruitment or mobilisation, networking, information sharing, and planning or coordination. All active terrorist groups have an internet presence and employ social networking or video-sharing sites and online communities. The interactive capacity of YouTube and Facebook enables terrorists to recruit personnel. Blogging services including Twitter can become a coordination tool for launching attacks. Communication occurs over the internet as well as through chatrooms, message boards or email, which impose minimal disclosure requirements and are simply and inexpensively established. Digital currency facilitates money transfers, avoids financial institutions, is difficult to trace, does not require customer identification and is free from oversight. Virtual worlds for transferring funds or information offer similar advantages …

4.29 Some of the existing terrorism and terrorist organisation offences discussed earlier may apply to such online activities, supported by the applicability of ‘inchoate’ offences such as attempt, conspiracy and incitement.39 However, it may be noted that they do not clearly extend to the promotion of terrorist causes in the abstract, with no explicit connection to any terrorist acts or organisations. Some countries have sought to counter the spread of terrorist propaganda by enacting offences relating to ‘glorification of terrorism’ but these have met opposition from free speech advocates.40 In Australia, Pt 5.1 of the Criminal Code Act 1995 (Cth) deals with treason, urging violence and advocating terrorism. The latter is criminalised under s 80.2C, added by the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 (Cth):

80.2C Advocating terrorism
(1) A person commits an offence if:
  (a) the person advocates:
    (i) the doing of a terrorist act; or
    (ii) the commission of a terrorism offence referred to in subsection (2); and
  (b) the person engages in that conduct reckless as to whether another person will:
    (i) engage in a terrorist act; or
    (ii) commit a terrorism offence referred to in subsection (2).
  Note: There is a defence in section 80.3 for acts done in good faith.
  Penalty: Imprisonment for 5 years.
(2) A terrorism offence is referred to in this subsection if:
  (a) the offence is punishable on conviction by imprisonment for 5 years or more; and
  (b) the offence is not:
    (i) an offence against section 11.1 (attempt), 11.4 (incitement) or 11.5 (conspiracy) to the extent that it relates to a terrorism offence; or
    (ii) a terrorism offence that a person is taken to have committed because of section 11.2 (complicity and common purpose), 11.2A (joint commission) or 11.3 (commission by proxy).
Definitions
(3) In this section:
  advocates: a person advocates the doing of a terrorist act or the commission of a terrorism offence if the person counsels, promotes, encourages or urges the doing of a terrorist act or the commission of a terrorism offence.
  terrorism offence has the same meaning as in subsection 3(1) of the Crimes Act 1914.
  terrorist act has the same meaning as in section 100.1.
(4) A reference in this section to advocating the doing of a terrorist act or the commission of a terrorism offence includes a reference to:
  (a) advocating the doing of a terrorist act or the commission of a terrorism offence, even if a terrorist act or terrorism offence does not occur; and
  (b) advocating the doing of a specific terrorist act or the commission of a specific terrorism offence; and
  (c) advocating the doing of more than one terrorist act or the commission of more than one terrorism offence.

Cyber espionage and cyberwar

4.30 Crossing the boundaries of cybercrime, cybersecurity and a number of other disciplines, cyber espionage poses challenges to businesses and governments alike. Commercially valuable and other sensitive information has long been subject to protection against unauthorised access and disclosure.41 Some countries even have criminal offences covering ‘industrial espionage’ or ‘trade secrets’, which extend to online activities.42 Further, although it may be that many or most countries engage in some level of spying or espionage activity against others, all have legal prohibitions against unauthorised access to, and disclosure of, their own ‘state secrets’ based on the need to protect national security. For example, under the Criminal Code Act 1995 (Cth) s 91.1(1):43

91.1 Espionage and similar activities
(1) A person commits an offence if:
  (a) the person communicates, or makes available:
    (i) information concerning the Commonwealth’s security or defence; or
    (ii) information concerning the security or defence of another country, being information that the person acquired (whether directly or indirectly) from the Commonwealth; and
  (b) the person does so intending to prejudice the Commonwealth’s security or defence; and
  (c) the person’s act results in, or is likely to result in, the information being communicated or made available to another country or a foreign organisation, or to a person acting on behalf of such a country or organisation.
  Penalty: Imprisonment for 25 years.

4.31 The response to espionage and national security threats is supported by a plethora of laws, agencies, powers and policies. Other important legislation includes the Australian Security Intelligence Organisation Act 1979 (Cth), Crimes Act 1914 (Cth), Defence Act 1903 (Cth), Defence Force Discipline Act 1982 (Cth) and National Security Information (Criminal and Civil Proceedings) Act 2004 (Cth).

4.32 As technology has evolved, the prospect of waging war in cyberspace has advanced. Conflicts of various kinds involving national security tensions and even the use of conventional military force have increasingly been preceded or accompanied by online attacks. Security experts note recent developments:44

Once the stuff of science fiction, cyberwarfare is now a major security concern of political and military leaders around the world. Recent related, headline-grabbing events include the hostile use of cyberspace against Estonia in 2007 and between Georgia and Russia in August 2008. Beyond merely disrupting networks and information flow, cyberattacks with significantly graver consequences are also on the horizon. ‘Stuxnet’, a highly sophisticated malware developed specifically for cross-domain destruction of physical infrastructure, may be a harbinger of what is to come.

4.33 The emergence of sophisticated malware, such as Stuxnet in 2010, confirmed the viability of targeted cyber-attacks in the service of national security:45

Stuxnet

Stuxnet is a sophisticated computer program designed to penetrate and establish control over remote systems in a quasi-autonomous fashion. It represents a new generation of ‘fire-and-forget’ malware that can be aimed in cyberspace against selected targets. Those that Stuxnet targeted were ‘airgapped’; in other words, they were not connected to the public Internet and penetration required the use of intermediary devices such as USB sticks to gain access and establish control. Using four ‘zero-day vulnerabilities’ (vulnerabilities previously unknown, so that there has been no time to develop and distribute patches), the Stuxnet worm employs Siemens’ default passwords to access Windows operating systems that run the WinCC and PCS 7 programs. These are programmable logic controller (PLC) programs that manage industrial plants. The genius of the worm is that it can strike and reprogram a computer target.

First Stuxnet hunted down frequency-converter drives made by Fararo Paya in Iran and Vacon in Finland. These each respond to the PLC computer commands that control the speed of a motor by regulating how much power is fed to it. These drives are set at the very high speeds required by centrifuges to separate and concentrate the uranium-235 isotope for use in light-water reactors and, at higher levels of enrichment, for use as fissile material for nuclear weapons.

Then Stuxnet alternated the frequency of the electrical current that powers the centrifuges, causing them to switch back and forth between high and low speeds at intervals for which the machines were not designed. Symantec researcher Eric Chien put it this way: ‘Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over a period of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.’ In a devious touch, the worm contains a rootkit that conceals commands downloaded from the Siemens systems.

Some media reports mistakenly thought the Iranian light-water power reactor at Bushehr was also a target. Iran confirmed that Stuxnet infected personal computers there while denying that much damage was inflicted. But Bushehr seems an unlikely target, because the plutonium produced by such light-water reactors is not well suited for weapons purposes. The more likely target is Iran’s uranium-enrichment programme. Although most of the 4,000–5,000 centrifuges operating to date at the pilot and industrial-scale fuel-enrichment facilities at Natanz have been producing only low-enriched uranium, the same centrifuges could be put to use to produce highly enriched uranium for weapons. Alternatively, and in a more likely scenario, it is feared that Iran could be operating secret centrifuge facilities to produce highly enriched uranium. The key to the Stuxnet worm is that it can attack both known and unknown centrifuges.

4.34 In Australia, the significance of cyberwar has also been recognised as an emerging threat at the national level, posing risks across multiple sectors.46

For Australia, cyber warfare is a serious threat. A 2009 Defence White Paper observed that Australia’s national security could be compromised by cyber attacks on our defence, governmental, commercial and infrastructure-related information networks. Their potential impact has paradoxically grown with the Defence Department’s increasing dependence on networked operations. Irregular opponents such as insurgents and terrorists are exploiting technology in low-risk and effective ways. This circumstance has prompted a more enhanced cyber situational awareness and incident-response capability.

4.35 In legal terms, as well as possible prosecutions under domestic law if any individuals responsible for cyber-attacks can be identified and brought to justice, there is also a growing body of international legal rules that would bring such conduct within the scope of the law of armed conflict, depending on the degree to which the ‘attribution’ problem can be overcome:47

The Tallinn Manual on the International Law Applicable to Cyber Warfare (‘Manual’), the most systematic effort to adapt the law of armed conflict (‘LOAC’) to cyber, takes a cautious stance. The Manual relies on the International Law Commission’s (‘ILC’) Draft Articles on Responsibility of States for Internationally Wrongful Acts (‘Draft Articles’), which tie state responsibility to showing that a private party is ‘acting on the instructions of, or under the direction or control of’ a state … The test for attribution shapes the accountability of states for conduct that affects other sovereign nations. Although a state can violate international law without meeting the test, a victim state is sharply restricted in its choice of remedies if attribution to a state is impossible. If the cyber-intrusion by the non-state actor rises to the level of a use of force or an armed attack, self-defence measures are possible against another state only when that state is deemed responsible …

This cautious view overlooks the risks of cyber prompted by what I call the ‘attribution asymmetry’. Cyber is relatively easy to direct, given a sophisticated commander, but very difficult to detect. While it is difficult to direct a group of armed personnel located hundreds or thousands of miles away from the funder of the group, an entity that wishes to control cyber-weapons can control their use from a remote location by requiring groups with state cyber-tools to submit to periodic virtual accounting. On the other hand, unlike conventional kinetic action where effects are manifest within a short time after the weapon is used, cyberweapons can take months to detect, lying dormant for significant periods or secretly altering data to clandestinely compromise a network’s operation. This ability to engage in more precise direction while avoiding detection distinguishes cyber from kinetic weapons.

Questions for consideration

1. In introducing the draft provision that was later enacted as s 477.3 (Unauthorised impairment of electronic communication) of the Criminal Code Act 1995 (Cth), the report of the Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Chapter 4 — Damage and Computer Offences and Amendments to Chapter 2: Jurisdiction, January 2001, pp 171–3, noted that the offence:

… has an extremely broad band of application, from harms which are transient and trifling to conduct which results in serious economic loss or serious disruption of business, government or community activities. The prohibition would be breached by conduct which impaired communication of a single message of no importance.

Given that the offence carries a maximum penalty of imprisonment for 10 years, how are different levels of impairment to be reflected in legal outcomes? Should there be a threshold level of impairment for the offence so that it would not apply to ‘transient and trifling’ impairments, such as reductions in bandwidth from ‘piggy-backing’ or similar activities?

2. In N Phair, Cybercrime: The Reality of the Threat, E-Security Publishing, Canberra, 2007, pp 141–51, the topic of cyberterrorism is introduced as follows:

Terrorists have traditionally used physical violence to perpetrate attacks that cause fear, destruction and media attention. However, terrorist organisations may choose to recruit computer experts in the future to carry out attacks in the form of distributed denial of service (DDoS), designed to produce the same effects … The use of a DDoS attack, or infection by virus, may create disruption on the computer network or even the internet, but the damage it causes does not necessarily generate terror. The question is, to what level and against which infrastructure, would such an attack need to be perpetrated to cause terror among the general public?

How is this question to be answered? If a cyberterrorist attack against an electricity grid or other critical infrastructure occurred, would the public be informed of its origins? Without the element of ‘attribution’, would such an attack lack impact?

3. A Bergin and C Ungerer, ‘Homeward Bound: Australia’s New Counter-Terrorism White Paper’, Australian Strategic Policy Institute (ASPI), Policy Analysis no. 57, March 2010, note:

There are more than 4,000 terrorist-related websites worldwide. Ideas cross borders through cyberspace. We aren’t going to ban our way out of this problem. Cyberspace affords individuals access and anonymity in an extremist environment and the ability to find like-minded extremists in thousands of chat rooms and social networking sites.

To what extent can any government respond to online terrorist propaganda without compromising the availability and use of the Internet for legitimate, however contentious, political discussion and debate? How and where should the dividing line between free speech and community safety be made?

1. House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Commonwealth of Australia, Canberra, 2010 at [2.24].

2. Though difficult to pinpoint with accuracy, commentators see the release of the Sub7 and Pretty Park malware in 1999 as the dawn of botnet techniques: A Bridgwater, ‘A Brief History of the Botnet’, Dr. Dobb’s, 28 September 2010.

3. A DoS attack can in principle be conducted from a single computer, but a DDoS attack is in practice much more effective and difficult to block because it harnesses the power of whole networks of computers, typically through the use of a botnet: US-CERT, ‘Understanding Denial-of-Service Attacks’.

4. B Prince, ‘DDoS Attacks Boom as Hackers Increase Size, Frequency’, Security Week, 27 January 2015, citing Arbor Networks, 10th Annual Worldwide Infrastructure Security Report.

5. K Hardy, ‘Operation Titstorm: Hacktivism or Cyber-Terrorism?’ (2010) 33(2) University of New South Wales Law Journal 474. An arrest of a 17-year-old on charges relating to hacking and website defacements was announced by the Australian Federal Police (AFP) in 2013, but it is not known whether the arrest related to the Operation Titstorm or other attacks: AFP, ‘17-Year-Old Suspected Member of “Anonymous” Charged with Unauthorised Access to Computer Data’, media release, 5 April 2013.

6. Council of Europe, Convention on Cybercrime. Articles 4, 5 and 6 appear in Chapter II — Measures to be taken at the national level, Section 1 — Substantive criminal law, Title 1 — Offences against the confidentiality, integrity and availability of computer data and systems.

7. Explanatory Report, Convention on Cybercrime at [65]–[70]; also discussed in J Clough, Principles of Cybercrime, Cambridge University Press, 2010, p 102. Paragraph [69] discusses the sending of unsolicited email for commercial purposes, commonly known as ‘spamming’, and notes that this should only be covered by Art 5 where it intentionally and seriously hinders communication. In Australia, the Spam Act 2003 (Cth) makes such conduct unlawful but imposes only civil penalties rather than criminal punishments such as imprisonment: see Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410 (13 April 2006); and R McCusker, ‘Spam: Nuisance or Menace, Prevention or Cure?’, Trends and Issues in Crime and Criminal Justice no. 294, Australian Institute of Criminology, March 2005.

8. Key terms are defined in Criminal Code Act 1995 (Cth) s 476.1 (Definitions) and s 476.2 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 478.3 (Possession or control of data with intent to commit a computer offence) and s 478.4 (Producing, supplying or obtaining data with intent to commit a computer offence), each punishable by imprisonment for three years.

9. Key terms are defined in Criminal Code 2002 (ACT) s 412 (Definitions), s 413 (Limited meaning of access to data etc) and s 414 (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 418 (Possession of data with intent to commit serious computer offence) and s 419 (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years or 300 penalty units or both.

10. Key terms are defined in Crimes Act 1900 (NSW) s 308 (General definitions), s 308A (Meaning of access to data, modification of data and impairment of electronic communication) and s 308B (Meaning of unauthorised access, modification or impairment). Not listed are the related offences of s 308F (Possession of data with intent to commit serious computer offence) and s 308G (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years.

11. Key terms are defined in Criminal Code Act (NT) s 276 (Interpretation) and s 276A (Meaning of access to data, modification of data and impairment of electronic communication).

12. Key terms are defined in Criminal Law Consolidation Act 1935 (SA) s 86B (Interpretation) and s 86C (Meaning of access to or modification of data). Not listed is the related offence of s 86I (Possession of computer viruses etc with intent to commit serious computer offence), punishable by imprisonment for three years.

13. Key terms are defined in Criminal Code Act 1924 (Tas) s 257A (Interpretation).

14. Key terms are defined in Crimes Act 1958 (Vic) s 247A (Interpretation). Not listed are the related offences of s 247E (Possession of data with intent to commit serious computer offence) and s 247F (Producing, supplying or obtaining data with intent to commit serious computer offence), each punishable by imprisonment for three years.

15. The Dictionary to the Criminal Code Act 1995 (Cth) also defines electronic communication to mean a communication by means of guided or unguided electromagnetic energy or both. The key term impairment is left undefined in the Code, which was a deliberate choice: see Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Chapter 4 — Damage and Computer Offences and Amendments to Chapter 2: Jurisdiction, January 2001, p 137: ‘Unlike “access” and “modification” the concept of “impairment” is not defined. It extends to any harm affecting electronic communications. In this respect “impairment”, which includes intangible as well as tangible harms, is akin to the undefined concept of causing “damage” to property’.

16. Criminal Code Act 1995 (Cth) s 477.1(1)(a)(iii), (c) and (d). The section was amended by the Cybercrime Legislation Amendment Act 2012 (Cth).

17. This provision is found in Division 477 — Serious computer offences. It has been amended by the Cybercrime Legislation Amendment Act 2012 (Cth), removing subs (2) which had provided a constitutional basis through reference to Commonwealth computers or data, and telecommunications networks. The head of power relied on is now presumably the external affairs power, because the amendments were made in the process of Australia’s accession to the Convention on Cybercrime. As originally proposed by the Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General in its report, Chapter 4 — Damage and Computer Offences and Amendments to Chapter 2: Jurisdiction, January 2001, the offence was ‘aimed at such tactics as flooding email with input beyond its capacity, resulting in system breakdown’, that is, denial of service (DoS) attacks (p 137).

18. This provision is found in Division 478 — Other computer offences. The Explanatory Memorandum to the Cybercrime Bill 2001 stated: ‘There is currently no equivalent offence, as the existing [then Crimes Act] offences pertain only to data stored in a computer, and do not extend to electronic data held in other devices’. This may be doubted because the legislation, including the Criminal Code Act 1995 (Cth) Dictionary, has never sought to define ‘computer’, and its natural reading must include a range of portable devices. The misuse of credit cards and other devices is discussed in Chapters 6 and 10.

19. The Australian Parliament’s 2010 report, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Appendix D — Commonwealth Computer Offences (House of Representatives Standing Committee on Communications, Commonwealth of Australia, Canberra, 2010), suggested that the s 478.3 offence ‘is intended to cover the possession of a program or a root-kit that enables a person to hack into another person’s computer system, impair data via a malware infection or impair electronic communications via a DDOS attack’.

20. Related terms such as ‘sniffing’, ‘war driving’ and ‘LAN-jacking’ are discussed in G Urbas and T Krone, ‘Mobile and Wireless Technologies: Security and Risk Factors’, Trends and Issues in Crime and Criminal Justice no. 329, Australian Institute of Criminology, November 2006.

21. R A Carter and D Makin, ‘Piggyback Hunting — Browsing the Internet in Australia via Unsecured Wireless Networks: Virtual Theft or Acceptable Behaviour in an Online World?’ (2009) 16 James Cook University Law Review 20.

22. See, for example, Criminal Code Act 1995 (Cth) s 476.1(2), Criminal Code 2002 (ACT) s 413 and Crimes Act 1900 (NSW) s 308A(4). However, the case of Hernandez v R [2013] NSWCCA 51 (1 March 2013) involved guilty pleas to offences including impairing electronic communications where the defendant engaged in burglaries and ‘would cut cables and disarm alarms and CCTV cameras before entering the remainder of the premises’ (at [11]). This was stated to be an offence under Crimes Act 1900 (NSW) s 308E in Morgan v R [2014] NSWCCA 284 (5 December 2014).

23. Australian Government, Australian National Security website, ‘Critical Infrastructure Resilience’; see also Trusted Information Sharing Network.

24. Australian Government, Cyber Security Strategy, Commonwealth of Australia, Canberra, 2009.

25. P Grabosky and M Stohl, ‘Cyberterrorism’ (2003) 82 Australian Law Reform Commission Reform Journal 8 (notes omitted). See also M Stohl, ‘Cyber Terrorism: A Clear and Present Danger, the Sum of All Fears, Breaking Point or Patriot Games?’ (2006) 46 Crime, Law and Social Change 223; J Clough, Principles of Cybercrime, Cambridge University Press, 2010, pp 11–13.

26. D Denning, ‘Cyberterrorism’, Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services, US House of Representatives, 23 May 2000.

27. J A Lewis, ‘Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats’, Centre for Strategic and International Studies, Washington DC, 2002, p 5.

28. M D Cavelty, ‘Cyber-Terror — Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate’ (2008) 4(1) Journal of Information Technology and Politics 19 at 20.

29. Australian Government, Cyber Security Strategy, note 24 above.

30. S Avancha, J Undercoffer, A Joshi and J Pinkston, ‘Security for Wireless Sensor Networks’ [2004] Wireless Sensor Networks 253; J Slay and M Miller, ‘Lessons Learned from the Maroochy Water Breach’ in Critical Infrastructure Protection, International Federation for Information Processing (IFIP), 2008.

31. R v Boden [2002] QCA 164 (10 May 2002) at [2] and [55], referring to s 408D of the Queensland Criminal Code. A special leave application to the High Court was refused: Boden v The Queen B55/2002 [2003] HCATrans 828 (25 June 2003).

32. M Gani and G Urbas, ‘Alert or Alarmed? Recent Legislative Reforms Directed at Terrorist Organisations and Persons Supporting or Assisting Terrorist Acts’ (2004) 8(1) Newcastle Law Review 23; Justice P D McClellan, ‘Terrorism and the Law’ [2006] New South Wales Judicial Scholarship 1; G Williams, ‘A Decade of Australian Anti-Terror Laws’ (2011) 35(3) Melbourne University Law Review 1136.

33. G Urbas, ‘Cyber-Terrorism and Australian Law’ (2005) 8(1) Internet Law Bulletin 5; and G Urbas, ‘A Tangled Web: Cybercrime, Terrorism and the Internet’ (2012) 15(3) Internet Law Bulletin 54.

34. Criminal Code Act 1995 (Cth) Part 5.3 — Terrorism, Division 100 — Preliminary; see also G Syrota, ‘The Definition of “Terrorist Act” in Part 5.3 of the Commonwealth Criminal Code’ (2007) 33(2) University of Western Australia Law Review 307.

35. Criminal Code Act 1995 (Cth), Division 101 — Terrorism, s 101.1(1). Subsection (2) provides that ‘extended geographical jurisdiction—category D’ applies to the offence, meaning that it need not be committed within Australia or have any other connection to Australia for liability to attach; see also G Urbas, ‘Cybercrime, Jurisdiction and Extradition: The Extended Reach of Cross-Border Law Enforcement’ (2012) 16(1) Journal of Internet Law 7.

36. Maximum penalties range from 10 to 25 years for these offences. These provisions were added to the Criminal Code Act 1995 (Cth) by the Security Legislation Amendment (Terrorism) Act 2002 (Cth). Section 101.3, which prohibited directing organisations concerned with terrorist acts, was not enacted and, instead, Division 102 — Terrorist organisations contains numerous offences relating to terrorist organisations, defined by reference to involvement in terrorist acts or through listing under regulations. Division 103 — Financing terrorism, Division 104 — Control orders and Division 105 — Preventative detention orders add to the comprehensive legislative scheme.

37. Subsequent appeals were unsuccessful: Faheem Khalid Lodhi v R [2007] NSWCCA 360 (20 December 2007); Lodhi v The Queen & Anor [2008] HCATrans 225 (13 June 2008); Lodhi v Attorney General of New South Wales [2013] NSWCA 433 (18 December 2013).

38. S Tully, ‘Protecting Australian Cyberspace: Are Our International Lawyers Ready?’ (2012) 19 Australian International Law Journal 49 at 62–3; see also C Lentz, ‘A State’s Duty to Prevent and Respond to Cyberterrorist Acts’ (2009–2010) 10 Chicago Journal of International Law 799.

39. Criminal Code Act 1995 (Cth) s 11.1 (Attempt), s 11.4 (Incitement) and s 11.5 (Conspiracy).

40. B Saul, ‘Speaking of Terror: Criminalising Incitement to Violence’ (2005) 28(3) University of New South Wales Law Journal 868; E Barendt, ‘Threats to Freedom of Speech in the United Kingdom?’ (2005) 28(3) University of New South Wales Law Journal 895.

41. At common law, through the action of ‘breach of confidence’; see, for example, S Ricketson and M Richardson, Intellectual Property — Cases, Materials and Commentary, 3rd ed, 2005, Ch 11, citing (at p 617) F Gurry’s essay, ‘Breach of Confidence’ (1985): ‘The action for breach of confidence provides an important means for preserving the value of many classes of economically significant information — know-how, product and process inventions, and certain specific items of business data’.

42. See H Nasheri, Economic Espionage and Industrial Spying, Cambridge University Press, 2005; O Thonnard, L Bilge, G O’Gorman and M Lee, ‘Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat’ in Research in Attacks, Intrusions, and Defenses (2012) 7462 Lecture Notes in Computer Science 64; G Urbas, ‘Cybercrime Legislation in the Asia-Pacific Region’ in R Broadhurst and P Grabosky (eds), Cyber Crime: The Challenge in Asia, Hong Kong University Press, 2005.

43. Criminal Code Act 1995 (Cth) Division 91 — Espionage and similar activities. Subsections (2)–(4) contain related offences, while subss (5)–(7) deal with procedural and jurisdictional matters.

44. A P Liff, ‘Cyberwar: A New “Absolute Weapon”? The Proliferation of Cyberwarfare Capabilities and Interstate War’ (2012) 35(3) Journal of Strategic Studies 401; see also P C Reich, S Weinstein, C Wild and A S Cabanlong, ‘Cyber Warfare: A Review of Theories, Law, Policies, Actual Incidents — and the Dilemma of Anonymity’ (2010) 1(2) European Journal of Law and Technology (online).

45. J P Farwell and R Rohozinski, ‘Stuxnet and the Future of Cyber War’ (2011) 53(1) Survival: Global Politics and Strategy 23.

46. S Tully, ‘Protecting Australian Cyberspace: Are Our International Lawyers Ready?’, note 38 above, at 55. Note the establishment in late 2014 of the multi-agency Australian Cyber Security Centre, which ‘will bring together existing cyber security capabilities across Defence, the Attorney-General’s Department, Australian Security Intelligence Organisation, Australian Federal Police and Australian Crime Commission in a single location — the Ben Chifley Building, in Canberra’.

47. P Margulies, ‘Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility’ (2013) 14(2) Melbourne Journal of International Law 496 at 497–500.

Part 3 Online Financial and Property Crimes

Chapter 5 Online Fraud and Forgery

Chapter contents
Online fraud and forgery 5.4
Convention on Cybercrime 5.10
Australian fraud laws 5.14
Australian forgery laws 5.21
Spam 5.25
Questions for consideration

5.0 The motivation behind a great deal of cybercrime is, simply stated, money. As with traditionally committed financial crimes, the purpose is to steal, defraud or by other means separate victims from their cash, valuables or the means of acquiring access to these (eg, bank account or credit card details). Indeed, many of the ‘scams’ doing the rounds of the Internet are decades, if not centuries, old, but their reach and profitability have been greatly magnified by the ability to connect with millions of people around the world through modern telecommunications.

5.1 The Australian Parliament’s 2010 inquiry into cybercrime identified financial gain as one of the principal motivations of cyber criminals:1

The Committee heard that cyber crime has become a highly lucrative business through cyber attacks which involve the theft of personal information, fraud, illegally accessing financial systems and online extortion. Additionally, an underground economy has developed through which cyber criminals may earn money by trading cyber crime related goods and services.

5.2 The Committee went on to consider the place of identity theft and fraud, scams, extortion, underground forums and websites, as well as money laundering in the modern cybercrime economy. In relation to online scams, it noted:2

Online scams are another lucrative activity for cyber criminals. A plethora of scams exist on the Internet and new scams are continually emerging. Some of the scams brought to the Committee’s attention were: romance scams, where victims hand over money to fraudulent participants on online dating websites (see the case study below for a victim’s account of such a scam); advance-fee scams where the victim is promised large returns on an upfront payment; and fake lottery, ticketing or online shopping scams, where victims are fooled into paying for a non-existent product.

Case Study: A victim’s account of a romance scam

Witness A, who is based in Australia, established an online relationship via a dating website with a man claiming to be a citizen of the USA. The man claimed to be travelling to Nigeria to work, after which he proposed to visit Witness A in Australia. Over the following months the man claimed to have run into a range of difficulties while in Nigeria and repeatedly asked for assistance in the form of money transfers and the provision of valuable goods. Witness A was suspicious of these requests, but felt emotionally compelled to assist their ‘partner’ to travel to Australia. Witness A lost AUD$20,000 before becoming aware that they were being victimised, and suffered significant emotional distress as a result of the scam.

Perpetrators may use other cyber crime tools to fashion and disseminate online scams. For example, a cyber criminal may use seemingly inconsequential information gained from a spyware program, such as an address or friends’ names, to make a personalised and highly convincing scam email. Additionally, a cyber criminal may seek to reach a wide number of victims by sending out a scam in a spam email.

5.3 Recent estimated losses of Australians due to personal fraud are around $1.4 billion per year.3 However, the consequences of such scams can extend beyond purely financial losses. Lives may be ruined, particularly where retirement savings are involved, and people may be exposed to physical danger in further dealings with scammers, as tragically illustrated in the following case:4

Case Study: Death of WA romance fraud victim

A romance fraud victim from Western Australia has been found dead in her rented villa after travelling to South Africa to visit a Nigerian man she was having a relationship with on the internet. 67 year old widow Jette Jacobs from the Western Australian town of Wagin left Perth on 22 November 2012 and her body was found by South African police in a Johannesburg villa on 9 February 2013. Her death is being investigated by local police and WA Police believe she may have died in suspicious circumstances. Ms Jacobs’ money, credit cards, jewellery, laptop computer and other personal items were missing from the villa. Ms Jacobs lost her husband in 2002 and her subsequent partner in 2009. She then met a man purporting to be ‘Jesse Orowo Omokoh’ from Nigeria on a dating website and they had regular contact over a four-year period. Ms Jacobs had sent at least $80,000 to Nigeria during this time and met the man known as ‘Jesse’ during a visit to Johannesburg in 2010 without incident. During her last visit, Ms Jacobs was to meet ‘Jesse’ for a second time but he said he couldn’t get a visa to join her immediately. A letter from Project Sunbird was sent to Ms Jacobs warning that she may be a victim of fraud, but it arrived shortly after she had left Australia. The joint project between WA Police and Consumer Protection tracks large amounts of money being sent from WA to West African countries and attempts to warn the senders that they could be victims of relationship fraud. Detective Senior Sergeant Dom Blackshaw of the Major Fraud Squad (WA Police) said there is evidence that ‘Jesse’ had arrived in Johannesburg two days before reporting her death and giving a statement to local police. ‘The circumstances of Ms Jacobs’ death are still being investigated, but there is evidence that it is suspicious,’ Det Snr Sgt Blackshaw said.

‘During Project Sunbird, we were alarmed to discover that some fraud victims had plans to visit their internet partners in Africa. An Albany man was about to leave for Africa when we intervened and another woman in the south west of the State also stated that she had booked her flight but luckily changed her mind at the last minute. ‘These relationship frauds are being perpetrated by ruthless overseas criminals who are members of organised crime syndicates. To travel to Africa to visit someone you have met on the internet is extremely dangerous and could, as in the case of Ms Jacobs, cost your life.’

Source: Government of Western Australia, Department of Commerce, WA ScamNet.

Online fraud and forgery

5.4 The use of electronic communications to perpetrate frauds and scams came to the attention of criminologists in Australia several decades ago:5

Commercial sites and advertisements have begun to proliferate on the World Wide Web. Anyone exposed to the Web will note the increasing number of commercial advertisements for a vast range of products. The visual impact and allure of these messages is already formidable. Unfortunately, not all of these advertisements are legitimate. Moreover, cyberfrauds may originate from and be accessible to nearly anywhere in the world. In certain respects, this is similar to transnational fraudulent solicitations by telephone or fax. The fundamental difference is that web solicitations tend to be less targeted than telephone or fax solicitations, and less personal. Their reach, however, is vastly wider.

5.5 With the explosion of Internet traffic and connected devices since then, the opportunities for fraudsters have only further increased. Not only does fraud occur through false advertising online, but there is a range of activities such as ‘phishing’ and its many variants, card skimming, identity fraud and theft (discussed further in Chapter 6), and an astonishing array of scams that are all designed to unjustly enrich criminals at the expense of the unwary or vulnerable.6 Some fraudulent activity specifically targets the young, the old or the lonely.7 Some targets particular groups or even individuals.8 Much of it has become increasingly sophisticated and harder to detect.

5.6 The range of technological devices and procedures used in connection with online fraud has been described as follows:9

Phishing — when consumers are tricked into transmitting financial information to a fraudulent website where the information is later housed for use in fraudulent activities;
Pharming — in which victims’ computer systems are compromised via hacking or malware, or where software redirects victims to fake websites where they are asked to enter their details;
Skimming — where personal information is ‘skimmed’ from plastic cards by devices covertly attached to card readers; and
Malware — when malicious software such as viruses are used or installed on computers in order to alter functions within programs and files.

There are also a number of new and emerging techniques:

SMiShing — personal information obtained via SMS;
Vishing — personal information obtained via phone;
Malware — used to collect personal information via Smartphones;
Spear-phishing — highly targeted spam;
Koobface on social media — where victims are sent messages via their social media site with a virus;
Social phishing — whereby the perpetrator gains the trust of an individual and accesses their friend list or as a phisher gains unauthorised access to a user’s account and starts sending spam to the user’s direct contacts;
Keylogging viruses — these viruses capture login details or passwords for bank accounts, for example, which can then be used or sold;
Fraud in virtual platforms such as ‘Second Life’; and
Online rental scams — whereby fake rental flats are advertised online and victims send personal information and/or deposit payments to prove they can pay the rent …

5.7 Perhaps the most widely known form of online fraud is the email solicitation, such as the seemingly ubiquitous ‘Nigerian 419’ or ‘advance fee’ scam:10

Hello,

Re: I want to invest in your country.

My name is Dr. Raymond Chang, retired Chief Auditor. I secured the sum of 15,000,000.00 legally through my office and I want to invest it in your country. I need your honest cooperation to partner with me to invest in your company or in any other viable business opportunity in your country under mutual interest benefits. Our partnership will be absolutely risk free, Please I will also like to know the laws as it concerns foreign investors like me. You should please, contact me here: [email protected], for details. I look forward to your cordial response.

Regards,
Dr. Raymond Chang,

5.8 Variants of the ‘advance fee’ scam include generous offers of lottery wins, prizes, inheritances, tax refunds, hot stock tips and so on. Other scams revolve around vehicles such as ‘pyramid’ or ‘Ponzi’ investment schemes, employment offers, holiday accommodation, dating and romance, miracle cures, weight loss, etc. To all of them, the same old adage can be readily applied: If it seems too good to be true, then it probably is.

5.9 Fraud is a large topic that spans both criminal and civil remedies, as well as the growing service areas of fraud detection and prevention. It includes not only consumer fraud, but fraud against businesses and government. Much of it has an online aspect, but a great deal of fraud is committed in more conventional ways.11 The related topic of forgery, or illegal alteration of documents, is narrower in its focus though this also has computer-related aspects. The discussion below focuses on criminal acts of fraud and forgery perpetrated by online means.

Convention on Cybercrime

5.10 The Council of Europe’s Convention on Cybercrime deals with computer-related forgery and fraud together as ‘computer-related offences’:12

Article 7 — Computer-related forgery

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible. A Party may require an intent to defraud, or similar dishonest intent, before criminal liability attaches.

Article 8 — Computer-related fraud

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the causing of a loss of property to another person by:

a any input, alteration, deletion or suppression of computer data,
b any interference with the functioning of a computer system,

with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.

5.11 As can be seen, the focus of the Convention on Cybercrime is on acts in relation to computers that result in ‘inauthentic data’ being passed off as genuine, and on using data alteration or computer interference in order to defraud and obtain an ‘economic benefit’. The scope of Art 7 is further explained as follows:13

The purpose of this article is to create a parallel offence to the forgery of tangible documents. It aims at filling gaps in criminal law related to traditional forgery, which requires visual readability of statements, or declarations embodied in a document and which does not apply to electronically stored data. Manipulations of such data with evidentiary value may have the same serious consequences as traditional acts of forgery if a third party is thereby misled. Computer-related forgery involves unauthorised creating or altering stored data so that they acquire a different evidentiary value in the course of legal transactions, which relies on the authenticity of information contained in the data, is subject to a deception. The protected legal interest is the security and reliability of electronic data which may have consequences for legal relations.

It should be noted that national concepts of forgery vary greatly. One concept is based on the authenticity as to the author of the document, and others are based on the truthfulness of the statement contained in the document. However, it was agreed that the deception as to authenticity refers at minimum to the issuer of the data, regardless of the correctness or veracity of the contents of the data. Parties may go further and include under the term ‘authentic’ the genuineness of the data.

This provision covers data which is the equivalent of a public or private document, which has legal effects. The unauthorised ‘input’ of correct or incorrect data brings about a situation that corresponds to the making of a false document. Subsequent alterations (modifications, variations, partial changes), deletions (removal of data from a data medium) and suppression (holding back, concealment of data) correspond in general to the falsification of a genuine document.

5.12 The scope of Art 8 is similarly elucidated in the explanatory notes:14

With the arrival of the technological revolution the opportunities for committing economic crimes such as fraud, including credit card fraud, have multiplied. Assets represented or administered in computer systems (electronic funds, deposit money) have become the target of manipulations like traditional forms of property. These crimes consist mainly of input manipulations, where incorrect data is fed into the computer, or by programme manipulations and other interferences with the course of data processing. The aim of this article is to criminalise any undue manipulation in the course of data processing with the intention to effect an illegal transfer of property.

To ensure that all possible relevant manipulations are covered, the constituent elements of ‘input’, ‘alteration’, ‘deletion’ or ‘suppression’ in Article 8(a) are supplemented by the general act of ‘interference with the functioning of a computer programme or system’ in Article 8(b). The elements of ‘input, alteration, deletion or suppression’ have the same meaning as in the previous articles. Article 8(b) covers acts such as hardware manipulations, acts suppressing printouts and acts affecting recording or flow of data, or the sequence in which programs are run.

The computer fraud manipulations are criminalised if they produce a direct economic or possessory loss of another person’s property and the perpetrator acted with the intent of procuring an unlawful economic gain for himself or for another person. The term ‘loss of property’, being a broad notion, includes loss of money, tangibles and intangibles with an economic value.

5.13 An important subset of computer-related fraud and forgery relates to the creation of false identity documents and to the misuse of identity and financial information in order to steal or defraud, which are discussed in greater detail in Chapter 6. Online conduct may also involve dealing in ‘pirated’ copyright material, such as infringing copies of books, music and films, discussed in Chapter 7. It should also be noted that some online frauds are not primarily directed at financial gain, but may result in other forms of victimisation, such as sexual exploitation. These misuses of telecommunications are discussed in greater detail in Chapters 9 and 10.

Australian fraud laws

5.14 Fraud is defined under common law in terms of obtaining a monetary or other gain or causing a loss through deception. As a crime, it is traditionally prosecuted in Australia under State and Territory laws, apart from more limited categories, such as fraud against the Commonwealth, fraud by corporate employees and tax or benefit fraud.15 The following table outlines the main fraud offences across all Australian jurisdictions (Table 5.1).

Table 5.1: Commonwealth, State and Territory fraud offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
|---|---|---|---|---|
| CTH16 | Criminal Code Act 1995 s 134.1 (Obtaining property by deception) | By a deception, obtaining from another person property belonging to the Commonwealth | Dishonestly, with intention of permanently depriving the other person | Imprisonment for 10 years |
| CTH | Criminal Code Act 1995 s 134.2 (Obtaining financial advantage by deception) | By deception, obtaining financial advantage from the Commonwealth | Dishonestly | Imprisonment for 10 years |
| ACT17 | Criminal Code 2002 s 326 (Obtaining property by deception) | By a deception, obtaining from another person property belonging to someone else | Dishonestly, with intention of permanently depriving the other person | Imprisonment for 10 years or 1000 penalty units or both |
| ACT | Criminal Code 2002 s 332 (Obtaining financial advantage by deception) | By deception, obtaining financial advantage from someone else | Dishonestly | Imprisonment for 10 years or 1000 penalty units or both |
| NSW18 | Crimes Act 1900 s 192E (Fraud) | By deception, obtaining property belonging to another or financial advantage | Dishonestly | Imprisonment for 10 years |
| NT19 | Criminal Code Act s 227 (Criminal deception) | By deception, obtaining property belonging to another or financial advantage | Not specified | As for stealing property of the same value; or imprisonment for seven years where credit is obtained |
| QLD | Criminal Code Act 1899 s 408C (Fraud) | Obtaining property or a benefit, etc | Dishonestly | Imprisonment for five years; 12 years if in position of authority or where value is over $30,000 |
| SA20 | Criminal Law Consolidation Act 1935 s 139 (Deception) | Deceiving another to obtain a gain or cause a loss | Dishonestly | Imprisonment for 10 years; 15 years if aggravated |
| TAS21 | Criminal Code Act 1924 s 250 (Obtaining goods by false pretences) | By any false pretence, obtaining goods | With intent to defraud | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 253A (Fraud) | By deceit or any fraudulent means, obtaining property, etc | With intent to defraud | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 257B (Computer-related fraud) | Destroying, damaging, erasing, altering or otherwise manipulating computer data, etc | With intent to defraud | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC | Crimes Act 1958 s 81 (Obtaining property by deception) | By deception, obtaining property belonging to another | Dishonestly | Imprisonment for 10 years |
| VIC | Crimes Act 1958 s 82 (Obtaining financial advantage by deception) | By deception, obtaining financial advantage | Dishonestly | Imprisonment for 10 years |
| WA22 | Criminal Code Act Compilation Act 1913 s 409 (Fraud) | By deceit or any fraudulent means, obtaining property, etc | With intent to defraud | Imprisonment for seven years; 10 years if victim is over 60 years old |

Sources: Australasian Legal Information Institute (AustLII): ; State and Territory legislative databases.

5.15 In general, courts dealing with fraud prosecutions involving computer-related conduct have been able to adapt existing fraud and related offences and apply them satisfactorily to the online environment. The Federal Court of Australia has observed, in dealing with an online copyright piracy case:23

First, internet fraud, though relatively new, involves nothing more than an application of the legal principles applicable to communication by post and telegraph … True it is that the Internet has a wider reach and wider field of applications but the problem of widely disseminated communication is … much older than the Internet and the World Wide Web … [T]he law has had to grapple with cases of this kind ever since newspapers and magazines, and later radio and television, came to be made available to large numbers of people over wide geographic areas. To this may be added telephones, mobile phones and fax machines.

5.16 Of course, where a fraud is committed by the direct alteration of computer data rather than by making false and deceptive representations to a person, other computer offences may be more appropriate, such as the unauthorised access, modification and impairment offences discussed in preceding chapters. However, the ‘computer-related fraud’ offence in s 257B of the Criminal Code Act 1924 (Tas) seems tailor-made for such prosecutions:24

Brown v Tasmania [2008] TASSC 33 (2 July 2008) at [2]–[3], [5]

Crawford CJ: The appellant pleaded guilty to 57 crimes of dishonesty, most of which concerned identity fraud. They were 30 counts of computer-related fraud (Criminal Code, s 257B), four of obtaining goods by a false pretence (s 250), six of forgery (s 278), five of uttering (s 279), one of attempting to dishonestly acquire a financial advantage (ss 252A and 299), one of attempted computer-related fraud (ss 257B and 299), two of personation (s 288), four of receiving stolen property (s 258), two of fraud on a creditor (s 296(1)(a)), and two of engaging in money laundering (Crime (Confiscation of Profits) Act 1993, s 67(2) (since repealed)). They may be categorised as constituting five series of events between 26 June 2006 and 5 September 2007. Most of the crimes, if not all, involved accomplices.

Counts 1 to 4 concerned events that commenced with the aggravated burglary of a house on 20 June 2006, in which many items of property were stolen, including a laptop computer worth $2,000. On 26 June 2006, the appellant received the computer, knowing it to be stolen, from an accomplice. Using the computer, she accessed the householder’s bank account, altered personal information relating to it, changed the online banking facility to telephone banking, and, with intent to defraud, transferred $9,000 from the account into an account in her own name with another bank. At the same time, she arranged electronically for a further $9,000 to be transferred in the same way on 5 July 2006 …

Counts 5 to 24 concerned events that commenced on 11 August 2006 with an aggravated burglary of a house, in which a backpack was stolen and a motor vehicle taken. The backpack contained personal papers, including a driver’s licence, tax file number details, bankcards and bank details relating to two people. On the following day, the appellant and an accomplice received the contents of the backpack. Her accomplice was able to obtain the internet password for a bank account linked to one of the stolen cards and $5,000 was fraudulently transferred from the account by her accomplice, by using the internet, into an account of … the accomplice’s sister. Later that day, the accomplice transferred another $5,000 out of the first bank account into another account in the name of an associate … once again by using the internet. The appellant abetted the accomplice to perform those two transactions. On the same day, an accomplice, in the presence of the appellant, contacted the bank by telephone and, with the assistance of the stolen documents, and by falsely claiming to be the account holder, was able to fraudulently alter the password for the account …

5.17 In other jurisdictions, by contrast, a complication has been the application of general property offences to conduct involving fraudulent manipulation of devices such as automated teller machines (ATMs) in order to secure a dishonest gain:25

Kennison v Daire (1986) 160 CLR 129

Gibbs CJ, Mason, Wilson, Deane and Dawson JJ: The appellant was convicted of larceny contrary to s 131 of the Criminal Law Consolidation Act 1935 (SA), as amended. He was the holder of an Easybank card which enabled him to use the automatic teller machine of the Savings Bank of South Australia to withdraw money from his account with that bank. It was a condition of the use of the card that the customer’s account could be drawn against to the extent of the funds available in that account. Before the date of the alleged offence, the appellant had closed his account and withdrawn the balance, but had not returned the card. On the occasion of the alleged offence, he used his card to withdraw $200 from the machine at the Adelaide branch of the bank. He was able to do so because the machine was off-line and was programmed to allow the withdrawal of up to $200 by any person who placed the card in the machine and gave the corresponding personal identification number. When off-line the machine was incapable of determining whether the card holder had any account which remained current, and if so, whether the account was in credit. It is not in doubt that the appellant acted fraudulently with intent permanently to deprive the bank of $200. The appellant’s submission is that the bank consented to the taking. It is submitted that the bank intended that the machine should operate within the terms of its programme, and that when it did so it gave effect to the intention of the bank. In the course of an interesting argument, Mr Tilmouth pointed out that if a teller, having the general authority of the bank, pays out money on a cheque when the drawer’s account is overdrawn, or on a forged order, the correct conclusion is that the bank intends that the property in the money should pass, and that the case is not one of larceny … He submitted that, in effect, the machine was invested with a similar authority and that if, within the instructions in its programme, it handed over the money, it should be held that the property in the money passed to the card holder with the consent of the bank. With all respect we find it impossible to accept these arguments. The fact that the bank programmed the machine in a way that facilitated the commission of a fraud by a person holding a card did not mean that the bank consented to the withdrawal of money by a person who had no account with the bank. It is not suggested that any person, having the authority of the bank to consent to the particular transaction, did so. The machine could not give the bank’s consent in fact and there is no principle of law that requires it to be treated as though it were a person with authority to decide and consent. The proper inference to be drawn from the facts is that the bank consented to the withdrawal of up to $200 by a card holder who presented his card and supplied his personal identification number, only if the card holder had an account which was current. It would be quite unreal to infer that the bank consented to the withdrawal by a card holder whose account had been closed. The conditions of use of the card supplied by the bank to its customers support the conclusion that no such inference can be drawn. It is unnecessary to consider what the position might have been if the account had remained current but had insufficient funds to its credit … For these reasons, which are substantially those expressed by King CJ in the Full Court of South Australia, the appeal should be dismissed.

5.18 In order to ensure that the absence of a human being at the other end of a fraudulent transaction is not a bar to a conviction for obtaining by deception, some Australian legislation defines deception as including ‘conduct by a person that causes a computer, a machine or an electronic device to make a response that the person is not authorised to cause it to do’.26 This legislative device appears to allow fraud offences to apply straightforwardly to interactions with automated systems, such as those allowing the public to file tax statements and similar documents electronically, which may result in payments made without manual processing.27

5.19 Where a deception is brought about by unauthorised access to or modification of data, those offences may be appropriately charged along with fraud offences. This is illustrated by the following case, involving both Commonwealth computer offences and the Victorian obtaining by deception offence:28

R v Idolo [1998] VSC 276; [1998] VICSC 57 (21 April 1998)

Tadgell JA: The applicant was engaged by Telstra Corporation Ltd (Telstra) from 22 April 1992 until 5 May 1995 to work on their retail and inventory computer system project, which was known as the MOSS project. During that period he was located at 181 Victoria Parade, Collingwood. From 8 May 1995 until 25 September 1995, when his engagement was terminated, he was employed again as a computer programmer by Telstra on what was called the Telstra Integrated Pay and Personnel System project, known as TIPPS, on the fourth floor, Riverside Quay, South Melbourne. The MOSS project is a retail and inventory computer system for Telstra mobile telephones. When equipment such as mobile telephones and associated accessories is sold through Telstra shops and purchased on account, the sales person at the shop enters details of the purchase on a computer data base, referred to as the MOSS inventory, which in turn operates a computer called VIR. Each night a batch process takes the details of all the sales and passes them on to one of the digital billing systems called MICA or the analog billing system, called RACE, depending on the type of mobile telephone purchased, whether analog or digital. It is only after this process occurs that a bill is produced and forwarded to the purchaser for payment. The applicant was a team member on the MOSS project from April 1992 to May 1995 when he was transferred to the TIPPS project. While he was on the MOSS project his duties included the development, implementation and support of what are called the interfaces with RACE and MICA. He was, according to the evidence, the main analyst for the MOSS project in relation to the development of the interface between MOSS and the MICA and RACE billing systems. Using his detailed knowledge of and access to the MOSS system, the applicant altered data in the MOSS interface in such a way as to prevent charges in respect of the purchase of a number of mobile telephones being billed to the accounts of the purchasers. He also altered data in the interface which caused monetary credits to be added to his own personal Telstra accounts and certain Telstra accounts of a friend of his, one Vincent Rusciano. At no time was the applicant authorized to make alterations of those kinds. On the night of 29 August 1995, unfortunately for the applicant, the batch process failed, prompting an investigation. Certain unauthorized alterations to data, involving in particular an attempt to credit an amount of $1099 to a Telstra account in the name of Vesticom Pty Ltd, a company associated with the applicant, were identified and eventually traced to the applicant’s computer logical terminal identification. The source of the alterations was traced to the applicant’s personal computer at Riverside Quay in South Melbourne. As a result of these findings, the applicant’s work area at Riverside Quay was, on 25 September 1995, searched by members of the Computer Crime Section of the Commonwealth police and his personal computer was seized. Later, when the hard drive in the computer was analyzed, a text file was found which gave instructions in computer programming language for the adding of credits to the applicant’s Telstra account. The exercise had been attempted on 29 August and had caused the batch system to crash.

On 25 January 1996 search warrants were executed by the Australian Federal Police at the applicant’s premises and at his work station at Telstra and at the premises of his friend, Rusciano, and also at the premises of a company, Heine Management Ltd, Rusciano’s employer, and those of Eurolynx Corporate Services Pty Ltd, a company associated with Heine. On the same day the applicant was interviewed by the Federal police.

5.20 Other forms of computer-based frauds that may result in prosecution and conviction include falsely invoicing businesses for nonexistent goods or services, or doing the same to individuals through online auctions and similar interactions.29 Other scams include advance fee frauds, market manipulation or ‘share-ramping’, and romance scams (discussed earlier at [5.3]). Unfortunately, many of the online scams to which Australians may fall prey originate outside the country’s borders, making police investigation and prosecution difficult. In such cases, there may be little that concerned relatives are able to do even if they see vulnerable family members being swindled, short of making guardianship applications where appropriate in the case of elderly or infirm victims.30

Australian forgery laws

5.21 Forgery is a particular kind of deceptive practice involving ‘false documents’, and thus overlaps with fraud to some extent. However, it is important to understand that not every document that contains one or more false statements is a forgery. Rather, a forged document is one which purports to be something that it is not, or, in other words, which ‘not only tells a lie, but tells a lie about itself’:31

[E]very instrument which fraudulently purports to be that which it is not is a forgery, whether the falseness of the instrument consists in the fact that it is made in a false name, or that the pretended date, when that is a material portion of the deed, is not the date at which the deed was in fact executed.

5.22 The application of forgery offences to the online environment would appear to pose little difficulty, given that electronic files are legally recognised as ‘documents’ as defined in legislation.32 Making falsified electronic documents is thus included:33 The essence of forgery is the act of falsifying a document with the purpose of perpetrating a deception; in the past, the falsification was carried out on a paper document. Cyberforgery simply introduces two new permutations, either of which can be adequately dealt with by amending extant forgery laws: (1) using computer technology to forge paper documents; or (2) using computer technology to forge electronic documents. This is not an area in which new, cybercrime-specific penal laws are required.

5.23 Forgery offences exist under Commonwealth, State and Territory laws. The following table outlines the main fraud offences across all Australian jurisdictions (Table 5.2).

Table 5.2: Commonwealth, State and Territory forgery offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
|---|---|---|---|---|
| CTH34 | Criminal Code Act 1995 s 144.1 (Forgery) | Making a false document | Dishonestly to induce a Commonwealth public official to accept it as genuine, so as to obtain a gain or cause a loss, etc | Imprisonment for 10 years |
| CTH34 | Criminal Code Act 1995 s 145.1 (Using forged document) | Using a false document | Knowing that it is false, dishonestly to induce a Commonwealth public official to accept it as genuine, so as to obtain a gain or cause a loss, etc | Imprisonment for 10 years |
| ACT35 | Criminal Code 2002 s 346 (Forgery) | Making a false document | With intention that it will be used to dishonestly induce another person to accept it as genuine, so as to obtain a gain, cause a loss, etc | Imprisonment for 10 years or 1000 penalty units or both |
| ACT35 | Criminal Code 2002 s 347 (Using a false document) | Using a false document | With intention that it will be used to dishonestly induce another person to accept it as genuine, so as to obtain a gain, cause a loss, etc | Imprisonment for 10 years or 1000 penalty units or both |
| NSW36 | Crimes Act 1900 s 253 (Forgery — making false document) | Making a false document | With intention that it will be used to dishonestly induce another person to accept it as genuine, so as to obtain a gain, cause a loss, etc | Imprisonment for 10 years |
| NSW36 | Crimes Act 1900 s 254 (Using false document) | Using a false document | With intention that it will be used to dishonestly induce another person to accept it as genuine, so as to obtain a gain, cause a loss, etc | Imprisonment for 10 years or 1000 penalty units or both |
| NT | Criminal Code Act s 258 (Forgery) | Making a false writing in a register, altering documents, etc | Not specified | Imprisonment for seven years |
| QLD | Criminal Code Act 1899 s 488 (Forgery and uttering) | Forging or uttering a document | Not specified | Imprisonment for three years; seven years if forging a power of attorney; 14 years if forging valuable security, etc |
| QLD | Criminal Code Act 1899 s 510 (Instruments and materials for forgery) | Making, possessing, using, etc a thing | With intent to use it to forge a document | Imprisonment for 14 years |
| SA37 | Criminal Law Consolidation Act 1935 s 140 (Dishonest dealings with false documents) | Creating, etc a false document | Intending to deceive, exploit another person, or to manipulate a machine so as to cause benefit or loss | Imprisonment for 10 years; 15 years if aggravated |
| TAS38 | Criminal Code Act 1924 s 278 (Forgery) | Forging any document, seal or die | With intent to defraud | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC39 | Crimes Act 1958 s 83A (Falsification of documents) | Making, using, etc a false document | With intention that it will be used to induce another person to accept it as genuine, so as to prejudice a person, etc | Imprisonment for 10 years |
| WA40 | Criminal Code Act Compilation Act 1913 s 473 (Forgery and uttering) | Forging or uttering a record | With intent to defraud | Imprisonment for seven years |

Sources: Australasian Legal Information Institute (AustLII); State and Territory legislative databases.

5.24 Clearly, the creation or use online of false documents can fall within the scope of a Commonwealth, State or Territory forgery offence.41 There is also Commonwealth legislation specifically dealing with counterfeit currency and some other classes of goods.42 Perhaps the most tempting target for criminals using computer technology in the creation of false documents is the production of fake identification documents. These can subsequently be used to commit a range of crimes, including theft, fraud, tax and benefits fraud, migration and visa fraud, etc. Identity crimes are discussed in greater detail in Chapter 6.

Spam

5.25 A final topic that may be conveniently dealt with at this point is ‘spam’, which is a widely used term for high-volume or bulk unsolicited email:43

The word ‘Spam’ as applied to Email means ‘Unsolicited Bulk Email’. Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. A message is Spam only if it is both Unsolicited and Bulk.

Unsolicited Email is normal email (examples: first contact enquiries, job enquiries, sales enquiries).

Bulk Email is normal email (examples: subscriber newsletters, customer communications, discussion lists).

Technical definition of Spam

An electronic message is ‘spam’ if (A) the recipient’s personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (B) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.

Understanding the Spam Issue

Spam is an issue about consent, not content. Whether the Unsolicited Bulk Email (UBE) message is an advert, a scam, porn, a begging letter or an offer of a free lunch, the content is irrelevant — if the message was sent unsolicited and in bulk then the message is spam. Spam is not a sub-set of UBE, it is not ‘UBE that is also a scam or that doesn’t contain an unsubscribe link’. All email sent unsolicited and in bulk is Spam.

Source: The Spamhaus Project.

5.26 Spam is widely used in the dissemination of fraudulent or ‘scam’ messages, as well as for a range of other uses that may attract criminal or other legal liability. Offers typically include prizes, job offers, stock-market tips, weight-loss and hair-replacement therapies, pharmaceutical drugs including Viagra and other sexual enhancement remedies, etc. First emerging as a serious computer and network security issue decades ago, its recent use has become associated with massive botnets, with the number of spam messages estimated as reaching over 200 billion per month worldwide, or around 80% of total global Internet traffic.44

5.27 While many anti-spam strategies involve technical solutions, such as filters at both Internet service provider (ISP) and personal computer (PC) levels, there is also anti-spam legislation. In some jurisdictions, this includes criminal offence provisions, but only civil penalties in Australia.45 Key definitions are as follows (Spam Act 2003 (Cth) ss 4–6):

address-harvesting software means software that is specifically designed or marketed for use for:
(a) searching the internet for electronic addresses; and
(b) collecting, compiling, capturing or otherwise harvesting those electronic addresses.
…
message means information:
(a) whether in the form of text; or
(b) whether in the form of data; or
(c) whether in the form of speech, music or other sounds; or
(d) whether in the form of visual images (animated or otherwise); or
(e) whether in any other form; or
(f) whether in any combination of forms.
…
electronic message is a message sent:
(a) using:
    (i) an internet carriage service; or
    (ii) any other listed carriage service; and
(b) to an electronic address in connection with:
    (i) an e-mail account; or
    (ii) an instant messaging account; or
    (iii) a telephone account; or
    (iv) a similar account.
Note: E-mail addresses and telephone numbers are examples of electronic addresses.
…
commercial electronic message is an electronic message, where, having regard to:
(a) the content of the message; and
(b) the way in which the message is presented; and
(c) the content that can be located using the links, telephone numbers or contact information (if any) set out in the message;
it would be concluded that the purpose, or one of the purposes, of the message is:
(d) to offer to supply goods or services; or
(e) to advertise or promote goods or services; or
(f) to advertise or promote a supplier, or prospective supplier, of goods or services; or
…
(j) to offer to provide a business opportunity or investment opportunity; or
(k) to advertise or promote a business opportunity or investment opportunity; or
(l) to advertise or promote a provider, or prospective provider, of a business opportunity or investment opportunity;
…

5.28 Prohibitions under the Spam Act 2003 (Cth) then include sending:

unsolicited commercial electronic messages (s 16);
commercial electronic messages without accurate sender information (s 17);
commercial electronic messages without an unsubscribe facility (s 18).

Prohibitions also apply to:

supplying address-harvesting software and harvested-address lists (s 20);
acquiring address-harvesting software and harvested-address lists (s 21);
using address-harvesting software and harvested-address lists (s 22).

Maximum penalties range from 10 to 10,000 penalty units per infringement, with the maximum applying to a corporation with a prior record of contraventions, equating to potential fines of $1.7 million.46

5.29 Proceedings against Australian spammers may be brought by the Australian Communications and Media Authority (ACMA). Proceedings have resulted in million-dollar fines against individual and corporate spammers, along with declarations and injunctions.47 Variants on spam include ‘spim’ for instant messaging, and ‘spit’ for IT telephony.48 ACMA proceedings have also been brought against SMS spammers.49 However, the fact remains that legal responses are, at best, only part of the solution:50

Despite a raft of legislation in a range of countries, spam remains a relatively low-risk, cost-effective and profitable marketing method. Spam is a complex multi-faceted issue that demands a complex multi-lateral response. Governments alone cannot tackle spam. Individuals and businesses also need to increase their awareness of the dangers of spam and of the importance of establishing effective policies to prevent its dissemination. Although prosecution of major spam producers should be a priority, it should be recognised that investigatory, evidentiary and jurisdictional difficulties may arise. Consequently, a more proactive response using technological filtering applications should continue to be a key focus of the fight against spam. It should also be recognised that the perpetrators of spam, especially those with criminal intentions, are likely to continue trying to undermine such applications and may at times exploit system vulnerabilities.

Questions for consideration

1. Is the application of existing fraud and forgery laws to the online environment simple and straightforward, or should consideration be given to enacting more specific offences? An example might be the offence of ‘computer-related fraud’ in s 257B of the Criminal Code Act 1924 (Tas), which criminalises data modification ‘with intent to defraud’. Do such technology-specific offences help or hinder the prospects of successful convictions?

2. T C Pratt, K Holtfreter and M D Reisig, ‘Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory’ (2010) 47(3) Journal of Research in Crime and Delinquency 267 at 284, conclude an empirical study on Internet fraud victimisation with the following observation:

Thus, crime control policies could be developed with an eye toward educating citizens about using various safeguards when shopping online (e.g., secure servers and virus protection software). Just as we can teach potential sexual assault targets to change their daily routines, we can educate potential fraud targets about altering their online activities, minimizing exposure to the criminal opportunity structure. This approach highlights the need to think about the prevention of crime in general, and online victimization in particular, in ways that move beyond a strict focus on the criminal justice system … Instead, parents, schools, and employers will each be critical to any efforts at educating citizens on how to reduce their exposure to online risks.

Is this a workable approach to minimising the risks of online fraud? Does it unfairly put the responsibility for crime control on actual and potential victims? What, if any, good alternatives are there?

3. R McCusker, ‘Spam: Nuisance or Menace, Prevention or Cure?’, Trends and Issues in Crime and Justice no. 294, Australian Institute of Criminology, March 2005, suggests that:

Ultimately, the individuals targeted by spam might assist in the anti-spam effort by:
avoiding placing email addresses in a public domain, for example a chat room;
if placing an email address in a public domain, disguising it so that, for example ‘johndoe@fakesite.com’ becomes ‘johndoe at fakesite.com’;
using multiple email addresses so that in the event of receiving spam the targeted email address can be discarded;
installing and updating spam filters on home computers;
using longer and more complicated email addresses; and
never responding to spam in any way (including clicking on an unsubscribe button), but simply deleting it.

Are these strategies likely to be effective in protecting against spammers, or in reducing spam traffic overall? Does the prospect of civil litigation and large fines deter spammers, or might the threat of imprisonment be more effective?

1. House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, Ch 2: ‘Nature, Prevalence and Economic Impact of Cyber Crime’, Commonwealth of Australia, Canberra, 2010 at [2.9] (notes omitted). Other motivations were ‘curiosity, fame-seeking, personal reasons (such as stalking or emotional harassment), political reasons (such as protests), espionage or cyber warfare’ (at [2.8]).

2. House of Representatives Standing Committee on Communications, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, note 1 above, at [2.43]–[2.44] (notes omitted).

3. Australian Bureau of Statistics, ‘Personal Fraud Costs Australians $1.4 Billion’, media release, 19 April 2012; see further Australian Competition and Consumer Commission (ACCC), ‘SCAMwatch’.

4. Government of Western Australia, Department of Commerce, WA ScamNet, ‘Death of WA Romance Fraud Victim’ (updates to 4 June 2014). The main suspect was arrested in Nigeria in June 2014 and charged with nine counts of conspiracy and obtaining money by false pretences.

5. P Grabosky and R Smith, Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities, The Federation Press, 1998, p 136. See also P Grabosky, R Smith and G Dempsey, Electronic Theft: Unlawful Acquisition in Cyberspace, Cambridge University Press, 2001; and R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004.

6. See, for example, the techniques described by the Australian Competition and Consumer Commission (ACCC), ‘SCAMwatch’.

7. A Adogame, ‘The 419 Code as Business Unusual: Youth and the Unfolding of the Advance Fee Fraud Online Discourse’ (2009) 37(4) Asian Journal of Social Science 551; G Muscat, M James and A Graycar, ‘Older People and Consumer Fraud’, Trends and Issues in Crime and Criminal Justice no. 220, Australian Institute of Criminology, March 2002; L M Alves and S R Wilson, ‘The Effects of Loneliness on Telemarketing Fraud Vulnerability Among Older Adults’ (2008) 20(1) Journal of Elder Abuse and Neglect 63; A Rege, ‘What’s Love Got to Do with It? Exploring Online Dating Scams and Identity Fraud’ (2009) 3(2) International Journal of Cyber Criminology 494.

8. B Parmar, ‘Protecting Against Spear-Phishing’ (2012) 1 Computer Fraud and Security 8; T Caldwell, ‘Spear-Phishing: How to Spot and Mitigate the Menace’ (2013) 1 Computer Fraud and Security 8. The topics of ‘phishing’ and ‘spear-phishing’ are discussed further in Chapter 6.

9. C Cross, R Smith and K Richards, ‘Challenges of Responding to Online Fraud Victimisation in Australia’, Trends and Issues in Crime and Criminal Justice no. 474, Australian Institute of Criminology, May 2014, citing J Kerr et al, Research on Sentencing Online Fraud Offences, United Kingdom Sentencing Council, 2013.

10. This example was received by the author on 4 March 2013 from an apparently United Kingdom address, and is reproduced with original grammatical imperfections. The ‘419’ scam is named after the relevant section of the Nigerian Criminal Code, and is just one version of ‘advance fee’ fraud: R Smith, M Holmes and P Kaufman, ‘Nigerian Advance Fee Fraud’, Trends and Issues in Crime and Criminal Justice no. 121, Australian Institute of Criminology, July 1999.

11. Fraud surveys in Australia are regularly conducted by organisations such as KPMG (Fraud and Misconduct Survey); the Australian Institute of Criminology (Fraud Against the Commonwealth annual survey); and the Australian Consumer Fraud Taskforce.

12. Council of Europe, Convention on Cybercrime. Articles 7 and 8 are in Chapter II — Measures to be taken at the national level, Section 1 — Substantive criminal law, Title 2 — Computer-related offences. The topic of computer-related forgery is discussed in greater detail below, beginning at [5.21].

13. Explanatory Report, Convention on Cybercrime at [81]–[83]; also discussed in J Clough, Principles of Cybercrime, Cambridge University Press, 2010, pp 206–7.

14. Explanatory Report, Convention on Cybercrime at [86]–[88]; discussed in J Clough, Principles of Cybercrime, note 13 above, pp 201–2.

15. Criminal Code Act 1995 (Cth), particularly amendments added by the Criminal Code Amendment (Theft, Fraud, Bribery and Related Offences) Act 2000 (Cth); Corporations Act 2001 (Cth); Income Tax Assessment Act 1997 (Cth); Social Security (Administration) Act 1999 (Cth).

16. These offences are found in Part 7.3 — Fraudulent conduct, which was added by the Criminal Code Amendment (Theft, Fraud, Bribery and Related Offences) Act 2000 (Cth); other offences found in Pt 7.3 include s 135.1 (General dishonesty), s 135.2 (Obtaining financial advantage), s 135.4 (Conspiracy to defraud), s 136.1 (False or misleading statements in applications), s 137.1 (False or misleading information) and s 137.2 (False or misleading documents). Forgery offences are found in Part 7.7 — Forgery and related offences, discussed below, beginning at [5.21].

17. These offences are found in Part 3.3 — Fraudulent conduct, which was added by the Criminal Code (Theft, Fraud, Bribery and Related Offences) Amendment Act 2004 (ACT); other offences found in Pt 3.3 include s 333 (General dishonesty), s 334 (Conspiracy to defraud), s 335 (Obtaining financial advantage from the Territory), s 336A (Making false or misleading statements on oath or in statutory declarations), s 337 (Making false or misleading statements), s 338 (Giving false or misleading information) and s 339 (Producing false or misleading documents). Forgery offences are found in Part 3.6 — Forgery and related offences, discussed below, beginning at [5.21].

18. Found in Part 4AA — Fraud, added by the Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 (NSW). Other Pt 4AA offences are s 192F (Intention to defraud by destroying or concealing accounting records), s 192G (Intention to defraud by false or misleading statement) and s 192H (Intention to defraud by false or misleading statement). Identity-related offences are found in Part 4AB — Identity offences, and forgery offences are found in Part 5 — Forgery, discussed below, beginning at [5.21].

19. Found in Part VI — Property offences and related matters, Div 2. Division 2A deals with identity crimes, while Div 4 deals with frauds by trustees and officers of corporations, and Div 7 deals with forgery. See also Summary Offences Act (NT) s 60A (Fraud other than false pretences).

20. Other dishonesty offences include s 140 (Dishonest dealings with documents), s 141 (Dishonest manipulation of machines) and s 142 (Dishonest exploitation of position of advantage). Part 5A deals with identity theft.

21. Found in Chapter XXVIII — False pretences, cheating and frauds concerning titles. Other offences in Ch XXVIII are Criminal Code Act 1924 (Tas) s 251 (Obtaining execution of a security by false pretences), s 252 (Cheating), s 252A (Acquiring a financial advantage), s 253 (Fraud in respect of payment for work), s 254 (Fraud on sale or mortgage of property), etc. Chapter XXX deals with frauds by trustees and company officers, and Ch XXXII deals with forgery. Section 257B, found in Chapter XXVIIIA — Crimes relating to computers, is unusual as a separate computer fraud offence.

22. Found in Chapter XL — Fraud. Other offences are found in Chapter XLI — Receiving property stolen or fraudulently obtained, and in Chapter XLII — Frauds by trustees and officers of companies and corporations.

23. United States of America v Griffiths [2004] FCA 879 (7 July 2004), per Jacobson J at [117]–[118]. This case is further discussed along with appeals to the Full Federal Court and the High Court of Australia, in relation to a copyright extradition request, in Chapter 7.

24. See also McCulloch v Tasmania [2010] TASCCA 21 (22 December 2010); Johnstone v Tasmania [2011] TASCCA 9 (2 August 2011); and Henderson v Tasmania; Henderson v R [2012] TASCCA 12 (23 October 2012). An earlier similar case is R v Benbow [1991] TASSC 1992 (23 December 1991).

25. Reproduced here is the full judgment of the High Court, minus a few case citations. It is one of the shortest substantive judgments in the court’s history. Larceny was removed from the Criminal Law Consolidation Act 1935 (SA) and replaced with new offences including s 141 (Dishonest manipulation of machines) by the Criminal Law Consolidation (Offences of Dishonesty) Amendment Act 2002 (SA).

26. For example, Criminal Code Act 1995 (Cth) ss 133.1 and 480.1; Criminal Code Act 2002 (ACT) s 325; and Crimes Act 1900 (NSW) s 192B, defining the term ‘deception’.

27. See, for example, Ridley v R [2008] NSWCCA 324 (18 December 2008); Sayed v The Queen [2012] WASCA 17 (27 January 2012).

28. The Commonwealth charges related to unauthorised altering of data under s 76E of the Crimes Act 1914 (Cth), since repealed, while the Victorian offence was s 81 of the Crimes Act 1985 (Vic).

29. See Ferrus v Qld Police [2006] QCA 57 (9 March 2006); DPP v Gianello [2014] VCC 2015 (7 November 2014); and R v Gopurenko [2014] QCA 255 (10 October 2014).

30. See ALW v NSW Trustee and Guardian [2012] NSWADTAP 51 (4 December 2012); and Senton by his litigation guardian the Public Advocate of the Australian Capital Territory v Steen [2014] ACTSC 63 (9 April 2014). See also Australian Competition and Consumer Commission (ACCC), ‘SCAMwatch’.

31. R v Ritson (1869) LR 1 CCR 200 at 203, per Blackburn J, as cited by Brennan J in Brott v R [1992] HCA 5; (1992) 173 CLR 426 (25 February 1992).

32. For example, under the Acts Interpretation Act 1901 (Cth) s 2B, ‘document means any record of information, and includes: (a) anything on which there is writing; and (b) anything on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them; and (c) anything from which sounds, images or writings can be reproduced with or without the aid of anything else; and (d) a map, plan, drawing or photograph’. The Copyright Act 1968 (Cth) s 10 further defines literary work to include ‘(a) a table, or compilation, expressed in words, figures or symbols; and (b) a computer program or compilation of computer programs’.

33. S W Brenner, ‘Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law’ [2001] Murdoch University Electronic Journal of Law 8 at [40].

34. These offences are found in Part 7.7 — Forgery and related offences. Subsection 144.1(3) is a variant where the intention is ‘to dishonestly cause a computer, a machine or an electronic device to respond to the document as if the document were genuine’, while subs (5) relates to false Commonwealth documents. Other offences in Pt 7.7 are s 145.2 (Possession of forged document) and s 154.3 (Possession, making or adaptation of devices etc. for making forgeries), both punishable by imprisonment for 10 years, and s 145.4 (Falsification of documents etc.) and s 145.5 (Giving information derived from false or misleading documents), carrying a maximum penalty of seven years’ imprisonment.

35. These offences are found in Part 3.6 — Forgery and related offences. Other offences are s 348 (Possessing false document) and s 349 (Making or possessing device etc. for making false document), also punishable by imprisonment for 10 years.

36. Found in Part 5 — Forgery. Other offences are s 255 (Possession of false document) and s 256 (Making or possession of equipment etc. for making false documents), also punishable by imprisonment for 10 years. The latter offence has been applied to the manufacture of fake credit cards and identification documents in R v Bin Li and Kun Wang [2013] NSWDC 211 (23 August 2013) and R v Qian Lin [2014] NSWCCA 254 (10 November 2014).

37. Other dishonesty offences include s 141 (Dishonest manipulation of machines) and s 142 (Dishonest exploitation of position of advantage). Part 5A deals with identity theft.

38. Found in Chapter XXXII — Forgery and uttering.

39. Section 83B abolishes the common law offences of forgery and uttering.

40. Found in Chapter XL — Fraud. Other offences are found in Chapter XLI — Receiving property stolen or fraudulently obtained, Chapter XLII — Frauds by trustees and officers of companies and corporations.

41. R v Illingworth [2014] QDC 229 (26 August 2014).

42. Crimes (Currency) Act 1981 (Cth), Customs Act 1901 (Cth), Therapeutic Goods Act 1989 (Cth) as well as intellectual property legislation which applies to infringing ‘pirated’ or ‘counterfeit’ items.

43. Speculation about the origins of the term ‘spam’ points to the Monty Python comedy sketch about a café serving the canned processed meat known as Spam in every meal, replete with a song that repeats the word in a similarly annoying way to that in which bulk email floods inboxes: ‘The Origin of the Word “Spam”’.

44. J Schultz, ‘Spam Hits Three Year High-Water Mark’, Cisco Blogs (2 May 2014); and ‘ITU and Internet Society Collaborate to Combat Spam, Which Accounts for 80 Per Cent of Global E-Mail Traffic’, Fierce IT Security (6 November 2014).

45. Spam Act 2003 (Cth); cf the CAN-SPAM Act 2003 (US), which includes criminal enforcement.

46. Crimes Act 1914 (Cth) s 4AA (Penalty units). Note that criminal prosecutions are not to be brought for civil penalty contraventions: Spam Act 2003 (Cth) s 27.

47. Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410 (13 April 2006); [2006] FCA 1399 (27 October 2006); [2008] FCA 130 (21 February 2008).

48. V G Cerf, ‘Spam, Spim and Spit’ (2005) 48(4) Communications of the ACM 40; see also ‘More Malware: Adware, Spyware, Spam and Spim’, High Tech Crime Brief no. 11, Australian Institute of Criminology, 2006.

49. Australian Communications and Media Authority v Mobilegate Ltd — A Company Incorporated in Hong Kong [2009] FCA 539 (22 May 2009); [2009] FCA 887 (14 August 2009); [2009] FCA 1225 (23 October 2009); [2009] FCA 1507 (30 November 2009); [2009] FCA 1533 (16 December 2009); [2010] FCA 1197 (5 November 2010); [2010] FCA 1383 (1 December 2010).

50. R McCusker, ‘Spam: Nuisance or Menace, Prevention or Cure?’, Trends and Issues in Crime and Justice no. 294, Australian Institute of Criminology, March 2005.

Chapter 6
Identity Crimes and Card Skimming

Chapter contents
Phishing and pharming 6.4
Credit card skimming 6.12
Australian laws 6.15
Questions for consideration

6.0 In this chapter, the exploration of financially motivated crimes continues, with a focus on identity crimes and card skimming. These are related to online fraud and forgery, but often play a preparatory and facilitative role in larger criminal schemes. For example:1

An individual or a criminal group may collect identity details of unsuspecting victims, such as names, addresses, birth dates and so on, by means that may include hacking, data interception, the use of spyware, or phishing. Details of credit cards and other financial information may similarly be obtained, including through the surreptitious skimming of cards used in retail transactions or at an automated teller machine (ATM). These identification and financial details may then be used to fraudulently order goods from online retailers, causing loss to the victim, the retailer and/or the financial institution or credit provider that issued the card. The details can also be used to manufacture fake cards that can then be used to withdraw funds from an ATM, buy goods and services, or to impersonate the victim in other ways. The details can also be sold on through criminal markets to others.

6.1 It should be noted that terms such as ‘identity crime’ and its variants are often used without great precision. One distinction to bear in mind is between wrongly using a real person’s identity, whether that person is dead or still alive, as opposed to the creation of a new but fictitious identity, which can be used to commit fraud or other offences. The difference may be seen in the number of victims affected: using person A’s identity to commit a fraud against seller B by ordering goods in A’s name clearly involves two victims (A and B), while creating a fictitious identity with which to order goods from B may involve only one victim (B).

6.2 A suggested demarcation of terminology is as follows:2

Identity crime — a generic term used to refer to offences committed through the use of a false identity, including money laundering, drug crimes, tax evasion, illegal migration, terrorism, etc.
Identity fraud — a more specific term used to refer to the deceptive use of a false identity to acquire funds, purchase goods or service, etc.
Identity theft — the wrongful assumption or use of another person’s identity.

6.3 The scale of the problem of identity crime has recently been investigated by the Australian Institute of Criminology (AIC):3

Identity crime and misuse of personal information affect all sectors in Australia and cost individuals, business and government many millions of dollars annually. In the public sector, the misuse of personal information has been recognised in income tax evasion, customs duty and GST fraud, superannuation fraud, obtaining welfare and health care benefit fraud achieved through the use of false names, immigration fraud and taking English language tests (a key requirement for visas) for someone else. In the private sector, the problem areas have been identified as opening bank accounts in false names to obtain finance, ATM fraud, online and mobile banking and payment card fraud, funds transfer fraud, and securities and investment fraud. In addition to these and other financial crime risks, misuse of identity can also arise in connection with violent crime, such as where individuals have sought to avoid detection and prosecution for murder, robbery and acts of terrorism by pretending to be someone else.

In May 2013, in order to explore the nature and scope of identity crime and misuse in Australia, the Australian Institute of Criminology was commissioned by the Attorney-General’s Department to undertake a national survey. This project is one of a series of initiatives that are being implemented as part of the National Identity Security Strategy, Australia’s national response to enhancing identity security, which seeks to prevent identity crime and misuse, contribute to national security and facilitate the benefits of the digital economy.

Subsequently, the Australian Institute of Criminology used an online research panel to generate a sample of 5,000 Australians aged 15 years and over to measure personal experiences of identity crime. The survey covered the number of contacts, responses and victimisation incidents experienced, as well as financial loss and other impacts, reporting and response activities, and victims’ perceptions of changing levels of risk. Detailed demographic information was also collected that enabled profiles of victims to be created.

… The present survey found that 20.8 percent of the 4,995 respondents reported misuse of their personal information at some time during their life, with 9.4 percent reporting misuse of their personal information in the previous 12 months.

Phishing and pharming

6.4 Identification and financial information may be obtained by cyber criminals through techniques known as ‘phishing’:4

Phishing can be defined as the criminal creation and use of emails and websites — which are designed to look like emails and websites of well-known legitimate businesses, financial institutions, and government agencies — in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords.

Consider this example. An internet user receives an official-looking email that appears to have been sent by a familiar organisation or business, such as a bank, and reads that email because it does indeed look official. The email says that the user needs to update or validate his or her account information by clicking a link that takes the user to a phoney website that looks like the site of the organisation or business referred to in the email. At that site, the user is asked to provide personal and confidential information, like banking or credit card details or passwords and usernames, purportedly in order to update or validate his or her account.

Regardless of the means by which this information is obtained, the phisher then uses the information to commit fraudulent acts in the following ways. First, the phisher may pretend to be another person online, abusing that person’s existing credit or debit facility. Second, the phisher may pretend to be another person in transactions with that person’s bank or other financial service provider. Third, the phisher may assume the identity of another person, using that assumed identity to incur debts and liabilities.

6.5 Variations on the theme include ‘spear phishing’ or ‘puddle phishing’, which is directed at a specific victim or a small group of victims by using more personalised information; ‘smishing’ using SMS messaging; and ‘vishing’ using voice mail. For example, an email that appears to be from a bank may be addressed to the particular recipient, who as it turns out, actually has an account with that bank. Typically, he or she would be asked to confirm identity, account and login details.

6.6 The term ‘pharming’ refers to a combination attack that uses hacking and/or malware to re-direct a computer user’s web browser, stored links or searches to a fake website. That website may then capture the user’s personal and financial information. Fake or ‘spoof’ websites were once clumsy efforts, and easy to spot due to spelling errors and poor graphics, but have become much more convincing, with webpages including apparently genuine URLs and security icons.5

6.7 Perhaps because consumers have become more wary of emails and websites seeking personal and financial information, some fraudsters have reverted to phone calls purporting to be from a bank, a large business or government department. In the past, such fraud techniques were associated with ‘cold calls’ from distant ‘boiler rooms’.6 Those receiving such calls may be then duped into revealing information to the trained, persuasive voice on the phone. A recent Australian alert illustrates:7

Scam alert!

The Australian Bankers’ Association is warning of a telephone survey scam which is using the ABA’s name in an attempt to defraud bank customers. The bogus survey telephone operator informs the person that they are completing a customer satisfaction survey and then asks a series of questions regarding the person’s banking provider, such as:

With whom do you bank?
How long have you banked with them?
Are you satisfied with the service?

The operator claims they are completing the survey on behalf of the ABA. This is false.

Source: Australian Bankers’ Association (ABA).

6.8 Other varieties of phone scams abound, and may include dubious or deceptive practices engaged in by some service providers themselves, such as ‘over-billing’ or duping call recipients into replying using services charged at premium rates. Such problems have been a feature of telephony for a long time, and some of the variations have also been adapted to the SMS environment. For example:8

Fraudulent practices in telecommunications include a wide array of activities and victims. Fraud may involve switching service providers without customer authorization, charges for services never rendered, and rate increases without notices. Consumers often receive fewer service features and are charged higher rates. Local telephone companies handle thousands of calls from customers angry about a problem created by competitors.

6.9 Sophisticated attacks by cyber criminals may combine online phishing, pharming malware and phone call fraud. Such ‘blended threat’ attacks can snare even highly educated and tech-aware victims. A startling recent example from the United States is the following:9

Lawyer who clicked on attachment loses $289K in hacker scam

A lawyer who clicked on an email attachment lost $289,000 to hackers who likely installed a virus that recorded his keystrokes. The anonymous lawyer, identified only as John from the San Diego area, told ABC 10 News how it happened.

On Feb. 9, John received an email with an address ending in usps.gov. Thinking he had received a legitimate email from the U.S. Postal Service, he clicked on the attachment. Hours later, John tried to access his law firm’s account with Pacific Premier Bank, the story says. He was transferred to a page asking for his PIN, rather than his usual login, and received a call from a person identifying himself as a bank employee. The caller said the bank noticed John was having trouble accessing the account and told him to type in his PIN, along with another number, which turned out to be a wire transfer code. Then a page appeared saying the site was down for maintenance.

John received another call from the supposed bank employee two days later. ‘He asked me to enter the information several times, but told me it wasn’t working. He then said I was locked out of my account for 24 hours,’ John told ABC 10 News. ‘That’s when alarm bells started to go off.’ Within hours, John discovered that $289,000 had been transferred from the account to a Chinese bank. ‘I never thought it would happen to me,’ said John. ‘I was shocked. I felt like a dummy, basically.’

An expert who spoke with ABC 10 News said the hackers evidently installed a virus to capture John’s keystrokes. Whether a bank will cover the loss depends on its terms and conditions, the expert said. In John’s case, Pacific Premier Bank declined to cover the loss.

Source: American Bar Association, ABA Journal, 19 February 2015.

6.10 Detecting and responding to phishing attacks is difficult, particularly as there may be a time lag between victimisation, discovery and reporting to authorities:10

While phishing attacks may seem straightforward, jurisdictional or evidentiary issues hamper law enforcement agencies. Investigators must act quickly to obtain necessary evidence, with the average time online for a phishing site being three days … Investigation is also difficult and costly … There may be reluctance to commence an investigation into a crime that has originated from another jurisdiction, particularly within countries that do not have laws criminalising their conduct …

6.11 The question of who bears the loss from such crimes is also a difficult one. Some courts have held that inadequate vigilance by bank customers may mean that they, rather than the bank, must bear the consequence.11 A similar set of considerations applies to credit card losses.

Credit card skimming

6.12 The targeting of ATMs and other facilities in which credit, debit and other cards are used is ongoing and persistent. Some of the techniques are well-known but continue to be used by criminals, presumably because they yield results:12

Shoulder surfing is performed at ATM machines where another person is using the machine and the fraudster strategically positions himself or herself so that they can observe the customer’s PIN code.

Skimming is a more elaborate technique which involves a small electronic device which the fraudster installs on the card slot on ATMs or petrol pumps. The device is equipped with a magnetic reader capable of scanning credit cards or EFTPOS cards. Skimmers are hard to detect.

Increasing[ly] elaborate technique is used with EFTPOS. EFTPOS machines are stolen from stores then modified and equipped with skimming devices. The machines are then replaced without the staff noticing the switch.

6.13 Card details obtained through skimming can be used to create counterfeit or ‘cloned’ cards that can then be used in perpetrating frauds and other crimes. Alternatively, the information can simply be used in committing other online crimes:13

The ‘skimmed’ data is generally stored in the skimmer and then transmitted to a computer. The data can then be downloaded onto another magnetic strip, in most cases a counterfeit credit card which becomes an exact copy of the original. However the skimmed credit card data can be downloaded onto any form of media that has a magnetic strip, including a library card, a security card or even a parking ticket.

The counterfeit cards or other media are then used to make fraudulent purchases of goods or to withdraw funds from ATMs. The form of media that the skimmed data is downloaded onto will limit the possible uses — data on a parking ticket is unlikely to be used to purchase goods ‘over the counter’, but could be used in some instances to withdraw cash from ATMs. It is also possible that the information skimmed from credit cards could be used to purchase goods over the phone or the Internet. This removes the need to forge any counterfeit credit card or create any physical record of the skimmed data.

6.14 Although it is difficult to measure the costs of card skimming, in part because some of the losses are borne by credit card companies and defrayed through the imposition of higher interest rates among all card users, estimates range into the tens of millions of dollars in Australia alone.14 Arrests of foreign nationals indicate that card skimming is an organised and international criminal activity.15

Australian laws

6.15 While the Convention on Cybercrime makes no specific reference to either identity crimes or to card skimming, it is arguably covered by the provisions relating to illegal access (Art 2), illegal interception (Art 3), misuse of devices (Art 6), computer-related forgery (Art 7) and computer-related fraud (Art 8). Similarly, under Australian domestic law, much of the criminal conduct that involves theft or fraud using identifying and financial information, including that stored on cards, can be prosecuted using unauthorised access, interception, fraud and forgery offences.

6.16 Laws introduced at the Commonwealth level that protect personal financial information include those in the Criminal Code Act 1995 (Cth) Part 10.8 — Financial information offences.16 Key definitions are in s 480.1(1):

…
dealing in personal financial information includes supplying or using financial information.
deception means an intentional or reckless deception, whether by words or other conduct, and whether as to fact or as to law, and includes:
(a) a deception as to the intentions of the person using the deception or any other person; and
(b) conduct by a person that causes a computer, a machine or an electronic device to make a response that the person is not authorised to cause it to do.
…
personal financial information means information relating to a person that may be used (whether alone or in conjunction with other information) to access funds, credit or other financial benefits.
(2) For the purposes of this Part, a person is taken to obtain or deal in personal information without the consent of the person to whom the information relates if the consent of that person is obtained by any deception.
(3) This Part extends to personal information relating to:
(a) an individual; or
(b) a corporation; or
(c) a living or dead person.

6.17 As noted in Chapter 5, deceptive conduct includes not just the actual or attempted deception of people, but also conduct that causes unauthorised responses in a machine. That may include, for example, knowingly causing an ATM to dispense funds to which the person using the ATM is not entitled, as in the early case of Kennison v Daire (1986) 160 CLR 129. The same would certainly apply to the insertion into an ATM of a stolen or cloned card using another person’s access and account details. Part 10.8 includes three related offences that provide a basis for prosecution of such activities:

480.4 Dishonestly obtaining or dealing in personal financial information
A person is guilty of an offence if the person:
(a) dishonestly obtains, or deals in, personal financial information; and
(b) obtains, or deals in, that information without the consent of the person to whom the information relates.
Penalty: Imprisonment for 5 years.

480.5 Possession or control of thing with intent to dishonestly obtain or deal in personal financial information
(1) A person is guilty of an offence if:
(a) the person has possession or control of any thing; and
(b) the person has that possession or control with the intention that the thing be used:
(i) by the person; or
(ii) by another person;
to commit an offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) or to facilitate the commission of that offence.
Penalty: Imprisonment for 3 years.
(2) A person may be found guilty of an offence against subsection (1) even if committing the offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) is impossible.
(3) It is not an offence to attempt to commit an offence against subsection (1).

480.6 Importation of thing with intent to dishonestly obtain or deal in personal financial information
A person is guilty of an offence if the person:
(a) imports a thing into Australia; and
(b) does so with the intention that the thing be used:
(i) by the person; or
(ii) by another person;
in committing an offence against section 480.4 (dishonestly obtaining or dealing in personal financial information) or to facilitate the commission of that offence.
Penalty: Imprisonment for 3 years.

6.18 Clearly, such offences can be used to prosecute those who produce or use false identification documents, as well as those who engage in card-skimming activities. Other offences that may apply include unauthorised access, modification and impairment, illegal interception, fraud and forgery, and various regulatory offences that apply to banking, employment, taxation, migration and so on. An early Australian prosecution for computer-based identity crimes is described by Clough:17

For example, in R v Zehir the defendant used his computer to produce forty-one false birth certificates and forty-one false student identification cards. Using these false documents he was then able to open bank accounts, register a business name and apply for a driver’s licence. In an example of ‘identity breeding’ once he had opened bank accounts using false identification, he was able to use the cards issued by the bank as proof of identity for subsequent transactions.

6.19 The application of the Criminal Code Act 1995 (Cth) financial information offences as well as related offences is illustrated by the following more recent case, in which the applicant had been convicted under s 480.4 of dishonestly dealing in personal information in the form of stolen credit card details, as well as numerous New South Wales offences. The appeal against the sentences imposed failed.

Hancock v R [2012] NSWCCA 200 (14 September 2012) at [1], [10]–[13]

Schmidt J: The applicant admitted to being the head of a crime syndicate involved in the manufacture, distribution and use of false identity documents, such as drivers licences, Medicare cards, bank ATM cards and credit cards which generated earnings for him of over $100,000. He pleaded guilty in the Local Court to ten offences, nine of which related to the activities of the syndicate. The tenth offence was concerned with supplying 55.1 grams of methylamphetamine. This offence was unrelated to the activities of the syndicate …

The applicant obtained compromised credit card data from various sources, which he supplied to Kha Weng Foong, who produced high quality credit cards and Medicare cards, which he later collected. He also provided fictitious names to Henley Han, who produced false identity documents, including NSW drivers licenses, which he then also collected. Quoc Du Hua was the applicant’s peer in the syndicate. He made arrangements with the applicant as to the workings of the syndicate and negotiated the exchange of goods and money with the applicant. Yung Feng Yun was one of the supervisors of the shoppers to whom the applicant supplied the false identity and credit cards. The shoppers made purchases, which they handed to Yun, who waited in a car parked nearby. Sock Meng Kee supervised another group of shoppers and remitted money overseas for the applicant. The applicant’s daughter, Mei Ch’eng (Mary) Che received proceeds from the use of false identity and credit cards provided by the applicant in Victoria. Bing Xian Yeoh supervised a group of shoppers in Victoria and collected goods which he handed to her in return for payment …

The offender conspired with Foong to make false instruments between 18 February 2009 to 1 July 2009. During this period Foong acquired the material and machinery required to produce high quality false credit cards. At the request of the offender Foong used these materials and machinery to manufacture false credit cards which he subsequently provided to the offender in return for a financial reward. The offender subsequently provided the false credit cards manufactured by Foong to supervise the various groups of shoppers in Sydney and Melbourne. The supervisors included Kee and Yun in Sydney and Che and Yeoh in Melbourne. The ‘shoppers’ used the credit cards to purchase valuable goods from various retail outlets …

During the period of conspiracy the offender regularly received the details of compromised credit card data including credit card numbers and card holder numbers via SMS from a male person known as Kwan Seong Wong in Spain and from other contacts in Malaysia and Australia. The offender regularly forwarded this data to Foong and the offender [sic Han] to enable them to manufacture the false credit cards and identification documents. The offender visited Foong’s residence in Kings Cross on a number of occasions to collect the manufactured credit cards. On other occasions Foong sent batches of completed credit cards to the offender by Australia Post.

6.20 The Criminal Code Act 1995 (Cth) was amended in 2011 with the addition of a new Part 9.5 — Identity crime.18 This includes the following definitional provisions:

370.1 Definitions
In this Code:
deal, in identification information, includes make, supply or use any such information.
identification documentation means any document or other thing that:
(a) contains or incorporates identification information; and
(b) is capable of being used by a person for the purpose of pretending to be, or passing the person off as, another person (whether living, dead, real or fictitious).
identification information means information, or a document, relating to a person (whether living, dead, real or fictitious) that is capable of being used (whether alone or in conjunction with other information or documents) to identify or purportedly identify the person, including any of the following:
(a) a name or address;
(b) a date or place of birth, whether the person is married or has a de facto partner, relatives’ identity or similar information;
(c) a driver’s licence or driver’s licence number;
(d) a passport or passport number;
(e) biometric data;
(f) a voice print;
(g) a credit or debit card, its number, or data stored or encrypted on it;
(h) a financial account number, user name or password;
(i) a digital signature;
(j) a series of numbers or letters (or both) intended for use as a means of personal identification;
(k) an ABN.

370.2 Definition of foreign indictable offence
In Division 372:
foreign indictable offence means an offence against a law of a foreign country or part of a foreign country that is constituted by conduct that, if engaged in in Australia, would constitute an indictable offence against a law of the Commonwealth.

6.21 Division 372 of Pt 9.5 then contains the following main offences:19

372.1 Dealing in identification information
(1) A person (the first person) commits an offence if:
(a) the first person deals in identification information; and
(b) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of:
(i) committing an offence; or
(ii) facilitating the commission of an offence; and
(c) the offence referred to in paragraph (b) is:
(i) an indictable offence against a law of the Commonwealth; or
(ii) a foreign indictable offence.
Penalty: Imprisonment for 5 years.
…

372.1A Dealing in identification information that involves use of a carriage service
Dealing in identification information using a carriage service
(1) A person (the first person) commits an offence if:
(a) the first person deals in identification information; and
(b) the first person does so using a carriage service; and
(c) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of:
(i) committing an offence; or
(ii) facilitating the commission of an offence; and
(d) the offence referred to in paragraph (c) is:
(i) an indictable offence against a law of the Commonwealth; or
(ii) an indictable offence against a law of a State or Territory; or
(iii) a foreign indictable offence.
Penalty: Imprisonment for 5 years.
…
Dealing in identification information obtained using a carriage service
(3) A person (the first person) commits an offence if:
(a) the first person obtains identification information; and
(b) the first person does so using a carriage service; and
(c) the first person deals in the identification information; and
(d) the first person intends that any person (the user) (whether or not the first person) will use the identification information to pretend to be, or to pass the user off as, another person (whether living, dead, real or fictitious) for the purpose of:
(i) committing an offence; or
(ii) facilitating the commission of an offence; and
(e) the offence referred to in paragraph (d) is:
(i) an indictable offence against a law of the Commonwealth; or
(ii) an indictable offence against a law of a State or Territory; or
(iii) a foreign indictable offence.
Penalty: Imprisonment for 5 years.
…

6.22 The Explanatory Memorandum to the Bill introducing the s 372.1A offences stated that these amendments would:20

… expand identity crime offences to include dealing in identity information with an intention to commit, or facilitate, the commission of a foreign indictable offence. It will also create a new offence of using a carriage service, such as the internet or a mobile phone, to obtain and/or deal in identification information where a person intends to commit, or facilitate the commission of, a Commonwealth, State, Territory or foreign indictable offence. These expanded offences will help prevent identity crime by ensuring that the Commonwealth’s laws account for the transnational and multi-jurisdictional nature of identity crime.

6.23 As in other Commonwealth legislation, the use of a ‘carriage service’ includes the Internet and telephone services. It should also be noted that the definition of ‘identification information’ in s 370.1 includes ‘a credit or debit card, its number, or data stored or encrypted on it’, which means that there is considerable overlap with the definition of ‘personal financial information’ in s 480.1. Therefore, activities such as phishing and card skimming may be covered by offences within both Pts 9.5 and 10.8 of the Criminal Code Act 1995 (Cth).21

6.24 Further, where such activities involve the interception of data, there may be additional coverage through the Telecommunications (Interception and Access) Act 1979 (Cth). This was recognised by the Model Criminal Code Officers Committee:22

If skimming is perpetrated by interception of credit and debit card information from data cables between a commercial premises and a financial institution, then this is likely to constitute an offence under the Telecommunications (Interception) Act 1979 (Cth) or Part VIIB of the Crimes Act 1914 (Cth) (telecommunications offences).

6.25 Finally, in relation to identity crimes, it has long been recognised that victimisation can be a costly and harrowing experience, particularly where new identification documents have to be obtained from government departments, and credit history has to be restored:23

Victims of identity theft and phishing attacks primarily suffer financial losses. However, these crimes also exact a price on the victim in time and money spent trying to rebuild her credit and good name, and a price on society in business losses, generally passed on to consumers through higher costs for goods and credit. Phishing imposes an additional societal cost — loss of consumer confidence in conducting business online.

6.26 Because of this further cost to victims, some recent legislation on identity crimes has also included special provisions allowing a court to issue a certificate designed to facilitate redress. For example, Div 375 of the Criminal Code Act 1995 (Cth) contains the following provisions:

375.1 Certificate may be issued by magistrate in relation to victim of identity crime
(1) A magistrate may, on application by a person (the victim), issue a certificate under this section if the magistrate is satisfied, on the balance of probabilities, that:
(a) another person (the dealer) has dealt in identification information; and
(b) the dealer intended that any person (the user) (whether or not the dealer) would use the identification information to pretend to be, or to pass the user off as, another person (whether the victim or another person living, dead, real or fictitious) for the purpose of:
(i) committing an offence; or
(ii) facilitating the commission of an offence; and
(c) the certificate may assist with any problems the dealing has caused in relation to the victim’s personal or business affairs; and
(d) the offence referred to in paragraph (b) is an indictable offence against a law of the Commonwealth.
Note: Deal, in identification information, includes make, supply or use any such information. See section 370.1.
(2) This section applies:
(a) even if:
(i) committing the offence referred to in paragraph (1)(b) is impossible; or
(ii) the offence referred to in paragraph (1)(b) is to be committed at a later time; and
(b) whether or not the person to whom the identification information concerned relates consented to the dealing in the identification information.

375.2 Content of certificate
(1) A certificate issued under section 375.1 must:
(a) identify the victim; and
(b) describe the dealing in identification information.
(2) The certificate may contain such other information as the magistrate considers appropriate.
(3) The certificate must not identify the dealer.

6.27 Victim certificates may be used in dealings with institutions such as government agencies, banks and credit agencies, but are not otherwise admissible in criminal or civil proceedings:24

Commonwealth Victims’ Certificates

A Commonwealth Victims’ Certificate is provided by a state or territory magistrate to a victim of Commonwealth identity crime that:
records the name of the victim
describes the circumstances in which the person has been a victim of Commonwealth identity crime.

The perpetrator or alleged perpetrator of the Commonwealth identity crime offence will not be identified in the certificate.

The certificate helps support your claim that you have been the victim of Commonwealth identity crime. You can present the certificate to an organisation such as a government agency or a business (such as a financial institution or credit agency). This may help you negotiate with them to re-establish your credentials or to remove a fraudulent transaction from their records.

A certificate does not compel any organisation to take a particular action. It will not automatically re-establish your credit rating or remove a fraudulent transaction from your record. It is also not admissible in any legal proceedings.

6.28 An interesting question is whether corporations are protected in relation to misrepresentations about identity in the same way that natural persons are. In a recent proceeding that resulted in a conviction under the Corporations Act 2001 (Cth) for disseminating false information about a bank’s investments in a mining development project, the offender, by way of a protest action, had posted online a fake media release purporting to be from the ANZ Bank. He was convicted and sentenced to one year and eight months in prison, suspended on the payment of a $1000 good behaviour bond.

R v Moylan [2014] NSWSC 944 (25 July 2014) at [11]–[23]

Davies J: On 4 January 2013, as a result of what he ascertained through a Google search, the Offender accessed the website of ‘Crazy Domains’ and purchased for $27 the internet domain name ‘anzcorporate.com’. He also established the email address ‘[email protected]’, providing his own name and personal contact details as part of the registration process.

On 5 January he set up the email address referred to and subsequently tested it by sending test emails to his personal email addresses and to Mr Drechsler’s email address. On the same day he accessed the Media Centre page of ANZ’s website and viewed two genuine media releases issued by ANZ. He also accessed articles via the internet relating to the finalisation of the ANZ facility. Later on 5 January the Offender used his computer to create the false media release.

Between 7.03 pm and 7.28 pm on 5 January the Offender used his computer to create the false media release. He first inserted an ANZ logo, which he had previously downloaded from the internet, at the top of the false media release. He formatted the release using the same lay-out, font and colour-scheme as the two genuine ANZ media releases he had viewed on the ANZ website. He nominated the principal contact for media enquiries as ‘Toby Kent, Group Head of Corporate Sustainability’. Toby Kent was a person actually employed by ANZ with whom the Offender had previously had dealings through his activism against the Maules Creek Project. He listed Mr Kent’s email address as [email protected] and his mobile telephone number as 0431 289 766, although both were actually the Offender’s contact details. He also set up a voicemail message on that mobile phone number in which he identified himself as ‘Toby Kent from ANZ’.

Consistent with the two genuine ANZ media releases he had viewed, he nominated as a secondary contact for media enquiries the name of another person, Joanne McCulloch, who was actually a Media Relations Advisor at ANZ, with her correct title and contact details included.

The following day, 6 January, the Offender accessed legislation available on the Austlii legal information website and viewed the Criminal Code Act 1995 (Cth) and the Crimes Act 1900 (NSW), in particular s 250 (which contains the meaning of when a document is false) and s 253 (which creates the offence of forgery).

On the same day he sent the false media release from the email address [email protected] to Mr Drechsler who, when he received it, said words to the effect ‘it looks okay’.

On the morning of 7 January the Offender researched Australian business media contacts via a number of internet sites. At 10.46 am on 7 January the Offender accessed the transcript of an ABC interview with an international activist group known as the ‘Yes Men’. The Offender had previously accessed videos of the Yes Men and their activities on 27 June 2012. The Offender was aware that in 2004 a member of the Yes Men had falsely represented that he was a spokesperson for Dow Chemical Company and appeared on the BBC World television news program. The Offender knew that in that case the media had initially accepted as genuine the spokesperson’s announcement that a subsidiary company responsible for the Bhopal chemical disaster would be liquidated and the resulting $12 billion would be given as compensation to victims. That was later revealed to be a hoax.

At 10.38 am on 7 January the Offender sent from his own email address a document to some 20 individuals associated with FLAC titled ‘ANZ Week of Action’. It was a 12 page document intended to be a guide for activists, with a number of suggested activities to ‘shame’ ANZ, with the stated goal that ‘If ANZ withdraws their loan, the Maules Creek Coal Mine will not proceed’. There was also extensive advice on dealing with the media and police as part of any protest actions.

At 11.44 am on 7 January, the Offender disseminated the information in the false media release by sending an email from [email protected].

6.29 Given that a corporation is legally a ‘person’, it may be that such conduct could also be prosecuted using the identity crime provisions discussed above.25


Questions for consideration

1. In relation to identity crime, the Commonwealth Attorney-General, ‘Identity Crime Now Amongst Most Common Crimes in Australia’, media release, 5 May 2014, has provided the following advice:

I encourage anyone who has suffered identity crime to report their experiences to police or relevant privacy or consumer protection agencies. This makes it easier to provide support and to prevent similar instances in the future. The extent of deception and dishonesty revealed in this survey emphasises the importance of protecting your personal information, particularly online. People should ensure they have strong passwords on computers, effective privacy settings around social media, and take care when shopping online and disposing of hard copy mail containing personal information. The findings underscore the need for all Australian governments to work collaboratively with the private sector to implement the National Identity Security Strategy, including by expanding use of the Document Verification Service to combat the misuse of false and stolen identities.

How effective is this advice likely to be in reducing the incidence of such crime? What particular pointers should be given to those using the Internet, social media and other online facilities that might reduce their vulnerability to identity crimes?

2. In A Rege, ‘What’s Love Got to Do with It? Exploring Online Dating Scams and Identity Fraud’ (2009) 3(2) International Journal of Cyber Criminology 494 at 498, the way in which romance scams snare victims is described (notes omitted):

Online romance scams unfold as a process, often occurring over several months. Scammers use legitimate dating sites as springboards for meeting their victims. First, a fake profile is thoroughly designed with an ‘articulately worded essay, a list of hobbies, … a flirtatious tag line and even a quality picture’. Scammers can use photographs that range from low-quality and heavily pixilated photographs to high-quality studio shots; often multiple shots of the same model are used, which strengthens the scammer’s credibility who can supply limitless photographs at the victim’s request. The second stage involves contact; the scammer almost always initiates communication with the victim. Scammers then establish a strong bond with their victims through constant communication to generate trust, confidence, and romantic liaisons; this phase can last anywhere from six to eight months until the desired trust-level is achieved. Romance scams are gender neutral, equally targeting male and female online daters. At the third stage, scammers request money from victims by narrating tragic or desperate circumstances, such as theft of personal documents during travel, unexpected hospital expenses resulting from sudden accidents or illnesses, or securing funds for travel to meet the victim. Furthermore, these circumstances are often sequential; the scammer always needs more financial assistance as the desperate circumstances intensify. The more successful the scammer is in convincing victims of these circumstances, the more the victim is lured into the scam; this ‘cycle of lures’ continues until victims lose patience or realize they are being duped and stop sending money.

Might a greater focus on the misuse of identity online at earlier stages contribute to the prevention of later victimisation due to such romance and other scams?

1. For a deeper discussion of how ‘digital identity’ is constructed and may be exploited in the online environment, see C Sullivan, Digital Identity: An Emergent Legal Concept, University of Adelaide Press, 2011; and for a detailed analysis of the mechanics of identity-related crime, distinguishing no fewer than 17 types of attack, see B-J Koops, R Leenes, M Meints, N van der Meulen and D-O Jacquet-Chifelle, ‘A Typology of Identity-Related Crime’ (2009) 12(1) Information, Communication and Society 1.

2. J Clough, Principles of Cybercrime, Cambridge University Press, 2010, p 190, citing work of the Australian Centre for Policing Research and the Australian Transaction Reports and Analysis Centre; see also J H Farrar, ‘Fighting Identity Crime’ (2011) 23(1) Bond Law Review 88.

3. R Smith and A Hutchings, ‘Identity Crime and Misuse in Australia: Results of the 2013 Online Survey’, Research and Public Policy Series no. 128, Australian Institute of Criminology, May 2014 (Foreword and Executive Summary); also reported in ‘1 in 5 Australians Have Been Victims of Identity Crime with Computer Hacking, Online Banking and Shopping to Blame’, news.com.au, 13 May 2014; and see also Attorney-General for Australia, ‘Identity Crime Now Amongst Most Common Crimes in Australia’, media release, 5 May 2014.

4. A Hutchings and H Hayes, ‘Routine Activity Theory and Phishing Victimisation: Who Gets Caught in the “Net”?’ (2009) 20(3) Current Issues in Criminal Justice 433 (notes omitted). See also P Black, ‘Phish to Fry: Responding to the Phishing Problem’ (2005) 16 Journal of Law, Information and Science 73; and Anti-Phishing Working Group (APWG) website.

5. J H Farrar, ‘Fighting Identity Crime’, note 2 above; see also M Wu, R C Miller and S L Garfinkel, ‘Do Security Toolbars Actually Prevent Phishing Attacks?’ in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2006 at 610.

6. R J Stevenson, The Boiler Room and Other Telephone Scams, University of Illinois Press, 1998.

7. From the APWG website (note 4 above); see also Australian Bankers’ Association (ABA), ‘Bank Telephone Survey Scam’, media release, 19 December 2014. The advice provided by the ABA is: ‘The ABA advises that if you have provided any information over the telephone then you should immediately contact your bank, which will take action to protect and monitor your account. For further tips and information on how to protect your financial identity, visit protectfinancialid.org.au’.

8. M Dodge, ‘Slams, Crams, Jams, and Other Phone Scams’ (2001) 17(4) Journal of Contemporary Criminal Justice 358 at 359; see also A O’Donnell, ‘How to Protect Yourself from Premium SMS Text Message Scams’, About Tech; and Australian Competition and Consumer Commission (ACCC), SCAMwatch, ‘Missed Calls & Text Messages from Unknown Numbers’.

9. D Cassens Weiss, ‘Lawyer Who Clicked on Attachment Loses $289K in Hacker Scam’, American Bar Association, ABA Journal, Internet Law section, 19 February 2015.

10. A Hutchings and H Hayes, ‘Routine Activity Theory and Phishing Victimisation: Who Gets Caught in the “Net”?’, note 4 above, at 437, citing the Anti-Phishing Working Group’s 2008 report; J Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259.

11. In Germany, for example: C Farivar, ‘Clients, Not Banks, Liable for Losses in Phishing Scams, Court Rules’, Ars Technica, 26 April 2012.

12. J H Farrar, ‘Fighting Identity Crime’, note 2 above, at 91; J Clough, Principles of Cybercrime, note 2 above, pp 196–9.

13. Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Model Criminal Code, Chapter 3: Credit Card Skimming Offences, February 2006, p 4.

14. Australian Crime Commission (ACC), ‘Card Fraud’, citing a figure of $44 million annually; see also C Yeates, ‘Millions Being “Skimmed” at ATMs’, The Sydney Morning Herald, 15 April 2014.

15. P Hatch, ‘Suspected Members of International Card-Skimming Syndicate Arrested in Melbourne’, The Age, 29 June 2014.

16. Part 10.8 was added by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004 (Cth) with effect from 1 March 2005. Its provisions were not affected by the Cybercrime Legislation Amendment Act 2012 (Cth).

17. J Clough, Principles of Cybercrime, note 2 above, pp 191–2 (notes omitted). The case citation provided is (1998) 104 A Crim R 109.

18. Part 9.5 is closely based on the Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA), which added identity crime provisions to South Australian law. These were also noted in Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Model Criminal Code, Chapter 3: Credit Card Skimming Offences, Appendix A, February 2006.

19. Section 372.1 was added by the Law and Justice Legislation Amendment (Identity Crimes and Other Measures) Act 2011 (Cth), while s 372.1A was added by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth). Similar offences are found in the Crimes Act 1900 (NSW) Part 4AB — Identity offences, added by the Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 (NSW); Criminal Code Act (NT) Pt VII Division 2A — Identity crime, added by the Criminal Code Amendment (Identity Crime) Act 2014 (NT); Criminal Code Act 1899 (Qld) s 408D (Obtaining or dealing with identification information), added by the Criminal Code and Civil Liability Amendment Act 2007 (Qld); Criminal Law Consolidation Act 1935 (SA) Part 5A — Identity theft, added by the Criminal Law Consolidation (Identity Theft) Amendment Act 2003 (SA); Crimes Act 1958 (Vic) Pt I Division 2AA — Identity crime, added by the Crimes Amendment (Identity Crime) Act 2009 (Vic); see also Criminal Code Act Compilation Act 1913 (WA) Chapter LI (Identity crime).

20. Explanatory Memorandum, Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Bill 2012 (Cth). See also J Clough, Principles of Cybercrime, note 2 above, pp 207–20, including a reference to the famous Steiner cartoon first published in the New Yorker magazine in 1993 with the caption: ‘On the Internet, nobody knows you’re a dog’. The author has appropriated and adapted this in relation to undercover online investigations as, ‘On the Internet, nobody knows you’re a cop’ (see further in Chapter 9).

21. Note that Pt 9.5 also contains offences in s 372.2 (Possession of identification information) and s 372.3 (Possession of equipment used to make identification information), each carrying a maximum penalty of imprisonment for three years.

22. Model Criminal Code Officers Committee of the Standing Committee of Attorneys-General, Model Criminal Code, Chapter 3: Credit Card Skimming Offences, February 2006, p 10. Note that the name of the Telecommunications (Interception) Act 1979 has changed since the report’s writing (to Telecommunications (Interception and Access) Act 1979), and that telecommunications offences are now to be found in the Criminal Code Act 1995 (Cth) rather than the Crimes Act 1914 (Cth).

23. J Lynch, ‘Identity Theft in Cyberspace: Crime Control Methods and Their Effectiveness in Combating Phishing Attacks’ (2005) 20 Berkeley Technology Law Journal 259 at 260.

24. Commonwealth Attorney-General’s Department, ‘Victims of Commonwealth Identity Crime’; and see Criminal Code Act 1995 (Cth) s 375.3 (Relation to civil and criminal proceedings) and s 375.4 (Power conferred on magistrate personally). Division 376 goes on to deal with false identities used in air travel.

25. Acts Interpretation Act 1901 (Cth) s 2C provides that expressions used to denote persons generally (such as ‘person’, ‘party’, ‘someone’, ‘anyone’, ‘no-one’, ‘one’, ‘another’ and ‘whoever’) include a body politic or corporate as well as an individual.


Chapter 7 Online Copyright Crimes

Chapter contents

Convention on Cybercrime 7.8
Australian laws 7.10
Questions for consideration

7.0 This chapter deals with online copyright crimes. Copyright in items such as books, articles, movies and music recordings may be infringed online, including through Internet uploading and downloading, or by non-electronic means. Copyright infringement may be addressed through both criminal and civil remedies. Thus, the topic of online criminal infringement of copyright occupies only a part of the broader picture of intellectual property rights and their protection.

7.1 Intellectual property is defined under international conventions as including rights relating to:1
- literary, artistic and scientific works,
- performances of performing artists, phonograms, and broadcasts,
- inventions in all fields of human endeavour,
- scientific discoveries,
- industrial designs,
- trademarks, service marks, and commercial names and designations,
- protection against unfair competition,
and all other rights resulting from intellectual activity in the industrial, scientific, literary or artistic fields.

7.2 Intellectual property rights are protected under both legislation and common law. In Australia, intellectual property legislation is almost entirely in the form of Commonwealth laws, the Constitution vesting legislative power through s 51(xvii) in the Commonwealth Parliament to make laws with respect to ‘copyrights, patents of inventions and designs, and trade marks’. The main categories of intellectual property, and the legal basis for their protection, are as follows (Table 7.1):

Table 7.1: Intellectual property protection in Australia2

| Category | Legislation | Registration requirements | Term of protection | Criminal infringement offences |
| --- | --- | --- | --- | --- |
| Copyright | Copyright Act 1968 (Cth) | None — copyright in original works, etc exists without any registration | For original literary, dramatic, musical and artistic works, 70 years after the death of the author | For original works, Part V — Remedies and offences; for encoded broadcasts, Pt VAA Div 3; for performers’ protection, Pt XIA Div 3 |
| Designs | Designs Act 2003 (Cth) | Registration with IP Australia | Five years, renewable | None |
| Patents | Patents Act 1990 (Cth) | Registration with IP Australia | 20 years for standard patent; eight years for an innovation patent | None |
| Plant breeder’s rights (PBR) | Plant Breeder’s Rights Act 1994 (Cth) | Registration with IP Australia | 20 or 25 years, depending on variety | An infringement offence is in s 74 |
| Trade marks | Trade Marks Act 1995 (Cth) | Registration with IP Australia | 10 years, renewable | Part 14 contains offences |

Source: Australasian Legal Information Institute (AustLII).

7.3 The focus for criminal copyright infringement is usually on organised and commercial-scale infringement. Activities by individuals for private purposes, such as downloading pirated songs and movies, though they also may legally be infringing, rarely attract the application of the criminal offence provisions of the Copyright Act 1968 (Cth). Rather, arrests and prosecutions tend to be directed at traders selling or offering pirated music, film and software, or those who sell or offer devices to get around copyright protections.3 However, it is a dangerous simplification to claim that copyright is always treated as a ‘civil matter’.4

7.4 In fact, criminal penalties for infringing acts have existed under Australian copyright law since the early 1900s, and the role of public enforcement of copyright can be traced back to the Statute of Anne in Britain in 1710.5 The terms ‘piracy’ and ‘counterfeiting’ also have a venerable history in connection with literary and other creative works, and are used in international instruments such as the Trade-Related Aspects of Intellectual Property Rights (TRIPs) Agreement, which provides (Art 61):6

Members shall provide for criminal procedures and penalties to be applied at least in cases of wilful trademark counterfeiting or copyright piracy on a commercial scale. Remedies available shall include imprisonment and/or monetary fines sufficient to provide a deterrent, consistently with the level of penalties applied for crimes of a corresponding gravity. In appropriate cases, remedies available shall also include the seizure, forfeiture and destruction of the infringing goods and of any materials and implements the predominant use of which has been in the commission of the offence. Members may provide for criminal procedures and penalties to be applied in other cases of infringement of intellectual property rights, in particular where they are committed wilfully and on a commercial scale.

7.5 The terms ‘counterfeit trademark goods’ and ‘pirated copyright goods’ are defined in the TRIPs agreement as follows:7

For the purposes of this Agreement:
(a) ‘counterfeit trademark goods’ shall mean any goods, including packaging, bearing without authorization a trademark which is identical to the trademark validly registered in respect of such goods, or which cannot be distinguished in its essential aspects from such a trademark, and which thereby infringes the rights of the owner of the trademark in question under the law of the country of importation;
(b) ‘pirated copyright goods’ shall mean any goods which are copies made without the consent of the right holder or person duly authorized by the right holder in the country of production and which are made directly or indirectly from an article where the making of that copy would have constituted an infringement of a copyright or a related right under the law of the country of importation.

7.6 Familiar forms of counterfeit goods are fake or ‘knock-off’ consumer items, such as clothes, watches, handbags, sunglasses, perfumes and electronic devices; while commonly seen pirated goods are books, CDs, DVDs and computer programs.

7.7 More sophisticated counterfeiting and piracy operations extend to the production of drugs and medicines, aircraft and vehicle parts, games, tools and computer parts.8 However, there is no reason to restrict the designation of ‘goods’ to physical items because it is clear that trade marks and copyright also protect non-physical aspects of intellectual creativity and productivity, such as brand reputation, artistic performances, broadcasts and, through the protection of moral rights in relation to literary and artistic works, rights of attribution and integrity. Moreover, online conduct is often associated with the counterfeiting of consumer and other goods:9

Counterfeiters often steal pictures and formatting from the real websites to make their websites look legit, so don’t be fooled by a professional-looking website. Check out the fine print in the product descriptions, FAQ’s, or ‘Contact Us’ pages. If you find typos, grammatical and spelling errors, or incomplete information, the site is probably fake.


Convention on Cybercrime

7.8 The Council of Europe’s Convention on Cybercrime deals with copyright and other rights that are infringed wilfully, on a commercial scale, and using computers:10

Article 10 — Offences related to infringements of copyright and related rights

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of copyright, as defined under the law of that Party, pursuant to the obligations it has undertaken under the Paris Act of 24 July 1971 revising the Bern Convention for the Protection of Literary and Artistic Works, the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Copyright Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

2 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law the infringement of related rights, as defined under the law of that Party, pursuant to the obligations it has undertaken under the International Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations (Rome Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights and the WIPO Performances and Phonograms Treaty, with the exception of any moral rights conferred by such conventions, where such acts are committed wilfully, on a commercial scale and by means of a computer system.

3 A Party may reserve the right not to impose criminal liability under paragraphs 1 and 2 of this article in limited circumstances, provided that other effective remedies are available and that such reservation does not derogate from the Party’s international obligations set forth in the international instruments referred to in paragraphs 1 and 2 of this article.

7.9 It should be noted that Art 10 covers a somewhat narrower range of copyright infringements than is covered under copyright law generally:
- The focus is on criminal rather than civil infringement of copyright.11
- There is a restriction to infringing conduct that is committed wilfully, or intentionally, whereas copyright offences under Australian and other domestic laws may be committed through lesser fault elements, such as recklessness, negligence or even under conditions of strict liability.12
- The infringement needs to be on a ‘commercial scale’, while copyright infringement under Australian and other laws need not be limited in this way.13
- The infringing act(s) must be ‘by means of a computer system’, whereas Australian and other laws also apply to other means of infringing copyright.14
- There is a specific exclusion of ‘moral rights’, whereas Australian and other laws also protect these within their copyright laws.15

Australian laws

7.10 There are no offences in the Criminal Code Act 1995 (Cth) that relate directly to copyright infringement. Rather, the broader unauthorised access, modification and impairment, and some other, offences discussed in previous chapters may apply to online conduct that involves copyright infringement:
- Section 474.14 (Using a telecommunications network with intention to commit a serious offence) may apply where the serious offence is one punishable by imprisonment for five years or more under the Copyright Act 1968 (Cth).
- Section 477.1 (Unauthorised access, modification or impairment with intent to commit a serious offence) may similarly apply to a serious copyright offence.
- Section 477.2 (Unauthorised modification of data to cause impairment) may apply to interference with electronic copyright protections so as to enable infringement.
- Section 478.1 (Unauthorised access to, or modification of, restricted data) may similarly apply to interference with copyright protections so as to enable infringement.

7.11 However, where copyright infringement is the main aspect of criminal offending, including online infringement, it is more likely that charges will be laid under the Copyright Act 1968 (Cth) directly. The following early case illustrates:16

Ng, Tran and Le (unreported, NSW Local Court, Sydney, December 2003)

This case related to the operation of a website called ‘MP3/WMA Land’ which allowed members of the public to listen to, and download, unauthorized copies of music recordings and music video clips free of charge. The Website was linked to some mirror websites and provided access to a large number of CDs and individual songs. Some of the CDs were available through the website before they had been officially released in Australia. During the time it operated the Website received over seven million hits.

Ng, Tran and Le were all university students. Ng established and maintained the Website, Tran later helped to maintain and update it. Le’s role was to remix songs onto compilation CDs which were uploaded and posted on the Website.

The operation of sites of this kind has a significant impact on the Australian music industry because artists and producers derive no income when their works are made available to the public free of charge. The matter first came to notice as a result of complaints made by an organisation known as Music Industry Piracy Investigations.

This was the first criminal prosecution in Australia for offences of this kind. Ng was charged with 22 offences against the Copyright Act 1968, Tran was charged with 17 offences, and Le was charged with 29 offences. All three were convicted. Ng was given a suspended sentence and ordered to perform 200 hours of community service. Tran was given a suspended sentence and fined. Le was ordered to perform 200 hours of community service.

Source: Commonwealth Director of Public Prosecutions (CDPP), Annual Report 2003–2004.

7.12 A topic of ongoing disagreement is whether it is appropriate to use criminal charges rather than civil remedies in cases involving individual copyright infringers, as opposed to organised crime gangs. Arguments in favour of criminal prosecution focus on the deliberate interference with others’ property rights that infringement may involve, leading to analogies with stealing and fraud, as well as the significant economic harms that may result, both to individual copyright owners and to the industries that rely on copyright protection.17 Contrary arguments tend to suggest that prosecution of individuals is heavy-handed, a misallocation of public resources to protect private commercial interests, and futile in the face of widespread downloading of pirated film and music content, especially by technically proficient youngsters across the world.18

7.13 It is perhaps useful to observe that what can be broadly called ‘intellectual property crime’ extends well beyond the infringement of copyright and other categories of intellectual property:19

However, it is fairly easy to find examples of illegal conduct that arguably falls within the scope of ‘intellectual property crime’, in virtue of its exploitation of intellectual property, but which is not confined to criminal infringement under intellectual property statutes. Such conduct must therefore be prosecuted under a range of other offences. Some examples drawn from recent events illustrate:

Example 1: An offender markets a counterfeit medicine with a false indication on the product’s branded packaging indicating that it has approval from the industry regulator, and organises for travel agents to bring overseas customers to the offender’s premises to purchase the product.

Example 2: An offender sets up a botnet by targeting a major software company’s operating system, so that infected computers’ registries surreptitiously issue commands harvesting passwords, email addresses and other information, and relay this data back to a central ‘command and control’ point.

Example 3: An offender makes an extortion demand against a computer security company, threatening to publish its source codes unless a payment is received.

7.14 Even within the narrower domain of prosecuted copyright infringement offences, there is a considerable complexity given the array of offences available:20

The main copyright offences are found in Part V Division 5 of the Copyright Act 1968 (Cth), as amended by the Copyright Amendment Act 2006 (Cth) replacing the central offence of copyright infringement with a set of discrete offences in Part V, including s 132AD (Making infringing copy commercially), s 132AE (Selling or hiring out infringing copy), s 132AF (Offering infringing copy for sale or hire), s 132AG (Exhibiting infringing copy in public commercially), s 132AH (Importing infringing copy commercially), s 132AI (Distributing infringing copy), s 132AJ (Possessing infringing copy for commerce), s 132AK (Aggravated offence—work etc. converted to digital form), s 132AL (Making or possessing device for making infringing copy) and s 132AM (Advertising supply of infringing copy). Other offences relating to public performances, circumvention of access control technological protection measures, removal or altering of electronic rights management information, dealing in unauthorised decoders, and performers’ rights are also contained in the legislation.

Most of these offences carry maximum penalties up to five years’ imprisonment and/or substantial fines for the indictable form of the offence, which require proof of intention, knowledge or recklessness for the main elements of offence; and two years’ imprisonment and/or fines for the summary form of the offence, involving negligence. There is also, for many of the infringement offences, a ‘strict liability’ form with no required fault element, punishable by fine only. For strict liability offences, there is an infringement notice scheme under s 133B and s 248SA and Copyright Regulations 1969 (Cth) Part 6A.

7.15 Resolving legal issues around the subsistence and ownership of copyright can be complicated. Fortunately, however, applying the infringement offences under the Copyright Act 1968 (Cth) does not usually require a complex analysis of these aspects. Rather, these provisions focus on infringing conduct that includes various dealings with infringing copies, including online files, such as a pirated copy of a film or music, a modified game chip or counterfeit software. An ‘infringing copy’ is defined to mean (s 10):

… an article (which may be an electronic reproduction or copy of the work, recording, film, broadcast or edition) the making of which constituted an infringement of the copyright in the work, recording, film, broadcast or edition or, in the case of an article imported without the licence of the owner of the copyright, would have constituted an infringement of that copyright if the article had been made in Australia by the importer …

7.16 The main copyright infringement offence is found in Copyright Act 1968 (Cth) Pt V Div 5 Subdivision B — Substantial infringement on a [page 162] commercial scale. Interestingly, it sub-divides into indictable and summary gradations of offence:21

132AC Commercial-scale infringement prejudicing copyright owner

Indictable offence

(1) A person commits an offence if:
(a) the person engages in conduct; and
(b) the conduct results in one or more infringements of the copyright in a work or other subject-matter; and
(c) the infringement or infringements have a substantial prejudicial impact on the owner of the copyright; and
(d) the infringement or infringements occur on a commercial scale.

(2) An offence against subsection (1) is punishable on conviction by a fine of not more than 550 penalty units or imprisonment for not more than 5 years, or both.

Note: A corporation may be fined up to 5 times the amount of the maximum fine (see subsection 4B(3) of the Crimes Act 1914).

Summary offence

(3) A person commits an offence if:
(a) the person engages in conduct; and
(b) the conduct results in one or more infringements of the copyright in a work or other subject-matter; and
(c) the infringement or infringements have a substantial prejudicial impact on the owner of the copyright and the person is negligent as to that fact; and
(d) the infringement or infringements occur on a commercial scale and the person is negligent as to that fact.
Penalty: 120 penalty units or imprisonment for 2 years, or both.

(4) An offence against subsection (3) is a summary offence, despite section 4G of the Crimes Act 1914.

Determining whether infringements occur on commercial scale

(5) In determining whether one or more infringements occur on a commercial scale for the purposes of paragraph (1)(d) or (3)(d), the following matters are to be taken into account:
(a) the volume and value of any articles that are infringing copies that constitute the infringement or infringements;
(b) any other relevant matter.

[page 163]

Defence relating to law enforcement and national security

(6) This section does not apply in respect of anything lawfully done for the purposes of law enforcement or national security by or on behalf of:
(a) the Commonwealth or a State or Territory; or
(b) an authority of the Commonwealth or of a State or Territory.

Note: A defendant bears an evidential burden in relation to the matter in subsection (6) (see subsection 13.3(3) of the Criminal Code).

Defence for certain public institutions etc.

(7) This section does not apply in respect of anything lawfully done by the following in performing their functions:
(a) a library (other than a library that is conducted for the profit, direct or indirect, of an individual or individuals);
(b) a body mentioned in:
(i) paragraph (a) of the definition of archives in subsection 10(1); or
(ii) subsection 10(4);
(c) an educational institution;
(d) a public non-commercial broadcaster, including:
(i) a body that provides a national broadcasting service within the meaning of the Broadcasting Services Act 1992; and
(ii) a body that holds a community broadcasting licence within the meaning of that Act.

Note 1: A library that is owned by a person conducting a business for profit might not itself be conducted for profit (see section 18).
Note 2: A defendant bears an evidential burden in relation to the matter in subsection (7) (see subsection 13.3(3) of the Criminal Code).

(8) This section does not apply in respect of anything lawfully done by a person in connection with a work or other subject-matter if:
(a) the person has custody of the work or other subject-matter under an arrangement referred to in section 64 of the Archives Act 1983; and
(b) under subsection (7), it would be lawful for the National Archives of Australia to do that thing.

Note: A defendant bears an evidential burden in relation to the matter in subsection (8) (see subsection 13.3(3) of the Criminal Code).

[page 164] 7.17 Offences found in the Copyright Act 1968 (Cth) Pt V Div 5 Subdivision C — Infringing copies include:
s 132AD (Making infringing copy commercially);
s 132AE (Selling or hiring out infringing copy);
s 132AF (Offering infringing copy for sale or hire);
s 132AG (Exhibiting infringing copy in public commercially);
s 132AH (Importing infringing copy commercially);
s 132AI (Distributing infringing copy);
s 132AJ (Possessing infringing copy for commerce);
s 132AK (Aggravated offence — work etc. converted to digital form);
s 132AL (Making or possessing device for making infringing copy);
s 132AM (Advertising supply of infringing copy).

7.18 These offences are also sub-divided into indictable and summary gradations, while some also have a strict liability form. The strict liability offences in the Copyright Act 1968 (Cth) do not carry penalties of imprisonment but, rather, fines which are meant to be regulated through an infringement notice scheme.22

132AD Making infringing copy commercially

Indictable offence

(1) A person commits an offence if:
(a) the person makes an article, with the intention of:
(i) selling it; or
(ii) letting it for hire; or
(iii) obtaining a commercial advantage or profit; and
(b) the article is an infringing copy of a work or other subject-matter; and
(c) copyright subsists in the work or other subject-matter when the article is made.

(2) An offence against subsection (1) is punishable on conviction by a fine of not more than 550 penalty units or imprisonment for not more than 5 years, or both.

Note 1: A corporation may be fined up to 5 times the amount of the maximum fine (see subsection 4B(3) of the Crimes Act 1914).

Note 2: If the infringing copy was made by converting the work or other subject-matter from a hard copy or analog form into a digital or other electronic machine-readable form, there is an aggravated offence with a higher maximum penalty under section 132AK.

[page 165]

Summary offence

(3) A person commits an offence if:
(a) the person makes an article, with the intention of:
(i) selling it; or
(ii) letting it for hire; or
(iii) obtaining a commercial advantage or profit; and
(b) the article is an infringing copy of a work or other subject-matter and the person is negligent as to that fact; and
(c) copyright subsists in the work or other subject-matter when the article is made and the person is negligent as to that fact.
Penalty: 120 penalty units or imprisonment for 2 years, or both.

(4) An offence against subsection (3) is a summary offence, despite section 4G of the Crimes Act 1914.

Strict liability offence

(5) A person commits an offence if:
(a) the person makes an article in preparation for, or in the course of:
(i) selling it; or
(ii) letting it for hire; or
(iii) obtaining a commercial advantage or profit; and
(b) the article is an infringing copy of a work or other subject-matter; and
(c) copyright subsists in the work or other subject-matter when the article is made.
Penalty: 60 penalty units.

(6) Subsection (5) is an offence of strict liability.

Note: For strict liability, see section 6.1 of the Criminal Code.

7.19 The difference between indictable, summary and strict liability gradations of the offences lies in the fault element that applies. For example, in s 132AD(1) above, the default fault element of recklessness applies to the circumstance that the article is an infringing copy of a work or other subject-matter.23 For the summary offence in s 132AD(3), the fault element for this circumstance is negligence.24 For the strict liability offence in s 132AD(5), there [page 166] is no fault element but a defence of mistake of fact may apply.25 One penalty unit is equivalent to $170.26

7.20 Some strict liability offences in the Copyright Act 1968 (Cth) appear to apply to intermediaries such as carriage service providers, with no need for proof of a fault element, in relation to their distribution of infringing content.27 This is perhaps an oversight, given that the legislation contains detailed ‘safe harbour’ provisions excluding civil liability for the same conduct.28 Moreover, the Criminal Code Act 1995 (Cth) effectively excludes liability for intermediaries, including Internet service providers (ISPs), in its telecommunications offences, such as those that relate to child abuse and exploitation material.29

7.21 Prosecution statistics have mostly shown modest numbers of cases through the years from 1989 onwards, with some interesting recent increases (Table 7.2).30

Table 7.2: Copyright and trade mark prosecutions by the Commonwealth Director of Public Prosecutions (CDPP) 1989–2014

| Year | Copyright: Summary | Copyright: Indictable | Trade mark: Summary | Trade mark: Indictable |
|---|---|---|---|---|
| 1989–90 | 10 | 0 | N/A | N/A |
| 1990–91 | 11 | 0 | N/A | N/A |
| 1991–92 | 20 | 0 | N/A | N/A |
| 1992–93 | 14 | 0 | 22 | 0 |
| 1993–94 | 6 | 0 | 13 | 0 |
| 1994–95 | 11 | 0 | 20 | 0 |
| 1995–96 | 8 | 0 | 11 | 0 |
| 1996–97 | 3 | 0 | 11 | 0 |
| 1997–98 | 4 | 0 | 3 | 0 |
| 1998–99 | 12 | 0 | 12 | 0 |
| 1999–2000 | 15 | 0 | 6 | 1 |
| 2000–01 | 8 | 0 | 15 | 0 |
| 2001–02 | 10 | 0 | 14 | 0 |
| 2002–03 | 11 | 0 | 10 | 0 |
| 2003–04 | 23 | 0 | 27 | 0 |
| 2004–05 | 37 | 0 | 14 | 2 |
| 2005–06 | 25 | 0 | 5 | 0 |
| 2006–07 | 35 | 3 | 25 | 0 |
| 2007–08 | N/A | N/A | N/A | N/A |
| 2008–09 | 504 | 40 | 56 | 6 |
| 2009–10 | 377 | 82 | 59 | 0 |
| 2010–11 | 673 | 0 | 12 | 0 |
| 2011–12 | 113 | 10 | 39 | 32 |
| 2012–13 | 43 | 0 | 266 | 0 |
| 2013–14 | 34 | 0 | 94 | 0 |

Source: CDPP Annual reports, 1989–90 to 2013–14. Annual reports to 1996–97 provide statistics for each State and Territory separately; from 1997–98 onwards, prosecutions are classified only under the indictable/summary offence distinction. Offences under the Copyright Act and the Trade Marks Act during this period were almost always dealt with summarily. No trade mark prosecutions are separately recorded for the years 1989–92. For 2007–08, offence statistics were not reported because the reporting system was under review.

7.22 Despite the existence of serious offences carrying penalties of imprisonment and potentially large fines in the Copyright Act 1968 (Cth) and the Trade Marks Act 1995 (Cth), successful prosecutions have historically [page 168] mostly resulted in low-range fines without imprisonment.31 This has been so even where the infringing activity has extended to uploading material online, as in the following case:32

Duarte (unreported, NSW Local Court, Sydney, 2007)

In 2007, The Simpsons Movie was released worldwide and pirate copies quickly began to appear for download on the Internet. A suspect in Australia was arrested as the first individual discovered to be involved in uploading a handheld ‘camcorder’ version of the movie. The Commonwealth Director of Public Prosecutions reported the arrest as follows:

On the 26 July 2007, The Simpson’s Movie [sic] was released in cinemas throughout Australia. On 27 July 2007, an unauthorised copy of the movie was uploaded onto the internet from Australia and distributed worldwide. In excess of 70,000 downloads were recorded over the following days. On 16 August 2007, the AFP executed a warrant on the home of the person alleged to have uploaded the movie onto the internet. He was subsequently charged under the Copyright Act 1968. The accused pleaded guilty and received a $1000 fine.

As reported in the media, the offender was a 23 year-old Sydney resident named Jose Duarte, and his and similar conduct resulted in the deployment by movie studio employees of ‘night vision’ cameras in order to detect covert filming in cinemas. The investigation involved collaboration between the AFP and the Australian Federation Against Copyright Theft, the latter stating that the unauthorised recording of [the] movie was deleted by the authorities from Duarte’s webpage within two hours of it being uploaded.

[page 169] 7.23 The trend has continued with more recent cases, such as the following appeal, in which the applicant had been convicted in relation to sales of what were described as ‘Asian DVDs that infringed the copyright and trade mark of Television Broadcasts Ltd (TVB), a group of companies based in Hong Kong that produce Asian film products’ and ‘English language DVDs that infringed the copyright and trade marks of several American movie companies’.33

Ly v The Queen [2014] FCAFC 175 (17 December 2014) at [1]–[3], [31]–[34], [128]–[129]

The Court: On 5 August 2014, the applicant, Mr Phong Ly, entered pleas of guilty, in the County Court of Victoria, to two Commonwealth offences. The first offence was an offence under s 132AJ(1) of the Copyright Act 1968 (Cth) (Copyright Act) of possessing articles, namely digital versatile discs (DVDs), which were infringing copies of subject matter in which copyright subsisted at the time of possession, with the intention of selling the articles. The second offence was under s 148(1) of the Trade Marks Act 1995 (Cth) (Trade Marks Act) of exposing goods for sale, namely quantities of DVDs of cinematograph files and optical discs of computer games, on which goods there were registered trade marks which were applied without the permission of the registered owners of the trade marks.

A plea hearing took place before his Honour Judge Maidment on 5 August 2014 and on 13 August 2014 his Honour imposed a total effective sentence of 12 months imprisonment, with the applicant to be released pursuant to a recognizance release order after 8 months.

In respect of Charge 1 (s 132AJ(1) of the Copyright Act), the sentencing judge sentenced the applicant to 12 months imprisonment. In respect of Charge 2, the applicant was sentenced to imprisonment for eight months. The terms of imprisonment were to be served concurrently and to commence on the day of sentence. There was no pre-sentence detention. His Honour made a recognizance release order under s 19AC of the Crimes Act, the effect of which was that the applicant was to be released from imprisonment on his own recognizance of $1,500 to be of good behaviour after serving eight months of imprisonment.

…

In sentencing the applicant, his Honour noted that s 16A(1) of the Crimes Act required him to impose a sentence that was of a severity appropriate in all the circumstances of the offence and that he had regard to the matters listed in s 16A(2) of the Crimes Act to the extent that they were relevant: Remarks at [14].

A fair reading of his Honour’s remarks on sentence reveals that his Honour considered that the following matters were particularly relevant to arriving at the sentence imposed.

[page 170] First, his Honour had regard to the importance of general deterrence in sentencing for such offences: Hamm v Middleton [1999] FCA 777; (1999) 44 IPR 656 (Hamm v Middleton) at [18]; Remarks at [15]. His Honour also had regard to the importance of specific deterrence, particularly in light of the prior offences under the Copyright Act and Trade Marks Act: Remarks at [19], [25].

Second, the offences were to be seen in the context of a wider commercial enterprise that was substantial. The offences were part of a course of conduct in running that enterprise: Remarks at [16].

Third, the sentencing judge found that there was no evidence from which he could find on the balance of probabilities that the applicant was genuinely remorseful: Remarks at [17]. In this respect, his Honour had particular regard to the applicant’s prior offences under the Copyright Act and Trade Marks Act. His Honour found, having regard to the prior convictions, that the applicant committed the offences with his ‘eyes open’, that he failed to heed the warning that should have arisen from his previous court appearances and that his conduct was ‘deliberate, flagrant, calculated offending motivated by the prospect of substantial profits’: Remarks at [18]. His Honour noted that there was no evidence before him of any financial pressure and that he was driven to the conclusion that the applicant was ‘driven by greed, not need’: Remarks at [18]. In relation to this finding, the sentencing judge referred to statements in the psychologist’s report that the applicant’s prior offences were borne out of the need to make ends meet to support his children and pay his rent, but found that there was no evidence ‘of any financial distress or pressure that would justify’ the offences for which he was being sentenced.

Fourth, the applicant pleaded guilty and indicated his plea of guilty at an early stage. His Honour found that the applicant was entitled to substantial credit for his early plea: Remarks at [19].

Fifth, the sentencing judge had regard to the character, age, means and physical and mental condition of the applicant. In this respect, his Honour noted that he was greatly assisted by the psychologist report: Remarks at [19]–[22]. His Honour took into account the applicant’s prospects of rehabilitation: Remarks at [24].

…

The applicant has failed to make out any of his grounds of appeal. It has not been shown that the sentencing judge made any specific error … or that the sentence imposed was manifestly excessive …

For the foregoing reasons, we would grant leave to appeal but dismiss the appeal.

7.24 Internationally, online copyright infringement has evolved through a series of music file-sharing services, such as Napster, Gnutella, Grokster, Kazaa, Morpheus and so on, many of which have resulted in civil or criminal litigation [page 171] in countries including the United States and in Europe.34 The civil litigation involving the music-sharing service Kazaa extended to the Federal Court of Australia in a landmark case.35 With the advent of BitTorrent technology, the focus has increasingly been on movie downloads and the potential responsibility of intermediaries, such as ISPs, for the infringing conduct of their clients, which to date has not been successfully argued.36 By contrast, direct civil enforcement action against file-sharers in the United States has been more successful, though heavily criticised:37

To date over 18,000 P2P users have been sued by the Recording Industry Association of America (RIAA). Most of these users have been college students and parents of high-school students. While word of these law suits [is] spreading, and many parents fear that their children may be using a family computer to illegally download and share copyrighted works, few supervising adults have the technical knowledge needed to determine whether and to what extent pirating may be occurring via a computer and Internet connection they are legally responsible for. Additionally, while P2P networks are filled with millions of users with billions of copyrighted files, few users understand the ways in which they are illegally using computers and other mobile electronic devices to download protected content.

7.25 Perhaps the most interesting Australian copyright case with an international aspect has been the extradition of one of the leaders of an online piracy group called ‘DrinkOrDie’ to the United States. This group came to the attention of authorities investigating ‘warez’ activity, and a multi-country law enforcement operation called ‘Operation Buccaneer’ was set up to bring its members to justice.38

On 11 December 2001, law enforcement officials executed over 70 search warrants simultaneously in the United States, the United Kingdom, Australia, Norway, Sweden and Finland. The targets of these warrants were highly organised but globally dispersed members of several Internet-based software piracy groups, [page 172] including a particularly notorious group known as ‘DrinkOrDie’. The concerted enforcement action, led by the United States Customs Service together with the Computer Crimes and Intellectual Property Section (CCIPS) of the United States Department of Justice, was given the name ‘Operation Buccaneer’.

The most prominent of the groups targeted by Operation Buccaneer was ‘DrinkOrDie’, a widespread ‘warez’ network originally established in 1993 in Russia but quickly spreading to multiple jurisdictions including the United States. The group is estimated to have comprised some 40 main individuals, with links to other warez operations worldwide. The group engaged in the ‘stripping’ or ‘cracking’ (removal of anti-copying protections) and distribution of tens of thousands of copyrighted software, games, music titles and movies over the Internet. It had gained an international reputation in being the first to release high-end software applications and utilities, often before their official public release dates. For example, the group is credited with having released the Windows 95 operating system over the Internet two weeks before its official release by Microsoft.

The DrinkOrDie group was highly structured, but its members rarely met in person, often knowing each other only through screen names. The members communicated only in closed, invitation-only IRC channels, with password-protection and user ID and IP address authentication mechanisms guarding the group’s Internet file transfer and storage sites. They came from a range of backgrounds, including corporate executives, computer network administrators at major universities, employees of large hi-tech companies, students, and government workers. Some members of DrinkOrDie and other warez groups were allegedly insiders of software companies, who improperly obtained their firm’s software prior to its public release and provided it to other warez members.

7.26 Legal proceedings against over 20 United States members of DrinkOrDie led to convictions and sentences ranging to 46 months in prison for the alleged leader in that country. Members in the United Kingdom were also convicted and sentenced to somewhat shorter terms. In Australia, attention focussed on an alleged co-leader using the name ‘Bandido’, who was identified as Hew Raymond Griffiths.39 The saga of his legal fight against extradition, through the Federal Court and the High Court of Australia, is continued in Chapter 12.

[page 173]

Questions for consideration

1. In J E Cohen, ‘Pervasively Distributed Copyright Enforcement’ (2006) 95 Georgetown Law Journal (online), the author suggests that:

In an effort to prevent online copyright infringement and protect established business models, the major copyright industries have developed and aggressively pursued a portfolio of strategies designed to implement a regime that I will call pervasively distributed copyright enforcement. These strategies rely on a range of tools including technologies that restrict the range of permitted information use, contractual regimes for authorizing ‘compliant’ implementations of those technologies, legal prohibitions against interfering with the resulting techno-contractual regimes, other legal rules broadly distributing responsibility for policing communications networks, and publicly inculcated norms of appropriate user behavior. In aggregate, they are designed systematically to shift the locus of control over intellectual consumption and communication away from individuals and independent technology vendors and toward purveyors of copyrighted entertainment goods. Some of these strategies have received considerable public and scholarly attention, while others have not. Some are, and are intended to be, highly visible, while others are, and are intended to be, largely invisible to the public eye.

Is this an accurate portrayal of developments? If so, what role does law occupy?

2. In an opinion piece entitled ‘The Tentacles of Extradition’ (, 26 October 2012), the legal reaction to Griffiths’ extradition on copyright charges is described:

In 2007 former NSW Chief Judge in Equity, Justice Peter Young, highlighted in the Australian Law Journal ‘the bizarre fact that people are being extradited to the US to face criminal charges when they have never been to the US and the alleged act occurred wholly outside the US.’ … Justice Young pointed out at the time that ‘although International copyright violations are a great problem … there is also the consideration that a country must protect its nationals from being removed from their homeland to a foreign country merely because the commercial interests of that foreign country are claimed to have been affected by the person’s behaviour in Australia and the foreign country can exercise influence over Australia … Assuming this decision is correct, should not the Commonwealth Parliament do more to protect Australians from this procedure?’

How might the judge’s question be answered? How should the protection of copyright be balanced against other legal interests?

3. Does the intellectual property regime, originally developed over centuries to apply to physical goods and industrial processes, successfully translate into the online environment? If not, what better options are there for legal and regulatory reform?

1. Convention Establishing the World Intellectual Property Organization (Stockholm, 1967), Art 2. Some of the older international agreements, such as the Convention for the Protection of Industrial Property (Paris, 1883) and Convention for the Protection of Literary and Artistic Works (Berne, 1886), refer to ‘industrial property’, or works of creation and invention of commercial value and utility. The more general term ‘intellectual property’ is now used to cover all categories of protected creations and inventions. The organisation responsible for registering patents, plant breeder’s rights (PBR), designs and trade marks in Australia is IP Australia: .

2. Not included are the common law and equitable actions for passing off and breach of confidential information, nor rights under the Circuit Layouts Act 1989 (Cth) or the Competition and Consumer Act 2010 (Cth), formerly the Trade Practices Act 1974 (Cth).

3. Australian Federal Police (AFP), selected media releases: ‘Federal Police Arrest Three in $60 Million Music Piracy Operation’, 24 April 2003; ‘Two Arrested Over Pay Television Piracy Scam’, 16 April 2008; ‘Men Arrested for Distributing 14 Million Movies’, 4 December 2008; ‘Three Arrested Over Alleged Breach of Copyright Law’, 10 November 2008; ‘AFP Cracks Down on Organised Counterfeiting’, 14 September 2010: .

4. Australian Federal Police Commissioner, Andrew Colvin, reported comments on data retention proposals in late 2014: ‘Copyright is essentially a civil matter, this is about criminal matters’: ‘Fears Over Data Retention Laws’, Lateline, Australian Broadcasting Corporation, 31 October 2014: .

5. W Kelcey, ‘The Offence Provisions of the Copyright Act 1968 — Do They Protect or Punish?’ (2005) 6 Australian Intellectual Property Journal 229; see also G Urbas, ‘Public Enforcement of Intellectual Property Rights’, Trends and Issues in Crime and Criminal Justice no. 177, Australian Institute of Criminology, November 2000: ; and G Urbas, ‘Criminal Enforcement of Intellectual Property Rights: Interaction Between Public Authorities and Private Interests’, in C Heath and A Kampermann Sanders (eds), New Frontiers of Intellectual Property Law: IP and Cultural Heritage, Geographical Indications, Enforcement and Overprotection (2005) 25 Studies in Industrial Property and Copyright Law 303.

6. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (Marrakesh, 1994), to which Australia is a signatory: .

7. TRIPs Agreement, note 14 to Art 51. The term ‘goods’ is not defined in the agreement.

8. International Anti-Counterfeiting Coalition (IACC), which notes that, in the United States alone, over US$1.7 billion worth of counterfeit goods were seized at the border in 2013: .

9. International Anti-Counterfeiting Coalition (IACC): .

10. Council of Europe, Convention on Cybercrime. Article 10 is in Chapter II — Measures to be taken at the national level, Section 1 — Substantive criminal law, Title 4 — Offences related to infringements of copyright and related rights. Related rights include such matters as performers’ protection. See also Council of Europe, Convention on Cybercrime, Explanatory Report at [107]–[117].

11. For example, the Copyright Act 1968 (Cth) Part V — Remedies and offences contains civil remedies as well as criminal offence provisions.

12. Fault elements such as intention, recklessness and negligence, as well as strict and absolute liability, are defined in the Criminal Code Act 1995 (Cth). These definitions and associated principles of criminal responsibility apply to all Commonwealth offences, including those under the Copyright Act 1968 (Cth) and Trade Marks Act 1995 (Cth).

13. Though some offences under the Copyright Act 1968 (Cth) are limited in this way, such as those found in Pt V Div 5 Subdivision B — Substantial infringement on a commercial scale.

14. Infringement under the Copyright Act 1968 (Cth) is defined as ‘doing acts comprised in the copyright’ (s 36), which, in the case of literary, dramatic or musical works, includes reproducing, publishing or performing the work and communicating it to the public (s 31). Of these, only the communication right is limited to electronic means (s 10): ‘communicate means make available online or electronically transmit (whether over a path, or a combination of paths, provided by a material substance or otherwise) a work or other subject-matter, including a performance or live performance within the meaning of this Act’.

15. Copyright Act 1968 (Cth) Part IX — Moral rights of performers and of authors of literary, dramatic, musical or artistic works and cinematographic films; see further M Sainsbury, Moral Rights and Their Application in Australia, The Federation Press, 2003.

16. Also discussed in T Krone, ‘Copyright Offences’, High Tech Crime Brief no. 3, Australian Institute of Criminology, November 2004: ; and G Urbas, ‘Copyright, Crime and Computers: New Legislative Frameworks for Intellectual Property Rights Enforcement’ (2012) 7(1) Journal of International Commercial Law and Technology 11. The offence provisions of the Copyright Act 1968 (Cth) have been amended since.

17. G S Moohr, ‘The Crime of Copyright Infringement: An Inquiry Based on Morality, Harm, and Criminal Theory’ (2003) 83 Boston University Law Review 731; see also ‘Intellectual Property Crime in Australia’, Research and Public Policy Series no. 94, Australian Institute of Criminology, October 2008: .

18. D A Seale, M Polakowski and S Schneider, ‘It’s Not Really Theft!: Personal and Workplace Ethics that Enable Software Piracy’ (1998) 17(1) Behaviour and Information Technology 27; see also P L Loughlan, ‘“You Wouldn’t Steal a Car”: Intellectual Property and the Language of Theft’ (2007) 29(10) European Intellectual Property Review 410, Sydney Law School Research Paper no. 08/35.

19. M Speck and G Urbas, ‘Defining Intellectual Property Crime’ (2013) 23(3) Australian Intellectual Property Journal 187 (notes omitted), in which the authors consider a tripartite classification similar to that used in cybercrime: (i) crimes against intellectual property; (ii) crimes using intellectual property; and (iii) crimes incidentally involving intellectual property.

20. G Urbas, ‘Copyright, Crime and Computers: New Legislative Frameworks for Intellectual Property Rights Enforcement’, note 16 above.

21. Until amendments under the Copyright Amendment Act 2006 (Cth), all copyright offences were summary, despite the fact that a maximum penalty of imprisonment for five years applied.

22. Copyright Act 1968 (Cth) s 133B (Infringement notices); Copyright Regulations 1969 (Cth) Pt 6A.

23. Criminal Code Act 1995 (Cth) s 5.1 (Fault elements) and s 5.6 (Offences that do not specify fault elements); see also s 5.4 (Recklessness).

24. Criminal Code Act 1995 (Cth) s 5.1 (Fault elements) and s 5.5 (Negligence).

25. Criminal Code Act 1995 (Cth) s 6.1 (Strict liability) and s 9.2 (Mistake of fact).

26. Crimes Act 1914 (Cth) s 4AA (Penalty units). A corporation may be fined five times the maximum for an individual: s 4B (Pecuniary penalties — natural persons and bodies corporate).

27. A ‘carriage service provider’ is as defined in the Telecommunications Act 1997 (Cth), including Internet service providers (ISPs).

28. Copyright Act 1968 (Cth) Pt V Division 2AA — Limitation on remedies available against carriage service providers; see also S Gething and B Fitzgerald, ‘The Criminalisation of Copyright Law: Where do Intermediaries Stand?’ (2009) 22(2) Internet Law Bulletin 1; and G Urbas and K Fouracre, ‘Obligations and Liability of ISPs as Guardians of Internet Content: Comparative Perspectives — Emerging Schemes of Civil and Criminal Liability for ISPs’ (2010) 15(2) Computer Law Review International (CRi) 33.

29. Criminal Code Act 1995 (Cth) s 743.5 (Use of a carriage service), though note that reporting obligations exist under s 424.25 (Obligations of internet service providers and internet content hosts).

30. M Speck and G Urbas, ‘Criminal Infringement of Intellectual Property Rights in Australia: Assessing Recent Reforms’ (2011) 29(4) Copyright Reporter 183; with added updates for the years 2010–12. There is no column for strict liability offences, and indeed it appeared at the time of writing in 2011 that the infringement notice scheme had not in fact been put into operation.

31. G Urbas, ‘Copyright, Crime and Computers: New Legislative Frameworks for Intellectual Property Rights Enforcement’, note 16 above, at 21–2, discussing cases such as Vu v New South Wales Police Service [2007] FCA 1508 (20 August 2007); Le v The Queen [2007] FCA 1463 (18 September 2007); and Interville Technology Pty Ltd v Commonwealth Office of the Director of Public Prosecutions [2009] FCA 481 (8 May 2009).

32. AFACT Executive Director Adrianne Pecotic was quoted in the media as saying that it was the first illegal copy of the movie to be intercepted anywhere in the world, and that the illegal footage was removed within two hours but not before it was downloaded about 3000 times. The file quickly spread to BitTorrent sites and other file-sharing networks and, within 72 hours, had been downloaded by another 110,000 people. She added that over 90 per cent of newly released movies that illegally appeared on the Internet originated from a camcorder, and pirates were increasingly ditching handycams for smaller mobile phones: A Moses and L Kennedy, ‘Pirated Simpsons Video Filmed on Mobile’, The Sydney Morning Herald, 17 August 2007: .

33. Ly v The Queen [2014] FCAFC 175 (17 December 2014) at [7]. The appeal was from DPP v Ly [2014] VCC 1514 (13 August 2014). An earlier case involving a different defendant of the same surname and involving similar offences was Ly v Jenkins [2001] FCA 1640 (26 November 2001).

34. See, for example, N W Fisk, Understanding Online Piracy: The Truth About Illegal File Sharing, Praeger Publishing, 2009. For an interesting criminal copyright case in Hong Kong, see S Gething, ‘Criminal Infringement of Copyright: The Big Crook Case’ [2008] Sydney University Press Law Books 25; in B Fitzgerald et al (eds), Copyright Law, Digital Content and the Internet in the Asia-Pacific: .

35. Universal Music Australia Pty Ltd v Sharman License Holdings Ltd [2005] FCA 1242 (5 September 2005).

36. Roadshow Films Pty Ltd v iiNet Ltd [2012] HCA 16 (20 April 2012).

37. N W Fisk, Understanding Online Piracy: The Truth About Illegal File Sharing, note 34 above, abstract; see also Electronic Frontier Foundation, ‘RIAA v The People: Five Years Later’, 30 September 2008: .

38. From G Urbas, ‘Cross-National Investigation and Prosecution of Intellectual Property Crimes: The Example of Operation Buccaneer’ (2007) 46(4–5) Crime, Law and Social Change 207 (notes omitted).
The activities of organised ‘warez’ groups involve obtaining access, usually without permission from copyright owners, to business or entertainment software, ‘stripping’ or ‘cracking’ it to remove anti-copying protections, and then distributing it through specialised warez websites to users: see E Goldman, ‘Warez Trading and Criminal Copyright Infringement: Part 1’, Informit.com, 23 January 2004: . 39. ‘Elder of Internet Piracy Talks to Lateline’, Lateline, Australian Broadcasting Corporation, 29 April 2008: .

Part 4 Online Child Exploitation and Other Privacy Crimes

Chapter 8 Child Pornography

Chapter contents

Scale of the problem 8.1
Terminology 8.6
Australian laws 8.8
Defining ‘child pornography’ 8.9
Offending conduct 8.16
Sexting 8.21
Determining offence seriousness 8.25
Questions for consideration

8.0 This chapter deals with the misuse of computers and information technologies to abuse and exploit children, mainly through producing, downloading and distributing ‘child pornography’ material online. These may be static pictures, videos or other depictions. Other forms of exploitation of vulnerable persons are discussed later: Chapter 9 deals with child grooming and Chapter 10 deals with stalking and voyeurism. The study of the online exploitation of children is a challenging and, at times, harrowing area of cybercrime, but is important in terms of recognising and responding to the harm to victims involved, and also in terms of law enforcement responses. Child exploitation crimes represent a large proportion of all cybercrime cases investigated and prosecuted, both in Australia and in other countries. Unfortunately, there is no sign that either the supply of exploitative images or the pool of persons willing to view them is on the decrease.

Scale of the problem

8.1 The number of child abuse images available online is massive, and was estimated over a decade ago at over a million discrete images existing on the world’s websites at any one time. Some individual collectors of such images have been discovered with up to half a million images on their computers.1 The dark figure of undetected images is likely to be much larger, particularly where these are traded through virtual private networks (VPNs) rather than via publicly accessible websites. The phenomenal growth in the availability of such images is largely attributed to the rapid adoption of the Internet:2

Unfortunately, the child pornography market exploded in the advent of the Internet and advanced digital technology. The Internet provides ground for individuals to create, access, and share child sexual abuse images worldwide at the click of a button. Child pornography images are readily available through virtually every Internet technology including websites, email, instant messaging/ICQ, Internet Relay Chat (IRC), newsgroups, bulletin boards, peer-to-peer networks, and social networking sites. Child pornography offenders can connect on Internet forums and networks to share their interests, desires, and experiences abusing children in addition to selling, sharing, and trading images.

8.2 Arrest rates for child exploitation offences in Australia and other countries, such as the United States, number hundreds of persons each year.3 In the Australian law enforcement operation in 2004, named ‘Operation Auxin’, that brought the issue of child exploitation to the public’s attention perhaps more than any other, there were over 700 suspects, of whom more than 150 were arrested in the first stage of the investigation.4 Many were prosecuted, with most receiving some form of custodial penalty, and some suspects committed suicide.5 In the United Kingdom, conviction numbers peaked at over 1000 cases annually about a decade ago, and in the United States an annual figure of 1500 federal convictions was reached around 2010.6

8.3 Increasingly, law enforcement activity is turning not just to offender identification but also to victim identification and rescue from exploitation. Hundreds of abused children have been located and removed from further exploitation, as described in a 2013 media release by the United States Immigration and Customs Enforcement (ICE):7

One hundred twenty-three victims of child sexual exploitation were identified by U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) special agents during an international operation aimed at rescuing victims and targeting individuals who own, trade and produce images of child pornography. Of that number, 44 children were directly rescued from their abusers and 79 were identified as either being exploited by others outside of their home or are now adults who were victimized as children … HSI victim assistance specialists, located in offices around the country, provide direct assistance to victims and families, and work with both child and adult victims to provide referrals for services and resources in their area. The specialists remain involved during the investigation and often beyond the sentencing of the perpetrator.

8.4 In the most disturbing of reported cases, children are sexually abused for transmission of live feeds to viewers, often through virtual private networks with online participants directing the abuse in real time:8

Recent arrests of participants in international child pornography rings, including some Australians, have produced evidence of the highly disturbing practice of live child sexual abuse video being streamed to Internet chat rooms, with the actual perpetrator responding in real time to commands from other participants viewing the images. Using a doctrine of constructive presence, it may be possible for such co-offenders to be prosecuted not only in relation to child pornography distribution, but also as accomplices in the sexual assaults. In some jurisdictions, there are offences of aggravated sexual assault in company (e.g. Crimes Act 1900 (NSW), s 61JA, with a penalty of imprisonment for life) that might be applicable to situations involving such groups of online perpetrators. However, these possibilities await prosecutorial consideration and legal exploration in Australian courts.

8.5 The use of the Internet to exploit children remotely, through the agency of adults in other countries, is a phenomenon increasingly being referred to as ‘webcam child sex tourism (WCST)’. A well-publicised sting operation in 2013 using a ‘virtual child’ named ‘Sweetie’ identified 1000 predators in less than three months. This relatively new form of online child exploitation is already resulting in Australian arrests and prosecutions.9

Terminology

8.6 Some police agencies and researchers have discarded the widely used term ‘child pornography’ in favour of other descriptors, partly because this phrase suggests a connection with adult pornography or erotica.10 Alternative terms include ‘child abuse material’ and ‘child exploitation material’. However, the term ‘child pornography’ does appear in some legislation, and is still widely used in popular discourse as well as in academic writing.11 It is also used in the Convention on Cybercrime, which provides:12

Article 9 — Offences related to child pornography

1 Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct:
  a producing child pornography for the purpose of its distribution through a computer system;
  b offering or making available child pornography through a computer system;
  c distributing or transmitting child pornography through a computer system;
  d procuring child pornography through a computer system for oneself or for another person;
  e possessing child pornography in a computer system or on a computer-data storage medium.

2 For the purpose of paragraph 1 above, the term ‘child pornography’ shall include pornographic material that visually depicts:
  a a minor engaged in sexually explicit conduct;
  b a person appearing to be a minor engaged in sexually explicit conduct;
  c realistic images representing a minor engaged in sexually explicit conduct.

3 For the purpose of paragraph 2 above, the term ‘minor’ shall include all persons under 18 years of age. A Party may, however, require a lower age-limit, which shall be not less than 16 years.

8.7 As can be seen from the approach taken in the Convention on Cybercrime, there is some latitude in a number of definitional aspects:
- The definition of ‘minor’ may vary in respect of age — the Convention adopts the meaning of ‘persons under 18 years of age’ but recognises that some state parties may require a lower age limit, such as 16 years.
- The definition encompasses not only actual minors depicted as engaging in sexually explicit conduct, but also persons (such as adult models) who appear to be minors.
- The definition encompasses ‘realistic images’ that represent a minor engaged in sexually explicit conduct, which may include entirely artificial or constructed images.

Australian laws

8.8 Child pornography offending in Australia was in earlier times dealt with primarily under various State and Territory statutes criminalising obscene or offensive publications, with some involvement of Commonwealth law where importation was involved. However, with the assumption of key responsibility for telecommunications crimes by the Commonwealth some 10 years ago, this is now the most significant source of law for Internet-based offences.13

Child exploitation

The exploitation of children has been inadvertently facilitated and enhanced by the availability of the internet. Offences targeting those who exploit children via the use of services such as the internet, telephone and the post are contained in Commonwealth legislation. Commonwealth legislation creates a number of offences relating to child pornography material, child abuse material, and grooming and procuring persons under the age of 16 to engage in, or submit to, sexual activity.

The purpose of the telecommunications-based child exploitation offences is to cover the range of activities that a person can engage in when using the internet, email, mobile phones and other applications to deal with child pornography and child abuse material. These activities include viewing, copying, downloading, sending, exchanging material and making available for viewing, copying or downloading. It also includes offences for using a carriage service to engage in sexual activity with a child, or causing a child to engage in sexual activity with another person.

The grooming and procuring offences are targeted at offenders who use the anonymity of the internet to win the trust of a child as a first step to the future sexual abuse of the child, and to allow law enforcement to intervene before a child is actually assaulted.

High maximum penalties for some of these offences reflect the community’s abhorrence of this conduct. There are higher maximum penalties for aggravated offences, such as where the offending conduct occurs on three or more occasions and involves two or more people, or where the sexual activity involves a child with a mental impairment or a child who is under the care, supervision or authority of the defendant.

These offences are increasingly becoming more sophisticated through the use of networks to distribute material, the protection of material by encryption and online access to the material. Cases can involve hundreds of thousands of depraved and disturbing images of children and the scale and seriousness of this industry poses challenges for investigation and prosecution. Prosecuting these offences often involves complex technical and evidentiary issues. We work closely with the AFP, the ACBPS and other law enforcement agencies in this area.

Dealing with such material requires investigators, prosecutors and Courts to hear or read stories of a disturbing nature and may involve viewing pornographic movies, photos and/or graphic material depicting explicit sexual acts involving serious harm to children. We have established an Employee Wellbeing Program designed to implement practical policies and guidelines to support employees who may be at risk of experiencing trauma as a result of exposure to potentially distressing materials.

Division 272 of the Criminal Code focuses on child sex offences committed outside Australia by Australian citizens and permanent residents, ranging from possessing child pornography and child abuse material to engaging in sexual activity overseas with children under the age of 16. It is also an offence to encourage or benefit from these types of offences or to do an act preparatory to committing a child sex tourism offence.

This year we prosecuted 376 child exploitation charges under the Criminal Code.

Source: Commonwealth Director of Public Prosecutions (CDPP), Annual Report 2012–2013, p 51.

Defining ‘child pornography’

8.9 Criminal Code Act 1995 (Cth) s 473.1 contains the following definition:

child pornography material means:
(a) material that depicts a person, or a representation of a person, who is, or appears to be, under 18 years of age and who:
  (i) is engaged in, or appears to be engaged in, a sexual pose or sexual activity (whether or not in the presence of other persons); or
  (ii) is in the presence of a person who is engaged in, or appears to be engaged in, a sexual pose or sexual activity;
  and does this in a way that reasonable persons would regard as being, in all the circumstances, offensive; or
(b) material the dominant characteristic of which is the depiction, for a sexual purpose, of:
  (i) a sexual organ or the anal region of a person who is, or appears to be, under 18 years of age; or
  (ii) a representation of such a sexual organ or anal region; or
  (iii) the breasts, or a representation of the breasts, of a female person who is, or appears to be, under 18 years of age;
  in a way that reasonable persons would regard as being, in all the circumstances, offensive; or
(c) material that describes a person who is, or is implied to be, under 18 years of age and who:
  (i) is engaged in, or is implied to be engaged in, a sexual pose or sexual activity (whether or not in the presence of other persons); or
  (ii) is in the presence of a person who is engaged in, or is implied to be engaged in, a sexual pose or sexual activity;
  and does this in a way that reasonable persons would regard as being, in all the circumstances, offensive; or
(d) material that describes:
  (i) a sexual organ or the anal region of a person who is, or is implied to be, under 18 years of age; or
  (ii) the breasts of a female person who is, or is implied to be, under 18 years of age;
  and does this in a way that reasonable persons would regard as being, in all the circumstances, offensive.

8.10 It should be noted that the definition of ‘child pornography material’ in s 473.1, and a similar definition of ‘child abuse material’ for non-sexual but otherwise abusive images, makes reference to ‘reasonable persons’ in assessing offensiveness. This is supplemented by s 473.4, which provides that matters to be taken into account include:
(a) the standards of morality, decency and propriety generally accepted by reasonable adults; and
(b) the literary, artistic or educational merit (if any) of the material; and
(c) the general character of the material (including whether it is of a medical, legal or scientific character).

8.11 While the general scope of the definitions of ‘child pornography’ and related terms in State and Territory legislation is similar to those found in Commonwealth law, there are some differences (eg, in age limits). All jurisdictions include reference to depictions of persons who are or appear to be under the relevant age, so that imagery involving adult actors posing as children may fall within the statutory definitions.14 The following table summarises the key definitions and additional elements (Table 8.1).

Table 8.1: Australian child pornography definitions

| Jurisdiction | Provision | Main definitional elements | Additional elements |
| --- | --- | --- | --- |
| CTH | Criminal Code Act 1995 s 473.1 (‘child pornography material’); s 473.4 (‘offensive’) | Material that depicts or describes a person under 18 years of age in a sexual pose or engaged in sexual activity, or that depicts for a sexual purpose the private parts of the person | Material must be offensive by the standards of reasonable adults, taking into account its literary, etc nature |
| ACT | Crimes Act 1900 s 64(5) (‘child pornography’) | Anything that represents the sexual parts of a child or a child engaged in or present at an activity of a sexual nature, where ‘child’ is a person under 18 years of age (Dictionary) | Material must be substantially for the sexual arousal or sexual gratification of someone other than the child |
| NSW | Crimes Act 1900 ss 91FA (‘child’) and 91FB(1) (‘child abuse material’) | Material that depicts or describes a person under 16 years of age in a sexual pose or engaged in sexual activity, or that depicts for a sexual purpose the private parts of the person | Material must be offensive by the standards of reasonable adults, taking into account its literary, etc nature |
| NT | Criminal Code Act s 125A (‘child abuse material’) | Material that depicts or describes a person under 18 years of age engaging in sexual activity or in a sexual, offensive or demeaning context | Material must be likely to cause offence to a reasonable adult |
| QLD | Criminal Code Act 1899 s 207A (‘child exploitation material’) | Material that depicts or describes a person under 16 years of age engaging in sexual activity or in a sexual, offensive or demeaning context | Material must be likely to cause offence to a reasonable adult |
| SA | Criminal Law Consolidation Act 1935 s 62 (‘child pornography’) | Material that depicts or describes a child under 17 years of age engaging in sexual activity or the bodily parts of such a child | Material must be intended to excite or gratify sexual interest or sadistic or other perverted interest in violence or cruelty |
| TAS | Criminal Code Act 1924 s 1A (‘child exploitation material’) | Material that depicts or describes a person under 18 years of age engaging in sexual activity or in a sexual, offensive or demeaning context | Material must be likely to cause offence to a reasonable person |
| VIC | Crimes Act 1958 s 67A (‘child pornography’) | Material that describes or depicts a minor engaging in sexual activity or depicted in an indecent sexual manner or context, where ‘minor’ is a person under 18 years of age | Not specified |
| WA | Criminal Code Act Compilation Act 1913 s 217A (‘child exploitation material’ and ‘child pornography’) | Material that describes or depicts a child engaging in sexual activity or in a sexual context, or that is likely to offend a reasonable person, where ‘child’ is a person under 16 years of age | Not specified |

Sources: Australasian Legal Information Institute (AustLII): ; State and Territory legislative databases.

8.12 A contentious issue is whether purely fictional or constructed images are capable of constituting child pornography. In the United States, for example, courts have ruled that the creation of ‘virtual’ images not involving real children may be protected as free speech under the First Amendment, as long as they are distinguishable from ‘real’ child pornography images.15 However, this may not be the case in other countries:16

The principle of virtual child pornography is that there is no abuse or other exploitation of a real child. As the original reason for the child pornography regulation was to protect real children from being abused and sexually exploited, an important question arises whether virtual pornographic works, or more precisely their creators, may be prosecuted. The answer is affirmative under two conditions:
a) the work has a pornographic nature in the sense of criminal law
b) the work must include sexual abuse or exploitation of a non-existent child.
Therefore animations depicting sexual behaviour of adult animated characters (i.e. older than 18 years of age) will not be punishable.

8.13 Legislation in some Australian jurisdictions includes as child pornography depictions involving alteration or manipulation of adult images to make a person appear to be a child.17 The following case dealing with cartoon characters based on The Simpsons television series, with crudely drawn genitalia and engaging in sexual acts, also clarifies that such unrealistic images may still fall within the legislative definitions.18

McEwen v Simmons [2008] NSWSC 1292 (8 December 2008) at [1]–[2], [40]–[41]

Adams J: On 26 February 2008 the plaintiff was convicted in the Parramatta Local Court of the offences of possessing child pornography contrary to s 91H(3) of the Crimes Act 1900 (the Act) and using his computer to access child pornography material contrary to s 474.19(1)(a)(i) of the Criminal Code Act 1995 (the Code). The alleged pornography comprised a series of cartoons depicting figures modelled on members of the television animated series ‘The Simpsons’. Sexual acts are depicted as being performed, in particular, by the ‘children’ of the family. The male figures have genitalia which is evidently human, as do the mother and the girl. It was accepted, I think, that it is implied — from the television series — that, insofar as cartoon characters might have ages, the young male is about ten years old, the female about eight years old and a female toddler. Leaving such an implication aside, it would be difficult to assign ages to either the young male or the girl, though the latter appears to me to be pre-pubertal and the former less than eighteen (the Commonwealth offence) and possibly less than sixteen (the State offence). Since the issue in this respect is the apparent age, I am sceptical that proof, as it were, of age by reference to another document is relevant. However, this question was raised neither here or below.

The question before me is whether a fictional cartoon character is a ‘person’ within the meaning of the statutory offences or, to be more precise, is a depiction or representation of such a ‘person’. The learned Magistrate rejected the submission made on behalf of the plaintiff that cartoon depictions or representations of fictional characters such as the Simpsons were not of ‘persons’. In respect of the Commonwealth offence, the plaintiff was convicted and fined $2000 and entered into a recognisance to be of good behaviour for a period of two years and, in relation to the State offence, he was convicted and fined $1000 and required to enter into a good behaviour bond for a period of two years.

…

It seems to me that whether a person is indeed depicted by any particular semblance or simulacrum of a human being must be a question of fact and degree. Merely to give human characteristics to, say, a rabbit, a duck or a flower, to use some other familiar images, would not suffice if it were fair to say that the subject of the depiction remained a rabbit, a duck or a flower. A stick figure could not, I think, depict a person — though vide the Commonwealth offence — it might well depict a representation of a person. No bright line of inclusion or exclusion can be sensibly described. Of course, because the depiction of a person is an essential element of the offence, it must be proved beyond reasonable doubt. Accordingly, if it were reasonably possible that the depiction is not that of a person, the offence is not proved.

It follows that a fictional cartoon character, even one which departs from recognizable human forms in some significant respects, may nevertheless be the depiction of a person within the meaning of the Act. In my view, the Magistrate was correct in determining that, in respect of both the Commonwealth and the New South Wales offences, the word ‘person’ included fictional or imaginary characters and the mere fact that the figure depicted departed from a realistic representation in some respects of a human being did not mean that such a figure was not a ‘person’. As it happened, the Magistrate concluded that the figures in the relevant material were indeed depictions of persons within the meaning of the definitions. As I have said, this decision was a question of fact and, accordingly, not one for me to consider. However, in light of the arguments pressed on me on behalf of the appellant, I think it is appropriate to say that I do not perceive any error in the reasoning or conclusion of the Magistrate on this point.

8.14 The creation of fictional or other literary and artistic works involving depictions of children engaging in sexual activities may also fall within the statutory definitions, depending on whether they are considered to be ‘offensive’ under legislation, such as s 473.4 of the Criminal Code Act 1995 (Cth). There is no exemption in Australia, unlike some other countries, for purely private works of fantasy.19 In the following case dealing with the importation of child pornography in the form of fictional writing, the Western Australian Court of Appeal dismissed an argument that Commonwealth laws prohibiting such importation violated the Constitution’s implied right to freedom of speech:

Holland v The Queen [2005] WASCA 140 (3 August 2005) at [222]–[225], [235]

Roberts-Smith JA: I am prepared to accept that there is, and has been in Australia for some years now, political debate about sexual offences against children, including as to what is an appropriate age of consent for males and females, the subject of child abuse generally and paedophilia and same sex relationships between adults and children. However s 233BAB and reg 4A(1)(b) [of the Customs Act 1901 (Cth) and regulations], neither in their terms nor their operation or practical effect, burden governmental or political discussion about such matters. They create no prohibition, restriction or constraint upon anyone debating or advocating changes in the law relating to such matters. What those laws are directed to is material depicting or describing child pornography, as defined. Material of that kind has only one purpose, which is to titillate, to excite or to satisfy a particular prurient interest (that is, an interest in child pornography) by lewd descriptions or depictions of children involved in sexual activity or poses, which ordinary reasonable people would find offensive … [M]aterial of this kind is no part of legitimate political communication. I would conclude therefore, that neither s 233BAB nor reg 4A(1)(b) is invalid by reason of infringing the implied constitutional freedom of political discussion.

The next question is whether these two publications are part of that debate, such that a law prohibiting or restricting the importation of them would constitute a breach of that constitutional freedom of political communication. In making the determination, it is necessary to consider each publication as a whole … It is apparent that neither of these publications is part of any political debate which would fall under the protection of the constitutional freedom, but rather is to be characterised as simply child pornography …

The content seeks to present, in a titillating way, by detailed descriptions, sexual activities between an adult male and several young boys which, on any view, would constitute serious criminal offences in any Australian jurisdiction. It is arguable that the author is attempting to portray these activities and relationships as genuine, meaningful and appropriate, but that is no more a matter of genuine political discourse than would be a publication which exhorted people to commit, or which described or depicted, murder, racial vilification or the commission of other crimes. The real question here is whether the magazine as a whole is protected by the constitutional freedom of political communication because of those parts of it which argue for, or comment upon, changes in the law. In my view it is not.

8.15 The next definitional issue to consider is what might count as a depiction of a child in a ‘sexual pose’ or ‘sexual activity’ for the purposes of definitions such as that in s 473.1 of the Criminal Code Act 1995 (Cth). It is known that adults with a sexual interest in children, often referred to as ‘paedophiles’, may view images as sexually charged that others would regard as innocent.20 The following case considered how to apply the definition in borderline cases or those involving ‘low level’ sexualised images of children:21

R v Silva [2009] ACTSC 108 (4 September 2009) at [23]–[30]

Penfold J: First, ‘depict’ is defined by the Macquarie Dictionary Online … as ‘to represent by or as by painting; portray; delineate; to represent in words; describe’. It seems to me that ‘depict’ is an active verb implying some intention on the part of the maker of the image. It would not cover, for instance, an accidental image such as a water stain that could be seen as resembling a sexual organ. Nor, in the context of child pornography, would the word cover images, even including images of naked or scantily clad children, that appear to have been taken with completely innocent intentions (it would be a rare family album that does not contain photographs of young children in the bath). Among other things, this means that images that are otherwise unobjectionable should not be found to have taken on the character of child pornography by reason of possibly having been made available to people with an interest in child pornography. Then it is necessary to interpret the words ‘in a sexual pose’. One of the difficulties in doing so is that the Australian community in 2009, with a small number of vocal exceptions, appears to tolerate a wide range of activity, often in commercial contexts, that undeniably involves the sexualisation of young children, whether this involves young children flirting with each other in television advertisements or the sale of padded bras for pre-pubescent girls. The phrase ‘in a sexual pose’ also raises a number of issues relating to the interpretation of adult and child sexual behaviour and the sexual significance of adult women behaving like children and vice versa. One does not have to be a particularly radical feminist to accept that some of the actions that are regarded as sexually inviting when performed by adult women reflect behaviour that in a non-sexual context is much more common among children than among adults. Adult women are sometimes seen as sexually appealing when they are behaving like children … The complexities of female sexuality or sexualisation do not excuse an interest in child pornography; however, they do add another layer of difficulty to any attempt to categorise images of children that do not depict sexual activity or naked sexual organs. They may mean, for instance, that childish mannerisms which, when used by an adult, carry sexual connotations do not necessarily carry the same sexual connotations when used by a child. … As to the concept of a ‘pose’ (defined relevantly by the Macquarie Dictionary … as ‘to assume or hold a position or attitude for some artistic purpose’), I take a sexual pose to be a deliberately-struck attitude that draws attention to the sexual aspects of the subject’s identity or personality …

Offending conduct

8.16 Child pornography offences usually encompass a number of discrete activities, not all of which are engaged in by all offenders:

- creation or production of images, which may involve filming the actual sexual assault of children;
- access to images, where these are available online;
- possession and retention of images (eg, on computer hard drives or storage devices);
- distribution of images to others, whether for financial gain or otherwise;
- using pornographic images to groom or deal indecently with children.

8.17 The main Criminal Code Act 1995 (Cth) child pornography offences involving the use of a ‘carriage service’, which is defined broadly so as to include the Internet, telephonic services and so on, include:22

474.19 Using a carriage service for child pornography material
(1) A person is guilty of an offence if:
    (a) the person:
        (i) accesses material; or
        (ii) causes material to be transmitted to himself or herself; or
        (iii) transmits, makes available, publishes, distributes, advertises or promotes material; or
        (iv) solicits material; and
    (aa) the person does so using a carriage service; and
    (b) the material is child pornography material.
Penalty: Imprisonment for 15 years.
(2) To avoid doubt, the following are the fault elements for the physical elements of an offence against subsection (1):
    (a) intention is the fault element for the conduct referred to in paragraph (1)(a);
    (b) recklessness is the fault element for the circumstances referred to in paragraph (1)(b).
Note: For the meaning of intention and recklessness see sections 5.2 and 5.4.
(2A) Absolute liability applies to paragraph (1)(aa).
Note: For absolute liability, see section 6.2.
(3) As well as the general defences provided for in Part 2.3, defences are provided for under section 474.21 in relation to this section.

474.20 Possessing, controlling, producing, supplying or obtaining child pornography material for use through a carriage service
(1) A person is guilty of an offence if:
    (a) the person:
        (i) has possession or control of material; or
        (ii) produces, supplies or obtains material; and
    (b) the material is child pornography material; and
    (c) the person has that possession or control, or engages in that production, supply or obtaining, with the intention that the material be used:
        (i) by that person; or
        (ii) by another person;
    in committing an offence against section 474.19 (using a carriage service for child pornography material).
Penalty: Imprisonment for 15 years.
…

474.21 Defences in respect of child pornography material
(1) A person is not criminally responsible for an offence against section 474.19 (using a carriage service for child pornography material) or 474.20 (possessing etc. child pornography material for use through a carriage service) because of engaging in particular conduct if the conduct:
    (a) is of public benefit; and
    (b) does not extend beyond what is of public benefit.
In determining whether the person is, under this subsection, not criminally responsible for the offence, the question whether the conduct is of public benefit is a question of fact and the person’s motives in engaging in the conduct are irrelevant.
Note: A defendant bears an evidential burden in relation to the matter in this subsection, see subsection 13.3(3).
(2) For the purposes of subsection (1), conduct is of public benefit if, and only if, the conduct is necessary for or of assistance in:
    (a) enforcing a law of the Commonwealth, a State or a Territory; or
    (b) monitoring compliance with, or investigating a contravention of, a law of the Commonwealth, a State or a Territory; or
    (c) the administration of justice; or
    (d) conducting scientific, medical or educational research that has been approved by the Minister in writing for the purposes of this section.
…

8.18 The defences in s 474.21 further include exemptions from liability for law enforcement, intelligence and security officers, and the Australian Communications and Media Authority (ACMA), involved in the investigation of prohibited content. An analogous set of provisions applies to child abuse material: see ss 474.22–474.24. Under s 474.24, there are aggravated forms of the child pornography and child abuse material offences, involving conduct on three or more occasions and two or more people, which carry a maximum penalty of 25 years. Alternative verdicts are available under s 474.24B if the aggravated offence is not proven.

8.19 Alongside the Commonwealth provisions, the Australian States and Territories each have their own child pornography laws.23 Because these jurisdictions do not have the same constitutional limitations on legislative power as does the Commonwealth, their laws apply to offline as well as to online content (eg, child pornography in books, magazines or videos). The variation of offences and penalty levels is summarised below (Table 8.2).

Table 8.2: Australian child pornography offences

|  | Provision | Physical elements | Fault elements or defences | Maximum penalty |
|---|---|---|---|---|
| CTH | Criminal Code Act 1995 s 474.19 (Using a carriage service for child pornography material) | Accessing, causing transmission to self, transmitting, making available, publishing, distributing, promoting or soliciting child pornography material, using a carriage service | Intentional accessing, etc and recklessness as to the nature of the material; absolute liability applies to using a carriage service (but note s 474.21 defences) | Imprisonment for 15 years |
| CTH | Criminal Code Act 1995 s 474.20 (Possessing etc. child pornography material for use through a carriage service) | Possessing, controlling, producing, supplying or obtaining child pornography material | Intention that the material be used in committing an offence against s 474.19 (but note s 474.21 defences) | Imprisonment for 15 years |
| ACT | Crimes Act 1900 s 64 (Using child for production of child pornography etc.) | Using, offering or procuring a child for the production of child pornography or for a pornographic performance | Absolute liability where the child is under 12 years of age; strict liability otherwise in relation to the element of the child’s age | Imprisonment for 15 years (child under 12 years of age) or 10 years (child 12 years of age or more); fines also apply |
| ACT | Crimes Act 1900 s 64A (Trading in child pornography) | Producing, publishing, offering or selling child pornography | Not specified | Imprisonment for 12 years; fines also apply |
| ACT | Crimes Act 1900 s 65 (Possessing child pornography) | Possessing child pornography | Intentionally possessing; absolute liability applies to the nature of the material but with a statutory defence (s 65(3)) | Imprisonment for seven years; fines also apply |
| NSW | Crimes Act 1900 s 91G (Children not to be used for production of child abuse material) | Using a child for the production of child abuse material, or causing, procuring or allowing to be so used | A defence of innocent production, etc applies (s 91HA) | Imprisonment for 14 years (child under 14 years of age) or 10 years (child 14 years of age or more) |
| NSW | Crimes Act 1900 s 91H (Production, dissemination or possession of child abuse material) | Producing, disseminating or possessing child abuse material | Not specified | Imprisonment for 10 years |
| NT | Criminal Code Act s 125B (Possession of child abuse material) | Possessing, distributing, producing, selling, offering or advertising child abuse material | Defences apply for law enforcement, health and medical purposes | Imprisonment for 10 years; fines also apply for a corporation |
| NT | Criminal Code Act s 125E (Using child for production of child abuse material etc.) | Using, offering or procuring a child for the production of child abuse material or for a pornographic or abusive performance | Not specified | Imprisonment for 14 years; fines also apply for a corporation |
| QLD | Criminal Code Act 1899 s 228A (Involving child in making child exploitation material) | Involving a child in making child exploitation material | Statutory defences apply for genuine artistic, legal, etc purposes (s 228E) | Imprisonment for 14 years |
| QLD | Criminal Code Act 1899 s 228B (Making child exploitation material) | Making child exploitation material | Statutory defences apply for genuine artistic, legal, etc purposes (s 228E) | Imprisonment for 14 years |
| QLD | Criminal Code Act 1899 s 228C (Distributing child exploitation material) | Distributing child exploitation material | Statutory defences apply for genuine artistic, legal, etc purposes (s 228E) | Imprisonment for 14 years |
| QLD | Criminal Code Act 1899 s 228D (Possessing child exploitation material) | Knowingly possessing child exploitation material | Statutory defences apply for genuine artistic, legal, etc purposes (s 228E) | Imprisonment for 14 years |
| SA | Criminal Law Consolidation Act 1935 s 63 (Production or dissemination of child pornography) | Producing or disseminating, or taking any step in producing or disseminating, child pornography | Knowing its pornographic nature | Imprisonment for 10 years; 12 years if aggravated |
| SA | Criminal Law Consolidation Act 1935 s 63A (Possession of child pornography) | Possessing or intending to obtain access to, or taking any step in obtaining access to, child pornography | Knowing its pornographic nature; but with a statutory defence (s 63A(2)) of unknowingly getting possession and taking immediate steps to get rid of the material | (For first offence) imprisonment for five years; seven years if aggravated; or (for subsequent offence) imprisonment for seven years; 10 years if aggravated |
| TAS | Criminal Code Act 1924 s 130 (Involving person under 18 years in production of child exploitation material) | Involving or facilitating the involvement of a person under 18 years in the production of child exploitation material | Knowledge of the nature of the material; statutory defences apply for genuine artistic, legal, etc purposes (s 130E) | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 130A (Distribution of child exploitation material) | Distributing, or facilitating the distribution of, child exploitation material | Knowledge of the nature of the material; statutory defences apply (s 130E) | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 130B (Production of child exploitation material) | Producing, or facilitating the production of, child exploitation material | Knowledge of the nature of the material; statutory defences apply (s 130E) | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 130C (Possession of child exploitation material) | Possessing, or facilitating the production of, child exploitation material | Intending to access such material; statutory defences apply (s 130E) | A general maximum penalty of 21 years applies to Criminal Code offences |
| TAS | Criminal Code Act 1924 s 130D (Accessing child exploitation material) | Accessing child exploitation material | Knowledge of the nature of the material; statutory defences apply (s 130E) | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC | Crimes Act 1958 s 68 (Production of child pornography) | Printing, making or otherwise producing child pornography | Statutory defences apply (s 68(1A)–(4)) as well as exceptions for minors (s 70AAA) | Imprisonment for 10 years |
| VIC | Crimes Act 1958 s 69 (Procurement etc. of minor for child pornography) | Inviting, procuring or causing a minor to be concerned in the making or production of child pornography | Statutory defences apply (s 69(2)) as well as exceptions for minors (s 70AAA) | Imprisonment for 10 years |
| VIC | Crimes Act 1958 s 69 (Procurement etc. of minor for child pornography) | Knowingly possessing child pornography | Statutory defences apply (s 70(2)–(6)) as well as exceptions for minors (s 70AAA) | Imprisonment for five years |
| WA | Criminal Code Act Compilation Act 1913 s 217 (Involving child in child exploitation) | Inviting, procuring, offering or causing a child to be involved in the production of child exploitation material | Statutory defences and exclusions apply (s 221A) | Imprisonment for 10 years |
| WA | Criminal Code Act Compilation Act 1913 s 218 (Producing child exploitation material) | Producing child exploitation material | Statutory defences and exclusions apply (s 221A) | Imprisonment for 10 years |
| WA | Criminal Code Act Compilation Act 1913 s 219 (Distributing child exploitation material) | Distributing child exploitation material (including by electronic means) | Statutory defences and exclusions apply (s 221A) | Imprisonment for 10 years |
| WA | Criminal Code Act Compilation Act 1913 s 220 (Possession of child exploitation) | Possessing child exploitation material | Statutory defences and exclusions apply (s 221A) | Imprisonment for seven years |

Sources: Australasian Legal Information Institute (AustLII); State and Territory legislative databases.

8.20 Prosecutions involving importation of child pornography material are usually dealt with under Commonwealth law.24 Prosecutions involving Internet-based illegal content may involve a combination of Commonwealth and State or Territory offences.25

Sexting

8.21 Because criminal liability for child pornography offences may attach to any person capable of criminal responsibility, which in Australia is any person of or above the age of 10 years, a concern is that these offences may be used to prosecute young people, such as teenagers engaging in ‘sexting’.26 This is the practice of taking and sending explicit images of oneself or another person, typically using a mobile phone, and usually within the context of a consensual romantic relationship.27 The legal risks are considerable:28

[A] wide range of activities undertaken by children and encompassed by the term ‘sexting’ could amount to a criminal offences due to the broad definitions given to child pornography. Given this possibility, it might be expected that provision would be made to prevent the prosecution of children for such severe offences as creation, possession or dissemination of child pornography, particularly given media reports of the prevalence of sexting. This is, however, not the case.

8.22 The Criminal Code Act 1995 (Cth) offers some protection against the prosecution of persons under 18 years of age at the time of alleged conduct, requiring the Attorney-General’s consent:

474.24C Consent to commencement of proceedings where defendant under 18
(1) Proceedings for an offence against this Subdivision must not be commenced without the consent of the Attorney-General if the defendant was under 18 at the time he or she allegedly engaged in the conduct constituting the offence.
(2) However, a person may be arrested for, charged with, or remanded in custody or on bail in connection with, such an offence before the necessary consent has been given.

8.23 A 2013 Victorian Parliamentary Inquiry into sexting recommended a number of legislative amendments in that State to prevent the full force of child pornography laws from applying to teenagers engaging in such conduct where there is no coercion or exploitation. It also recommended the creation of a new offence of non-consensual sexting, applicable also to intimate images of adults, in the form of amendments to the Summary Offences Act 1966 (Vic) prohibiting distribution (s 41DA) and threat to distribute (s 41DB) ‘intimate images’, defined as a moving or still image depicting a person engaged in sexual activity, a sexual manner or context, or private parts (s 40).29 The topic of Internet-based stalking and voyeurism, whether targeting children or adults, is further dealt with in Chapter 10.

8.24 The Criminal Code Act 1995 (Cth) s 474.25 also imposes reporting obligations on any person who is an Internet service provider (ISP) or Internet content host (ICH) and who is aware that the services provided ‘can be used to access particular material that the person has reasonable grounds to believe is … child pornography material or child abuse material … and does not refer details of the material to the Australian Federal Police within a reasonable time after becoming aware of the existence of the material’. Failure to comply is punishable by a fine of 100 penalty units. This is in addition to legal obligations that telecommunications carriers have under other legislation, industry codes and so on.30

Determining offence seriousness

8.25 There is some variability in the ways in which courts view individual child pornography offending. A starting point is to assess the quantity and character of the images involved. While some reported cases involve dealings with images numbering in the tens of thousands, not all images are to be regarded with the same level of disapprobation. Australian courts sometimes employ scales of severity, based on that originally developed in the 1990s by the COPINE (Combating Paedophile Information Networks in Europe) Project based in the United Kingdom:31

(1) images depicting erotic posing with no sexual activity;
(2) sexual activity between children, or solo masturbation by a child;
(3) non-penetrative sexual activity between adults and children;
(4) penetrative sexual activity between children and adults;
(5) sadism or bestiality.

8.26 In addition to the detail of child pornography images, offenders vary as to the kind and extent of involvement in the processes around their creation and distribution. At the lowest level are those who perhaps inadvertently stumble across dubious material while surfing the Internet, perhaps while viewing adult erotica, and follow their curiosity to seek out images of younger subjects including children or child-like depictions. At the other extreme, arguably, are organised criminals who prey on children to create and distribute sexually explicit images, often for purely commercial rather than sexual motivations.

8.27 Sentencing of offenders who have committed repulsive crimes against children is a difficult legal task. This is illustrated by a United States appellate court’s comment in the case of a 50-year-old citizen who had brutally raped girls in Cambodia and uploaded videos of the assaults to the Internet:32

The steady stream of criminal cases flowing through this Court brings us many examples of man’s inhumanity to man, and we see a depressingly large number of crimes against children. But the sexual crimes that Irey committed against some of the most vulnerable children in the world set him apart. He raped, sodomized, and sexually tortured fifty or more little girls, some as young as four years of age, on many occasions over a four- or five-year period. He also scripted, cast, starred in, produced, and distributed worldwide some of the most graphic and disturbing child pornography that has ever turned up on the Internet.

8.28 A useful typology of child pornography offending has been advanced by Tony Krone, who notes also that a ‘distributor of child pornography may or may not have a sexual interest in child pornography’ (Table 8.3).33

Table 8.3: A typology of online child pornography offending

| Term | Description |
|---|---|
| Browser | Response to spam, accidental hit on suspect site — material knowingly saved |
| Private fantasy | Conscious creation of online text or digital images for private use |
| Trawler | Actively seeking child pornography using openly available browsers |
| Non-secure collector | Actively seeking material often through peer-to-peer networks |
| Secure collector | Actively seeking material but only through secure networks. Collector syndrome and exchange as an entry barrier |
| Groomer | Cultivating an online relationship with one or more children. The offender may or may not seek material in any of the above ways. Pornography may be used to facilitate abuse. |
| Physical abuser | Abusing a child who may have been introduced to the offender online. The offender may or may not seek material in any of the above ways. Pornography may be used to facilitate abuse. |
| Producer | Records own abuse of children or that of others (or induces children to submit images of themselves) |
| Distributor | May distribute at any one of the above levels |

Source: T Krone, ‘A Typology of Online Child Pornography Offending’, Trends and Issues in Crime and Criminal Justice no. 279, Australian Institute of Criminology, July 2004.

8.29 Earlier sentencing data in Australia indicated that possession of child pornography typically attracted a low-range sentence of 6–18 months’ imprisonment, often suspended on condition of good behaviour.34 However, it is likely that more severe sentences have been imposed in more recent times, in part with the increase in maximum penalty levels. For example, the maximum penalty for child pornography possession in the Australian Capital Territory (ACT) was raised from five years to seven years in 2011, while in New South Wales (NSW) the maximum was raised from five to 10 years in 2010.35

8.30 The NSW Court of Criminal Appeal has identified the following factors to be taken into account in child pornography sentencing:36

- Whether actual children were used in the creation of the material.
- The nature and content of the material, including the age of the children and the gravity of the sexual activity portrayed.
- The extent of any cruelty or physical harm occasioned to the children that may be discernible from the material.
- The number of images or items of material — in a case of possession, the significance lying more in the number of different children depicted.
- In a case of possession, the offender’s purpose, whether for his/her own use or for sale or dissemination.
- In a case of dissemination/transmission, the number of persons to whom the material was disseminated/transmitted.
- Whether any payment or other material benefit (including the exchange of child pornographic material) was made, provided or received for the acquisition or dissemination/transmission.
- The proximity of the offender’s activities to those responsible for bringing the material into existence.
- The degree of planning, organisation or sophistication employed by the offender in acquiring, storing, disseminating or transmitting the material.
- Whether the offender acted alone or in a collaborative network of likeminded persons.
- Any risk of the material being seen or acquired by vulnerable persons, particularly children.
- Any risk of the material being seen or acquired by persons susceptible to act in the manner described or depicted.

8.31 Penalties for the abuse of children in the production of pornography are typically more serious, though sometimes the sentence for computer-related aspects of the crime is ordered to be served concurrently with the sentence imposed for the child sexual abuse.37

8.32 Conviction for specified child sexual assault or child exploitation offences will result in an offender being placed on a child sex offender register. Unlike some sex offender registers in the United States, Australian registers are not accessible to the public.38

Questions for consideration

1. In K A Kimball, ‘Losing Our Soul: Judicial Discretion in Sentencing Child Pornography Offenders’ (2011) 63 Florida Law Review 1515 (notes omitted), discussing the case of United States v Irey (see note 32), the following is stated:

Child pornography offenders fuel a booming $20 billion Internet industry by turning the abuse of countless child victims into a lucrative commodity. The repeated viewing of their exploitation causes victims to feel violated long after their initial abuse and to fear being recognized by those who find pleasure in their humiliation. In addition, courts dehumanize child victims by keeping them nameless during prosecutions against their predators — those who produce, distribute, and possess the degrading and vile images.

How can law enforcement and court processes, including sentencing, properly reflect the range of harms done to victims, without adding to their trauma? If victims cannot be identified, should this make any difference?

2. In T Krone, ‘A Typology of Online Child Pornography Offending’, Trends and Issues in Crime and Criminal Justice no. 279, Australian Institute of Criminology, July 2004, the following further questions are raised:

- How can victims be identified to prevent ongoing abuse or provide support in relation to past abuse?
- What effects are suffered by victims portrayed in child pornography?
- What is the extent of recidivism among child pornography offenders?
- What are the most effective ways of rehabilitating a child pornography offender?
- Does the use of child pornography follow a typical progress from the marginally pornographic to the most extreme images?
- Is there any causal link between use of child pornography and the physical abuse of children?

How might researchers go about accurately answering these questions?

3. Australian Federal Police media releases on child exploitation cases include the following suggestions to the media. How should the media respond?

Child exploitation images, Not ‘child pornography’

Use of the phrase ‘child pornography’ actually benefits child sex abusers:

- It indicates legitimacy and compliance on the part of the victim and therefore legality on the part of the abuser.
- It conjures up images of children posing in ‘provocative’ positions, rather than suffering horrific abuse.

Every photograph captures an actual situation where a child has been abused. This is not pornography.

1. R Wortley and S Smallbone, ‘Child Pornography on the Internet’, Centre for Problem-Oriented Policing, University at Albany, State University of New York, Guide No. 41, 2006.

2. Department of Justice, United States, Child Exploitation and Obscenity Section, ‘Child Pornography Today’.

3. J Wolak et al, ‘Arrests for Child Pornography Production: Data at Two Time Points from a National Sample of U.S. Law Enforcement Agencies’ (2011) 16(3) Child Maltreatment 184.

4. T Krone, ‘International Police Operations Against Child Pornography’, Trends and Issues in Crime and Criminal Justice no. 296, Australian Institute of Criminology, April 2005.

5. T Krone, ‘Operation Auxin: The Australian Response to Online Child Pornography’ (2005) 67(3) Royal Canadian Mounted Police Gazette 30.

6. A Gillespie, Child Pornography: Law and Policy, Routledge, 2011; T Lopez et al, ‘Trends and Practice Tips for Representing Child Pornography Offenders at Sentencing’ (2012) 27(3) Criminal Justice, citing United States Sentencing Commission data.

7. Immigration and Customs Enforcement (ICE), ‘123 Sexually Exploited Children Identified by HSI During “Operation Sunflower”’, media release, 3 January 2013.

8. G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008, p 43, citing a media release by the US Department of Justice: ‘Dozens Charged in International Internet-Based Child Pornography Investigation’, 15 March 2006. For a more recent report of organised crime groups involved in live streaming, see Australian Federal Police, ‘Live Online Child Abuse — 29 International Arrests Made’, media release, 16 January 2014.

9. Terre des Hommes, Webcam Child Sex Tourism — Becoming Sweetie: A Novel Approach to Stopping the Global Rise of Webcam Child Sex Tourism, November 2013 (online) (discussed further in Chapter 9).

10. Australian Federal Police, ‘Online Child Sex Exploitation’; Virtual Global Taskforce, ‘Combatting Online Child Sexual Abuse’; S Macgregor, ‘It is NOT Child Pornography. It Is a Crime Scene Photo’, The Conversation, 23 February 2013.

11. For example, J Clough, Principles of Cybercrime, Cambridge University Press, 2010, Ch 10; see also M Taylor and E Quayle, Child Pornography: An Internet Crime, Brunner-Routledge, 2003; P Jenkins, Beyond Tolerance: Child Pornography on the Internet, New York University Press, 2003; A Burke et al, ‘Child Pornography and the Internet: Policing and Treatment Issues’ (2002) 9(1) Psychiatry, Psychology and Law 79.

12. Note that the Council of Europe’s Convention on Cybercrime is only one of several international agreements dealing with the prohibition of child pornography. Others include the Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (‘Lanzarote Convention’) and the United Nations Convention on the Rights of the Child (ratified by Australia in 1990), with its Optional Protocol on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography (ratified by Australia in 2007).

13. Part 10.6 — Telecommunications services was added to the Criminal Code Act 1995 (Cth) by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004 (Cth) with effect from 1 March 2005.

14. In practice, child pornography investigations and prosecutions are more likely to target images that clearly depict under-age victims, including infants and pre-pubescent children, rather than on depictions of teenagers who may be close to the minimum age.

15. See the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today (PROTECT) Act of 2003, held to be overly broad in Ashcroft v Free Speech Coalition 535 US 235 (2002), and particularly the American Civil Liberties Union (ACLU) amicus curiae submission in that litigation.

16. M Pobořilová, ‘Virtual Child Pornography’ (2011) 5(2) Masaryk University Journal of Law and Technology 245, commenting especially on the situation in the Czech Republic.

17. See Crimes Act 1900 (NSW) s 91FB(3); and J Clough, Principles of Cybercrime, note 11 above, p 271, discussing a United Kingdom conviction of a man for superimposing faces from photographs of children onto adult pornography.

18. See also J Clough, ‘Lawful Acts, Unlawful Images: The Problematic Definition of “Child” Pornography’ (2012) 38(3) Monash University Law Review 213.

19. Contrast the leading Canadian case of R v Sharpe [2001] 1 SCR 45, cited in Holland v The Queen [2005] WASCA 140 (3 August 2005) at [201]. Malcolm CJ and McLure JA delivered separate judgments agreeing with the reasoning of Roberts-Smith JA as to the constitutional points, but the appeal against conviction was allowed on other grounds.

20. Paedophilia is a recognised psychiatric disorder under the American Psychiatric Association (APA) Diagnostic and Statistical Manual of Mental Disorders IV-TR, Washington DC, 2000 at 571–2, cited by J Clough, Principles of Cybercrime, note 11 above, at 247; the classification is continued in the subsequent DSM-5, Washington DC, 2013.

21. The classification of images according to gradations of severity such as the ‘Oliver scale’ is discussed below.

22. In R v Stubbs [2009] ACTSC 63 (26 May 2009) at [6]–[7], Higgins CJ observed: ‘The term “carriage service” has nothing to do with transportation. It is defined by reference to the Telecommunications Act 1997 (Cth). In s 7 thereof, “carriage service” is defined as “… a service for carrying communications by means of guided and/or unguided electromagnetic energy.” … “Communications” are widely defined to include transmission and receipt of “data”, “text” or any other form or forms of communication’.

23. See, for further detail, G Urbas, ‘Cybercrime’ in Halsbury’s Laws of Australia, [130-2500]–[13025205], LexisNexis, 2013.

24. See, for example, R v Gent [2005] NSWCCA 370; 162 A Crim R 29 (4 November 2005); Holland v The Queen [2005] WASCA 140 (3 August 2005).

25. As illustrated by the McEwen v Simmons case discussed earlier at [8.13]. Some cases also involve physical contact or other offences so that sentencing outcomes may not relate only to child pornography offences involved: see, for example, SJ v The Queen [2012] VSCA 237 (28 September 2012).

26. See G Urbas, ‘The Age of Criminal Responsibility’, Trends and Issues in Crime and Criminal Justice no. 181, Australian Institute of Criminology, November 2000: .

27. See G Urbas and K Fouracre, ‘Legal Responses to Sexting: The Importance of Consent’ (2013) 16(7) Internet Law Bulletin 171; T Crofts and M Lee, ‘“Sexting”, Children and Child Pornography’ (2013) 35(1) Sydney Law Review 85; and M Salter, T Crofts and M Lee, ‘Beyond Criminalisation and Responsibilisation: Sexting, Gender and Young People’ (2013) 24(3) Current Issues in Criminal Justice 301. One of few reported Australian sexting cases is DPP v Eades [2009] NSWSC 1352 (17 December 2009).

28. T Crofts and M Lee, ‘“Sexting”, Children and Child Pornography’, note 27 above, at 91–2.

29. Parliament of Victoria, Law Reform Committee, Final Report of the Inquiry into Sexting, 29 May 2013: ; and see Summary Offences Act 1966 (Vic) as amended by the Crimes Amendment (Sexual Offences and Other Matters) Act 2014 (Vic).

30. For example, s 313 of the Telecommunications Act 1997 (Cth), which states in subs (1) that a carrier or carriage service provider must ‘do the carrier’s best or the provider’s best to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or of the States and Territories’; see further G Urbas and K Fouracre, ‘Obligations and Liability of ISPs as Guardians of Internet Content: Comparative Perspectives — Emerging Schemes of Civil and Criminal Liability for ISPs’ (2010) 15(2) Computer Law Review International (CRi) 33.

31. R v Silva [2009] ACTSC 108 (4 September 2009) at [6]. The ACT Supreme Court used a five-level gradation developed from the 10-level COPINE scale by the Criminal Division of the Court of Appeal of England and Wales in R v Oliver [2003] 1 Cr App R 28, sometimes also referred to as the ‘Oliver scale’.

32. United States v Irey, 612 F.3d 1160 (11th Cir. 2010), overturning a 17.5-year sentence.

33. T Krone, ‘A Typology of Online Child Pornography Offending’, Trends and Issues in Crime and Criminal Justice no. 279, Australian Institute of Criminology, July 2004: .

34. See T Krone, ‘Child Pornography Sentencing in NSW’, High Tech Crime Brief no. 8, Australian Institute of Criminology, May 2009. This study covered the period 2000–03: .

35. Criminal Proceedings Legislation Amendment Act 2011 (ACT); Crimes Amendment (Child Pornography and Abuse Material) Act 2010 (NSW). An indication that sentencing patterns may be changing somewhat in ACT child pornography possession cases is R v Cooper [2012] ACTCA 9 (21 December 2012) where a sentence of one year and seven months was increased on a prosecution appeal to two years and seven months, though with 18 months to be served by periodic detention and the remainder suspended subject to a good behaviour bond.

36. Minehan v R [2010] NSWCCA 140 (7 July 2010), per Hulme J at [94].

37. See, for example, R v JM and SM [2010] NSWDC 318 (15 October 2010); and R v TW [2011] ACTCA 25 (17 November 2011).

38. See, for example, Crimes (Child Sex Offenders) Act 2005 (ACT). The National Child Offender System (NCOS), comprising the Australian National Child Offender Register (ANCOR) and the Managed Person System (MPS), is described along with the Child Exploitation Tracking System (CETS) at .


Chapter 9 Online Child Grooming

Chapter contents

Legal responses 9.7
Covert online investigations 9.21
Webcam child exploitation 9.29
Questions for consideration

9.0 This chapter deals with a form of online exploitation of children known as ‘child grooming’.1 This is the misuse of computers and the Internet to abuse and exploit children, principally by adult or older teen sex predators who ‘groom’ victims online. In some cases, this is done to engage the child in sexual behaviour, such as sending naked or sexualised images of themselves, stripping before a webcam, or engaging in sex acts alone or with others for the sexual satisfaction of the groomer. In other cases, the object is to get the child to agree to a meeting with the predator, where sexual contact will occur. While not every instance of child grooming leads to sexual contact, the exploitation of children at any stage of this process is properly regarded as a form of child abuse:2

Grooming behaviour can share a relationship with the wider phenomenon of child abuse; research has shown that an opportunity to sexually abuse a child is more likely to emerge following an act of grooming. Grooming can be conceived as a predatory act committed in order to facilitate sexual abuse and, thus, the issue of context — particularly the motivation behind the behaviour — is highly relevant. The context in which initial, seemingly innocent behaviour of making contact with and forming a relationship with a child is crucial in separating harmless behaviour from grooming behaviour.

9.1 Child predators are often highly motivated, manipulative and persistent. Many take care not to be discovered by adults, such as a child’s parents, and specifically target unsupervised children or those with family or other difficulties. Some groom dozens of children at a time. As with child pornography (discussed in Chapter 8), this is a disturbing area of cybercrime to deal with, but is important both in terms of the harm to victims involved and in terms of law enforcement responses. Child exploitation crimes, including child grooming, represent by far the greatest number of cybercrime cases investigated and prosecuted, both in Australia and other countries.

9.2 The adoption of online communication by children, including social media applications, has facilitated a remarkable growth in the prevalence of grooming:3

The nature of online grooming

Children have been found to be vulnerable to adult sexual predators because their development of social skills is not yet complete, making them less likely to pick up relevant cues such as inappropriate remarks that predators may make during conversations. Children with low self-esteem, lack of confidence and naivety are more at risk and more likely to be targeted by offenders. Sexually curious adolescents who are often easily aroused are also more willing to take risks than less curious children, thus making them a target for predators.

The child grooming process

Child grooming, a premeditated behaviour intended to secure the trust and cooperation of children prior to engaging in sexual conduct, is a process that commences with sexual predators choosing a location or target area likely to be attractive to children. A process of grooming then commences during which offenders take a particular interest in their child victim to make them feel special with the intention of gaining their trust. As trust is developed between the child victim and the offender, offenders then seek to desensitise child victims to sexual conduct by introducing a sexual element into the relationship.

The attractions of new technologies for children

All this is able to be achieved with ease in the online environment. Large numbers of children now use the internet … Social networking through blogging, instant messaging, IRC rooms and short message services all enable children to communicate with friends quickly, effectively and ostensibly with confidentiality. Other communications technologies such as email, VoIP and mobile phones can also be used in the grooming process. Acronyms and other non-linguistic signs (so-called ‘emoticons’) are often used to accelerate the writing process, and many of these are used to represent sexual content.

The attractions of new technologies for sexual predators

Sexual offenders are also using the internet to locate children for criminal purposes including the creation of pornography, sex tourism, making contact with child prostitutes and establishing contacts for subsequent sexual assault. The anonymous nature of the internet allows offenders to masquerade as children in cyberspace to gain the confidence and trust of their victims over a period of time before introducing a sexual element into the online conversation and eventually arranging a physical meeting. The lack of visual cues in cyberspace that may assist child victims in making judgments about the suitability, trustworthiness and sincerity of others with whom they communicate also facilitates the grooming process for offenders. Another emerging risk relating to online child exploitation is ‘rape’ crimes that take place in online gaming or virtual worlds. These forms of virtual crimes can potentially cause real psychological, social and financial harms to their victims, particularly children.

Source: K-K R Choo, ‘Online Child Grooming: A Literature Review on the Misuse of Social Networking Sites for Grooming Children for Sexual Offences’, Research and Public Policy Series no. 103, Australian Institute of Criminology, 2009.

9.3 As noted in the above extract, predators may use the anonymity of online communications to mask their real identities and characteristics; for example, by pretending to be around the same age as a child, or slightly older. This is a way of establishing trust and breaking down the resistance that a child, however familiar with warnings of ‘stranger danger’, may have in forming a friendship with an adult.4

9.4 The danger of online child grooming was first brought to public attention in the United Kingdom by the Toby Studabaker case, in which a 12-year-old girl was persuaded by an American former marine to meet with him in Manchester, and the pair then travelled to Paris and had sex in a hotel. He was convicted and served a sentence in the United Kingdom, and was subsequently returned to the United States to serve another sentence imposed under federal law in relation to the same events.5

9.5 In Australia, the tragic consequences of online grooming of vulnerable teenagers are illustrated by the following case, which resulted in the offender receiving a life sentence for murder.

Carly’s Story

In 2006 Carly Ryan thought she had met her dream boyfriend online. His name was Brandon Kane, a 20yr old musician from Melbourne. Brandon was in fact fictitious. An internet construct, the cyberspace alter ego of Gary Francis Newman, a 50yr old predator and paedophile. Carly fell in love with the Brandon construct during months of online contact and phone calls. Gary Newman took on another identity when he attended Carly’s 15th birthday, that of Brandon’s adopted father ‘Shane’. In that guise, he attempted to gain the trust of Carly’s mum, Sonya, and continued to deceive Carly, buying her gifts and promising to bring Brandon to Adelaide to meet her. Gary Newman spent months masquerading as Brandon Kane to win Carly’s love. When he tried to seduce her in person pretending to be Brandon’s father ‘Shane’ saying that Brandon wouldn’t mind if his dad had sex with her, she rejected him. Angry, Gary Newman returned to Melbourne vowing to ‘fix Carly up.’ He used his alter ego to lure Carly to a final, fatal meeting. In February 2007, Gary Newman convinced Carly to meet him. He took Carly to a secluded beach at Port Elliott, South Australia. There, he bashed her, pushed her face into the sand, suffocating her, he then threw her into the water to drown. She was only 15yrs old. A local lady found Carly’s body the next morning, covered in sand, her clothing in disarray. Within 11 days, detectives located Gary Newman in Victoria. They found him at his computer, logged in as Brandon Kane talking with a 14yr old girl in Western Australia. They arrested him, charging him with Carly’s murder. In a Supreme Court trial which continued for over three months, a jury found Gary Francis Newman guilty of murder. He was sentenced on March 31st 2010. South Australian Justice Trish Kelly ordered him to serve a life behind bars with a 29yr non parole period.

Justice Kelly said: ‘Gary Newman deserves a life behind bars for his grossly perverted plan to deceive, seduce and murder Carly. It was a terribly cruel thing you did to this beautiful, impressionable 15yr old child. I say child because that’s what she was, a child that fell in love with the idea of the handsome, musically inclined and rather exotic Brandon Kane, the real man was in fact an overweight, balding, middle aged paedophile with sex and murder on his mind. You were sexually obsessed with Carly to the degree that when you couldn’t get your own way, you prepared to and did kill her’.

Source: Carly Ryan Foundation website: .

9.6 Because the window of opportunity for preventing such criminal acts is small when a child is in the process of being groomed, the focus of law enforcement investigators and legislators has been on the early stages of predatory behaviour. Although such conduct may be, and in some jurisdictions routinely is, prosecuted as an attempted child sex offence, the better approach is to criminalise the acts of grooming separately rather than relying on the inchoate offence of attempt.6

Legal responses

9.7 The Council of Europe’s Convention on Cybercrime does not have provisions directed at online child grooming, but the more recent Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (‘Lanzarote Convention’) does, along with other forms of online child exploitation:7

Article 21 — Offences concerning the participation of a child in pornographic performances

1 Each Party shall take the necessary legislative or other measures to ensure that the following intentional conduct is criminalised:
   a recruiting a child into participating in pornographic performances or causing a child to participate in such performances;
   b coercing a child into participating in pornographic performances or profiting from or otherwise exploiting a child for such purposes;
   c knowingly attending pornographic performances involving the participation of children.
2 Each Party may reserve the right to limit the application of paragraph 1.c to cases where children have been recruited or coerced in conformity with paragraph 1.a or b.

Article 22 — Corruption of children

Each Party shall take the necessary legislative or other measures to criminalise the intentional causing, for sexual purposes, of a child who has not reached the age [of consent], to witness sexual abuse or sexual activities, even without having to participate.

Article 23 — Solicitation of children for sexual purposes

Each Party shall take the necessary legislative or other measures to criminalise the intentional proposal, through information and communication technologies, of an adult to meet a child who has not reached the age [of consent] for the purpose of committing any of the offences [of sexual contact, child pornography, etc].

9.8 The age of consent to sexual activity referred to in Arts 22 and 23 is able to be set by each country (as elaborated in Art 18, para 2). In Australia, this is standardly 16 years of age, though some State and Territory jurisdictions have exemption provisions for sexual offences that apply to similarly aged youth.

9.9 In Australia, all jurisdictions have some form of child procuring and grooming offences. Some of the States and Territories rely on older procuring offences only, some have amended these to refer more explicitly to online grooming, and a few have created new grooming offences alongside pre-existing procuring offences. There is also some variation in the age limits and penalty levels that apply (Table 9.1):8

Table 9.1: Commonwealth, State and Territory child grooming offences

| Jurisdiction | Provision | Main elements | Maximum penalty |
| --- | --- | --- | --- |
| CTH | Criminal Code Act 1995 s 474.26 (‘procure’) | Using a carriage service to transmit a communication to another person who is, or is believed to be, under 16 years of age, with the intention of procuring the recipient to engage in, or submit to, sexual activity | Imprisonment for 15 years |
| CTH | Criminal Code Act 1995 s 474.27 (‘groom’) | Using a carriage service to transmit a communication that includes indecent material to another person who is, or is believed to be, under 16 years of age, with the intention of making it easier to procure the recipient to engage in, or submit to, sexual activity | Imprisonment for 12 years; or 15 years imprisonment if s 474.27(3) applies (grooming a child for another person) |
| ACT | Crimes Act 1900 s 66(1) | Using electronic means, suggest to a young person (under 16 years of age) that the young person commit or take part in, or watch someone else committing or taking part in, an act of a sexual nature | Imprisonment for 10 years; or five years for a first offence |
| ACT | Crimes Act 1900 s 66(2) | Using electronic means, send or make available pornographic material to a young person (under 16 years of age) | Imprisonment for five years or 100 penalty units or both |
| NSW | Crimes Act 1900 s 66EB(3) | An adult who engages in any conduct exposing a child (under 16 years of age) to indecent material, with the intention of making it easier to procure the child for unlawful sexual activity with that or any other person | Imprisonment for 12 years if the child is under 14 years of age; 10 years otherwise |
| NT | Criminal Code Act s 131 | No specific provisions; see s 131 (Attempting to procure child under 16 years); s 132 (Indecent dealing with child under 16 years) | (s 131) Imprisonment for three years (five years if offender is an adult); (s 132) imprisonment for 10 years (14 years if child is under 10 years of age) |
| QLD | Criminal Code Act 1899 s 218A | Using electronic communication (defined as ‘email, Internet chat rooms, SMS messages, real time audio/video or other similar communication’) with intent to procure a person who is, or is believed to be, under 16 years of age, to engage in a sexual act | Imprisonment for five years; 10 years if the person intended to be procured is, or is believed to be, under 12 years of age |
| SA | Criminal Law Consolidation Act 1935 | No specific provisions; see s 63B (Procuring child to commit indecent act etc) | Imprisonment for 12 years for aggravated offence; 10 years for basic offence |
| TAS | Criminal Code Act 1924 s 125D | Making a communication by any means with the intention of procuring a person under the age of 17 years, or a person the accused person believes is under the age of 17 years, to engage in an unlawful sexual act | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC | Crimes Act 1958 s 49B(2) | A person of or over 18 years of age communicating with a child under 16 years of age or a carer, etc of such a child, with intent to facilitate the child’s engagement or involvement in a sexual offence with that person or another adult. | Imprisonment for 10 years |
| WA | Criminal Code Act Compilation Act 1913 s 204B | Using electronic communication (defined to include ‘data, text or images’) with intent to procure a person who is, or is believed to be, under 16 years of age to engage in sexual activity; or exposing a person under 16 years of age to indecent matter | Imprisonment for five years (10 years if person is, or is believed to be, under 13 years of age) |

Sources: Australasian Legal Information Institute (AustLII): ; State and Territory legislative databases.

9.10 The Criminal Code Act 1995 (Cth) contains a number of offences dealing with various aspects of the sexual exploitation of children. Some of these are the telecommunications-related child pornography and child abuse material offences discussed in Chapter 8. Others include human trafficking offences, child sex offences outside Australia, and child pornography and child abuse material offences using postal services.9 The following offence is found in Pt 10.6:10

474.25A Using a carriage service for sexual activity with person under 16 years of age

Engaging in sexual activity with child using a carriage service
(1) A person commits an offence if:
    (a) the person engages in sexual activity with another person (the child) using a carriage service; and
    (b) the child is under 16 years of age; and
    (c) the person is at least 18 years of age.
    Penalty: Imprisonment for 15 years.

Causing child to engage in sexual activity with another person
(2) A person (the defendant) commits an offence if:
    (a) the defendant engages in conduct in relation to another person (the child); and
    (b) that conduct causes the child to engage in sexual activity with another person (the participant) using a carriage service; and
    (c) the child is under 16 years of age when the sexual activity is engaged in; and
    (d) the participant is at least 18 years of age when the sexual activity is engaged in.
    Penalty: Imprisonment for 15 years.
(3) The fault element for paragraph (2)(b) is intention.

Defence—child present but defendant does not intend to derive gratification
(4) It is a defence to a prosecution for an offence against subsection (1) or (2) if:
    (a) the conduct constituting the offence consists only of the child being in the presence of a person while sexual activity is engaged in; and
    (b) the defendant proves that he or she did not intend to derive gratification from the presence of the child during that activity.
    Note 1: A defendant bears a legal burden in relation to the matter in this subsection, see section 13.4.
    Note 2: For other defences relating to this offence, see section 474.29.

9.11 The above offence relates to sexual activity with a child engaged in through the use of communications technology.11 This captures some forms of sexual activity with or directed at a child.12

9.12 A separate ‘procuring’ offence applies to communicating with a child, or a person believed to be a child, for sexual activity. There are several different forms of the offence, depending on with whom it was intended that the activity would occur:13

474.26 Using a carriage service to procure persons under 16 years of age

(1) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (b) the sender does this with the intention of procuring the recipient to engage in sexual activity with the sender; and
    (c) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (d) the sender is at least 18 years of age.
    Penalty: Imprisonment for 15 years.
(2) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (b) the sender does this with the intention of procuring the recipient to engage in sexual activity with another person (the participant); and
    (c) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (d) the participant is someone who is, or who the sender believes to be, at least 18 years of age.
    Penalty: Imprisonment for 15 years.
(3) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (b) the sender does this with the intention of procuring the recipient to engage in sexual activity with another person (the participant); and
    (c) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (d) the participant is someone who is, or who the sender believes to be, at least 18 years of age; and
    (e) the sender intends that the sexual activity referred to in paragraph (b) will take place in the presence of:
        (i) the sender; or
        (ii) another person (the participant) who is, or who the sender believes to be, at least 18 years of age.
    Penalty: Imprisonment for 15 years.

9.13 Note that, for the above offences to be committed, it is not necessary for actual sexual activity to transpire, nor is it necessary that there actually be a child being communicated with by the person charged under s 474.26. This is important in allowing the covert investigation of online offenders by law enforcement officers posing as children, discussed further below at [9.21]. A separate ‘grooming’ offence relates to preparatory communications:14

474.27 Using a carriage service to ‘groom’ persons under 16 years of age

(1) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (c) the sender does this with the intention of making it easier to procure the recipient to engage in sexual activity with the sender; and
    (d) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (e) the sender is at least 18 years of age.
    Penalty: Imprisonment for 12 years.
(2) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (c) the sender does this with the intention of making it easier to procure the recipient to engage in sexual activity with another person (the participant); and
    (d) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (e) the participant is someone who is, or who the sender believes to be, at least 18 years of age.
    Penalty: Imprisonment for 12 years.
(3) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (c) the sender does this with the intention of making it easier to procure the recipient to engage in sexual activity with another person; and
    (d) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (e) the other person referred to in paragraph (c) is someone who is, or who the sender believes to be, under 18 years of age; and
    (f) the sender intends that the sexual activity referred to in paragraph (c) will take place in the presence of:
        (i) the sender; or
        (ii) another person (the participant) who is, or who the sender believes to be, at least 18 years of age.
    Penalty: Imprisonment for 15 years.

9.14 As with s 474.26, for the above offences to be committed, it is not necessary for actual sexual activity to transpire, nor is it necessary that there actually be a child being communicated with by the person charged under s 474.27. This is important in allowing the covert investigation of online offenders by law enforcement officers posing as children, discussed further below at [9.21].

9.15 Finally, there is a separate offence of transmitting indecent material to a child, such as adult or child pornography, whether in an effort to procure or groom the child or otherwise:

474.27A Using a carriage service to transmit indecent communication to person under 16 years of age

(1) A person (the sender) commits an offence if:
    (a) the sender uses a carriage service to transmit a communication to another person (the recipient); and
    (b) the communication includes material that is indecent; and
    (c) the recipient is someone who is, or who the sender believes to be, under 16 years of age; and
    (d) the sender is at least 18 years of age.
    Penalty: Imprisonment for 7 years.
(2) In a prosecution for an offence against subsection (1), whether material is indecent is a matter for the trier of fact.
(3) In this section: indecent means indecent according to the standards of ordinary people.

9.16 It will be noted that all of the preceding offences refer to the recipient of communications as ‘someone who is, or who the sender believes to be, under 16 years of age’. This raises the question of what mental state, whether knowledge, belief or suspicion, is necessary for commission of the offence. There are two possible situations:
(i) The recipient is actually a person under 16 years of age.
(ii) The recipient is not, but the sender believes him or her to be, under 16 years of age.

9.17 Because there is not a mental state explicitly provided for situation (i) above, the default position under the Criminal Code Act 1995 (Cth) would ordinarily be that ‘recklessness’ would be the requirement for a prosecution on this basis.15 Thus, an alleged offender would have to be shown to have directed his or her mind to the age of the recipient, realised there was a substantial risk that that person was under 16 years, and gone ahead with the communication regardless.16

9.18 However, the Criminal Code Act 1995 (Cth) deals with the situation somewhat differently, though leading to arguably similar results in most cases. It provides in s 474.28(1) that for the purposes of a prosecution under s 474.25A, s 474.26 or s 474.27, ‘absolute liability applies to the physical element of circumstance of the offence that the recipient is someone who is under 16 years of age’. What this means is that the prosecution is not required to prove any fault element, whether intention, knowledge, recklessness or even belief, where the recipient is actually a person under 16 years of age. However, there is a statutory defence, with a legal burden falling on the defendant:17

474.29 Defences to offences against this Subdivision

Offences involving sexual activity—belief that child at least 16 years of age
(1) It is a defence to a prosecution for an offence against section 474.25A if the defendant proves that, at the time the sexual activity was engaged in, he or she believed that the child was at least 16 years of age.
    Note: A defendant bears a legal burden in relation to the matter in this subsection, see section 13.4.
…
(5) It is a defence to a prosecution for an offence against section 474.26, 474.27 or 474.27A if the defendant proves that, at the time the communication was transmitted, he or she believed that the recipient was at least 16 years of age.
    Note: A defendant bears a legal burden in relation to the matter in this subsection, see section 13.4.

Trier of fact may take into account whether belief reasonable
(6) In determining whether the defendant had the belief mentioned in one of the preceding subsections of this section, the trier of fact may take into account whether the alleged belief was reasonable in the circumstances.

9.19 In the alternative situation (ii) (see [9.16]), the prosecution must show that the defendant did believe that the recipient was under 16 years of age. Proof of subjective belief can be difficult, as evidenced by cases in which a defendant has succeeded in defending charges by insisting that he had no such belief.18 However, the prosecution’s task is assisted by s 474.28(3), which provides that, for the purposes of a prosecution under s 474.26, s 474.27 or s 474.27A, ‘evidence that the recipient was represented to the sender as being under or of a particular age is, in the absence of evidence to the contrary, proof that the sender believed the recipient to be under or of that age’.

9.20 Further, s 474.28(9) provides that ‘it does not matter that the recipient to whom the sender believes the sender is transmitting the communication is a fictitious person represented to the sender as a real person’. What this means is that it is possible for child grooming and related offences to be committed even where no child is actually at risk of harm. Rather, adults such as law enforcement officers may pose online as children in order to detect and apprehend child predators rather than wait until an actual child is exposed to risk.19

Covert online investigations

9.21 The wording of these Commonwealth provisions, and State legislation on which they are partly based, leaves little doubt that the legislature intended to allow for covert online investigation of child predators by law enforcement agencies.20 It is thus quite legitimate for police to engage in ‘sting operations’ that use, under appropriately supervised conditions, a fictitious child’s identity online as ‘bait’ for a child predator to contact. Ensuing online conversations, such as chat-room logs, sometimes lasting over months, provide important incriminating evidence in subsequent prosecutions. The following case illustrates this in the context of s 474.26:

R v Stubbs [2009] ACTSC 63 (26 May 2009) at [1]–[20]

Higgins CJ: The circumstances alleged to give rise to the offences in question arise out of operations conducted between 21 August 2007 and 21 January 2008 during which, utilising the internet, the accused communicated by way of email and online chat via computer not only at his work place but also from internet cafes and a library. The other party to the communications was Detective Stephen Waugh of New Zealand Police based in Auckland who used a false identity, namely, ‘missTufsey14, Roxanne Taylor’. For the purposes of this ruling it is assumed that the communications were in fact as represented by the case statement and proposed exhibit. During the subsequent exchanges the accused revealed certain personal details about himself. Detective Waugh, in responding, represented himself to be a 14 year old girl. The accused gradually became more sexually suggestive.

During communications between 25 October 2007 and 14 December 2007, the accused was recorded as saying that he had been thinking about the sexual activity he would like to engage in with ‘Roxanne’ if they could be alone together. He requested ‘Roxanne’ to send naked pictures of herself to him. On 16 November 2007 he gave ‘Roxanne’ detailed instructions on how to masturbate. The terms of those communications could, in my view, properly be regarded as ‘offensive’ to ‘reasonable persons’. It is, of course, a question of fact for a jury whether they were so. As to the first count, it is alleged that the communications relevant thereto commenced with ‘Roxanne’ on 27 November 2007 referring to ‘Sam’, a female friend, asking ‘Roxanne’ to go to Australia with her. The accused responded during that and later communications expressing a desire to meet with ‘Roxanne’ when she came to Australia. Communications concerning secrecy urged by the accused would support a conclusion that the accused was aware that his communications were, at least, likely to be considered offensive. He referred, for example, to wanting to shower and undress ‘Roxanne’. On 8 January 2008 the accused communicated further explicit sexual references including stating he would like them to perform oral sex on each other when she came to Canberra. He included references to finding a hotel room near the bus terminal. Up until 18 January 2008, when ‘Roxanne’ was to meet the accused at Canberra, the communications were more sexually explicit and would support a conclusion that the accused was proposing to engage in sexual activity with ‘her’. During that day, the accused appears to have had a change of heart. He advises ‘Roxanne’ that their communications were ‘wrong’ and that there should not be any sexual activity nor should he meet with her. ‘Roxanne’ responded, accepting the ‘sex stuff’ should not occur but stating that ‘she’ would still like to meet him. 
The accused subsequently arranged to meet ‘her’ at the Jolimont Centre. ‘She’ sent an email to the accused stating that ‘she’ had arrived there. The accused was then seen apparently responding to this message. He was apprehended by police and, on being questioned, admitted to being at the Jolimont Centre to meet ‘Roxanne’. He denied any intention to engage in sexual activity with ‘Roxanne’, though he conceded he had ‘indulged in fantasies’ concerning such activity with ‘Roxanne’. He agreed that some of his communications with ‘Roxanne’ had ‘sexual content’.

9.22 Not surprisingly, the defendant in this case sought to have the evidence of his online communication with ‘Roxanne’ excluded. An argument based on police breach of s 474.5 of the Criminal Code Act 1995 (Cth), which makes it an offence to cause an electronic communication ‘to be received by a person other than the person to whom it is directed’, was rejected by the trial judge (Higgins CJ, at [24]–[25]). So too was an argument that the police ‘aided and abetted’ the s 474.17 and s 474.26 offences charged. In particular, the judge was unable to accept that the police officer had acted in any way illegally or ‘improperly’ within the meaning of s 138 of the Evidence Act, particularly in view of the investigation’s compliance with a policy and procedure document produced by the New Zealand Police called ‘Principles of Practice for Investigating On-Line Grooming of Children Under 16’.21

9.23 His Honour concluded, in ruling the covertly obtained evidence admissible:22

R v Stubbs [2009] ACTSC 63 (26 May 2009) at [69]–[72]

The evil to be confronted by this kind of investigation is of high public importance. I refer to R v Burdon; ex parte Attorney-General (Qld) [2005] QCA 147; (2005) 153 A Crim R 104 where the facts were similar to those here alleged. As McMurdo P noted, at 108, the widespread use of the internet gives those disposed to corrupting and sexually exploiting children unprecedented access to vast numbers of potential victims. Such predators would be difficult to detect absent a complaint from an actual victim or an operation such as the present. The Gospel of St Matthew records Christ as condemning those who would corrupt the young in the following terms: 18:6 But who so shall offend one of these little ones which believe in me, it were better for him that a millstone were hanged about his neck, and that he were drowned in the depth of the sea (see Mark 9:42; Luke 17:2) That, I think reflects the community attitude toward such offences and such offenders. It would support the use of covert operations to detect them in a manner that does not place an actual young person at risk. If there was an impropriety in the operation conducted by Detective Waugh it could only have been in encouraging the alleged offender to expose his intentions. In my view that would not be a grave impropriety nor one likely, as might be the case if a drug operation fails to contain the drug being used as bait, to cause harm to others. It does not curtail unreasonably the civil rights of the accused. He was free to ‘chat’ or not and to choose the terms of his ‘chat’ or emails. I accept that Detective Waugh, had he gone beyond the rules of engagement laid down by New Zealand Police, could have been counselled. I doubt he would have been disciplined. Evidence of the evil intentions of a sexual predator on the internet would be difficult to obtain otherwise without monitoring actual attempts at corruption of young people. That would be an appalling alternative though it may sometimes be necessary. Better, as commented in R v Burden, that the victim be an adult posing as a child than an actual young person who receives and responds to such communications. It follows that the application to exclude this evidence is refused.

9.24 This ruling follows a line of such decisions starting with early Queensland cases, which introduced the legislative provision on which Criminal Code Act 1995 (Cth) ss 474.26 and 474.27 are modelled.23

9.25 Another case emanating from the Australian Capital Territory and illustrating covert online investigation techniques, but this time involving a United States Federal Bureau of Investigation (FBI) agent acting in concert with an Australian Federal Police (AFP) officer, is the following:24

R v Priest [2011] ACTSC 18 (11 February 2011) at [8], [11], [14]

Penfold J: The events leading to the conduct alleged to constitute the procuring offence were described as follows when I sentenced Mr Priest on 6 April 2010 on the three other charges [involving child pornography]. Mr Priest first came to police attention in December 2006 when AFP officers were advised by German police that his internet address had been used to download child pornography material. The grooming offence was committed between December 2006 and May 2008. A message was sent by a US undercover detective, Detective McLaughlin, to a mailing list known to circulate child pornography material. The message included the words ‘I am 14 from NH and love hot pics!’ Mr Priest, who used the mailing list, responded, beginning a correspondence with a person he believed to be Brad, a 14-year-old boy from New Hampshire. Communications took place by email, real-time ‘chats’ and other messages. In the course of their exchanges: Mr Priest established the absence of a father-figure in Brad’s life, and portrayed himself as someone Brad could trust. He positioned himself as a sexual confidante and mentor, and told Brad not to be afraid to ask him questions, particularly questions of a sexual nature. Mr Priest often described sexual acts that he would like to engage in with Brad, and he regularly sent video and still image files containing both child and adult pornography to Brad, including pornographic material showing himself masturbating and ejaculating.

… In December 2006 and March 2007, Mr Priest discussed with Brad the possibility of meeting in the United States in 2007 when he travelled there to attend a conference. He first raised this possibility after having communicated with Brad for only about a fortnight. However, Mr Priest was wary of being caught and did not in fact seek to meet Brad when he went to America. The prosecution say that this meeting did not take place because Mr Priest ‘was extremely worried about getting caught’, not because of any insight into ‘the illegality or immorality of his conduct’, and that does seem to be borne out by the transcripts of the communication. On his return to Australia, however, Mr Priest continued to chat with Brad and send him pornographic material, and also to entertain the possibility of a meeting when he returned to the US in 2009.

… In July 2007, Detective McLaughlin, who had by then been corresponding with Mr Priest for some months, emailed the AFP offering a referral ‘for a child porn case in Canberra, Australia’ … On 14 April 2008 Agent Chin was assigned to the Priest investigation … By 18 April 2008 Agent Chin had emailed Det McLaughlin about the identity he intended to assume for the purpose of engaging with Mr Priest … Det McLaughlin as ‘Brad’ introduced Mr Priest to Agent Chin as ‘Jamie’ in the following email exchange that took place over about 30 hours on the weekend of 19–20 April 2008. Mr Priest had been using the name John in his dealings with ‘Brad’. Mr Priest and ‘Jamie’ then communicated mostly by Windows Live Messenger (MSN). They ‘chatted’ for roughly 70 minutes on 22 April; 160 minutes on 28 April; 200 minutes on 29 April; 90 minutes on 1 May; 90 minutes on 5 May; briefly on 7 May; for roughly 145 minutes on 9 May; 155 minutes on 11 May; and 160 minutes on 12 May. As well, several emails were exchanged during the three-week period, including one attaching a photograph of Mr Priest. On 29 April Mr Priest first raised the possibility of a meeting; on 12 May a meeting was confirmed for 13 May at the Lyneham shops. On 13 May, Mr Priest went to the Lyneham shops at an appropriate time for the meeting that had been confirmed between him and ‘Jamie’ on 12 May. He spent about an hour in and around the shops, including looking in the window of a pizza shop, and then went home. The AFP then visited his home and searched it pursuant to a search warrant. In reliance on his dealings with ‘Jamie’, Mr Priest was charged with the procuring offence.

9.26 The main issue then to be determined at the preliminary hearing of the charge of procuring was the admissibility of the evidence obtained through this covert police investigation, involving officers both in the United States and Australia posing as children online and co-ordinating their efforts. Counsel for the defendant described this investigation as treating Mr Priest as ‘a fish — one fish — in a barrel’:25

R v Priest [2011] ACTSC 18 (11 February 2011) at [63]–[65], [97]

Penfold J: The expression ‘shooting fish in a barrel’, alluded to by counsel in his reference to Mr Priest being ‘one fish—in a barrel’, is in the abstract generally understood as a description of something that is easy; for instance, the Macquarie Dictionary Online (viewed on 19 January 2011) contains the following definition: … be like shooting fish in a barrel, to be extremely easy to do. To my understanding, the use of the expression as a criticism (as is implicit in counsel’s use in this case) implies a description of an unequal contest, in which the target of the exercise is not being given a sporting chance. The problem for Mr Priest is that the criminal law and the criminal justice system are not a game with rules designed to ensure a challenge for all participants and an enjoyable spectacle for observers. Certainly the criminal justice system involves more rules based on fairness than any game or sport I can think of, but those rules are aimed at protecting ‘the integrity of the administration of criminal justice’ (Ridgeway at 33), at ensuring that police officers and other officials do not abuse their powers, and at ensuring that innocent people are not wrongly convicted. [The] police actions could justifiably be criticised, for instance, for inducing an initially innocent person to act in a criminal way … or for involving abuse of official power, but they cannot be criticised for failing to give, to a person who commits an offence voluntarily and without inducement, a sporting chance of avoiding prosecution or conviction. Accordingly, I can see no basis for finding that the actions of Det McLaughlin and Agent Chin in offering Mr Priest an opportunity to commit an offence in relation to an Australian ‘child’ are objectionable in any respect. In particular they are not objectionable on the ground that when the opportunity was offered, the police officers had specific reason to expect that Mr Priest would take advantage of it; to the contrary … that expectation would seem to be an indication of good faith on the part of the police officers. Although the issue was not raised in argument, it is worth mentioning also that I can see no objection to the particular approach taken by Agent Chin in adopting as his fictitious identity a child living in Canberra as distinct from, say, a child who lived in Perth. Locating the fictitious child in Canberra probably increased the possibility that Mr Priest would go beyond ‘grooming’ to the more serious offence of ‘procuring’, by attempting to arrange a meeting …

… Finally, there is no basis for saying that the evidence was obtained improperly or in contravention of an Australian law, or in consequence of an impropriety or of such a contravention, such that it would be inadmissible without an exercise of the discretion to admit it under s 138(1) of the Evidence Act. The evidence is not inadmissible under s 138(1) and the discretion to admit under that section need not be considered.

9.27 One of the issues raised in both the cases of R v Stubbs and R v Priest in relation to the legality of the covert investigations was whether police had acted in accordance with legislation and internal guidelines. In both cases, the argument that police had in fact aided and abetted the commission of the offences charged was rejected, on the basis that the officers posing as children did not actively incite or encourage the discussion of sexual activity with children, but merely provided the suspect under investigation the opportunity to do so.26 This was held to be in compliance with police guidelines for covert investigations, which state that undercover police ‘must not counsel, incite or procure the commission of a crime by acting as an agent provocateur’ but that:27

Nothing prevents an undercover operative providing an opportunity for people to commit crimes that they intended to commit. However, they must not tempt or encourage anyone to commit crimes they might not otherwise commit.

9.28 As the police had not acted in either case in a way that breached either Australian legislation or their own internal guidelines, it was held that it was not necessary for them to have obtained a controlled operations certificate or an assumed identity authority.28 These mechanisms, originally developed in the context of controlled deliveries of drugs in undercover narcotics importation investigations, give police protection from civil and criminal liability for acts done within the scope of such operations.29 They have since been legislatively expanded to include the investigation of serious offences generally, and adopted in all Australian jurisdictions.30 While the above cases suggest that their use is not strictly necessary in covert investigations of online child grooming, it may be that their applicability as a regulatory device requiring appropriate senior level authorisation and supervision will nonetheless come to be accepted as ‘best practice’ for such operations.31

Webcam child exploitation

9.29 An emerging related issue is the use of webcam technologies to exploit children by pressuring them to engage in sexual acts for the gratification of viewers, who may be in the same locality as the child or in another country entirely. Sometimes this is done through the offer of payment or other reward. In extreme cases, the child is subjected to forced sexual abuse by adults who may themselves be paid for the production of the streamed images. The practice is becoming known as ‘webcam child sex tourism (WCST)’.32 In a widely reported investigation conducted over two-and-a-half months, using a computer-generated or ‘virtual’ image of a 10-year-old Filipina girl named ‘Sweetie’, the non-government Dutch children’s rights organisation Terre des Hommes identified over 1000 adults from 71 countries willing to pay to see her perform sex acts over a webcam, while over 20,000 attempted to chat with her.33

9.30 Information gathered during the ‘Sweetie’ investigation was handed over to Europol and law enforcement authorities in the countries concerned, and in some cases prosecutions followed. In Australia, it was reported in late 2014 that a 37-year-old Brisbane man had pleaded guilty to multiple charges as a result of his online interactions with the virtual child and had also asked for Sweetie’s fictional eight-year-old sister to be involved.34 Already on a sex offender register, the man was reportedly given a two-year suspended sentence having served 260 days in custody already.35

9.31 Although ‘Sweetie’ was only a ‘virtual’ child, the investigation conducted by Terre des Hommes uncovered many examples of WCST activity involving actual child victims. Three models of WCST operational structures were described, based on cases from the Philippines:36

(i) individual operations — where under-age children, often with a history of being sexually exploited or abused, would engage in sex acts alone or in groups in order to earn money;

(ii) family-run operations — where the parents or other relatives of under-age children would introduce them to webcam sex activities and often also use their exploitation to make money for the family; and

(iii) WCST ‘dens’ — where several children hired or trafficked and kept against their will would be forced to perform webcam sex acts, sometimes under the control of organised crime groups or foreign nationals.

9.32 In a recent Victorian case, an offender in Melbourne was convicted and sentenced to more than 11 years’ imprisonment after pleading guilty to more than 20 child sex offences involving the webcam sexual exploitation of children as young as three years old on the Philippines island of Cebu; while another Australian national was arrested and charged with child trafficking and child pornography offences on the island.37 In sentencing the Melbourne man on guilty pleas, the judge commented that there had been ‘no sexual contact’.38 This is somewhat curious, given that the evidence involved webcam-transmitted images of boys and girls being sexually abused and penetrated by various other children and adults.39 There was thus plenty of physical contact, but not involving the Australian defendant directly. In these circumstances, it is arguable that the purchaser and active consumer of WCST services may also be liable as an accessory to child sexual assault offences involving physical contact, using ‘aiding, abetting, counselling or procuring’ or even offences such as conspiracy, though prosecutors need to be wary of excessive or duplicitous charging and the complexities of establishing jurisdiction for extra-territorial offences.40


Questions for consideration

1. K-K R Choo, ‘Responding to Online Child Sexual Grooming: An Industry Perspective’, Trends and Issues in Crime and Criminal Justice no. 379, Australian Institute of Criminology, July 2009, describes the process of online grooming as follows (citations omitted):

Child grooming, a premeditated behaviour intended to secure the trust and cooperation of children prior to engaging in sexual conduct, is a process that commences with sexual predators choosing a location or target area likely to be attractive to children. A process of grooming then commences during which offenders take a particular interest in their child victim to make them feel special with the intention of gaining their trust. As trust is developed between the child victim and the offender, offenders then seek to desensitise child victims to sexual conduct by introducing a sexual element into the relationship. All this is able to be achieved with ease in the online environment. Large numbers of children now use the internet. In one US study, 55 percent of surveyed young people aged between 12 and 17 years were found to have used online social-networking sites. Sexual offenders are also using the internet to locate children for criminal purposes, including the creation of pornography, sex tourism, making contact with child prostitutes and establishing contacts for subsequent sexual assault. Online sexual solicitations by adults targeting children are of great concern. The anonymous nature of the internet allows offenders to masquerade as children in cyberspace to gain the confidence and trust of their victims over a period of time before introducing a sexual element into the online conversation and eventually arranging a physical meeting. The lack of visual cues in cyberspace that may assist child victims in making judgments about the suitability, trustworthiness and sincerity of others with whom they communicate also facilitates the grooming process for offenders.

In what ways can children be educated so as to prevent the dangers of becoming victims to online predators? What is the online version of the ‘stranger danger’?

2. In the online child grooming case of R v Gajjar [2008] VSCA 268 (18 December 2008), the Victorian Court of Appeal was asked to consider arguments that the sentence imposed was excessive, considering the fact there had been no actual child involved, with police instead posing as 14-year-old ‘Lisa’, and that there had been a degree of entrapment. The court responded, at [44]–[46]:

It has been observed, correctly in our view, that the fact that there was no actual child victim in this case does not of itself exclude imprisonment as a sentencing outcome. The offence is designed to be preventive. It is likely to be detected only through the use of undercover police techniques. We reject the submission that there was an element of entrapment in what occurred. This was not a case of an ‘unwary innocent’. The appellant voluntarily logged on to this chat room and was more than forthcoming in the dialogue that ensued. It is true that the planned meeting did not proceed. However, the offence was complete long before the appellant and ‘Lisa’ were due to meet.

Do you agree with the court’s approach? If not, how should it have reasoned?

1. The more general term used in criminal law is ‘procuring’ but Australian legislation also includes ‘grooming’ as a specific preparatory offence: see Table 9.1. In Canada, the term used in s 172.1 of the Criminal Code (Can.) is ‘luring’: see J Clough, Principles of Cybercrime, Cambridge University Press, 2010, p 345.

2. S Ost, Child Pornography and Sexual Grooming: Legal and Societal Responses, Cambridge University Press, 2009, p 32; see also H Whittle et al, ‘A Review of Online Grooming: Characteristics and Concerns’ (2013) 18(1) Aggression and Violent Behaviour 62.

3. In an interview in ‘Cops Go Undercover to Catch Cyber Paedophiles’, 7.30 Report, Australian Broadcasting Corporation, 16 September 2009, Dt Snr Sgt Chris O’Connor is asked whether online grooming is an increasing problem, and replies: ‘Exponentially with the increased use of the internet, yes. There aren’t the inherent social barriers on the internet that there are in real life’. He later adds: ‘Every member of the Victoria police force could be put online tomorrow and we wouldn’t scratch the surface. It is not only a law enforcement issue. And it should never be only a law enforcement issue’.

4. The ‘ThinkUKnow’ online safety program, initiated by the United Kingdom Child Exploitation and Online Protection (CEOP) Centre, features a short video developed by the Australian Federal Police (AFP) and Microsoft Australia, stressing that not everybody online is who they might pretend to be.

5. BBC News, ‘Ex-Marine Jailed for Abduction’, 2 April 2004.

6. See G Urbas, ‘Threat on the Net! Online Child Grooming in Australia’ (2011) 103 Precedent 16; and G Urbas, ‘Protecting Children From Online Predators: The Use of Covert Investigation Techniques by Law Enforcement’ (2010) 26(4) Journal of Contemporary Criminal Justice 410.

7. The Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse (‘Lanzarote Convention’) opened for signature on 25 October 2007 and entered into force with five ratifications on 1 July 2010; there are over 40 signatories but, to date, none from outside Europe.

8. This table is reproduced (with updated information) from G Urbas, ‘Look Who’s Stalking: Cyberstalking, Online Vilification and Child Grooming Offences in Australian Legislation’ (2008) 10(6) Internet Law Bulletin 62. The New South Wales offence under Crimes Act 1900 (NSW) s 66EB was added by the Crimes Amendment (Sexual Procurement or Grooming of Children) Act 2007 (NSW) with effect from 18 January 2008; Crimes Act 1958 (Vic) s 49B was added by the Crimes Amendment (Grooming) Act 2014 (Vic) with effect from 9 April 2014, and amended by the Crimes Amendment (Sexual Offences and Other Matters) Act 2014 (Vic) with effect from 29 October 2014.

9. Criminal Code Act 1995 (Cth) Divs 271, 272 and 471.

10. This offence was not added by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act 2004 (No. 2) (Cth) along with other Pt 10.6 offences, but rather by the later Crimes Legislation Amendment (Sexual Offences Against Children) Act 2010 (Cth).

11. This offence was added by the Crimes Legislation Amendment (Sexual Offences Against Children) Act 2010 (Cth). The Dictionary to the Criminal Code Act 1995 (Cth) provides that ‘without limiting when a person engages in sexual activity, a person is taken to engage in sexual activity if the person is in the presence of another person (including by a means of communication that allows the person to see or hear the other person) while the other person engages in sexual activity’. An aggravated form of the offence, punishable by imprisonment for 25 years, applies under s 474.25B where the child has a mental impairment or is under the care, supervision or authority of the defendant. Age-related provisions for this and the other offences in the Division are found in s 474.28 and defences are found in s 474.29, including subs (1): ‘It is a defence to a prosecution for an offence against section 474.25A if the defendant proves that, at the time the sexual activity was engaged in, he or she believed that the child was at least 16 years of age. Note: A defendant bears a legal burden in relation to the matter in this subsection, see section 13.4’.

12. According to the Explanatory Memorandum to the Crimes Legislation Amendment (Sexual Offences Against Children) Bill 2010 (Cth), the s 474.25A(1) offence was intended to apply to such acts as ‘where a person masturbates in front of a web cam while a child watches online’, while the s 474.25A(2) offence was intended to apply where ‘a person causes a child to masturbate in front of a web cam and a third party watches online, or a person causes a child to have sexual intercourse with another person (either an adult or child) in front of a web cam and the offender or a third party watches online’.

13. This offence was added by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act 2004 (No. 2) (Cth).

14. This offence was added by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act 2004 (No. 2) (Cth), originally specifying that the communication be ‘indecent’. This element has since been removed to a separate offence, under s 474.27A.

15. Criminal Code Act 1995 (Cth) s 5.4 (Recklessness) and s 5.6 (Offences that do not specify fault elements), as applied to the ‘circumstance’ of the age of the recipient.

16. A requirement to prove intent or recklessness would afford some protection to the defendant who mistakenly believes, for whatever reason, that the recipient is actually an adult, perhaps engaging in ‘role play’ as a child or teenager. The so-called ‘fantasy defence’, raised by some defendants in child grooming cases, is discussed in R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, Ch 5.

17. Under s 141 of the Evidence Act 1995 (Cth), a legal burden imposed on a defendant must be discharged on the balance of probabilities.

18. This is illustrated by the Queensland case of R v Shetty [2005] QCA 225 (24 June 2005).

19. Note that this will not necessarily result in a lesser sentence on conviction: see R v Fuller [2010] NSWCCA 192 (22 October 2010) at [35], where McClellan CJ at CL noted: ‘The sentencing judge identified the lack of an actual victim as a mitigating factor. Although an offence may be more serious when communication is made with an actual child and harm is done to that child, the primary object of the legislature in creating the offence was to prohibit the use of the internet by persons intent upon communicating with young persons for sexual purposes. Although the presence of an actual victim may aggravate the offence, the absence of a victim will not mitigate it’.

20. The Commonwealth provisions were preceded by s 218A of the Queensland Criminal Code, which featured in early cases such as R v Kennings [2004] QCA 162 (14 May 2004); R v Shetty [2005] QCA 225 (24 June 2005) and R v Burdon; ex parte A-G (Qld) [2005] QCA 147 (10 May 2005): see T Krone, ‘Queensland Police Stings in Online Chat Rooms’, Trends and Issues in Crime and Criminal Justice no. 301, Australian Institute of Criminology, July 2005.

21. This internal police guideline is remarkably reproduced in full in the judgment of Higgins CJ at [38]. A similar guideline produced for Australian Federal Police (AFP) use is referred to in the case of R v Priest [2011] ACTSC 18 (11 February 2011), but not reproduced in the judgment of Penfold J.

22. In the South Australian District Court case of R v Gedling [2007] SADC 124 (21 November 2007), Millsteed J remarked at [60] in relation to a similar provision, s 63B of the Criminal Law Consolidation Act 1935 (SA) as amended by the Criminal Law Consolidation (Child Pornography) Amendment Act 2004 (SA) (the CPA): ‘The wording of the section is plainly wide enough to permit the detection of offenders using the type of subterfuge employed by the police in the present case. Furthermore, the policy of the CPA is to protect children from sexual exploitation. That policy is given effect by s 63B(3) which targets people who engage in ‘grooming’ of children for future sexual abuse. Given the policy of the CPA and the purpose of the section there is, in my view, no sensible reason why s 63B(3) cannot be used to allow the police to assume the identity of a fictitious child in order to detect offenders engaged in online grooming. Indeed this method of entrapment, the legitimacy of which was conceded by the defence in the present case, is frequently used in the investigation of offences under similar federal and interstate legislation’. See further G Urbas, ‘Protecting Children From Online Predators: The Use of Covert Investigation Techniques by Law Enforcement’, note 6 above.

23. T Krone, ‘Queensland Police Stings in Online Chat Rooms’, Trends and Issues in Crime and Criminal Justice no. 301, Australian Institute of Criminology, July 2005. Queensland cases include R v Kennings [2004] QCA 162 (14 May 2004) and R v Shetty [2005] QCA 225 (24 June 2005), though the conviction in the second case was overturned in a later appeal. Other noteworthy cases involving the same covert policing methods include R v Gajjar [2008] VSCA 268 (18 December 2008) and R v Fuller [2010] NSWCCA 192 (22 October 2010): see also G Urbas, ‘Protecting Children From Online Predators: The Use of Covert Investigation Techniques by Law Enforcement’, note 6 above; and G Urbas, ‘Threat on the Net! Online Child Grooming in Australia’, note 6 above.

24. The judgment includes extensive transcripts of the chat-room communications between Mr Priest, ‘Brad’ and ‘Jamie’: see R v Priest [2011] ACTSC 18 (11 February 2011) at [16]–[23], [84]–[85].

25. R v Priest [2011] ACTSC 18 (11 February 2011) at [62], citing Ridgeway v The Queen (1995) 184 CLR 19. The admissibility issue was determined on the basis of s 138 of the Evidence Act 1995 (Cth), which at the time applied to proceedings before ACT courts. A defence application seeking a permanent stay of proceedings on the basis that the prosecution constituted an abuse of process contrary to the fair trial guarantee in s 21 of the Human Rights Act 2004 (ACT) was abandoned at an early stage of the proceeding (at [4]–[6]).

26. R v Stubbs [2009] ACTSC 63 (26 May 2009) at [23]–[66]; R v Priest [2011] ACTSC 18 (11 February 2011) at [71]–[86].

27. R v Stubbs, note 26 above, at [38], where the Auckland Police ‘Principles of Practice for Investigating On-Line Grooming of Children Under 16’ are reproduced in full; R v Priest, note 26 above, at [71], [91], where the AFP ‘National Guideline on Undercover Operations’ is reproduced in part.

28. R v Stubbs, note 26 above, at [42], [49]–[50], [56]; R v Priest, note 26 above, at [71]–[72], [87]–[90].

29. Note in particular the enactment of the Crimes Amendment (Controlled Operations) Act 1996 (Cth), following the High Court’s decision in Ridgeway v The Queen (1995) 184 CLR 19 quashing heroin importation convictions on the basis that police had illegally facilitated the importation of the drugs from Malaysia as part of a ‘controlled operation’.

30.
Part IAB (Controlled operations) and Pt IAC (Assumed identities) of the Crimes Act 1914 (Cth); Crimes (Controlled Operations) Act 2008 (ACT) and Crimes (Assumed Identities) Act 2009 (ACT); Law Enforcement (Controlled Operations) Act 1997 (NSW) and Law Enforcement and National Security (Assumed Identities) Act 2010 (NSW); Chs 11 and 12 of the Police Powers and Responsibilities Act 2000 (Qld) and Pts 6A and 6B of the Crime and Misconduct Act 2001 (Qld); Criminal Investigation (Covert Operations) Act 2009 (SA); Criminal Law (Undercover Operations) Act 1995 (SA) (repealed) and Police Powers (Controlled Operations) Act 2006 (Tas) and Police Powers (Assumed Identities) Act 2006 (Tas); Crimes (Controlled Operations) Act 2004 (Vic) and Crimes (Assumed Identities) Act 2004 (Vic); Criminal Investigation (Covert Powers) Act 2012 (WA). The Police (Special Investigative and Other Powers) Bill 2014 (NT) awaits consideration. 31. It is noteworthy that, in the South Australian case of R v Barrie [2012] SASCFC 124 (15 November 2012), chat-room communications were conducted using an approval granted under the Criminal Investigation (Covert Operations) Act 2009 (SA), where an officer posed as ‘Annabel Abramowicz, aged 13 years’ and ‘Felicity Grooves aged 14 years’ in conversations with the appellant. He was charged with procuring a child to commit an indecent act, the police alleging that he ‘sent a photograph of his erect penis to Annabel and discussed matters of a general sexual nature, including by enquiring as to whether she was a virgin’ and ‘discussed matters of a sexual nature with Felicity and made arrangements to meet her for the purpose of a sexual encounter’. The appeal to stay proceedings as an abuse of process was dismissed by the Full Court and the matter

was ordered to proceed to trial without delay. 32. Terre des Hommes, Webcam Child Sex Tourism — Becoming Sweetie: A Novel Approach to Stopping the Global Rise of Webcam Child Sex Tourism, November 2013 (online): . 33. Terre des Hommes, Webcam Child Sex Tourism, note 32 above; see also ‘Meet “Sweetie”, a Virtual Girl Created to Target Child Predators’, CNet, 6 November 2013: . 34. The charges included using a carriage service to transmit indecent communications to a person under the age of 16 years (s 474.27A of the Criminal Code Act 1995 (Cth)), possessing child exploitation material (presumably under Queensland law) and failing to comply with a sex offenders register order: Essential Kids, ‘Man Convicted for Webcam Sex with Virtual “Underage Girl”’, 23 October 2014: . 35. Agence-France Press, ‘Australian Convicted in Child Sex Sting with Virtual Filipina Girl’, Inquirer.net, 22 October 2014: . 36. Terre des Hommes, Webcam Child Sex Tourism, note 32 above, pp 25–8. 37. C Houston and L Murdoch, ‘Melbourne Man Jailed over Webcam Sex Offences Involving Filipino Children’, The Sydney Morning Herald, 7 July 2014: . 38. R v Goggins [2014] VCC 1086 (7 July 2014), per Davis J at [32]. There were two Criminal Code Act 1995 (Cth) charges of using a carriage service to access child pornography material, eight charges engaging in sexual activity with a child, seven charges of persistent sexual abuse of a child outside Australia, one charge of causing child pornography material to be transmitted to oneself, one charge of using a carriage service to solicit child pornography, one charge of producing child pornography material for use through a carriage service; as well as charges under the Crimes Act 1958 (Vic) of producing and knowingly possessing child pornography. Two ‘upskirting’ charges under the Summary Offences Act 1966 (Vic) were also dealt with at sentencing. 39. R v Goggins [2014] VCC 1086 (7 July 2014) at [8]–[15]. 40. 
See G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008, p 43, discussed in Chapter 8; and G Urbas, ‘Criminalisation and Cyberspace: Doctrines of Accessorial Liability and Online Groups’, in T Crofts and A Loughnan (eds), Criminalisation and Criminal Responsibility in Australia, Oxford University Press, 2015.


Chapter 10 Cyberstalking, Online Harassment and Voyeurism

Chapter contents
Cyberstalking and online harassment 10.1
Voyeurism and other privacy invasions 10.26
Questions for consideration

10.0 This chapter deals with a number of other ways in which computer-related offending can threaten the safety and privacy of both adults and children, particularly through cyberstalking, harassment and voyeurism. As seen in previous chapters, the rapid and widespread adoption of communications tools, such as smartphones and social media applications, has also resulted in a large number of reported abuses of these technologies. Offensive and harassing behaviour exists in society and translates readily to the online environment. Abusive emails and text messages are sent at the click of a button. Participants in online blogs are routinely attacked. Children and young people often experience cyberbullying, sometimes with tragic consequences. Racist, sexist and otherwise personally abusive or socially harmful websites abound.

Cyberstalking and online harassment

10.1 Cyberstalking is the online version of stalking, itself only fairly recently recognised as a criminal offence.1 As explained by Ogilvie:2

Cyberstalking is analogous to traditional forms of stalking in that it incorporates persistent behaviours that instil apprehension and fear. However, with the advent of new technologies, traditional stalking has taken on entirely new forms through mediums such as email and the Internet. Thus, it becomes cyberstalking … There are three primary ways in which cyberstalking is conducted.

Email Stalking: Direct communication through email.
Internet Stalking: Global communication through the Internet.
Computer Stalking: Unauthorised control of another person’s computer.

10.2 Some Australian State and Territory legislation explicitly defines ‘stalking’ to include acts such as phoning or sending electronic messages to the victim or to another person. For example, in the Australian Capital Territory (ACT):3

35 Stalking
(1) A person must not stalk someone with intent—
    (a) to cause apprehension, or fear of harm, in the person stalked or someone else; or
    (b) to cause harm to the person stalked or someone else; or
    (c) to harass the person stalked.
Maximum penalty:
    (a) imprisonment for 5 years if—
        (i) the offence involved a contravention of an injunction or other order made by a court; or
        (ii) the offender was in possession of an offensive weapon; or
    (b) imprisonment for 2 years in any other case.
(2) For this section, a person stalks someone else (the stalked person) if, on at least 2 occasions, the person does 1 or more of the following:
    (a) follows or approaches the stalked person;
    (b) loiters near, watches, approaches or enters a place where the stalked person resides, works or visits;
    (c) keeps the stalked person under surveillance;
    (d) interferes with property in the possession of the stalked person;
    (e) gives or sends offensive material to the stalked person or leaves offensive material where it is likely to be found by, given to or brought to the attention of, the stalked person;
    (f) telephones, sends electronic messages to or otherwise contacts the stalked person;
    (g) sends electronic messages about the stalked person to anybody else;
    (h) makes electronic messages about the stalked person available to anybody else;
    (i) acts covertly in a way that could reasonably be expected to arouse apprehension or fear in the stalked person;
    (j) engages in conduct amounting to intimidation, harassment or molestation of the stalked person.
…
(6) For this section:
harm means physical harm, harm to mental health, or disease, whether permanent or temporary.
harm to mental health includes psychological harm.
physical harm includes unconsciousness, pain, disfigurement and physical contact that might reasonably be objected to in the circumstances, whether or not there was an awareness of the contact at the time.

10.3 The following case illustrates the application of the above stalking offence to conduct including electronic communications. In this case, the respondent had been convicted by a magistrate and had successfully appealed to the Supreme Court, with the Chief Justice then ordering that the matter be re-heard by the magistrate. The prosecution appealed unsuccessfully against this order.

R v Henderson [2009] ACTCA 20 (26 November 2009) at [2]–[9]

The Court: From about July 2002, the complainant, a female, attended a fitness centre of which the respondent was also a member. From time to time they exchanged greetings but did not otherwise communicate with each other. In May 2004, the complainant moved to another fitness centre and until 2005 there were occasional fleeting meetings, apparently by chance, between her and the respondent. From June 2005 the respondent began to send text messages to the complainant by means of her mobile telephone. How the respondent obtained the complainant’s mobile telephone number is unclear although he suggested in one text message that she had given it to him. The text messages increased in frequency between June 2005 and December 2005 by which time they had totalled 35.

On 23 December 2005, the complainant found a card under the windscreen wiper of her car. It was inscribed on the outer cover, ‘I wanted to get you something expensive and sexy for Christmas’ and on the inside ‘ME’ and ‘Love Paul’. Also on 23 December 2005, the complainant complained to the police about being harassed by the text messages and was advised to send the respondent a request that he desist from texting her. She did so and the respondent replied: ‘Sorry, I wont contact u again I promise. Im not stalking u I just saw your car by accident. I won’t go to the gym anymore. Sorry I should have stopped before but I couldn’t.’

There was no further contact between the respondent and the complainant from 23 December 2005 until 8 March 2006 … The appellant and complainant were then both, coincidentally it seems, at a musical event at ‘The Green Room’, a venue in Phillip, ACT. The appellant approached the complainant after staring in her direction for some time. He touched her arm but she moved away. Later, the appellant followed the complainant and her male companion down the stairs, the complainant heard the appellant say, ‘Are you going to leave with him? Fine leave with him, I don’t care what you do’. She was concerned that the appellant might push her, though he did not, in fact, do so.

The next incident occurred on 6 February 2007 when an order for flowers to the value of $1,000.00 was placed with a florist for delivery to the complainant ‘from Paul Henderson’. The complainant declined to accept delivery and suggested that the flowers be delivered to Calvary Hospital. On 11 February 2007, the complainant received a text message, ‘Is that you Kimi, Paul’. That was sent by the respondent apparently in the mistaken belief that a ‘no number’ call on his telephone had come from the complainant.
There was no further direct contact between the respondent and the complainant but it appears that the respondent sent hundreds of text messages to the public text message line of the radio station, Canberra FM. That apparently occurred because the respondent was under the delusion that the complainant was speaking to him through songs which Canberra FM selected for broadcasting. The complainant had no connection with Canberra FM and the text messages to that radio station only came to her attention because they were referred to her by the police. After she learned of the contents and volume of the text messages she felt ‘overwhelmed, terrified, anxious’.

10.4 There is considerable variation across the State and Territory jurisdictions in the definitions of stalking and the associated offences, including in whether explicit reference is made to electronic communications (Table 10.1).

Table 10.1: Australian State and Territory stalking offences

| Jurisdiction | Provision | Physical elements | Fault elements | Maximum penalty |
|---|---|---|---|---|
| ACT | Crimes Act 1900 s 35 (Stalking) | Specified acts engaged in on at least two separate occasions (including sending electronic messages) | Intent (including knowing that or being reckless as to whether this would be likely) to cause apprehension or fear of harm in the person stalked or someone else; or to cause harm or harass | Imprisonment for five years if involving contravention of an injunction or court order, or the offender was in possession of an offensive weapon; two years otherwise |
| NSW | Crimes (Domestic and Personal Violence) Act 2007 s 13 (Stalking or intimidation with intent to cause fear of physical or mental harm) | Stalking or intimidating another person (defined to include telephone, telephone text messaging, emailing and other technologically assisted means) | Intention (including knowing that this would be likely) of causing the other person to fear physical or mental harm (including to another person in a domestic relationship) | Imprisonment for five years or 50 penalty units or both |
| NT | Criminal Code Act s 189 (Unlawful stalking) | Conduct including repeated instances of specified acts (including by telephone and electronic messages), which actually brings about the fear in the victim specified | Intention (including knowing that this would be likely) of causing physical or mental harm to the victim or of arousing apprehension or fear in the victim for his or her own safety or that of another person | Imprisonment for five years if involving contravention of an injunction or court order, or the offender was in possession of an offensive weapon; two years otherwise |
| QLD | Criminal Code Act 1899 Ch 33A (Unlawful stalking) ss 359A–359F | Conduct directed at a person and prolonged or repeated (including contact by telephone, mail, fax, email or through the use of any technology) | Intentionally directed at the person and such as would cause the stalked person apprehension or fear of violence or causes detriment | Imprisonment for seven years if the person uses or threatens violence against any person or property, or possesses a weapon or contravenes or threatens to contravene an injunction or court order; five years otherwise |
| SA | Criminal Law Consolidation Act 1935 s 19AA (Unlawful stalking) | Specified acts engaged in on at least two separate occasions (including publishing offensive material online or communication by Internet or other electronic means) | Intending to cause serious physical or mental harm or to arouse serious apprehension or fear | Imprisonment for five years if an aggravated offence involving possession of a weapon or contravention of a court order; three years otherwise |
| TAS | Criminal Code Act 1924 s 192 (Stalking) | Pursuing a course of conduct (including publishing or transmitting offensive material by electronic or other means, or using the Internet or any other form of electronic communication) | Intent to cause another person physical or mental harm or to be apprehensive or fearful | A general maximum penalty of 21 years applies to Criminal Code offences |
| VIC | Crimes Act 1958 s 21A (Stalking) | Engaging in a course of conduct (including contact by text message, email or other electronic communication; publishing on the Internet or by an email or other electronic communication; causing an unauthorised computer function; tracing use of the Internet or of email or electronic communications) | Intention of causing physical or mental harm to the victim or arousing apprehension or fear for safety | Imprisonment for 10 years |
| WA | Criminal Code Act Compilation Act 1913 ss 338D and 338E (Stalking) | Pursuing another person (including repeated communication, whether in words or otherwise) | Intent to intimidate (including causing physical or mental harm or arousing apprehension or fear for safety) | Imprisonment for eight years (aggravated offence involving an offensive weapon or contravention of a court order); or three years otherwise |

Sources: Australasian Legal Information Institute (AustLII); State and Territory legislative databases.

10.5 The Criminal Code Act 1995 (Cth) does not have a stalking offence by that name, though stalking is listed in other legislation as an example of behaviour that may constitute ‘family violence’.4 However, its Pt 10.6 offences dealing with the misuse of telecommunications, including Internet and telephone services, may be applied in cyberstalking and similar situations. The following three offences provide prosecutors a flexible choice in responding with appropriate charges:5

474.15 Using a carriage service to make a threat
Threat to kill
(1) A person (the first person) is guilty of an offence if:
    (a) the first person uses a carriage service to make to another person (the second person) a threat to kill the second person or a third person; and
    (b) the first person intends the second person to fear that the threat will be carried out.
Penalty: Imprisonment for 10 years.
Threat to cause serious harm
(2) A person (the first person) is guilty of an offence if:
    (a) the first person uses a carriage service to make to another person (the second person) a threat to cause serious harm to the second person or a third person; and
    (b) the first person intends the second person to fear that the threat will be carried out.
Penalty: Imprisonment for 7 years.
Actual fear not necessary
(3) In a prosecution for an offence against this section, it is not necessary to prove that the person receiving the threat actually feared that the threat would be carried out.
Definitions
(4) In this section:
fear includes apprehension.
threat to cause serious harm to a person includes a threat to substantially contribute to serious harm to the person.

474.16 Using a carriage service for a hoax threat
A person is guilty of an offence if:
    (a) the person uses a carriage service to send a communication; and
    (b) the person does so with the intention of inducing a false belief that an explosive, or a dangerous or harmful substance or thing, has been or will be left in any place.
Penalty: Imprisonment for 10 years.

474.17 Using a carriage service to menace, harass or cause offence
(1) A person is guilty of an offence if:
    (a) the person uses a carriage service; and
    (b) the person does so in a way (whether by the method of use or the content of a communication, or both) that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive.
Penalty: Imprisonment for 3 years.
(2) Without limiting subsection (1), that subsection applies to menacing, harassing or causing offence to [specified employees, eg emergency call persons].

10.6 It is to be noted that the use of a carriage service may be menacing, harassing or offensive either because of the method of use or because of the actual content of a communication.6 However, not all harassing behaviour involves offensive material. Some stalking, for example, consists of sending hundreds or even thousands of messages to a victim, though the messages themselves may be expressions of romantic love rather than intrinsically threatening, or there may be harassment through the repeated ordering of unwanted items, such as flowers or pizza, to the victim’s address.7

10.7 It has been observed that the reference in s 474.17 to ‘reasonable persons’ in the determination of offensiveness is unusual in applying an objective standard:8

Section 474.17 is unusual. Specific statutory reference to the standards of ordinary or reasonable people is not common in statutory offences of offensive or menacing conduct. One might ask whether anything would have been lost if the offence had omitted reference to the RP standard and simply imposed a penalty for conduct that was, ‘in all the circumstances, menacing, harassing or offensive’. Perhaps that would make no difference to the outcome. Though the reference to the RP standard is no longer overt, one might say that it is implicit in the prohibition.

10.8 The meaning of the phrase ‘menacing, harassing or offensive’ was considered in relation to analogous postal offences by the High Court in Monis v The Queen, a case in which a religious fanatic living in Sydney sent abusive letters to the families of Australian soldiers who had been killed in Afghanistan.9

The requirement that the prohibited use of a postal or similar service be one ‘that reasonable persons would regard as being, in all the circumstances, … offensive’ imports an objective but qualitative criterion of criminal liability … The characteristics of the reasonable person, judicially constructed for the purpose of such statutory criteria, have been variously described [as] ‘reasonably tolerant and understanding, and reasonably contemporary in his reactions’ [and] ‘neither a social anarchist, nor a social cynic’. The reasonable person is a constructed proxy for the judge or jury. Like the hypothetical reasonable person who is consulted on questions of apparent bias, the construct is intended to remind the judge or the jury of the need to view the circumstances of allegedly offensive conduct through objective eyes and to put to one side subjective reactions which may be related to specific individual attitudes or sensitivities. That, however, is easier said than done.

10.9 The application of s 474.17 to harassment by telephone is illustrated in the following case, in which a Queensland resident had been convicted after a long-running dispute over allegedly polluted air emanating from a TAFE building:10

Crowther v Sala [2007] QCA 133 (20 April 2007) at [1]–[8]

Williams JA: The applicant, Claire Frances Crowther, was charged in the Magistrates Court with a breach of s 474.17(1) of the Commonwealth Criminal Code. The charge read: ‘That on 26th day of August 2005 at Brisbane City in the State of Queensland one Claire Frances Crowther used a carriage service, namely a telephone line and did so in a way that reasonable persons would regard as being in all of the circumstances, menacing, harassing or offensive.’ … the applicant admitted that she made the two telephone calls in question; they were made from her telephone. In consequence the Magistrate stated that he was satisfied beyond reasonable doubt that the applicant ‘used a carriage service and the carriage service was a telephone line’. The Magistrate then went on to say that the second issue in the trial was whether or not the communication made was such ‘that reasonable persons would regard it as being in all the circumstances menacing, harassing or offensive’. After discussing the meaning of each of those three terms he recorded that in the evidence of both the applicant and the complainant the complainant used the words ‘shot guns’ and ‘up your arse’. The Magistrate then referred again to the fact that the test was an objective one and went on to say: ‘It seems to me that to threaten to do injury to persons at the TAFE and, indeed, to the complainant with a gun would constitute menacing in accordance with an objective test.’ He then referred to the contention of the applicant that she was only using ‘Australian colloquialisms’ in using the words which she did and that in consequence the words used were not, objectively speaking, menacing, harassing or offensive. That submission was rejected by the Magistrate as indicated and he found that the words used were menacing.

10.10 The applicability of stalking legislation to electronic communications has the consequence that communications reaching across jurisdictional boundaries will often need to be considered. An early cyberstalking case involved a defendant in Victoria whose target was the Canadian actress Sara Ballingall from the television series Degrassi Junior High and Degrassi High, and the conduct complained about included phone calls, sending mail and emails, sending gifts, operating a website devoted to the television series, and making various threats:

DPP v Sutcliffe [2001] VSC 43 (1 March 2001) at [5]–[6], [10], [59]–[63], [87], [103]

Gillard J: Prior to 1994 there was no offence of stalking known to Victorian law. It is noted that the charge alleges conduct which occurred prior to the creation of the offence. In common parlance, stalking in respect to a person is pursuing or approaching a person in a stealthy manner. Today it covers a myriad of circumstances in which a person annoys or harasses another person to the point where the victim is concerned for his or her own safety. The conduct may be physical presence or through various means of communication and can take many forms.

… The stalking charge raised a question of jurisdiction because the victim of the alleged stalking resided at all material times in Canada. The alleged actions of the respondent all took place in the State of Victoria. The question came down to whether the offence could be committed by the respondent where the effect of the stalking was experienced outside the jurisdiction.

… The presumption against extra-territorial operation and effect was laid down and applied in an era where it was accepted as a general proposition that ‘all crime is local’ … and there was emphasis on the fact that most crimes were committed at a single location. But in the past 100 years crimes have ceased to be confined to single locations. Criminals are not respecters of borders. State and international boundaries do not concern them. They commit their evil acts anywhere and without thought to location. Movement between countries is much greater now than in the past and subject to less restrictions. Technology has reached the point where communications can be made around the world in less than a second. The Internet provides a speedy, relatively inexpensive means of communication between persons who have access to a computer and a telephone line. Access is not confined to ownership of a computer and businesses have sprung up offering access to the Internet for a small charge. The law must move with these changes.

… It was obvious to Parliament that the conduct could take place in a variety of ways, through a variety of means, and over a long period of time at times when the offender and victim were in different places and could be in different states or different countries. Stalking could occur by use of the telephone, Internet, e-mail and computer and in circumstances where the victim and offender could be many thousands of kilometres apart. Parliament in 1994 was well aware that with the advent of new technologies stalking could take many forms including through mediums of e-mail, Internet and computer.

… It follows in my opinion that the Magistrate was wrong in dismissing the charge of stalking against the respondent on the ground that the Magistrates’ Court lacked jurisdiction. In my opinion it does have jurisdiction to hear the charge against the respondent even though the essential ingredient of the offence, namely proof of the harmful effect, will involve proving the effect of the alleged stalking on a person who at all relevant times was resident in Canada.

10.11 Having resolved the legal question in favour of extraterritorial application, the Supreme Court returned the case to the magistrate, and another appeal followed.11 The wording of the Victorian stalking offence was later revised to clarify its extraterritorial application.12

10.12 The applicability of the offences in Pt 10.6 of the Criminal Code Act 1995 (Cth) — including s 474.17 dealing with use of a carriage service to menace, harass or cause offence — to conduct that crosses jurisdictional boundaries is made clear by the fact that an extended form of geographical jurisdiction applies.13 Where the conduct or its effects occur within Australia, this will be within the jurisdictional scope of the offence, and a prosecution may be brought in Australia.

10.13 A particularly insidious form of online harassment is ‘trolling’, which involves posting offensive or inflammatory comments or other material on websites in order to provoke an outraged reaction. Along with variants such as ‘flaming’ and ‘griefing’, which are harassing activities usually associated with online gaming, this kind of antisocial conduct is very difficult to control, particularly given the real or perceived anonymity that accompanies online behaviour.14 Much of it is ignored, or deleted after complaints, but a proportion simply stays online indefinitely with no legal or other consequences. Nonetheless, offenders can be identified and prosecuted, as the following disturbing case illustrates:15

R v Hampson [2011] QCA 132 (21 June 2011) at [11]–[12]

Muir JA: The applicant subscribed to the tribute pages on the social networking site, Facebook, relating to the deaths of Elliott Fletcher and Trinity Bates. Elliott Fletcher, age 12 years, died after being stabbed at School in Shorncliffe. Trinity Bates, aged 8 years, was taken from her bedroom in her home in Bundaberg and later found deceased in a nearby storm water drain. Many people subscribed to these pages and expressed (‘Posted’) various sentiments of sympathy. Soon after the tribute pages were established, a number of ‘posts’ which contained offensive and insulting material, were posted to the tribute pages. A number of users were identified as having posted the offensive comments and material, but only one user was identified as being within the reach of the Australian police. The applicant subscribed to Facebook under an assumed name. The posts were identified as originating from a computer at the applicant’s home in Tarragindi, Brisbane. Police were able to discover that he had joined the tribute pages on Facebook and that he was ‘friends’ with other users who had been identified as having also posted offensive comments and images. The following particulars of the offences were included in an agreed statement of facts:

Count 1: (Distribute Child Exploitation Material) & Count 2: (Use a carriage service to menace, harass or cause offence)

On or about 15 February 2010, the defendant using the pseudonym, ‘Dale Angerer’ posted to the Elliot Fletcher tribute page an image of Elliot Fletcher’s face with the words ‘woot im dead’ superimposed on the image. On or about 15 February 2010, the defendant posted a morphed image of Elliot Fletcher’s head in the hopper of a wood-chipper. There is a graphic simulation of blood exiting the wood-chipper. The profile picture of ‘Dale Angerer’ is depicted next to the woodchipper and a caption bubble reads, ‘Hi, Dale Angerer here I fully endorse this product. This woodchipper can mince up any dead corpse or your money back guarantee.’

Count 1: (Distribute Child Exploitation Material) & Count 3: (Use a carriage service to menace, harass or cause offence)

On 23 February 2010, the defendant using the pseudonym, ‘Dale Angerer’ posted to the Trinity Bates tribute page a manipulated image of a male giving a press conference with a superimposed speech bubble ‘NO NEW LEADS BUT THE PERP CAN’T BE FAR AWAY’. Superimposed behind the male giving the press conference is the profile image for ‘Dale Angerer’. Between 23 and 27 February 2010, as numerous comments were posted by users expressing their sympathy about the death of Trinity Bates, the defendant posted a series of comments to the tribute page about Trinity Bates and other users … On or about 25 February 2010, the defendant using the pseudonym, ‘Dale Angerer’ posted to the Trinity Bates tribute page an image of Trinity Bates’ face with the words ‘woot im dead’ superimposed on the image.
On or about 26 February 2010, the defendant using the pseudonym, ‘Dale Angerer’ posted to the Trinity Bates tribute page an image of Trinity Bates’ face superimposed with four erect penises simulating ejaculation. The image is manipulated such that it appears Trinity Bates is grasping two of the penises with her hands. On or about 27 February 2010, the defendant using the pseudonym, ‘Dale Angerer’, posted two images to the Trinity Bates tribute page. One image depicts an image of Trinity Bates superimposed upon a cartoon of a bear with its male genitals exposed. The caption below the image state ‘PEADOBEAR DID IT!’. The second image depicts an image from a movie of the upper torso of a male. The image has been altered as the

word ‘DALE’ is superimposed on the male’s shirt and a bubbled caption reads, ‘I DIDN’T DO IT!!’. [page 248] Count 4: Possess Child Exploitation Material A forensic examination of the defendant’s seized computer equipment located a quantity of child exploitation material. A total of 96 images (27 unique) depict or describe children in sexual acts and 106 images (36 unique) depicted sadism of children. The 96 images (27 unique) which depict or describe children in sexual acts are manipulated images of mostly deceased children with graphic material, that is images and/or text, superimposed on them. Images of deceased children include Madeline McCann and James Bulger, with penises superimposed on their faces. The image of James Bulger has the text ‘HAD IT COMING’ superimposed on it. Three unique images depict three different babies with a penis superimposed over its mouth. One unaltered image is of a female child, approximately 10–12 years of age in a g-string bikini in a sexualised pose with her legs spread. Eight images depicted actors from movies with offensive or demeaning text captions about children superimposed … The 106 images (36 unique) which depict sadism of children are manipulated images [of] children with graphic material, that is images and/or text, superimposed on them. One morphed or manipulated image depicts the head of Adam Walsh, a child murdered in the United States, being hit by a baseball bat. Another morphed image depicts a baby being put through a wood-chipper with the text, ‘Hi, Dale Angerer here I fully endorse this product. This wood-chipper can mince up any dead corpse or your money back GUARANTEE.’ Another manipulated image depicts a male child approximately 5–10 years of age with their head in a dog’s mouth and bared teeth. A forensic analysis also located a number of the unaltered images which formed the basis for the manipulated or ‘morphed’ image.

10.14 Such activities form part of a larger category of online harassing behaviour that is increasingly being referred to as ‘cyberbullying’, particularly where young people are involved as offenders and victims.16 With the ubiquity of mobile devices with Internet connectivity as well as photo and video capability, such as smartphones, it is all too easy for one person to send another an offensive or harassing message. The activity appears to be especially prevalent among adolescents:17

In recent years bullying through electronic means, specifically mobile phones or the internet, has emerged, often collectively labelled ‘cyberbullying’. A corresponding definition of cyberbullying is: ‘An aggressive, intentional act carried out by a group or individual, using electronic forms of contact, repeatedly and over time against a victim who cannot easily defend him or herself’. The potential for cyberbullying has grown with the increasing penetration of networked computers and mobile phones among young people … Cyberbullying has clearly diversified beyond bullying by text messages or emails. Those referred to in recent press reports and websites … involve mobile phones (bullying by phone calls, text messages, and picture/videoclip bullying including so-called ‘happy slapping’, where a victim is slapped or made to appear silly by one person, filmed by another, and the resulting pictures circulated on mobile phones); and using the internet (bullying by emails, chat room, through instant messaging; and via websites). Some cyberbullying can combine the anonymity of the aggressor found in conventional indirect aggression with the targeted attack on the victim found in conventional direct aggression.

10.15 While bullying has unfortunately long been a negative part of school life and, to some extent, the workplace and other institutional settings, its migration to the online environment magnifies its reach and hence the harm that can be caused. Online bullying can happen at any hour of the day, or late at night. It can be seen by many others, particularly if done on social media, or by the victim alone. It can be experienced as an acute personal attack, and as degradation within a peer group. It can be joined in by others, again magnifying its negative consequences. In some cases, victims of cyberbullying have taken their own lives.18

10.16 In recognition of the harm that can be done through cyberbullying, new Commonwealth legislation is being enacted that will establish the office of a Children’s e-Safety Commissioner, with powers to receive and act on complaints about cyberbullying as well as promoting online safety:19

The Commissioner will be an independent statutory office within the Australian Communications and Media Authority (ACMA). A key function of the Commissioner will be to administer a complaints system for cyber-bullying material targeted at an Australian child. Other functions of the Commissioner will include promoting online safety for children, coordinating relevant activities of Commonwealth Departments, authorities and agencies, supporting, conducting, accrediting and evaluating educational and community awareness programs, making grants and advising the Minister.

10.17 Key definitions in the Enhancing Online Safety for Children Act 2015 (Cth) are as follow (ss 4 and 5):

Australian child means a child who is ordinarily resident in Australia.

child means an individual who has not reached 18 years.

Commissioner means the Children’s e-Safety Commissioner.

Convention on the Rights of the Child means the Convention on the Rights of the Child done at New York on 20 November 1989.
Note: The Convention is in Australian Treaty Series 1991 No. 4 ([1991] ATS 4) and could in 2014 be viewed in the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).

cyber-bullying material targeted at an Australian child has the meaning given by section 5.

electronic service means:
(a) a service that allows end-users to access material using a carriage service; or
(b) a service that delivers material to persons having equipment appropriate for receiving that material, where the delivery of the service is by means of a carriage service;
but does not include:
(c) a broadcasting service (within the meaning of the Broadcasting Services Act 1992); or
(d) a datacasting service (within the meaning of that Act).

material means material:
(a) whether in the form of text; or
(b) whether in the form of data; or
(c) whether in the form of speech, music or other sounds; or
(d) whether in the form of visual images (moving or otherwise); or
(e) whether in any other form; or
(f) whether in any combination of forms.

online safety for children means the capacity of Australian children to use social media services and electronic services in a safe manner, and includes the protection of Australian children using those services from cyber-bullying material targeted at an Australian child.

relevant electronic service means any of the following electronic services:
(a) a service that enables end-users to communicate, by means of email, with other end-users;
(b) an instant messaging service that enables end-users to communicate with other end-users;
(c) an SMS service that enables end-users to communicate with other end-users;
(d) an MMS service that enables end-users to communicate with other end-users;
(e) a chat service that enables end-users to communicate with other end-users;
(f) a service that enables end-users to play online games with other end-users;
(g) an electronic service specified in the legislative rules.
Note 1: SMS is short for short message service.
Note 2: MMS is short for multimedia message service.

5 Cyber-bullying material targeted at an Australian child
(1) For the purposes of this Act, if material satisfies the following conditions:
(a) the material is provided on a social media service or relevant electronic service;
(b) an ordinary reasonable person would conclude that:
(i) it is likely that the material was intended to have an effect on a particular Australian child; and
(ii) the material would be likely to have the effect on the Australian child of seriously threatening, seriously intimidating, seriously harassing or seriously humiliating the Australian child;
(c) such other conditions (if any) as are set out in the legislative rules;
then:
(d) the material is cyber-bullying material targeted at the Australian child; and
(e) the Australian child is the target of the material.
(2) An effect mentioned in subsection (1) may be:
(a) a direct result of the material being accessed by, or delivered to, the Australian child; or
(b) an indirect result of the material being accessed by, or delivered to, one or more other persons.
(3) Subsection (1) has effect subject to subsection (4).
(4) For the purposes of this Act, if:
(a) a person is:
(i) in a position of authority over an Australian child; and
(ii) an end-user of a social media service or relevant electronic service; and
(b) in the lawful exercise of that authority, the person posts material on the service; and
(c) the posting of the material is reasonable action taken in a reasonable manner;
the material is taken not to be cyber-bullying material targeted at the Australian child.

10.18 The substantive provisions of the Enhancing Online Safety for Children Act 2015 (Cth) allow complaints to be made about cyberbullying material provided on a social media service or relevant electronic service, by:20 an Australian child who has reason to believe that he or she was or is the target; an adult who is a parent or guardian of the child and has been authorised by the child to make a complaint on his or her behalf; or an adult who was within the previous six months an Australian child who has reason to believe that he or she was or is the target.

10.19 The Children’s e-Safety Commissioner may investigate and provide written notices to designated social media services to remove offending material within 48 hours, with non-compliance exposing the service to civil penalties.21

10.20 Some cyberbullying actually urges victims to take their own lives. While committing or attempting suicide is no longer a crime under Australian law, urging another person’s suicide is an offence in most jurisdictions.22 For example, s 17 of the Crimes Act 1900 (ACT) provides:

17 Suicide—aiding etc
(1) A person who aids or abets the suicide or attempted suicide of another person is guilty of an offence punishable, on conviction, by imprisonment for 10 years.
(2) If—
(a) a person incites or counsels another person to commit suicide; and
(b) the other person commits, or attempts to commit, suicide as a consequence of that incitement or counselling;
the first mentioned person is guilty of an offence punishable, on conviction, by imprisonment for 10 years.

10.21 The Criminal Code Act 1995 (Cth) also includes some provisions directed at online suicide-related material, though not punishable by imprisonment:23

474.29A Using a carriage service for suicide related material
(1) A person is guilty of an offence if:
(a) the person:
(i) uses a carriage service to access material; or
(ii) uses a carriage service to cause material to be transmitted to the person; or
(iii) uses a carriage service to transmit material; or
(iv) uses a carriage service to make material available; or
(v) uses a carriage service to publish or otherwise distribute material; and
(b) the material directly or indirectly counsels or incites committing or attempting to commit suicide; and
(c) the person:
(i) intends to use the material to counsel or incite committing or attempting to commit suicide; or
(ii) intends that the material be used by another person to counsel or incite committing or attempting to commit suicide.
Penalty: 1,000 penalty units.
(2) A person is guilty of an offence if:
(a) the person:
(i) uses a carriage service to access material; or
(ii) uses a carriage service to cause material to be transmitted to the person; or
(iii) uses a carriage service to transmit material; or
(iv) uses a carriage service to make material available; or
(v) uses a carriage service to publish or otherwise distribute material; and
(b) the material directly or indirectly:
(i) promotes a particular method of committing suicide; or
(ii) provides instruction on a particular method of committing suicide; and
(c) the person:
(i) intends to use the material to promote that method of committing suicide or provide instruction on that method of committing suicide; or
(ii) intends that the material be used by another person to promote that method of committing suicide or provide instruction on that method of committing suicide; or
(iii) intends the material to be used by another person to commit suicide.
Penalty: 1,000 penalty units.

10.22 Subsections (3) and (4) of s 474.29A provide an exemption from criminal liability for persons who ‘engage in public discussion or debate about euthanasia or suicide’ or ‘advocate reform of the law relating to euthanasia or suicide’ as long as this is done with no intention of counselling or inciting suicide or instructing in any particular method of suicide. The difficult issues of assisted suicide or ‘mercy killing’, and euthanasia in general, are the subject of ongoing community debate.24 Conduct that crosses the line into urging, counselling or assisting suicide killing may lead to legal proceedings, including criminal prosecutions. This includes the phenomenon of ‘suicide pacts’.25 In some cases, material obtained online by those involved has been part of the evidence.26

10.23 A further form of behaviour to consider in the context of online harassment is vilification. This may be directed at a particular individual or group, or more widely at a race, ethnicity, religious denomination or sexual orientation. Anti-discrimination laws enacted by the Commonwealth, States and Territories over recent decades may address such behaviour, including online posts and communications. Racially vilifying material on websites has been ordered to be removed under the Racial Discrimination Act 1975 (Cth).27 However, this utilises a civil remedy rather than a criminal prosecution process.28

10.24 The Council of Europe’s Convention on Cybercrime does not have provisions directed at online vilification, but there is an Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems. Its substantive provisions are as follow:29

Article 3 — Dissemination of racist and xenophobic material through computer systems
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct: distributing, or otherwise making available, racist and xenophobic material to the public through a computer system …

Article 4 — Racist and xenophobic motivated threat
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct: threatening, through a computer system, with the commission of a serious criminal offence as defined under its domestic law, (i) persons for the reason that they belong to a group, distinguished by race, colour, descent or national or ethnic origin, as well as religion, if used as a pretext for any of these factors, or (ii) a group of persons which is distinguished by any of these characteristics.

Article 5 — Racist and xenophobic motivated insult
Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right, the following conduct: insulting publicly, through a computer system, (i) persons for the reason that they belong to a group distinguished by race, colour, descent or national or ethnic origin, as well as religion, if used as a pretext for any of these factors; or (ii) a group of persons which is distinguished by any of these characteristics.

Article 6 — Denial, gross minimisation, approval or justification of genocide or crimes against humanity
Each Party shall adopt such legislative measures as may be necessary to establish the following conduct as criminal offences under its domestic law, when committed intentionally and without right: distributing or otherwise making available, through a computer system to the public, material which denies, grossly minimises, approves or justifies acts constituting genocide or crimes against humanity, as defined by international law and recognised as such by final and binding decisions of the International Military Tribunal, established by the London Agreement of 8 August 1945, or of any other international court established by relevant international instruments and whose jurisdiction is recognised by that Party.


10.25 If Australia wished to accede to this Additional Protocol to the Convention on Cybercrime this might require legislative amendment of the Racial Discrimination Act 1975 (Cth) so as to include racial vilification offences. At present, such offences are to be found only in some State and Territory legislation. For example, s 24 of the Racial and Religious Tolerance Act 2001 (Vic) provides:30

24 Offence of serious racial vilification
(1) A person (the offender) must not, on the ground of the race of another person or class of persons, intentionally engage in conduct that the offender knows is likely—
(a) to incite hatred against that other person or class of persons; and
(b) to threaten, or incite others to threaten, physical harm towards that other person or class of persons or the property of that other person or class of persons.
Note: ‘Engage in conduct’ includes use of the internet or e-mail to publish or transmit statements or other material.
Penalty: In the case of a body corporate, 300 penalty units; In any other case, imprisonment for 6 months or 60 penalty units or both.
(2) A person (the offender) must not, on the ground of the race of another person or class of persons, intentionally engage in conduct that the offender knows is likely to incite serious contempt for, or revulsion or severe ridicule of, that other person or class of persons.
Note: ‘Engage in conduct’ includes use of the internet or e-mail to publish or transmit statements or other material.
Penalty: In the case of a body corporate, 300 penalty units; In any other case, imprisonment for 6 months or 60 penalty units or both.
(3) For the purposes of subsections (1) and (2), conduct—
(a) may be constituted by a single occasion or by a number of occasions over a period of time; and
(b) may occur in or outside Victoria.
(4) A prosecution for an offence against subsection (1) or (2) must not be commenced without the written consent of the Director of Public Prosecutions.

Voyeurism and other privacy invasions

10.26 Finally, some intrusive behaviour online is characterised by its lack of regard for the privacy of others, including sexual privacy. With the widespread use of smartphones, webcams and mini-devices of various kinds, as well as the exploitation of technical vulnerabilities through malware such as remote access tools (RATs), there is a wealth of opportunities for technology-enabled spying on others.

10.27 Voyeurs such as ‘peeping Toms’ have been part of society through history. The misuse of technology for prurient purposes is thus hardly surprising, though it appears to have taken commentators and legislators by surprise:31

A troubling wave of photography has hit the Internet in the last couple years, simply because everyone has either a cell phone that takes photos or has a digital camera. Photos of our body’s private places are being taken then posted online. Imagine a woman putting on a skirt or dress to go some place and while she’s out, perhaps as she’s standing waiting for a traffic light, someone slides a cell phone between her legs or under the hem of her skirt and snaps a photograph. This is what’s called ‘upskirting’. There’s also ‘downblousing’, where the photos are taken down a woman’s shirt. A question that comes to mind: is there any legal recourse for these women who have essentially been violated? That’s debatable, and it seems that it has lawmakers somewhat baffled over what to do.

10.28 In Australia, there are some offences that may be applicable to such behaviour. Apart from general charges, such as offensive behaviour in public, there are some more specific offences created to reflect the technological aspects of these kinds of voyeurism. Examples are in Div 15B of the Crimes Act 1900 (NSW):

91I Definitions
(1) In this Division:
building includes a vehicle, vessel, tent or temporary structure.
private parts means a person’s genital area or anal area, whether bare or covered by underwear.
(2) For the purposes of this Division, a person is engaged in a private act if:
(a) the person is in a state of undress, using the toilet, showering or bathing, engaged in a sexual act of a kind not ordinarily done in public, or engaged in any other like activity, and
(b) the circumstances are such that a reasonable person would reasonably expect to be afforded privacy.
(3) For the purposes of this Division, a person films another person, or another person’s private parts, if the person causes one or more images (whether still or moving) of the other person or the other person’s private parts to be recorded or transmitted for the purpose of enabling the person or a third person to observe those images (whether during the filming or later).

91J Voyeurism
(1) General offence
A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act:
(a) without the consent of the person being observed to being observed for that purpose, and
(b) knowing that the person being observed does not consent to being observed for that purpose,
is guilty of an offence.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) An offence against subsection (1) is a summary offence.
(3) Aggravated offence
A person who, for the purpose of obtaining sexual arousal or sexual gratification, observes a person who is engaged in a private act:
(a) without the consent of the person being observed to being observed for that purpose, and
(b) knowing that the person being observed does not consent to being observed for that purpose, and
(c) in circumstances of aggravation,
is guilty of an offence.
Maximum penalty: imprisonment for 5 years.
(4) In this section, circumstances of aggravation means circumstances in which:
(a) the person whom the offender observed was a child under the age of 16 years, or
(b) the offender constructed or adapted the fabric of any building for the purpose of facilitating the commission of the offence.
…

91K Filming a person engaged in private act
(1) General offence
A person who, for the purpose of obtaining, or enabling another person to obtain, sexual arousal or sexual gratification, films another person who is engaged in a private act:
(a) without the consent of the person being filmed to being filmed for that purpose, and
(b) knowing that the person being filmed does not consent to being filmed for that purpose,
is guilty of an offence.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) An offence against subsection (1) is a summary offence.
(3) Aggravated offence
A person who, for the purpose of obtaining, or enabling another person to obtain, sexual arousal or sexual gratification, films another person who is engaged in a private act:
(a) without the consent of the person being filmed to being filmed for that purpose, and
(b) knowing that the person being filmed does not consent to being filmed for that purpose, and
(c) in circumstances of aggravation,
is guilty of an offence.
Maximum penalty: imprisonment for 5 years.
(4) In this section, circumstances of aggravation means circumstances in which:
(a) the person whom the offender filmed was a child under the age of 16 years, or
(b) the offender constructed or adapted the fabric of any building for the purpose of facilitating the commission of the offence.
…

91L Filming a person’s private parts
(1) General offence
A person who, for the purpose of obtaining, or enabling another person to obtain, sexual arousal or sexual gratification, films another person’s private parts, in circumstances in which a reasonable person would reasonably expect the person’s private parts could not be filmed:
(a) without the consent of the person being filmed to being filmed for that purpose, and
(b) knowing that the person being filmed does not consent to being filmed for that purpose,
is guilty of an offence.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) An offence against subsection (1) is a summary offence.
(3) Aggravated offence
A person who, for the purpose of obtaining, or enabling another person to obtain, sexual arousal or sexual gratification, films another person’s private parts, in circumstances in which a reasonable person would expect that his or her private parts could not be filmed:
(a) without the consent of the person being filmed to being filmed for that purpose, and
(b) knowing that the person being filmed does not consent to being filmed for that purpose, and
(c) in circumstances of aggravation,
is guilty of an offence.
Maximum penalty: imprisonment for 5 years.
(4) In this section, circumstances of aggravation means circumstances in which:
(a) the person whom the offender filmed was a child under the age of 16 years, or
(b) the offender constructed or adapted the fabric of any building for the purpose of facilitating the commission of the offence.
…

91M Installing device to facilitate observation or filming
(1) Offence
A person who, with the intention of enabling that person or any other person to commit an offence against section 91J, 91K or 91L, installs any device, or constructs or adapts the fabric of any building, for the purpose of facilitating the observation or filming of another person, is guilty of an offence.
Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) An offence against this section is a summary offence.
…

10.29 These provisions were inserted by the Crimes Amendment (Sexual Offences) Act 2008 (NSW). In Victoria, similar offences were introduced into the Summary Offences Act 1966 (Vic) through the Summary Offences Amendment (Upskirting) Act 2007 (Vic). More recently, Victoria has added summary offences of distribution of intimate images, which target non-consensual ‘sexting’ and related acts involving both adult and child victims. Where children are involved, of course, child pornography and grooming laws may also be applicable.

10.30 In the Australian Capital Territory, which is in the process of introducing offences similar to those in New South Wales, cases have been dealt with under older criminal charges, as well as Commonwealth offences.32

R v McDonald and Deblaquiere [2013] ACTSC 122 (27 June 2013) at [17], [32]–[33]

Refshauge J: Mr McDonald has been charged with offences against s 60(1) of the Crimes Act 1900 (ACT) (committing an act of indecency without consent) and against s 474.17(1) of the Criminal Code Act 1995 (Cth) (using a carriage service to menace, harass or cause offence). Mr DeBlaquiere has been charged only with the latter offence …

The complainant and Mr McDonald met through their employment as cadets at the Australian Defence Force Academy. They engaged in some communication through the online social networking website, Facebook. They discussed what was described as a ‘friends with benefits’ arrangement, that is, friends engaged in a sexual relationship. On 29 March 2011, the complainant agreed to a ‘friends with benefits’ arrangement with Mr McDonald, but with conditions, one being relevantly that it was confidential between them and neither of them would tell anyone else in the Academy about it. Mr McDonald agreed. The two also agreed to meet that night for the purposes of sexual activity. Later that afternoon, Mr McDonald told Mr DeBlaquiere that he was to have sex with a female cadet that evening. Mr DeBlaquiere sent a text message suggesting the sexual activity be filmed. They then agreed that, during the encounter with the complainant, Mr McDonald would activate his computer’s webcam, a small video camera which allows users to stream video to others via the Internet. They would use this to broadcast the sexual activity to Mr DeBlaquiere’s computer in his room. At about 8:00 pm that night, Mr McDonald and the complainant made arrangements to meet at 11:45 pm. At 11:44 pm, Mr McDonald activated his computer, connecting it to the Internet and at 11:52 pm logged on to Skype. Shortly before midnight, the complainant met Mr McDonald and went to his room where they engaged in consensual sexual intercourse. At times during the activity, Mr McDonald made gestures towards the webcam on his computer. During this time, Mr DeBlaquiere was, with five other cadets, watching the sexual intercourse on his computer. The complainant had no knowledge of the fact that the sexual intercourse was being filmed and broadcast. The complainant did not consent to the filming or broadcasting; indeed, it was contrary to the conditions under which she had agreed to enter into the arrangement with Mr McDonald. Later that evening, when the complainant returned to her room, she discovered that she had received a message on Facebook from Mr McDonald suggesting that their sexual intercourse had been broadcast. The complainant responded, stating ‘Please tell me I wasn’t on webcam?’ and Mr McDonald telephoned her, telling her that he did not have his webcam activated and that the message must have been posted by a friend as a joke.

10.31 Finally, developments in other countries suggest that websites featuring what is known as ‘revenge porn’ are the next to fall under legislative scrutiny.33 While such material may be lawful adult erotica in its visual content, the distribution of it principally in order to harass, intimidate or humiliate an ex-partner may well constitute stalking under Australian laws, or an offence under s 474.17 of using a carriage service in a menacing, harassing or offensive manner.


Questions for consideration

1. In a United Kingdom study of cyberstalking behaviour and victims, L P Sheridan and T Grant, ‘Is Cyberstalking Different?’ (2007) 13(6) Psychology, Crime and Law 627 at 636 (notes omitted), concluded that:

In terms of effects on the victim, off-line stalking was associated more with changes to the victim’s social and employment spheres, whilst online stalking was more strongly associated with loss of family and friends. The latter finding is difficult to unpack, particularly given that victims reported an increase in negative effects on friends and family as the degree of off-line stalking increased. Also, victims reported the lowest mean number of third parties affected in cases of purely online stalking. It may be that the online medium is more conducive to both the distribution of falsehoods concerning the victim, and the stalker sending malicious communications to the victim’s family and friends whilst posing as the victim. Indeed, a number of respondents related such episodes: ‘She set up an email account with an address almost identical to my own and then proceeded to send offensive emails to people in my name.’ Perhaps the most important finding in terms of effects on victims was that levels of all medical and psychological effects, and most social and financial effects did not differ significantly according to degree of cyber involvement.

How do these findings accord with expectations about the effects of online stalking and harassment? What are the differences (if any) between online and offline offending?

2. In introducing the Enhancing Online Safety for Children Bill 2014 (Cth), the minister stated in his Second Reading Speech on 3 December 2014:

The measures in this bill implement key aspects of the government’s election commitment to enhance online safety for Australian children. The internet — and social media — offers a forum for human interaction which in the main is of great social benefit. But sometimes human interactions go wrong — offline or online. When that happens, the internet — and social media in particular — can make bullying behaviours more dangerous to children who are the victim of those behaviours. The measures in this bill will bring a better and more rapid response to these dangers — and help keep Australian children safer online.

How does the new legislation achieve this desirable aim? Will it succeed?

3. D Keats Citron and M A Franks, ‘Criminalizing Revenge Porn’ (2014) 49 Wake Forest Law Review 345; University of Maryland Legal Studies Research Paper No. 2014-1, state at p 347 (notes omitted) in reference to the United States:

Revenge porn victims have only recently come forward to describe the grave harms they have suffered, including stalking, loss of professional and educational opportunities, and psychological damage. As with domestic violence and sexual assault, victims of revenge porn suffer negative consequences for speaking out, including the risk of increased harm. We are only now beginning to get a sense of how large the problem of revenge porn is now that brave, outspoken victims have opened a space for others to tell their stories. The fact that non-consensual porn so often involves the Internet and social media, the public, law enforcement, and the judiciary sometimes struggle to understand the mechanics of the conduct and the devastation it can cause.

How should Australians prepare themselves for similar developments here?

1. A summary of Australian State and Territory legislative provisions is provided in Table 10.1.
2. E Ogilvie, ‘Cyberstalking’, Trends & Issues in Crime and Criminal Justice no.166, Australian Institute of Criminology, September 2000; and E Ogilvie, ‘Stalking: Legislative, Policing and Prosecution Patterns in Australia’, Research and Public Policy Series no. 34, Australian Institute of Criminology, 2000; see also G Urbas, ‘Australian Legislative Responses to Stalking’, paper presented at Stalking: Criminal Justice Responses Conference, Sydney, 7–8 December 2000.
3. Crimes Act 1900 (ACT) s 35. Subsections (3)–(5) provide further details about liability under the provision. The Commonwealth does not have a specific stalking offence, but note that s 474.17 (Using a carriage service to menace, harass or cause offence) of the Criminal Code Act 1995 (Cth) performs a similar role in relation to online behaviour (discussed below at [10.5]).
4. Family Law Act 1975 (Cth) s 4AB (Definitions of family violence etc.); see also ss 68C and 114AA (Powers of arrest).
5. These offences were added to the Criminal Code Act 1995 (Cth) by the Crimes Legislation Amendment (Telecommunications Offences and Other Measures) Act (No. 2) 2004 (Cth) with effect from 1 March 2005.
6. As with the child pornography offences discussed in Chapter 8, the meaning of ‘offensive’ is partly defined by s 473.4 (Determining whether material is offensive), which makes reference to standards of morality, decency and propriety generally accepted by reasonable adults; the literary, artistic or educational merit (if any) of the material; and the general character of the material (including whether it is of a medical, legal or scientific character).
7. A recent example is described in B Baskin, ‘Stalker Bombarded Young Prostitute with Thousands of Calls, Text Messages’, Courier Mail, 1 August 2014.
8. I Leader-Elliot, ‘The Australian Criminal Code: Time for Some Changes’ (2009) 37(2) Federal Law Review 205 at 229. However, it should be noted that the definitions of ‘child abuse material’ and ‘child pornography material’ in s 473.1 refer to children being depicted ‘in a way that reasonable persons would regard as being, in all the circumstances, offensive’ and that s 473.4 (Determining whether material is offensive) supplements these definitions by providing: ‘The matters to be taken into account in deciding for the purposes of this Part whether reasonable persons would regard particular material, or a particular use of a carriage service, as being, in all the circumstances, offensive, include: (a) the standards of morality, decency and propriety generally accepted by reasonable adults; and (b) the literary, artistic or educational merit (if any) of the material; and (c) the general character of the material (including whether it is of a medical, legal or scientific character)’.
9. Monis v The Queen [2013] HCA 4 (27 February 2013) at [44] per French CJ (notes omitted). The defendant had been convicted under s 471.12 of the Criminal Code Act 1995 (Cth) for using postal or similar services in a way that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive. On the constitutional question whether this provision was invalid in imposing an impermissible limitation on the implied freedom of communication, the High Court split 3:3 with the result that the appeal by Monis and his co-accused Droudis was dismissed. Tragically, Monis took 17 people hostage in Sydney’s Martin Place and he and two of the hostages were killed in the Lindt Café where they were being held: L Knowles, ‘Sydney Siege: Man Behind Martin Place Stand-Off was Iranian Man Haron Monis, Who Had Violent Criminal History’, ABC News, 16 December 2014.
10. The defendant was found by the magistrate to have contravened s 474.17 but the magistrate discharged her without recording a conviction, imposing a $1000 recognisance and a 12-month good behaviour bond. Her appeals to the District Court and the Supreme Court were unsuccessful. The case is further discussed in I Leader-Elliot, ‘The Australian Criminal Code: Time for Some Changes’, note 8 above, at 229–31; and also in A Hemming, ‘When Is a Code a Code?’ (2010) 15(1) Deakin Law Review 65. Telephone and text message harassment can also be prosecuted as stalking: R v Briggs [2013] QCA 110 (14 May 2013).
11. Sutcliffe v DPP [2003] VSCA 34 (7 April 2003). However, the Court of Appeal refused leave to appeal because there had not actually been a resolution of the charges before them to appeal from: ‘As I see it, the difficulty in granting leave to appeal lies in the fact that the parties have thus far been proceeding upon an agreed statement of facts. Nothing has yet been established against the defendant, for no admissions have been made and no evidence has yet been led … As a general rule this Court sets its face not only against the fragmentation of criminal proceedings but also against the expression of an advisory opinion. That, it seems to me, is what is being sought here. In my opinion it is time now for the parties to go into evidence and to establish the facts upon which this matter depends. Until they have done so, I cannot see how this proceeding can be characterised otherwise than as an application for an advisory opinion’: per Phillips JA at [7]–[8], Buchanan and Chernov JJA agreeing.
12. Section 21A (Stalking) of the Crimes Act 1958 (Vic) now provides that it is immaterial that some or all of the course of conduct constituting an offence against the provision occurred outside Victoria, as long as the victim was in Victoria at the time at which that conduct occurred, or, where the victim was outside Victoria, that the conduct occurred in Victoria.
13. Criminal Code Act 1995 (Cth) s 475.2 (Geographical jurisdiction), which states that extended geographical jurisdiction—category A applies to offences in Pt 10.6. A similar provision is made in s 476.3 for Pt 10.7 offences. This means that an offence can only be committed if the conduct occurred wholly in Australia or on board an Australian aircraft or ship, or the conduct occurred outside Australia but an effect of the conduct occurred in Australia or on board an Australian aircraft or ship, or the person against whom the offence is charged was an Australian citizen or corporation, or the offence is ancillary to a principal offence which falls within jurisdiction. Issues of jurisdiction are discussed further in Chapter 11.
14. S Thacker, ‘An Exploratory Study of Trolling in Online Video Gaming’ (2012) 2(4) International Journal of Cyber Behaviour, Psychology and Learning 1; A Bochaver and K Khlomov, ‘Cyberbullying: Harassment in the Space of Modern Technologies’ (2014) 11(3) Psychology: Journal of Higher School of Economics 178 (in Russian).
15. The sentences that had been imposed after pleas of guilty, which included three years’ imprisonment with release after 12 months on the s 474.17 charges, were reduced on appeal to two years’ imprisonment with immediate release on a good behaviour bond. See also ‘Australia’s First Trolling Case Hits Court’, AM Program, ABC Radio National, 5 June 2000.
16. Q Li, ‘New Bottle But Old Wine: A Research of Cyberbullying in Schools’ (2007) 23(4) Computers in Human Behaviour 1777; S Kift, M Campbell and D Butler, ‘Cyberbullying in Social Networking Sites and Blogs: Legal Issues for Young People and Schools’ (2010) 20(2) Journal of Law, Information and Science 60.
17. P K Smith, J Mahdavi, M Carvalho, S Fisher, S Russell and N Tippett, ‘Cyberbullying: Its Nature and Impact in Secondary School Pupils’ (2008) 49(4) Journal of Child Psychology and Psychiatry 376; see also M A Campbell, ‘Cyber Bullying: An Old Problem in a New Guise?’ (2005) 15(1) Australian Journal of Guidance and Counselling 68; and S Kift, M Campbell and D Butler, ‘Cyberbullying in Social Networking Sites and Blogs: Legal Issues for Young People and Schools’, note 16 above.
18. In Australia, the suicide of Charlotte Dawson showed that the lethal effects of cyberbullying can also extend to adults in the public limelight: ‘Charlotte Dawson, Former Model and Television Personality, Found Dead in Sydney Apartment’, ABC News, 23 February 2014. In other countries, suicides of bullying victims — including the cases of Rehtaeh Parsons and Audrie Pott in Canada; Amanda Todd, Jessica Logan, Tyler Clementi and Ryan Halligan in the United States; and sadly many others — have led to calls for greater social responses, such as education and legal changes. See, for help against cyberbullying, the BeyondBlue website.
19. Explanatory Memorandum to the Enhancing Online Safety for Children Bill 2014 (Cth), which was introduced into Parliament on 3 December 2014 and passed both Houses without amendment on 4 March 2015. The legislation is thus the Enhancing Online Safety for Children Act 2015 (Cth).
20. Enhancing Online Safety for Children Act 2015 (Cth) s 18.
21. Enhancing Online Safety for Children Act 2015 (Cth) Part 3 — Complaints about cyber-bullying material, Part 4 — Social media services, Part 5 — End-user notices, and Part 6 — Enforcement. See further P Fletcher MP, ‘Senate Passes Enhancing Online Safety for Children Bill with Strong Bipartisan Support’, media release, 4 March 2015.
22. See Halsbury’s Laws of Australia, ‘Homicide’ (Title 130), LexisNexis; and S Bronitt and B McSherry, Principles of Criminal Law, Thomson Reuters, 3rd ed, 2010, pp 546–8.
23. Added by the Criminal Code Amendment (Suicide Related Material Offences) Act 2005 (Cth). Note also s 474.29B (Possessing etc. suicide related material for use through a carriage service).
24. Controversial legislation on euthanasia includes s 50A of the Northern Territory (Self-Government) Act 1978 (Cth), inserted in 1997 to block the legalisation of euthanasia in the Territory, and a similar provision in s 23 of the Australian Capital Territory (Self-Government) Act 1988 (Cth).
25. Some special legislative provisions apply, such as Crimes Act 1900 (NSW) s 31B (Survivor of suicide pact); Crimes Act 1958 (Vic) s 6B (Survivor of suicide pact who kills deceased party is guilty of manslaughter). See further Halsbury’s Laws of Australia, ‘Homicide’ (Title 130), LexisNexis; and S Bronitt and B McSherry, Principles of Criminal Law, note 22 above, pp 548–9.
26. For example, R v Klinkermann [2013] VSC 65 (25 February 2013) at [8]. Importation and administration of drugs, including those sourced through online means, used in assisting suicide may also lead to criminal charges: R v Justins [2008] NSWSC 1194 (12 November 2008); Justins v R [2010] NSWCCA 242 (28 October 2010); R v Justins [2011] NSWSC 568 (26 May 2011); R v Nielsen [2012] QSC 29 (16 February 2012).
27. See particularly the protracted ‘Adelaide Institute’ litigation: Jones v Toben [2002] FCA 1150 (17 September 2002); Toben v Jones [2003] FCAFC 137 (27 June 2003); and Jones v Toben [2009] FCA 354 (16 April 2009).
28. However, the Racial Discrimination Act 1975 (Cth) does not have criminal offence provisions for vilification, unlike some State and Territory legislation. For example, online comments by journalist Andrew Bolt were found to have breached prohibitions under s 18C of the Racial Discrimination Act 1975 (Cth) in Eatock v Bolt [2011] FCA 1103 (28 September 2011): G Urbas, ‘Internet Discussion and the Racial Discrimination Act’ (2012) 24(3) Legal Date 9; and G Urbas, ‘Racial Vilification on the Internet: Lessons from the Toben and Bolt Cases’ (2011) 14(7 & 8) Internet Law Bulletin 195.
29. The Additional Protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems, has fewer ratifications than the main Convention, all within Europe. It entered into force for those countries on 1 March 2006.
30. While some other State or Territory jurisdictions have similar racial vilification offences, only Victoria has criminal prohibitions on religious vilification, in s 25. See further D Feenan, ‘Religious Vilification Laws: Quelling Fires of Hatred?’ (2006) 31(3) Alternative Law Journal 153; M Thornton and T Luker, ‘The Spectral Ground: Religious Belief Discrimination’ (2009) 9 Macquarie Law Journal 71.
31. D Myers, ‘“Upskirting” Photography Creating Legal Controversy’, Digital Journal, 29 November 2008.
32. Crimes Legislation Amendment Bill 2014 (ACT). The R v McDonald and Deblaquiere case proceeded to conviction and the imposition of suspended sentences against both offenders.
33. D Keats Citron and M A Franks, ‘Criminalizing Revenge Porn’ (2014) 49 Wake Forest Law Review 345; University of Maryland Legal Studies Research Paper No. 2014-1.


Part 5 Investigation, Prosecution and Judicial Issues


Chapter 11 Investigating Cybercrime

Chapter contents

Search and seizure powers 11.1
Convention on Cybercrime 11.16
Covert investigation powers 11.26
Questions for consideration

11.0 This chapter explores the ways in which law enforcement agencies, including the police, are able to gather evidence as part of their cybercrime investigations. It should be noted that many of the techniques and procedures discussed, such as the seizure and forensic analysis of computer contents, may apply to the investigation of a wider range of crimes, including traditional offences such as homicides. The following is an example:1 In 2007, Melanie McGuire was convicted of killing her husband William. According to prosecutors, Ms McGuire used chloral hydrate to sedate William and then shot him ‘three or four times’ before dismembering his body and dumping the remains in Chesapeake Bay. After the remains were discovered, police began investigating the crime … Police computer forensic investigators examined the couple’s home computer and found that in the weeks before the murder, someone — presumably Melanie McGuire — used the computer to research topics such as ‘how to commit murder’, ‘how to illegally purchase guns’ and ‘undetectable poisons’ …

However, it is in cybercrime investigations that such computer forensic analysis methodologies are most consistently and prominently used.

Search and seizure powers

11.1 The Cybercrime Act 2001 (Cth), which updated Australian Commonwealth computer crime offences and relocated them to the Criminal Code Act 1995 (Cth), also introduced amendments to the Crimes Act 1914 (Cth) and the Customs Act 1901 (Cth) dealing with investigative powers. One of the responsibilities of the Australian Federal Police (AFP) is the provision of police services, including conducting investigations, in relation to the Australian Capital Territory as well as in relation to Commonwealth laws, property and interests.2 Accordingly, this agency plays a leading role in enforcing the cybercrime provisions of the Criminal Code Act 1995 (Cth) and other legislation discussed in previous chapters.

11.2 In the early 2000s, a specialised unit was created within the AFP, initially known as the Australian High Tech Crime Centre (AHTCC) and later renamed as High Tech Crime Operations (HTCO).3 The focus of this unit is described as follows:4

High Tech Crime Operations (HTCO) portfolio provides the AFP with an enhanced capability to investigate, disrupt and prosecute offenders committing serious and complex technology crimes. These include significant computer intrusions such as Distributed Denial of Service (DDOS) attacks, breaches of major computer systems, collective large scale breaches to harvest personal, business and/or financial data, creating, controlling or distributing malicious software, and crime which directly impacts the banking and finance sector. HTCO is responsible for the investigation of crimes associated with online child sex exploitation and child sexual exploitation in travel and tourism. HTCO supports and assists jurisdictions, particularly those with developing socio economic communities in relation to child sexual exploitation in travel and tourism, by working with local law enforcement agencies and other relevant entities, including non-government organisations. HTCO investigate[s] and target[s] offenders who use the internet to facilitate the sexual exploitation of children.
Significant penalties apply to offences related to both online child exploitation and child exploitation in travel and tourism under the Criminal Code Act 1995.

11.3 In order to equip the AFP and partner agencies with appropriate powers to investigate cybercrime, the provisions of the Crimes Act 1914 (Cth) relating to search warrants were extended to the use of electronic equipment during searches:5

3K Use of equipment to examine or process things

Equipment may be brought to warrant premises
(1) The executing officer of a warrant in relation to premises, or constable assisting, may bring to the warrant premises any equipment reasonably necessary for the examination or processing of a thing found at the premises in order to determine whether it is a thing that may be seized under the warrant.

Thing may be moved for examination or processing
(2) A thing found at warrant premises, or a thing found during a search under a warrant that is in force in relation to a person, may be moved to another place for examination or processing in order to determine whether it may be seized under a warrant if: (a) both of the following apply: (i) it is significantly more practicable to do so having regard to the timeliness and cost of examining or processing the thing at another place and the availability of expert assistance; (ii) the executing officer or constable assisting suspects on reasonable grounds that the thing contains or constitutes evidential material; or (b) for a thing found at warrant premises—the occupier of the premises consents in writing; or (c) for a thing found during a search under a warrant that is in force in relation to a person—the person consents in writing.

Notification of examination or processing and right to be present
(3) If a thing is moved to another place for the purpose of examination or processing under subsection (2), the executing officer must, if it is practicable to do so: (a) inform the person referred to in paragraph (2)(b) or (c) (as the case requires) of the address of the place and the time at which the examination or processing will be carried out; and (b) allow that person or his or her representative to be present during the examination or processing.
(3AA) The executing officer need not comply with paragraph (3)(a) or (b) if he or she believes on reasonable grounds that to do so might: (a) endanger the safety of a person; or (b) prejudice an investigation or prosecution.

Time limit on moving a thing
(3A) The thing may be moved to another place for examination or processing for no longer than 14 days.
(3B) An executing officer may apply to an issuing officer for one or more extensions of that time if the executing officer believes on reasonable grounds that the thing cannot be examined or processed within 14 days or that time as previously extended.
(3C) The executing officer must give notice of the application to the person referred to in paragraph (2)(b) or (c) (as the case requires), and that person is entitled to be heard in relation to the application.
(3D) A single extension cannot exceed 7 days.

Equipment at warrant premises may be operated
(4) The executing officer of a warrant in relation to premises, or a constable assisting, may operate equipment already at the warrant premises to carry out the examination or processing of a thing found at the premises in order to determine whether it is a thing that may be seized under the warrant if the executing officer or constable believes on reasonable grounds that: (a) the equipment is suitable for the examination or processing; and (b) the examination or processing can be carried out without damage to the equipment or the thing.

11.4 What s 3K authorises is the use of equipment, such as laptop computers with forensic imaging software installed, brought by investigating officers executing a search warrant and to be used in examining a computer or other electronic device found at search premises, or the removal of such computers and devices to another location for forensic analysis.6 Its scope has been explained as follows:7

Section 3K authorises the electronic copying of information found in electronic form at the warrant premises, and the removal of the copy for examination away from those premises to determine whether any of that material can be seized under the warrant. It is s 3K(2) that authorises the removal of ‘things’ for the purpose of examining them away from the search premises in order to determine whether ‘they are things that may be seized under the warrant’. Section 3K(3) is confined to imposing a pre-condition to the executing officer’s entitlement to conduct the off-premises examination. The term ‘things’ in s 3K extends, in my opinion, not just to a physical object such as a disk or tape on which information is stored in electronic form, but also to the information so stored itself. The reference in s 3K(1) to ‘things that may be seized under the warrant’ is confined to things that comprise ‘evidential material’ …

11.5 The next provision added was s 3L, dealing with use of electronic equipment:8

3L Use of electronic equipment at premises

(1) The executing officer of a warrant in relation to premises, or a constable assisting, may operate electronic equipment at the warrant premises to access data (including data not held at the premises) if he or she suspects on reasonable grounds that the data constitutes evidential material.
Note: A constable can obtain an order requiring a person with knowledge of a computer or computer system to provide assistance: see section 3LA.
(1A) If the executing officer or constable assisting suspects on reasonable grounds that any data accessed by operating the electronic equipment constitutes evidential material, he or she may: (a) copy any or all of the data accessed by operating the electronic equipment to a disk, tape or other associated device brought to the premises; or (b) if the occupier of the premises agrees in writing—copy any or all of the data accessed by operating the electronic equipment to a disk, tape or other associated device at the premises; and take the device from the premises.
(1B) If: (a) the executing officer or constable assisting takes the device from the premises; and (b) the Commissioner is satisfied that the data is not required (or is no longer required) for a purpose mentioned in section 3ZQU or for other judicial or administrative review proceedings; the Commissioner must arrange for: (c) the removal of the data from any device in the control of the Australian Federal Police; and (d) the destruction of any other reproduction of the data in the control of the Australian Federal Police.
(2) If the executing officer or a constable assisting, after operating the equipment, finds that evidential material is accessible by doing so, he or she may: (a) seize the equipment and any disk, tape or other associated device; or (b) if the material can, by using facilities at the premises, be put in documentary form—operate the facilities to put the material in that form and seize the documents so produced.
(3) A constable may seize equipment under paragraph (2)(a) only if: (a) it is not practicable to copy the data as mentioned in subsection (1A) or to put the material in documentary form as mentioned in paragraph (2)(b); or (b) possession by the occupier of the equipment could constitute an offence.
(4) If the executing officer or a constable assisting suspects on reasonable grounds that: (a) evidential material may be accessible by operating electronic equipment at the premises; and (b) expert assistance is required to operate the equipment; and (c) if he or she does not take action under this subsection, the material may be destroyed, altered or otherwise interfered with; he or she may do whatever is necessary to secure the equipment, whether by locking it up, placing a guard or otherwise.
(5) The executing officer or a constable assisting must give notice to the occupier of the premises of his or her intention to secure equipment and of the fact that the equipment may be secured for up to 24 hours.
(6) The equipment may be secured: (a) for a period not exceeding 24 hours; or (b) until the equipment has been operated by the expert; whichever happens first.
(7) If the executing officer or a constable assisting believes on reasonable grounds that the expert assistance will not be available within 24 hours, he or she may apply to an issuing officer for an extension of that period.
(8) The executing officer or a constable assisting must give notice to the occupier of the premises of his or her intention to apply for an extension, and the occupier is entitled to be heard in relation to the application.
(9) The provisions of this Division relating to the issue of warrants apply, with such modifications as are necessary, to the issuing of an extension.

11.6 The interaction between s 3K and s 3L has been explained as follows:9

Broadly stated, s 3K authorises, inter alia, the pre-seizure removal and examination of ‘things found at the premises’ where a search warrant is executed. The power of removal arises where it is not practicable to examine or process the things at the warrant premises (s 3K(2)(a)) … Section 3L, on the other hand, is an examination and seizure provision. It authorises the use of electronic equipment found at the warrant premises in order to determine whether evidential material is accessible by so doing. If an officer finds that evidential material is accessible by operating the equipment, then the equipment and associated disks, tapes or other storage devices may be seized. Alternatively, the equipment may be used to print out the relevant material in documentary form which may be seized, or to copy it to another disk, tape or storage device which may then be taken from the premises. That taking completes the execution of the warrant in relation to the evidential material so copied. Seizure is not applicable in such a case.

11.7 The reference in s 3L(1) to ‘data (including data not held at the premises)’ suggests that a degree of latitude is to be afforded in allowing the execution of a warrant at search premises to extend to locating data held on computers connected to, but remote from, those found at the premises. Taken literally, this would appear to allow even cross-border searches to be permissible under Australian law.10

11.8 An additional provision was added in 2010 in order to clarify that electronic equipment could also be used in relation to computers and devices removed to another place for analysis:11

3LAA Use of electronic equipment at other place

(1) If electronic equipment is moved to another place under subsection 3K(2), the executing officer or a constable assisting may operate the equipment to access data (including data held at another place).
(2) If the executing officer or constable assisting suspects on reasonable grounds that any data accessed by operating the electronic equipment constitutes evidential material, he or she may copy any or all of the data accessed by operating the electronic equipment to a disk, tape or other associated device.
(3) If the Commissioner is satisfied that the data is not required (or is no longer required) for a purpose mentioned in section 3ZQU or for other judicial or administrative review proceedings, the Commissioner must arrange for: (a) the removal of the data from any device in the control of the Australian Federal Police; and (b) the destruction of any other reproduction of the data in the control of the Australian Federal Police.
(4) If the executing officer or a constable assisting, after operating the equipment, finds that evidential material is accessible by doing so, he or she may: (a) seize the equipment and any disk, tape or other associated device; or (b) if the material can be put in documentary form—put the material in that form and seize the documents so produced.
(5) A constable may seize equipment under paragraph (4)(a) only if: (a) it is not practicable to copy the data as mentioned in subsection (2) or to put the material in documentary form as mentioned in paragraph (4)(b); or (b) possession of the equipment, by the person referred to in paragraph 3K(2)(a) or (b) (as the case requires), could constitute an offence.

11.9 A predictable obstacle to the analysis of computer data is that access to the data may be protected by passwords or other security measures, data may be encrypted, and so on. In order to allow law enforcement agencies to overcome such impediments to investigation, a further provision was added by the Cybercrime Act 2001 (Cth), enabling a court order to be obtained to compel those with relevant information, such as computer technicians and IT officers, to assist investigators:12

3LA Person with knowledge of a computer or a computer system to assist access etc.

(1) A constable may apply to a magistrate for an order requiring a specified person to provide any information or assistance that is reasonable and necessary to allow a constable to do one or more of the following:
    (a) access data held in, or accessible from, a computer or data storage device that:
        (i) is on warrant premises; or
        (ii) has been moved under subsection 3K(2) and is at a place for examination or processing; or
        (iii) has been seized under this Division;
    (b) copy data held in, or accessible from, a computer, or data storage device, described in paragraph (a) to another data storage device;
    (c) convert into documentary form or another form intelligible to a constable:
        (i) data held in, or accessible from, a computer, or data storage device, described in paragraph (a); or
        (ii) data held in a data storage device to which the data was copied as described in paragraph (b); or
        (iii) data held in a data storage device removed from warrant premises under subsection 3L(1A).
(2) The magistrate may grant the order if the magistrate is satisfied that:
    (a) there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer or data storage device; and
    (b) the specified person is:
        (i) reasonably suspected of having committed the offence stated in the relevant warrant; or
        (ii) the owner or lessee of the computer or device; or
        (iii) an employee of the owner or lessee of the computer or device; or
        (iv) a person engaged under a contract for services by the owner or lessee of the computer or device; or
        (v) a person who uses or has used the computer or device; or
        (vi) a person who is or was a system administrator for the system including the computer or device; and
    (c) the specified person has relevant knowledge of:
        (i) the computer or device or a computer network of which the computer or device forms or formed a part; or
        (ii) measures applied to protect data held in, or accessible from, the computer or device.
(3) If:
    (a) the computer or data storage device that is the subject of the order is seized under this Division; and
    (b) the order was granted on the basis of an application made before the seizure;
    the order does not have effect on or after the seizure.
    Note: An application for another order under this section relating to the computer or data storage device may be made after the seizure.
(4) If the computer or data storage device is not on warrant premises, the order must:
    (a) specify the period within which the person must provide the information or assistance; and
    (b) specify the place at which the person must provide the information or assistance; and
    (c) specify the conditions (if any) determined by the magistrate as the conditions to which the requirement on the person to provide the information or assistance is subject.
(5) A person commits an offence if the person fails to comply with the order.
    Penalty for contravention of this subsection: Imprisonment for 2 years.

11.10 It is unclear to what extent s 3LA is used in cybercrime investigations to require the disclosure of passwords and decryption information. It may be that those faced with requests for such information or assistance voluntarily comply, so that the power to obtain a court order does not need to be invoked.13 Where such a request is directed to a suspect in a criminal investigation, s 3LA has the capacity to restrict the common law privilege against self-incrimination. However, it should be noted that this right is already significantly abrogated under Australian legislation, and certainly does not prevent police from being able to obtain court orders to compel suspects and others to provide forensic material, such as a DNA sample.14

11.11 In general, persons who own or control premises will be aware of the execution of a search warrant, either at the time or soon thereafter.15 However, given that the above provisions relating to the execution of search warrants also allow access to data not held on the search premises, the question arises whether this can be done surreptitiously or whether some notification must be given. A partial answer is provided by s 3LB, which requires that the executing officer must notify the owner of premises other than those specified in the search warrant of access to data on the owner’s premises that has been obtained under a warrant, where practicable.16 Where such premises are outside Australia, it may be questioned whether it is likely to be practicable to notify owners of premises of any access.17

11.12 In general, the techniques utilised by forensic examiners aim to cause the least damage or disruption to computers and data that is required.18 Nonetheless, provisions have also been added requiring compensation to be paid to relevant owners under the legislation in the case of damage caused by insufficient care.19 The process by which a forensic analysis of a computer is undertaken by specialised examiners, in this case a commercial accounting firm, is described below.

Grant v Marshall [2003] FCA 1161 (19 September 2003) — Annexure A

The forensic image process

Proper acquisition of computer evidence requires the use of non-invasive advanced computer software specifically designed for the task. Such software recovers, searches, authenticates and documents relevant electronic evidence without compromising the integrity of the original evidence. PricewaterhouseCoopers currently use ‘EnCase’ software, which is the industry standard.

The cornerstone of the computer forensics is the ‘forensic image’ process. Quite simply this is the process of making an exact copy of all data, including all Operating System files, application files, user files (including deleted files, data fragments, etc.) located on the ‘target’ hard drive. The image retains the identical data structure as it appeared on the original hard disk.

The forensic image process usually follows the following steps:

1 The ‘target’ computer is physically examined to identify its components.
2 The hard drive is removed from the ‘target’ computer and is connected to [the] PricewaterhouseCoopers computer system.
3 The hard drive from the ‘target’ computer system is connected to and accessed via the hardware and software of the PricewaterhouseCoopers computer. The hardware used includes a write-blocking device which prevents the alteration of data on the ‘target’ hard drive.
4 An image of the ‘target’ computer is written to the PricewaterhouseCoopers computer as a series of computer files (usually split into 640 megabyte parts so that the image files can be stored on CD). The taking of a forensic image of a standard computer takes between 40 and 90 minutes.
5 The settings of the ‘target’ computer (such as the accuracy of the date and time setting of the internal computer clock) are recorded.
6 The images files are secured on CDs and are verified to confirm their integrity.

The EnCase forensic image has an in-built audit trail with a sophisticated integrity validation process. It is possible using Encase software to directly analyse the forensic image, but it is also possible to use the forensic image to restore an exact copy of the computer to another computer and operate the system as a normal user.

Analysis of a forensic image is a technical process requiring skill and resources. The vast array of computer software in use requires the forensic examiner to employ a diverse range of techniques to access data in a myriad of formats. Additionally, it is possible that there has been an attempt to conceal evidence with deceptive file names, password protection or encryption. The forensic image allows the examiner to conduct this search in a properly controlled environment.

The image process … also enables the computer evidence … [to] be evaluated in the ‘environment in which the evidence was created’. Operating System and Application Software files are preserved so that all steps that the user took to create the evidence can be duplicated by the computer forensics specialist and if necessary an independent examiner. This is vitally important in a case wherein sophisticated programs have been used, such as accounting software, electronic mail and Internet applications, or graphic design programs.

The adaptation of imaging to the investigation of computer data, together with the appropriate analysis software, now allows the forensic examiner access to data without fear of altering the original and with minimal disruption to the owner. A thorough search and complete identification of all evidence on a [computer system] can take many hours per computer, depending on the volume, type and complexity of data stored, and the complexity of the search criteria. Without the forensic image process the analysis would be impractical and invasive.

Forensic preview

It is possible to forensically preview the contents of a ‘target’ computer (that is, examine the hard drive in a write-protected environment) prior to making a decision as to whether a forensic image is required. The preview is executed using a similar methodology as described above. The preview allows the examiner to search the ‘target’ computer for relevant material so that he/she can be confident the computer is relevant to the orders or legislation under which the search is being carried out.

The forensic preview is not a substitute for full analysis. If relevant data is located the contents of the hard drive should still be preserved by a forensic image and fully analysed.
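The split-and-verify steps of the imaging process in the annexure (steps 4 and 6) can be illustrated with the following added example, which is not part of the judgment and does not reproduce EnCase's file format or audit trail. The use of SHA-256, the `image.NNN` segment names and the manifest layout are assumptions made for the illustration.

```python
import hashlib
import os

SEGMENT_SIZE = 640 * 1000 * 1000   # the annexure's 640 megabyte parts
CHUNK = 1024 * 1024                # read buffer size


def acquire_image(source_path, out_dir, segment_size=SEGMENT_SIZE):
    """Copy source_path into fixed-size segment files and return a hash manifest.

    The source is only ever opened for reading. On a real drive the protection
    comes from a hardware write blocker, not from the open mode used here.
    """
    os.makedirs(out_dir, exist_ok=True)
    whole = hashlib.sha256()
    segments = []
    with open(source_path, "rb") as src:
        while True:
            name = f"image.{len(segments):03d}"   # assumed naming scheme
            path = os.path.join(out_dir, name)
            seg_hash = hashlib.sha256()
            written = 0
            with open(path, "wb") as seg:
                while written < segment_size:
                    block = src.read(min(CHUNK, segment_size - written))
                    if not block:
                        break
                    seg.write(block)
                    seg_hash.update(block)
                    whole.update(block)
                    written += len(block)
            if written == 0:            # source ended exactly on a boundary
                os.remove(path)
                break
            segments.append({"name": name, "size": written,
                             "sha256": seg_hash.hexdigest()})
            if written < segment_size:  # short final segment: source exhausted
                break
    return {"source_size": sum(s["size"] for s in segments),
            "sha256": whole.hexdigest(), "segments": segments}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(out_dir, manifest):
    """Re-read every segment and return a list of discrepancies (empty = verified)."""
    problems = []
    whole = hashlib.sha256()
    for seg in manifest["segments"]:
        path = os.path.join(out_dir, seg["name"])
        if not os.path.isfile(path):
            problems.append(f"{seg['name']}: missing")
            continue
        seg_hash = hashlib.sha256()
        size = 0
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                seg_hash.update(block)
                whole.update(block)
                size += len(block)
        if size != seg["size"]:
            problems.append(f"{seg['name']}: size {size} != {seg['size']}")
        if seg_hash.hexdigest() != seg["sha256"]:
            problems.append(f"{seg['name']}: sha256 mismatch")
    if whole.hexdigest() != manifest["sha256"]:
        problems.append("whole image: sha256 mismatch")
    return problems


def source_unchanged(source_path, manifest):
    """True if the original still hashes to the value recorded at acquisition."""
    return hash_file(source_path) == manifest["sha256"]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "target.bin")
        with open(target, "wb") as f:
            f.write(os.urandom(2500))            # constructed stand-in for a drive
        image_dir = os.path.join(work, "image")
        manifest = acquire_image(target, image_dir, segment_size=1000)
        print("segments:", [s["size"] for s in manifest["segments"]])
        print("verified:", verify_image(image_dir, manifest) == [])
        print("source unchanged:", source_unchanged(target, manifest))
        # Alter one byte of a segment to show what verification reports.
        seg_path = os.path.join(image_dir, "image.001")
        data = bytearray(open(seg_path, "rb").read())
        data[0] ^= 0x01
        open(seg_path, "wb").write(bytes(data))
        print("after alteration:", verify_image(image_dir, manifest))
```

Per-segment hashes localise damage to one part of the image, while the whole-image hash ties the set of parts back to the original drive.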

11.13 The Crimes Act 1914 (Cth) provisions do not apply straightforwardly to technological developments whereby large amounts of computer data are held not in a single computer or physically co-located banks of computers, but rather in distributed and more ephemeral forms in the ‘cloud’. This (literally) nebulous concept denotes a range of storage and delivery systems rather than a physical arrangement of data, including:20

Public cloud — made available to the public or a large industry group and owned by an entity selling cloud services;
Private cloud — operated solely for an entity and managed by the entity or a third party, on or off premise;
Hybrid cloud — combining public and private clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability, such as balancing between clouds;
Community cloud — supporting a specific community that has shared concerns, such as the same mission or policies, or similar security requirements or compliance considerations.

11.14 Cloud computing poses considerable technical and legal challenges to law enforcement and forensic investigators, including ensuring the integrity and authenticity of information obtained from service providers, wherever located.21

11.15 As physical limitations on data have evolved and storage has become more ephemeral or dispersed, law enforcement attention has shifted to those individuals or organisations that exercise control over access to data. In particular, Internet service providers (ISPs) and similar intermediaries may be in a good position to preserve or to collect data for law enforcement use.22 Legislation, including at the international level the Convention on Cybercrime, tends to distinguish between ‘stored data’ and ‘traffic data’. Domestically, each country has its own requirements for law enforcement access to such data, often requiring the obtaining of an appropriate warrant which is subject to judicial supervision.

Convention on Cybercrime

11.16 The Council of Europe’s Convention on Cybercrime prefaces its treatment of procedural provisions with the following general guidelines:23

Article 14 — Scope of procedural provisions

1 Each Party shall adopt such legislative and other measures as may be necessary to establish the powers and procedures provided for in this section for the purpose of specific criminal investigations or proceedings.
2 Except as specifically provided otherwise in Article 21, each Party shall apply the powers and procedures referred to in paragraph 1 of this article to:
    a the criminal offences established in accordance with Articles 2 through 11 of this Convention;
    b other criminal offences committed by means of a computer system; and
    c the collection of evidence in electronic form of a criminal offence.
3   a Each Party may reserve the right to apply the measures referred to in Article 20 only to offences or categories of offences specified in the reservation, provided that the range of such offences or categories of offences is not more restricted than the range of offences to which it applies the measures referred to in Article 21. Each Party shall consider restricting such a reservation to enable the broadest application of the measure referred to in Article 20.
    b Where a Party, due to limitations in its legislation in force at the time of the adoption of the present Convention, is not able to apply the measures referred to in Articles 20 and 21 to communications being transmitted within a computer system of a service provider, which system:
        i is being operated for the benefit of a closed group of users, and
        ii does not employ public communications networks and is not connected with another computer system, whether public or private,
    that Party may reserve the right not to apply these measures to such communications. Each Party shall consider restricting such a reservation to enable the broadest application of the measures referred to in Articles 20 and 21.

Article 15 — Conditions and safeguards

1 Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.
2 Such conditions and safeguards shall, as appropriate in view of the nature of the procedure or power concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.
3 To the extent that it is consistent with the public interest, in particular the sound administration of justice, each Party shall consider the impact of the powers and procedures in this section upon the rights, responsibilities and legitimate interests of third parties.

11.17 The next two articles then deal with expedited preservation of stored and traffic data, in order to facilitate the collection of evidence by law enforcement.

Article 16 — Expedited preservation of stored computer data

1 Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data, that has been stored by means of a computer system, in particular where there are grounds to believe that the computer data is particularly vulnerable to loss or modification.
2 Where a Party gives effect to paragraph 1 above by means of an order to a person to preserve specified stored computer data in the person’s possession or control, the Party shall adopt such legislative and other measures as may be necessary to oblige that person to preserve and maintain the integrity of that computer data for a period of time as long as necessary, up to a maximum of ninety days, to enable the competent authorities to seek its disclosure. A Party may provide for such an order to be subsequently renewed.
3 Each Party shall adopt such legislative and other measures as may be necessary to oblige the custodian or other person who is to preserve the computer data to keep confidential the undertaking of such procedures for the period of time provided for by its domestic law.
4 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

Article 17 — Expedited preservation and partial disclosure of traffic data

1 Each Party shall adopt, in respect of traffic data that is to be preserved under Article 16, such legislative and other measures as may be necessary to:
    a ensure that such expeditious preservation of traffic data is available regardless of whether one or more service providers were involved in the transmission of that communication; and
    b ensure the expeditious disclosure to the Party’s competent authority, or a person designated by that authority, of a sufficient amount of traffic data to enable the Party to identify the service providers and the path through which the communication was transmitted.
2 The powers and procedures referred to in this article shall be subject to Articles 14 and 15.

11.18 In Australia, a highly regulated set of rules governing law enforcement access to stored communications and telecommunications data is found in the Telecommunications (Interception and Access) Act 1979 (Cth). As with restrictions on telecommunications interception, where a warrant must be obtained in order to override the general prohibition on such interception (discussed in Chapter 2), there are also prohibitions on access to stored communications unless a warrant or other authorisation is obtained.24 The same applies to telecommunications data.25

11.19 The Convention on Cybercrime includes further provisions on production orders (Art 18), search and seizure of stored computer data (Art 19), real-time collection of traffic data (Art 20) and interception of content data (Art 21). These international standards are reflected in numerous provisions of Australian law, including those of the Telecommunications (Interception and Access) Act 1979 (Cth), as well as a more general obligation imposed on service providers under the Telecommunications Act 1997 (Cth) to assist law enforcement:

313 Obligations of carriers and carriage service providers

(1) A carrier or carriage service provider must, in connection with:
    (a) the operation by the carrier or provider of telecommunications networks or facilities; or
    (b) the supply by the carrier or provider of carriage services;
    do the carrier’s best or the provider’s best to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or of the States and Territories.
(2) A carriage service intermediary must do the intermediary’s best to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of the Commonwealth or of the States and Territories.
(3) A carrier or carriage service provider must, in connection with:
    (a) the operation by the carrier or provider of telecommunications networks or facilities; or
    (b) the supply by the carrier or provider of carriage services;
    give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for the following purposes:
    (c) enforcing the criminal law and laws imposing pecuniary penalties;
    (ca) assisting the enforcement of the criminal laws in force in a foreign country;
    (d) protecting the public revenue;
    (e) safeguarding national security.
    Note: Section 314 deals with the terms and conditions on which such help is to be provided.
…

11.20 It was noted in Chapter 8 that s 474.25 of the Criminal Code Act 1995 (Cth) imposes obligations on ISPs and Internet content hosts (ICHs) to report to the Australian Federal Police (AFP) any material passing through their services that constitutes child abuse or child pornography material. The statutory obligation under s 313 of the Telecommunications Act 1997 (Cth) is broader, but can apply to the same sorts of objectionable content:26

Section 313 of the Telecommunications Act 1997 provides Australian government agencies (including state government agencies) with the ability to obtain assistance from the telecommunications industry when upholding Australian laws. Commonwealth agencies have used section 313 to prevent the continuing operation of online services in breach of Australian law (e.g. sites seeking to perpetrate financial fraud). The Australian Federal Police uses section 313 to block domains (websites) which contain the most severe child sexual abuse and exploitation material using the INTERPOL ‘Worst of’ child abuse list. When a user seeks to access one of these sites, they are provided a block page that provides certain information, including reasons for the block, and contact details for any dispute about inclusion of the listing on the INTERPOL list.

11.21 Of course, law enforcement access to telecommunications data may be of little practical utility unless ISPs and other intermediaries store such data for sufficient periods of time to allow investigations. Practices appear to vary depending on considerations such as the size, resources and policies of providers, including their policies on subscriber privacy. This has led, both in Australia and elsewhere, to consideration of legal requirements for ‘data retention’ for a fixed period. The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) imposes obligations on Australian telecommunications companies to retain specified ‘metadata’ pertaining to electronic communications for a period of two years.27

11.22 The operation of the new data retention scheme is explained as follows by the Attorney-General’s Department:28

Data retention

The Australian Government is committed to providing our law enforcement and security agencies with the tools they need to keep our community safe by requiring the telecommunications industry to retain a limited set of metadata for two years.

Data retention does not provide new powers for agencies to access metadata. It simply obliges telecommunications companies to retain and secure a limited set of records for two years. This will ensure that Australia’s law enforcement and security agencies are able to continue to have lawful access to metadata, subject to strict controls.

In fact, data retention will be supported by existing as well as new safeguards, oversight and accountability mechanisms, including:

    significantly limiting the range of agencies permitted to access metadata
    introducing comprehensive, independent oversight of Commonwealth, state and territory law enforcement agencies by the Commonwealth Ombudsman
    introducing new requirements for the Attorney-General’s Department to publicly report on the operation of the data retention scheme each year
    introducing a new journalist information warrant regime, which requires ASIO and enforcement agencies to obtain a warrant prior to authorising disclosure of telecommunications data to identify a journalist’s source
    establishing Public Interest Advocates (PIAs) that may make submissions in relation to journalist information warrants
    a mandatory review of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) within three years of the scheme being fully implemented.

The independent Inspector-General of Intelligence and Security will continue to oversight access to metadata by the Australian Security Intelligence Organisation (ASIO), and the Privacy Commissioner will continue to assess industry’s compliance with the Australian Privacy Principles as well as monitoring industry’s non-disclosure obligations under the Telecommunications Act.

The Parliamentary Joint Committee on Intelligence and Security will review the operation of the mandatory data retention scheme in four years.

11.23 The contentious issue of what counts as ‘metadata’ is explained thus:29

Metadata

Metadata is information about a communication (the who, when, where and how) — not the content or substance of a communication (the what). For phone calls, metadata includes the phone numbers of the people talking to each other and how long they talked — not what they said. For internet activity, metadata is information such as an email address and when it was sent — not the subject line of an email or its content. The Australian Government is not requiring industry to retain a person’s web-browsing history or any data that may amount to a person’s web-browsing history.

Metadata is used in almost every serious criminal or national security investigation, including murder, counter-terrorism, counter-espionage, sexual assault and kidnapping cases. Agencies use metadata to help:

    quickly rule innocent people out from suspicion and further investigation, for example by showing they had not been in contact with other suspects
    identify suspects and networks of criminal associates
    support applications to use more complex and intrusive tools, such as a warrant to intercept the content of communications
    provide evidence in prosecutions.

Australian telecommunications companies must keep a limited set of metadata which is information about the circumstance of a communication for two years. It is not the content of the communication and web-browsing history is specifically excluded from the scheme. The legislation also requires telecommunications companies to secure the stored data by encrypting it and preventing unauthorised access.

The set of metadata required to be retained and secured is defined by reference to the following six types of information:

    the identity of the subscriber to a communications service;
    the source of the communication;
    the destination of the communication;
    the date, time and duration of the communication;
    the type of the communication; and
    the location of the equipment used in the communication.

11.24 As for the obstacles to investigation posed by the adoption of encryption and other privacy measures by individuals, note the power available under s 3LA of the Crimes Act 1914 (Cth), discussed earlier at [11.9], to require persons ‘to provide any information or assistance that is reasonable and necessary to allow a constable to … access data’ in relation to search warrants for premises. It may be that future legislative developments will be required to replicate such powers in a wider range of situations, including in relation to mobile devices, service providers and intermediaries, and cloud storage. Issues of law enforcement and prosecutorial access to evidence from overseas sources are discussed in Chapter 12.

Covert investigation powers

11.25 The use of covert investigation techniques in connection with online child exploitation was discussed in Chapter 9, in relation to child grooming. However, it should be noted that a significant body of law regulates covert surveillance and investigation more generally, including the use of warrants, and that this may apply in a variety of ways to the investigation of cybercrime.

11.26 As noted in Chapter 2, authorisations and warrants for telecommunications interception may be granted under numerous provisions of the Telecommunications (Interception and Access) Act 1979 (Cth), including Pt 2–2 (ASIO authorisations), Pt 2–3 (Emergency warrants), Pt 2–4 (Testing interception capability), Pt 2–5 (Law enforcement warrants); and, in relation to stored communications access, under Pt 3–2 (ASIO authorisations) and Pt 3–3 (Law enforcement warrants).30 The most relevant to cybercrime investigations are law enforcement warrants, though where national security concerns arise other mechanisms may also play a role.31

11.27 Law enforcement warrants may be issued under the Telecommunications (Interception and Access) Act 1979 (Cth) to assist in the investigation of a ‘serious offence’, which is elaborately defined to include (s 5D) a range of crimes including murder, kidnapping, drug importation, treason, terrorism, dealing with explosives and lethal devices, foreign incursions and recruitment, as well as other offences punishable by life imprisonment or a maximum of at least seven years, involving planning and organisation or criminal groups. Also listed are specified sexual offences against children and offences involving child pornography (referring particularly to Div 474 of the Criminal Code Act 1995 (Cth)); ‘cybercrime offences’ (under Pt 10.7 of the Criminal Code Act); and counterpart offences under State and Territory law.32

11.28 The Surveillance Devices Act 2004 (Cth), along with counterpart legislation in the States and Territories, regulates the use of surveillance devices, defined as (s 6):

(a) a data surveillance device, a listening device, an optical surveillance device or a tracking device; or
(b) a device that is a combination of any 2 or more of the devices referred to in paragraph (a); or
(c) a device of a kind prescribed by the regulations.

11.29 The Surveillance Devices Act 2004 (Cth) allows law enforcement officers to obtain surveillance devices warrants in the investigation of ‘relevant offences’, defined to include Commonwealth as well as State offences with a federal aspect, carrying a penalty of life imprisonment or a period of three or more years. This would include many cybercrime offences under Commonwealth and other legislation. Note that s 476.2 of the Criminal Code Act 1995 (Cth) excludes surveillance under a surveillance devices warrant or authorisation from the scope of ‘unauthorised access, modification or impairment’.

11.30 Finally, the Crimes Act 1914 (Cth), along with counterpart legislation in other jurisdictions, provides for the regulation of ‘controlled operations’ (Pt IAB) and ‘assumed identities’ (Pt IAC) in the investigation of serious crimes. These mechanisms were initially introduced in relation to illegal drugs and organised crime investigations but their application to a wider range of offences has been enabled by legislation, including to the child abuse and child pornography offences in Div 474 of the Criminal Code Act 1995 (Cth). Interestingly, controlled operations certificates and assumed identity authorities do not appear to be routinely used in the covert investigation of child grooming activities, as discussed in Chapter 9.33

[page 290]

Questions for consideration

1. S Brenner, writing in Cybercrime: Digital Cops in a Networked Environment, J M Balkin et al (eds), New York University Press, 2007, observes (p 213):

For the most part, cybercrime investigations focus on digital evidence, for example, on the content of email messages, logs of computer activity, and data stored on laptops or desktop computers. Countries have developed the procedural law over the last century or so to deal with real, physical evidence such as guns, drugs, paper documents, fingerprints, and the like. Physical evidence can be lost but is not easily destroyed; and it is usually very difficult, if not impossible, to alter physical evidence. Digital evidence is fragile and can easily be destroyed or altered. An Internet Service Provider, for example, may routinely destroy logs documenting online activity; but these logs can contain evidence cybercrime investigators need. Investigators therefore need some way to ensure that evidence is preserved and can be made available for their use.

What means are there of ensuring the availability of digital evidence for cybercrime investigations? To what extent should service providers such as ISPs contribute to this task, and who should bear the cost? Are there dangers in ever-greater amounts of data being retained for law enforcement use?

2. In G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008, techniques of cybercrime investigation are described (p 49):

Law enforcement officers, usually assisted by trained computer forensic analysts with specialist skills in computer investigations, play a critical role in relation to electronic evidence. The strict evidentiary requirements for criminal prosecutions mean that there must be a demonstrable chain of custody in relation to any evidence collected, so that no reasonable doubt can be raised in relation to the authenticity and integrity of the data presented to court. To establish a chain of custody, organisations should ideally:

create an evidence copy of an electronic record. Such copies can be created by various means including reproducing the electronic record as a printed document or copying the electronic record to storage media (e.g. backup tape).

maintain a custody log of the evidence copy, recording details such as who accessed the evidence, when the evidence was accessed and returned (if evidence was removed) and why the evidence was accessed.

In particular, verification is needed that the contents of a computer have not been created, deleted or modified during search, seizure and subsequent analysis. In this regard, it is critical that the analysis be undertaken by appropriately trained and skilled computer forensic analysts …
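The evidence copy, custody log and integrity verification described in the passage above can be sketched in code as follows. This is an added example, not part of the quoted paper or of this book; the function and class names, the hash-chained log format and the sample log line are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_evidence_copy(source, dest_dir):
    """Copy the record, confirm the copy is bit-identical, then mark it read-only."""
    dest = os.path.join(dest_dir, os.path.basename(source))
    shutil.copy2(source, dest)
    if sha256_file(source) != sha256_file(dest):
        raise IOError("evidence copy does not match the original record")
    os.chmod(dest, 0o444)
    return dest


def _entry_digest(entry):
    """Digest of every field except the stored digest itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Who / when / why log; each entry is chained to the one before it."""

    def __init__(self, evidence_path):
        self.evidence_path = evidence_path
        self.baseline = sha256_file(evidence_path)  # hash taken at acquisition
        self.entries = []

    def record(self, who, action, why, when=None):
        entry = {
            "who": who,
            "action": action,
            "why": why,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of integrity problems; an empty list means none found."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or _entry_digest(e) != e["entry_hash"]:
                problems.append(f"log entry {i} was altered or reordered")
            if e["evidence_sha256"] != self.baseline:
                problems.append(f"evidence differed from baseline at entry {i}")
            prev = e["entry_hash"]
        if sha256_file(self.evidence_path) != self.baseline:
            problems.append("evidence copy no longer matches baseline hash")
        return problems


def demo():
    """Run the workflow on a constructed one-line log file."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "mail.log")
        with open(original, "w") as f:  # constructed sample record
            f.write("2015-04-03T10:00:00Z user=alice action=login src=192.0.2.10\n")
        store = os.path.join(workdir, "evidence_store")
        os.mkdir(store)
        copy = make_evidence_copy(original, store)

        log = CustodyLog(copy)
        log.record("Analyst A", "checked out", "keyword search")
        log.record("Analyst A", "returned", "analysis complete")
        clean = log.verify()

        log.entries[0]["why"] = "routine"          # after-the-fact edit to the log
        edited_log = log.verify()
        log.entries[0]["why"] = "keyword search"   # restore the original entry

        os.chmod(copy, 0o644)                      # simulate modification of evidence
        with open(copy, "a") as f:
            f.write("extra line\n")
        modified = log.verify()
        return clean, edited_log, modified
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
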

If such evidentiary standards are not followed, what adverse consequences might there be? Are there other ways of ensuring integrity of investigations?

1.

S W Brenner, Cybercrime: Criminal Threats From Cyberspace, Greenwood Publishing, 2010, Ch 3: ‘Three Categories of Cybercrime’; for a similar Australian case, see M Russell, ‘Killer Brought Undone by Chilling Step-By-Step Murder Plan Jailed for 26 Years’, The Age, 30 April 2014: .

2.

See Australian Federal Police Act 1979 (Cth) s 8 (Functions); and AFP website, ‘What We Do’: .

3.

See ‘AHTCC: Fighting the Invisible’, Platypus Magazine, No. 80, October 2003: .

4.

See AFP, ‘High Tech Crime Operations’: .

5.

Added by the Cybercrime Act 2001 (Cth); see also Customs Act 1901 (Cth) s 200.

6.

Hart v Commissioner, Australian Federal Police [2002] FCAFC 392 (5 December 2002) at [6].

7.

Harts Australia Limited v Commissioner, Australian Federal Police [2002] FCA 245 (13 March 2002) per Drummond J at [126]–[128].

8.

Added by the Cybercrime Act 2001 (Cth); see also Customs Act 1901 (Cth) s 201.

9.

Hart v Commissioner, Australian Federal Police [2002] FCAFC 392 (5 December 2002), per French, Sackville and Nicholson JJ at [6]; see also Harts Australia Limited v Commissioner, Australian Federal Police [2002] FCA 245 (13 March 2002); Williams v Keelty [2001] FCA 1301 (13 September 2001); and Kennedy v Baker (with Corrigendum dated 17 June 2004) [2004] FCA 562 (6 May 2004). In Egglishaw v Australian Crime Commission [2006] FCA 819 (30 June 2006) at [34], Sundberg J rejected a submission that the provisions be read as mutually exclusive, stating that ‘there is nothing in the Act to suggest that the availability of one option precludes the choice of another. There is no hierarchy of options. After all, the Commission could just as easily have used the procedure provided for in ss 3K(1) or 3L(4) and (6)’.

10. G Urbas and P Grabosky, ‘Cybercrime and Jurisdiction in Australia’ in B-J Koops and S W Brenner (eds), Cybercrime and Jurisdiction: A Global Survey, TCM Asser Press, The Hague, 2006. In December 2014, the Council of Europe’s Cybercrime Convention Committee (T-CY) issued a Guidance Note on Transborder Access to Data (Article 32): .

11. Section 3LAA, added by the Crimes Legislation Amendment (Serious and Organised Crime) Act (No. 2) 2010 (Cth). There is no counterpart in the Customs Act 1901 (Cth).

12. Added by the Cybercrime Act 2001 (Cth); see also Customs Act 1901 (Cth) s 201A. The penalty under s 3LA for failure to comply with such an order was initially imprisonment for six months, and remains so under s 201A of the Customs Act 1901 (Cth), but was increased by the Crimes Legislation Amendment (Serious and Organised Crime) Act (No. 2) 2010 (Cth). A critique of s 3LA is to be found in N J James, ‘Handing Over the Keys: Contingency, Power and Resistance in the Context of s 3LA of the Australian Crimes Act 1914’ (2004) 23(1) University of Queensland Law Journal 7, quoting the (then) Vice-President of the Australian Computer Society as saying that ‘the Act went a little too far, in that it erred on the side of giving too much power’ (p 18).

13. There appear to be no reported cases of a conviction under s 3LA arising from a failure to comply. However, a recent media report about the investigation of an alleged Australian hacker claimed that on an online discussion board he had posted, but later deleted, a message stating ‘When I got raided I was served a 3LA order to hand over my passwords’: W Ockenden and B Sveen, ‘Abdilo, Infamous Australian Teen Hacker, Raided by Police and Ordered to Surrender Passwords’, ABC News, 3 April 2015: . An earlier report on the alleged hacking activities is W Ockenden, ‘Abdilo, Australia-Based Computer Hacker, Live Streams Attack on US Education Sites’, ABC News, 21 January 2015: .

14. See Evidence Act 1995 (Cth) s 128, and its counterpart in other Uniform Evidence Law (UEL) jurisdictions; and note the forensic procedures powers in Pt ID of the Crimes Act 1914 (Cth) and similar State and Territory legislation. National DNA and fingerprint registers are maintained by the CrimTrac agency: . CrimTrac has also been given a function in relation to cybercrime, hosting the Australian Cybercrime Online Reporting Network (ACORN).

15. The issue or execution of a search warrant may be challenged on grounds that include the validity of the warrant or the manner in which a search was in fact conducted. For example, in an Australian Capital Territory child pornography case where videos and electronic devices were seized under a warrant that had the wrong address transcribed, an application was made to exclude the evidence under s 138 of the Evidence Act 1995 (Cth) but this was unsuccessful: R v PJ [2006] ACTSC 37 (2 May 2006).

16. Added by the Cybercrime Act 2001 (Cth); see also Customs Act 1901 (Cth) s 201B. The practicability of notifying overseas owners may be questioned: G Urbas and P Grabosky, ‘Cybercrime and Jurisdiction in Australia’, note 10 above, p 65.

17. See G Urbas and P Grabosky, ‘Cybercrime and Jurisdiction in Australia’, note 10 above, which also discusses the extraterritorial operation of the Surveillance Devices Act 2004 (Cth).

18. See G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008, pp 58–9.

19. Crimes Act 1914 (Cth) s 3M; Customs Act 1901 (Cth) s 202, added by the Cybercrime Act 2001 (Cth).

20. D Vaile, K Kalinich, P Fair and A Lawrence, Data Sovereignty and The Cloud — Technical, Legal and Risk Governance Issues Around Data Hosting and Jurisdiction, Cyberspace Law and Policy Centre, UNSW Faculty of Law, July 2013, pp 9–10.

21. For issues relating to search warrants, forensic analysis and cloud services, see J Dykstra and A T Sherman, ‘Acquiring Forensic Evidence From Infrastructure-as-a-Service Cloud Computing: Exploring and Evaluating Tools, Trust and Techniques’ (2012) 9 (Supplement) Digital Investigation 90.

22. The Council of Europe’s Convention on Cybercrime does not define ‘stored data’, but Art 1 does define ‘computer data’ as ‘any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function’; and defines ‘traffic data’ as ‘any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service’.

23. These provisions are found in Section 2 — Procedural law.

24. Chapter 3 of the Telecommunications (Interception and Access) Act 1979 (Cth) deals with preserving and accessing stored communications, which are defined in s 5 as those not passing over a telecommunications system and held on carrier-operated equipment such that access by a non-party to the communication requires the assistance of the carrier. Part 3–1A provides for both domestic and foreign preservation notices, under amendments added by the Cybercrime Legislation Amendment Act 2012 (Cth). Part 3–1 deals with access to stored communications with a warrant.

25. Chapter 4 of the Telecommunications (Interception and Access) Act 1979 (Cth) regulates permitted access to telecommunications data, which excludes information or documents containing the ‘contents or substance of a communication’ (s 172), but allowing, with appropriate authorisation, access to information or documents about what is often referred to as the ‘metadata’ of communications.

26. Parliament of Australia, House of Representatives Standing Committee on Infrastructure and Communications, Inquiry into the Use of Subsection 313(3) of the Telecommunications Act 1997 by Government Agencies to Disrupt the Operation of Illegal Online Services. This inquiry has held public hearings and received submissions, and is due to complete a final report by 1 July 2015.

27. Note that the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) passed the Parliament on 26 March 2015 and received Royal Assent on 13 April 2015. It is due to come into full operation on 13 October 2015. The Act inserts a new Part 5–1A — Data retention into the Telecommunications (Interception and Access) Act 1979 (Cth), with key provisions in Division 1 — Obligation to keep information and documents being s 187A (Service providers must keep certain information and documents), s 187AA (Information to be kept), s 187B (Certain service providers not covered by this Part), s 187BA (Ensuring the confidentiality of information) and s 187C (Period for keeping information and documents). A new Division 4C — Journalist information warrants is also inserted into Pt 4–1 of the Telecommunications (Interception and Access) Act 1979 (Cth) to ensure that law enforcement access to metadata that may identify journalists’ sources must be obtained under a warrant rather than an authorisation (s 180G).

28. Australian Government, Attorney-General’s Department, ‘Data Retention’: .

29. See note 28 above.

30. Information on telecommunications interception and other warrants issued may be obtained from sources such as the annual reports of parliamentary committees with oversight functions: .

31. For a detailed discussion, see S Rodrick, ‘Accessing Telecommunications Data for National Security and Law Enforcement Purposes’ (2009) 37(3) Federal Law Review 375; and, for a wider study of the operation of surveillance and interception powers in the context of privacy, see the Australian Law Reform Commission (ALRC) final report on Serious Invasions of Privacy in the Digital Era (2014): .

32. This definition is also used as a basis for providing mutual assistance to foreign countries, under amendments made by the Cybercrime Legislation Amendment Act 2012 (Cth). The Australian Crime Commission Act 2002 (Cth) also refers to ‘cybercrime’ as a type of ‘serious and organised crime’.

33. As noted in Chapter 9, one case in which chat-room communications were conducted using an approval granted under the Criminal Investigation (Covert Operations) Act 2009 (SA) was R v Barrie [2012] SASCFC 124 (15 November 2012). However, the ACT cases of R v Stubbs [2009] ACTSC 63 (26 May 2009) and R v Priest [2011] ACTSC 18 (11 February 2011) did not involve such certificates or authorities, and the evidence obtained covertly by police was still held to be admissible.

[page 291]

Chapter 12 Prosecuting and Sentencing Cyber Criminals

Chapter contents

Prosecutorial decision-making 12.1
Jurisdiction issues 12.10
Convention on Cybercrime 12.13
Australian laws 12.15
Sentencing and punishment 12.18
Questions for consideration

12.0 This final chapter considers prosecutorial and judicial responses to cybercrime. In the Australian criminal justice system, prosecutors play a key role in deciding which cases to take to court (applying their guidelines and discretion), which charges will be pursued (these may not coincide with those initially charged by police), at which level (indictable or summary), whether to accept pleas to lesser offences (again applying guidelines and discretion), and which evidence to adduce in court in the case of a contested trial. Judges and magistrates play an adjudicative role, ruling mainly on legal and procedural issues such as the admissibility of evidence. Juries are sometimes called upon to decide on factual issues and deliver a verdict in more serious cases, but where there is a guilty plea or the matter is heard by a judge alone or at the summary level by a magistrate, no jury is involved. Sentencing is entirely a matter for judicial officers.

Prosecutorial decision-making

12.1 The Commonwealth Director of Public Prosecutions (CDPP) and prosecutors who work under the CDPP’s direction run prosecutions for indictable Commonwealth offences, such as the offences found in the Criminal Code Act 1995 (Cth) and other Commonwealth Acts.1 State and Territory [page 292] prosecution services play a similar role in their respective jurisdictions, and where both Commonwealth and State or Territory offences are involved, co-operative arrangements decide which agency will have carriage of a prosecution. In cybercrime cases, it is not uncommon for charges to be laid both under Commonwealth and State or Territory legislation.

12.2 CDPP prosecutions of cybercrime play an increasingly prominent role:2

Commonwealth criminal activity continues to evolve and expand reflecting changes in contemporary society and posing significant threats to Australia. Rapid technological development and the increasingly international nature of society enables innovative, highly coordinated and sophisticated criminal activity. A large part of the CDPP’s practice involves serious and organised criminal activity as offenders constantly look for vulnerabilities to exploit for criminal gain.

12.3 Prosecution services exercise considerable discretion in relation to referrals from law enforcement and other agencies, and make decisions about how to proceed according to published policies and guidelines:3

Prosecution Policy of the Commonwealth

The Prosecution Policy of the Commonwealth underpins all of the decisions made by the CDPP throughout the prosecution process and promotes consistency in decision making. It is a public document and applies to all Commonwealth prosecutions. The Prosecution Policy outlines the relevant factors and considerations which are taken into account when our prosecutors are exercising their discretion. The Policy also serves to inform the public and practitioners of the principles which guide the decisions made by the CDPP. The Prosecution Policy provides a two-stage test that must be satisfied before a prosecution is commenced:

there must be sufficient evidence to prosecute the case; and
it must be evident from the facts of the case, and all the surrounding circumstances, that the prosecution would be in the public interest.

In determining whether there is sufficient evidence to prosecute a case the CDPP must be satisfied that there is prima facie evidence of the elements of the offence and a reasonable prospect of obtaining a conviction. The existence of a prima facie case is not sufficient. [page 293] In making this decision, our prosecutors must evaluate how strong the case is likely to be when presented in court. They must take into account matters such as the availability, competence and credibility of witnesses, their likely effect on the arbiter of fact, and the admissibility of any alleged confession or other evidence. The prosecutor should also have regard to any lines of defence open to the alleged offender and any other factors that could affect the likelihood or otherwise of a conviction. The possibility that any evidence might be excluded by a court should be taken into account and, if that evidence is crucial to the case, this may substantially affect the decision whether or not to institute or proceed with a prosecution. Prosecutors need to look beneath the surface of the evidence in a matter, particularly in borderline cases.

Having been satisfied that there is sufficient evidence to justify the initiation or continuation of a prosecution, the prosecutor must then consider whether the public interest requires a prosecution to be pursued. In determining whether this is the case, prosecutors will consider all of the provable facts and all of the surrounding circumstances.

The public interest factors to be considered will vary from case to case, but may include:

whether the offence is serious or trivial;
any mitigating or aggravating circumstances;
the youth, age, intelligence, physical health, mental health or special vulnerability of the alleged offender, witness or victim;
the alleged offender’s antecedents and background;
the passage of time since the alleged offence;
the availability and efficacy of any alternatives to prosecution;
the prevalence of the alleged offence and the need for general and personal deterrence;
the attitude of the victim;
the need to give effect to regulatory or punitive imperatives; and
the likely outcome in the event of a finding of guilt.

These are not the only factors, and other relevant factors are contained in the Prosecution Policy.

12.4 Other aspects of prosecution policy may relate to the calling of witnesses, including alleged victims of offending.4 In child exploitation cases, these victims may be particularly vulnerable. There are protective provisions that may apply under Commonwealth laws; for example, allowing vulnerable [page 294] persons to give evidence remotely or using closed-circuit television (CCTV) technology. The Crimes Act 1914 (Cth) includes several such provisions:5

15YI Closed-circuit television

(1) Evidence in a proceeding from a person to whom subsection (1A) applies (the vulnerable person) must be given by means of closed-circuit television unless:
  (a) the vulnerable person is at least 16 and chooses not to give evidence by that means; or
  (b) the court orders that the vulnerable person is not to give evidence by that means; or
  (c) the court is not equipped with facilities for evidence to be given by means of closed-circuit television.
Note: Section 15YL provides for alternative arrangements if a vulnerable person does not give evidence by means of closed-circuit television.
(1A) This subsection applies to the following persons:
  (a) for a child proceeding—a child witness;
  (b) for a vulnerable adult proceeding—a vulnerable adult complainant;
  (c) for a special witness proceeding—a special witness for whom an order under subsection 15YAB(3) is in force for this section.
(2) The court must not make an order under paragraph (1)(b) unless satisfied that it is not in the interests of justice for the vulnerable person’s evidence to be given by means of closed-circuit television.
(3) This section does not affect the operation of any law in relation to the competence of a person to give evidence.

15YJ Giving evidence by closed-circuit television

(1) If the vulnerable person’s evidence is given by means of closed-circuit television from a location outside a courtroom:
  (a) that location is taken to be part of the courtroom in which the proceeding is being held; and
  (b) the court may order that a court officer be present at that location; and
[page 295]
  (c) the court may order that another person be present with the vulnerable person:
    (i) to act as an interpreter; or
    (ii) to assist the vulnerable person with any difficulty in giving evidence associated with a disability; or
    (iii) to provide the vulnerable person with other support.

12.5 Prosecutors also play an important role as ‘gatekeepers’ of the criminal justice system, including in deciding on charges that reflect fairly the level of criminality supported by available evidence, and avoiding duplicitous or overly numerous charges. In some cases, they may engage in ‘charge negotiation’ with legal representatives of a defendant, recognising that a guilty plea may relieve victims from the stress of having to give evidence in a contested proceeding.6

12.6 Prior to and during proceedings, prosecutors have to manage evidence, including witnesses who are called to give evidence in court. Importantly in cybercrime cases, technical evidence will often be adduced from ‘expert witnesses’ such as forensic examiners. The admissibility of opinion evidence from such persons is governed by numerous rules, including the specialised knowledge exception to the prohibition on opinion evidence found in the Evidence Act 1995 (Cth). This also includes specialised knowledge of matters relating to child sexual offences:7

79 Exception: opinions based on specialised knowledge

(1) If a person has specialised knowledge based on the person’s training, study or experience, the opinion rule does not apply to evidence of an opinion of that person that is wholly or substantially based on that knowledge.
(2) To avoid doubt, and without limiting subsection (1):
  (a) a reference in that subsection to specialised knowledge includes a reference to specialised knowledge of child development and child behaviour (including specialised knowledge of the impact of sexual abuse on children and their development and behaviour during and following the abuse); and
  (b) a reference in that subsection to an opinion of a person includes, if the person has specialised knowledge of the kind [page 296] referred to in paragraph (a), a reference to an opinion relating to either or both of the following:
    (i) the development and behaviour of children generally;
    (ii) the development and behaviour of children who have been victims of sexual offences, or offences similar to sexual offences.

12.7 Where juries are involved, technical evidence must be presented carefully so as to ensure proper comprehension, including in cybercrime prosecutions:8

Computer crime prosecutions very often are, or can be forced into being, a form of ‘complex litigation,’ chock full of confusing technological terms and concepts. The average juror is generally ignorant of both the theory and practice of computer science. Even ‘computer savvy’ jurors are unlikely to have the training or experience to comprehend complex issues involving networking, security theory and practice, computer architecture, operating systems, system administration, or programming. A conscientious juror may well (and should) have a problem concluding that all reasonable doubt has been eliminated by evidence that he or she does not fully understand.

12.8 Defence lawyers play the role of challenging prosecution evidence, including that of expert witnesses, and may in some cases also call their own experts. This was the situation in the following case, previously discussed in Chapter 2.9

R v Tahiraj [2014] QCA 353 (19 December 2014) at [85]–[88] (notes omitted)

The appellant emphasised that at no stage did the judge direct the jury as to how to deal with the expert evidence which was an important feature of the trial. The significant question was whether the prosecution was able to negative the hypothesis raised by the defence expert witness, Dr Schatz. In a number of areas the experts called by the prosecution disagreed with Dr Schatz. The judge gave no direction to the jury as to how to deal with these areas of conflict despite the complex nature of the expert evidence. Mr Lisman, Mr Wright and Dr Schatz, the appellant contended, agreed that any wireless attack using the appellant’s wireless network rather than a 3G connection would be visible on the intercepted traffic of the [page 297] appellant’s router. Mr Wright considered the required pineapple device would need a large, external antenna and a large power source. Dr Schatz considered the inbuilt antenna would be sufficient to capture the signal of the wireless network. Mr Wright considered a pineapple device would need to be within 30 metres of the appellant’s Toshiba laptop whereas Dr Schatz believed it could be 100 metres away if an external antenna was used. Otherwise Dr Schatz agreed with Mr Tilley that the pineapple device would need to be within 20 metres of the appellant’s router to connect to the wireless network. Mr Wright believed a device using a 3G connection would require two antennae. Mr Lisman and Mr Wright considered that any pineapple device intercepting communications between the appellant’s Toshiba laptop and router would need to be closer to the laptop than the router, whereas Dr Schatz considered it could be further away. Mr Lisman believed that an eight letter password would take 25 years to crack whereas Dr Schatz gave evidence that an eight letter password from the dictionary could be cracked in seconds. The appellant contended that the judge’s directions did not sufficiently deal with the issues in conflict between the expert witnesses. 
The judge should have tailored a direction so that the jurors knew and understood where the relevant evidence was in conflict. Gummow and Callinan JJ explained in Velevski v The Queen that conflicting expert evidence calls for careful evaluation as it deals with generally unfamiliar and technical matters and will always require careful and usually more elaborate directions from the trial judge to the jury. It is true the judge did not give the directions on expert evidence contained in the Supreme and District Court Bench Book. But as this Court explained in R v Robinson, the Bench Book is not a statute prescribing mandatory directions. The judge told the jury that they were the sole judges of fact and made clear that the critical issue in the case was whether the prosecution had negatived beyond reasonable doubt on each count the hypothesis raised by Dr Schatz that someone may have maliciously hacked into the appellant’s computer and committed the seven counts. The appellant in his contentions has rightly identified the areas of conflict between the expert witnesses in this case. But in the end the differences between them were not great. Dr Schatz’s evidence established the hypothetical possibility of someone hacking into the appellant’s computer and committing the offences without his involvement or knowledge. The prosecution case was that, on the whole of the evidence, the possibility of this occurring was not a reasonable one and could be excluded beyond reasonable doubt.

12.9 Commonwealth prosecution statistics over the last decade show a steady increase in matters under Pts 10.6 and 10.7 of the Criminal Code Act 1995 (Cth), and CDPP annual reports have since 2008–09 reported against individual offence sections. Summaries compiled from these reports follow (Tables 12.1 and 12.2).

[page 298]

Table 12.1: Commonwealth cybercrime prosecutions under the Criminal Code Act 1995 (Cth) Pt 10.6, 2008–14

[page 299]

[page 300]

Table 12.2: Commonwealth cybercrime prosecutions under the Criminal Code Act 1995 (Cth) Pt 10.7, 2008–14

[page 301]

[page 302]

Jurisdiction issues

12.10 Although some early views about cyberspace considered it to be beyond the reach of national laws, in practice most crimes involving computers and the Internet are dealt with according to traditional jurisdictional principles. The three main ways jurisdictional issues arise are in relation to whether:10

1. a state (ie, country, state or territory with its own laws) has legislative power with respect to particular conduct: ‘prescriptive jurisdiction’;
2. courts have power to hear a particular dispute or matter: ‘adjudicative jurisdiction’; and
3. law enforcement agencies have power to enforce laws: ‘enforcement jurisdiction’.

12.11 The first kind of jurisdiction, also known as ‘subject-matter’ or ‘legislative’ jurisdiction, pertains to whether the alleged crime occurred within the territory of the respective state. However, cybercrime often poses challenges in identifying where a crime occurred, and countries have to re-assess whether their procedural laws are adequate to deal with new situations. As noted by Susan Brenner (2001):11

Cybercrime is often transnational crime, which raises the issue of jurisdiction to prosecute the offender. Countries must examine their procedural law and, if necessary, amend it so they can legitimately exercise jurisdiction over cybercrimes. Traditionally, jurisdiction has been equated with territory, with the scope of a country’s being defined by the limits of its territorial boundaries. This territorial notion of jurisdiction to prosecute becomes problematic when dealing with cybercriminals. Determining where a cybercrime was ‘committed’ can be difficult, since the perpetrator and the victim can be located in different countries and since the perpetrator may utilize computer systems in several countries in the course of attacking the victim. One approach to this problem is to broaden the territorial notion of jurisdiction to prosecute so that it allows the nation to prosecute whenever the offender’s conduct occurred in whole or in part in the prosecuting nation’s territory. This approach would, for example, give the country jurisdiction to prosecute a cybercriminal (a) when both the victim(s) and the perpetrator were located in the country at the time the crime was committed and the perpetrator utilized computer technology located in that country; (b) when either the victim or the perpetrator was located in that country during the commission of the crime; and/or (c) when any part of the crime was committed, planned or facilitated in that country. Finally, countries can impose their own penal law on their citizens when the citizens are abroad, which means that a country could prosecute one of its nationals for committing a cybercrime even though the actual commission of the offense was carried out in another country [page 303] and did not have harmful effects on people or property located within the prosecuting jurisdiction. Because it exploits technology, cybercrime can create problems for investigators who must obey procedural rules crafted to deal with the investigation of crime in the ‘real world’ of physical space, not the virtual world of cyberspace. Procedural law may, for example, only provide authorization to search for and seize tangible evidence. Since the prosecution of cybercrimes usually requires collecting and analyzing intangible evidence, this omission can be a serious problem for investigators. Countries must, therefore, evaluate their procedural law governing evidence-collecting and -analysis and amend it, as necessary, so that it does not suffer from this and other limitations.

12.12 The concept of ‘territory’ as a basis for asserting jurisdiction is quite flexible, as it can relate to one or more of the following factors:12

the location of an alleged offender at the time of a crime’s commission, or its planning, facilitation etc.;
the location of an alleged offender at the time of prosecution;
the citizenship or residence of an alleged offender;
the location of any victim of the alleged crime;
the citizenship or residence of a victim; or
the location of any equipment used, including networks.

Convention on Cybercrime

12.13 The Council of Europe’s Convention on Cybercrime deals with jurisdiction and related issues in its procedural and international cooperation provisions:13

Article 22 — Jurisdiction

1 Each Party shall adopt such legislative and other measures as may be necessary to establish jurisdiction over any offence established in accordance with Articles 2 through 11 of this Convention, when the offence is committed:
a in its territory; or
b on board a ship flying the flag of that Party; or
c on board an aircraft registered under the laws of that Party; or
[page 304]
d by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

2 Each Party may reserve the right not to apply or to apply only in specific cases or conditions the jurisdiction rules laid down in paragraphs 1.b through 1.d of this article or any part thereof.

3 Each Party shall adopt such measures as may be necessary to establish jurisdiction over the offences referred to in Article 24, paragraph 1, of this Convention, in cases where an alleged offender is present in its territory and it does not extradite him or her to another Party, solely on the basis of his or her nationality, after a request for extradition.

4 This Convention does not exclude any criminal jurisdiction exercised by a Party in accordance with its domestic law.

5 When more than one Party claims jurisdiction over an alleged offence established in accordance with this Convention, the Parties involved shall, where appropriate, consult with a view to determining the most appropriate jurisdiction for prosecution.

Article 23 — General principles relating to international co-operation

The Parties shall co-operate with each other, in accordance with the provisions of this chapter, and through the application of relevant international instruments on international co-operation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.

Article 24 — Extradition

1 a This article applies to extradition between Parties for the criminal offences established in accordance with Articles 2 through 11 of this Convention, provided that they are punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period of at least one year, or by a more severe penalty.
b Where a different minimum penalty is to be applied under an arrangement agreed on the basis of uniform or reciprocal legislation or an extradition treaty, including the European Convention on Extradition (ETS No. 24), applicable between two or more parties, the minimum penalty provided for under such arrangement or treaty shall apply.

2 The criminal offences described in paragraph 1 of this article shall be deemed to be included as extraditable offences in any extradition treaty existing between or among the Parties. The Parties undertake [page 305] to include such offences as extraditable offences in any extradition treaty to be concluded between or among them.

3 If a Party that makes extradition conditional on the existence of a treaty receives a request for extradition from another Party with which it does not have an extradition treaty, it may consider this Convention as the legal basis for extradition with respect to any criminal offence referred to in paragraph 1 of this article.

4 Parties that do not make extradition conditional on the existence of a treaty shall recognise the criminal offences referred to in paragraph 1 of this article as extraditable offences between themselves.

5 Extradition shall be subject to the conditions provided for by the law of the requested Party or by applicable extradition treaties, including the grounds on which the requested Party may refuse extradition.

6 If extradition for a criminal offence referred to in paragraph 1 of this article is refused solely on the basis of the nationality of the person sought, or because the requested Party deems that it has jurisdiction over the offence, the requested Party shall submit the case at the request of the requesting Party to its competent authorities for the purpose of prosecution and shall report the final outcome to the requesting Party in due course. Those authorities shall take their decision and conduct their investigations and proceedings in the same manner as for any other offence of a comparable nature under the law of that Party.

7 a Each Party shall, at the time of signature or when depositing its instrument of ratification, acceptance, approval or accession, communicate to the Secretary General of the Council of Europe the name and address of each authority responsible for making or receiving requests for extradition or provisional arrest in the absence of a treaty.
b The Secretary General of the Council of Europe shall set up and keep updated a register of authorities so designated by the Parties. Each Party shall ensure that the details held on the register are correct at all times.

Article 25 — General principles relating to mutual assistance

1 The Parties shall afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence.

2 Each Party shall also adopt such legislative and other measures as may be necessary to carry out the obligations set forth in Articles 27 through 35.

[page 306]

3 Each Party may, in urgent circumstances, make requests for mutual assistance or communications related thereto by expedited means of communication, including fax or e-mail, to the extent that such means provide appropriate levels of security and authentication (including the use of encryption, where necessary), with formal confirmation to follow, where required by the requested Party. The requested Party shall accept and respond to the request by any such expedited means of communication.

4 Except as otherwise specifically provided in articles in this chapter, mutual assistance shall be subject to the conditions provided for by the law of the requested Party or by applicable mutual assistance treaties, including the grounds on which the requested Party may refuse co-operation. The requested Party shall not exercise the right to refuse mutual assistance in relation to the offences referred to in Articles 2 through 11 solely on the ground that the request concerns an offence which it considers a fiscal offence.

5 Where, in accordance with the provisions of this chapter, the requested Party is permitted to make mutual assistance conditional upon the existence of dual criminality, that condition shall be deemed fulfilled, irrespective of whether its laws place the offence within the same category of offence or denominate the offence by the same terminology as the requesting Party, if the conduct underlying the offence for which assistance is sought is a criminal offence under its laws.

12.14 The Convention on Cybercrime thus provides a comprehensive foundation for international harmonisation of substantive and procedural laws in relation to cybercrime, including in the provision of various cooperation mechanisms.

Australian laws

12.15 The Criminal Code Act 1995 (Cth) provides a number of different levels of jurisdictional reach, all based on geographical territory but variously extended. For cybercrime offences, the level of jurisdictional reach is ‘extended geographical jurisdiction — category A’:14

[page 307]

15.1 Extended geographical jurisdiction—category A

(1) If a law of the Commonwealth provides that this section applies to a particular offence, a person does not commit the offence unless:
(a) the conduct constituting the alleged offence occurs:
(i) wholly or partly in Australia; or
(ii) wholly or partly on board an Australian aircraft or an Australian ship; or
(b) the conduct constituting the alleged offence occurs wholly outside Australia and a result of the conduct occurs:
(i) wholly or partly in Australia; or
(ii) wholly or partly on board an Australian aircraft or an Australian ship; or
(c) the conduct constituting the alleged offence occurs wholly outside Australia and:
(i) at the time of the alleged offence, the person is an Australian citizen; or
(ii) at the time of the alleged offence, the person is a body corporate incorporated by or under a law of the Commonwealth or of a State or Territory; or
(d) all of the following conditions are satisfied:
(i) the alleged offence is an ancillary offence;
(ii) the conduct constituting the alleged offence occurs wholly outside Australia;
(iii) the conduct constituting the primary offence to which the ancillary offence relates, or a result of that conduct, occurs, or is intended by the person to occur, wholly or partly in Australia or wholly or partly on board an Australian aircraft or an Australian ship.

Note: The expression offence is given an extended meaning by subsections 11.2(1) and 11.2A(1), section 11.3 and subsection 11.6(1).

12.16 The fact that offences against Australian law can be committed outside the country raises issues of mutual legal assistance in regard to evidence-gathering, as well as extradition if suspects are required to be brought into the country for prosecution. These matters are governed by the Mutual Assistance in Criminal Matters Act 1987 (Cth) and the Extradition Act 1988 (Cth), along with a host of supporting regulations and bilateral, as well as multilateral, agreements. It should also be noted that the Convention on Cybercrime provides mechanisms for mutual assistance and extradition between signatories even in the absence of direct country-to-country agreements.

[page 308]

12.17 While there have been few if any cybercrime cases in which suspects have been extradited to Australia, the Griffiths case discussed in Chapter 7 provides a vivid example of extradition from Australia to the United States. It will be recalled that Hew Raymond Griffiths was a resident of New South Wales (NSW) who, without ever having physically travelled to the United States, was part of an online piracy group (DrinkOrDie) that committed copyright violations under that country’s laws. Griffiths’ extradition was requested by US authorities, and his eligibility to be extradited fell to be decided by a NSW magistrate. Although the initial decision was in favour of Griffiths, ruling that he was not eligible for extradition, subsequent appeals in the Federal Court of Australia and a special leave application to the High Court of Australia all went against Griffiths, and he was subsequently sent to the United States and was convicted there on a guilty plea, spending almost a year in prison there before being returned to Australia. The saga is described below:15

… in the Griffiths extradition case, there was some confusion about where the alleged crimes had actually occurred. The Magistrate considering the ‘double criminality’ test under the Extradition Act 1988 (Cth) considered that Griffiths’ conduct had occurred in the State of New South Wales, where Griffiths lived, and that this made it impossible to apply the hypothetical test of whether the conduct would have constituted an extradition offence had it occurred in New South Wales. In contrast, the Federal Court judge and the bench of the Full Federal Court asserted, respectively, that ‘it is wrong to characterise the acts of Mr Griffiths as acts physically committed in New South Wales’ and ‘the conduct constituting the offence, given its continuing character, can properly be said to have occurred in the United States and this includes Mr Griffiths’ own conduct notwithstanding his actual physical presence in New South Wales’. In these statements, the courts have identified an important characteristic of cybercrime that has few parallels in other branches of criminal law. The criminal conduct that is constituted by an offender located in Country A uploading files to servers in Country B, and joining with others in Country B and in other countries in conspiring to publish material without authorisation, is criminal conduct that occurs in Country B (and possibly also in Country A and elsewhere). This fact requires no legislative extension of jurisdiction beyond territory — it is simply the consequence of ‘action at a distance’ that is facilitated by the Internet. The consequence that an offender may be extradited to a country he has never physically visited is not novel because of any fundamental change in legal jurisdiction principles or extradition law — it is novel because this is a relatively novel way of committing crimes. The offender is being extradited to a country he has ‘virtually’ visited and in which he has committed offences.

[page 309]

Sentencing and punishment

12.18 A final set of issues to consider is the level and kinds of punishment that are appropriate to impose on those who are convicted of cybercrime offences. Some reference has already been made in Chapter 8 to sentencing considerations for child pornography offending, but it is useful to consider sentencing more generally.

12.19 For Commonwealth offences, sentencing principles and factors are mainly governed by Pt IAB of the Crimes Act 1914 (Cth), while similar State or Territory legislation applies in those jurisdictions. Matters relevant to federal sentencing are listed in s 16A of the Crimes Act 1914 (Cth):16

16A Matters to which court to have regard when passing sentence etc. — federal offences

(1) In determining the sentence to be passed, or the order to be made, in respect of any person for a federal offence, a court must impose a sentence or make an order that is of a severity appropriate in all the circumstances of the offence.
(2) In addition to any other matters, the court must take into account such of the following matters as are relevant and known to the court:
(a) the nature and circumstances of the offence;
(b) other offences (if any) that are required or permitted to be taken into account;
(c) if the offence forms part of a course of conduct consisting of a series of criminal acts of the same or a similar character— that course of conduct;
(d) the personal circumstances of any victim of the offence;
(e) any injury, loss or damage resulting from the offence;
(ea) if an individual who is a victim of the offence has suffered harm as a result of the offence—any victim impact statement for the victim;
(f) the degree to which the person has shown contrition for the offence:
(i) by taking action to make reparation for any injury, loss or damage resulting from the offence; or
(ii) in any other manner;
[page 310]
(fa) the extent to which the person has failed to comply with:
(i) any order under subsection 23CD(1) of the Federal Court of Australia Act 1976; or
(ii) any obligation under a law of the Commonwealth; or
(iii) any obligation under a law of the State or Territory applying under subsection 68(1) of the Judiciary Act 1903;
about pre-trial disclosure, or ongoing disclosure, in proceedings relating to the offence;
(g) if the person has pleaded guilty to the charge in respect of the offence— that fact;
(h) the degree to which the person has co-operated with law enforcement agencies in the investigation of the offence or of other offences;
(j) the deterrent effect that any sentence or order under consideration may have on the person;
(k) the need to ensure that the person is adequately punished for the offence;
(m) the character, antecedents, age, means and physical or mental condition of the person;
(n) the prospect of rehabilitation of the person;
(p) the probable effect that any sentence or order under consideration would have on any of the person’s family or dependants.

12.20 For those convicted of Commonwealth offences, sentencing options include imprisonment, fines and a range of orders that may be imposed, including release on recognisance orders, good behaviour bonds and deferred sentencing. Capital and corporal punishment have been abolished.17 Sentencing for computer-related crimes exhibits considerable variation, in part due to the fact that courts may be unfamiliar with newer forms of offending, but also because many of those being prosecuted are relatively young, with no or few prior criminal convictions. Some judges have resorted to fairly creative orders in response to computer misuse, such as forfeiture of computer equipment or restrictions on usage of computers and the Internet.18

12.21 A recent addition to these sentencing provisions has been the opportunity for victims to be able to make a victim impact statement (VIS) in [page 311] order to make clear to sentencing courts the impact that offending has had on them. This addition is found in s 16AAA of the Crimes Act 1914 (Cth), added in 2013:19

16AAA Victim impact statements

(1) A victim impact statement, for an individual who is a victim of an offence, is an oral or written statement for which the following requirements are satisfied:
(a) the statement must be made by one of the following:
(i) the individual;
(ii) if the court gives leave, a member of the individual’s family;
(iii) a person appointed by the court;
(b) the statement must describe the impact of the offence on the victim, including details of the harm suffered by the victim as a result of the offence;
(c) if the statement is written, the statement must be:
(i) signed or otherwise acknowledged by the maker of the statement; and
(ii) given to both the prosecutor and the offender (or the offender’s legal representative) at a reasonable time before the hearing for determining the sentence to be passed on the offender;
(d) if the statement is to be oral, a written or oral summary of the statement must be given to both the prosecutor and the offender (or the offender’s legal representative) at a reasonable time before the hearing for determining the sentence to be passed on the offender.
(2) However, the court may order that the requirement in paragraph (1)(d) does not apply to a particular oral statement.
(3) The Minister may, in writing, prescribe a form for victim impact statements. Such a form does not restrict how victim impact statements may be made.
(4) The Minister may delegate, in writing, his or her power under subsection (3) to:
(a) the Secretary of the Department; or
(b) an SES employee, or acting SES employee, in the Department.

[page 312]

12.22 A consideration for judges faced with sentencing offenders who have violated vulnerable victims is to properly understand the effects of the crimes, even in the absence of a victim impact statement. In the case of R v Tahiraj, discussed above ([12.8], and also see [2.22]), the sentencing judge had noted that intimate material posted online is impossible to remove completely as copies are posted to different sites. This can lead to further victimisation, as described in the case:20

In January 2009 the appellant posted a recording of the incident constituting count 1, both conversation and video, on the internet and bragged triumphantly about it. Strangers began to pester and abuse her on the internet. On 8 April 2009 police went to her school and interviewed her. She asked for her student boyfriend to be present. At that stage she had told no-one what had happened. She had no adult support and she did not seem to have been told she was not obliged to participate. Thrice during the interview she told police she did not want to talk about it but they persisted. Only after sustained questioning did she reluctantly provide details. Whilst she had not given a victim impact statement, she undoubtedly felt humiliated and embarrassed at the time of the original incident (count 1) and when the video of it was posted on the internet (count 3). There was no suggestion that anyone who knew her was aware of the incident. Her internet acquaintances knew her only by her user name. She seemed to have dealt with the situation sensibly and there was no evidence of any continuing distress. The police interview was seriously concerning. Police made no attempt to contact her parents or grandparents. They interviewed her at school in the context where ordinary discipline required her to answer their questions. Police initially misled her as to the subject matter of the proposed interview which continued without an adult support person. She was not told she was under no obligation to answer questions. The police ignored her statement that she did not want to talk about it and continued their questioning, pressing her for answers in front of her boyfriend. The police interview was the most humiliating and embarrassing part of her whole experience. This was an example of why victims of sex crimes are often reluctant to report them.

12.23 While it is hard to predict developments in sentencing for cybercrime, one prospect is that offenders will seek to rely on forms of ‘computer addiction’ as a mitigating factor. Although this has not featured significantly in reported Australian proceedings, academic literature suggests it may be relied upon in the future:21

In sentencing hearings, it is likely that offenders will raise a range of new mitigating considerations. In view of the ever-expanding use of personal computers, it is likely that ‘computer addiction’ (or ‘internet addiction disorder’) will be raised more often as a mitigating factor, or even as a defence vitiating intent.

[page 313]

12.24 A countervailing consideration is that some cyber offenders, sentenced to imprisonment and having no other outlet for their computer skills, may educate other inmates in ways that improve their prospects on release.22 Alternatively, a condition of sentencing or supervised release may be that offenders engage in some forms of community service, such as educating the public about the dangers of becoming involved in cybercrime.23

12.25 Finally, more attention may need to be redirected from punishment of the cybercrime offender to restoration of affected victims and communities. It was noted in Chapter 6 that legislative provisions have been introduced in the Criminal Code Act 1995 (Cth) to assist identity theft victims in recovering their misused personal and financial details.24 Australian legislative and other responses to cybercrime at all levels would benefit from an approach that seeks to enhance resilience and recovery on the part of computers, computer systems, data, individuals and communities.

[page 314]

Questions for consideration

1. The Commonwealth Director of Public Prosecutions (CDPP) Prosecution Policy of the Commonwealth — Guidelines for the Making of Decisions in the Prosecution Process includes the following guidance:25

2.2 The decision whether or not to prosecute is the most important step in the prosecution process. In every case great care must be taken in the interests of the victim, the suspected offender and the community at large to ensure that the right decision is made. A wrong decision to prosecute or, conversely, a wrong decision not to prosecute, both tend to undermine the confidence of the community in the criminal justice system.

2.3 It follows that the objectives previously stated — especially fairness and consistency — are of particular importance. However, fairness need not mean weakness and consistency need not mean rigidity. The criteria for the exercise of this discretion cannot be reduced to something akin to a mathematical formula; indeed it would be undesirable to attempt to do so. The breadth of the factors to be considered in exercising this discretion indicates a candid recognition of the need to tailor general principles to individual cases.

How does this apply in cybercrime cases? What (if any) particular considerations arise?

2. In K Soukieh, ‘Cybercrime — The Shifting Doctrine of Justification’ (2011) 10(1) Canberra Law Review 221, an infamous case is discussed:

It is worth mentioning here the controversial case of Vasiliy Gorshkov, who was sentenced to thirty-six months in a US prison after being convicted on 20 counts of conspiracy, various computer crimes, and fraud committed against the Speakeasy Network of Seattle, Washington. Gorshkov had been lured from Russia to the US by FBI agents posing as potential employers, and then arrested. There being no extradition treaty between the two countries, and limited cooperation between law enforcement agencies, the FBI sourced their information about Gorshkov by hacking a pair of computers in Russia. In an unprecedented response the Russian Federal Security Service charged the agent (Michael Schuller) with ‘unauthorised accesses’. Whatever the merits of these charges, the whole incident shows how, in the absence of any international consensus, enforcement activities can be misconstrued as either an attack on national sovereignty, or, as in [this example], be open to politicisation.

Where international co-operation is lacking, are such methods justifiable in order to bring cyber criminals to justice? What are the risks involved?

3. In D R Mason, ‘Sentencing Policy and Procedure as Applied to Cyber Crimes: A Call for Reconsideration and Dialogue’ (2006–07) 76 Mississippi Law Journal 903, the following questions are raised (at 907):

Does the digital and Internet age challenge or require us to re-examine our notions of case disposition and punishment? What should we do differently? If our goals may be different with regard to cyber criminals, what should our primary sentencing goals be? Do we seek to impose punishment that approximately equals the harm done, or do we focus on deterrence? Do we seek to rehabilitate offenders, or should we focus on protecting the public through incapacitation? Should our sentencing practices and concerns focus more on the offender or on the harm caused to victims?

What sentencing policies would you favour in responding to cybercrime?

1. Director of Public Prosecutions Act 1983 (Cth).

2. Commonwealth Director of Public Prosecutions: .

3. Commonwealth Director of Public Prosecutions: .

4. Commonwealth Director of Public Prosecutions: .

5. Crimes Act 1914 (Cth) Part IAD — Protecting vulnerable persons includes provisions on admissibility of sexual reputation evidence, cross-examination and use of CCTV and video recordings. These provisions apply in specified proceedings, including those involving charges under Div 474 of the Criminal Code Act 1995 (Cth) for online child exploitation offences (s 15Y).

6. R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, Ch 3: ‘The Prosecutor as Gatekeeper’; see also C Corns, Public Prosecutions in Australia: Law, Policy and Practice, Thomson Reuters, 2014.

7. As amended by the Evidence Amendment Act 2008 (Cth). The admissibility of child sexual abuse evidence from experts has been the subject of cases such as HG v The Queen (1999) 197 CLR 414.

8. W E Sprague, ‘Uncharted Waters: Prosecuting Phishing and Online Fraud Cases’ (2006) 1 Journal of Digital Forensic Practice 143, cited in G Urbas and K-K R Choo, ‘Resource Materials on Technology-Enabled Crime’, Technical and Background Paper no. 28, Australian Institute of Criminology, 2008.

9. The defendant’s appeal against conviction for offences including hacking using a remote access tool (RAT) known as ‘Poison Ivy’ and procuring a child under the age of 16 years was not successful.

10. J Clough, Principles of Cybercrime, Cambridge University Press, 2010, pp 405–6.

11. S Brenner, ‘Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law’ (2001) Murdoch University Electronic Journal of Law at [56]–[57] (notes omitted).

12. See D Ireland-Piper, ‘Extraterritorial Criminal Jurisdiction: Does the Long Arm of the Law Undermine the Rule of Law?’ (2012) 13 Melbourne Journal of International Law 122.

13. Council of Europe, Convention on Cybercrime. Article 22 is in Section 3 of Chapter II — Measures to be taken at the national level; while Arts 23–25 are in Chapter III — International cooperation, along with articles relating to spontaneous information, mutual assistance, trans-border access, etc.

14. Criminal Code Act 1995 (Cth) ss 475.2 and 476.3, respectively applying extended geographical jurisdiction—category A to Pts 10.6 and 10.7; see also G Urbas, ‘Cybercrime, Jurisdiction and Extradition: The Extended Reach of Cross-Border Law Enforcement’ (2012) 16(1) Journal of Internet Law 7. Note that for terrorism offences under the Criminal Code Act 1995 (Cth), the widest form of jurisdiction (Category D) is applied, not requiring any nexus to Australia (thus ‘universal jurisdiction’).

15. G Urbas, ‘Cybercrime, Jurisdiction and Extradition: The Extended Reach of Cross-Border Law Enforcement’, note 14 above, citing the Federal Court proceedings of United States of America v Griffiths [2004] FCA 879 (7 July 2004); Griffiths v United States of America [2005] FCAFC 34 (10 March 2005); and the High Court leave application in Griffiths v United States of America [2005] HCATrans 666 (2 September 2005).

16. These provisions are to be applied by all courts sentencing offenders for Commonwealth offences, including the State and Territory courts. See also ALRC Report 103, Same Crime, Same Time: Sentencing of Federal Offenders (2006): .

17. Crimes Act 1914 (Cth) s 16D (No corporal punishment); Death Penalty Abolition Act 1973 (Cth).

18. R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, note 6 above, Ch 7: ‘Judicial Punishment in Cyberspace’; and Ch 8: ‘Sentencing Cyber Criminals’. Note that restrictions on computer use may also feature as bail conditions or in sentencing for other crimes.

19. Added by the Crimes Legislation Amendment (Law Enforcement Integrity, Vulnerable Witness Protection and Other Measures) Act 2013 (Cth).

20. R v Tahiraj [2014] QCA 353 (19 December 2014) at [114], [118].

21. K-K R Choo, R Smith and R McCusker, ‘Future Directions in Technology-Enabled Crime: 2007–09’, Research and Public Policy Series no. 78, Australian Institute of Criminology, 2007, p 89; see also M Griffiths, ‘Does Internet and Computer “Addiction” Exist? Some Case Study Evidence’ (2000) 3(2) Cyber Psychology and Behaviour 211.

22. R M Foley and J Gao, ‘Correctional Education: Characteristics of Academic Programs Servicing Incarcerated Adults’ (2004) 55(1) Journal of Correctional Education 6.

23. A case where a convicted offender was required to undertake community service including ‘instructing the public on the dangers of hacking’ is noted in R Smith, P Grabosky and G Urbas, Cyber Criminals on Trial, note 6 above, p 122.

24. Criminal Code Act 1995 (Cth) Division 375 — Victims’ certificates. There may be other forms of cybercrime for which similar victim assistance mechanisms would be of benefit. A promising example is the Enhancing Online Safety for Children Act 2015 (Cth), which allows victims of online bullying to take steps to have offending content removed.

25. Commonwealth Director of Public Prosecutions, Prosecution Policy of the Commonwealth — Guidelines for the Making of Decisions in the Prosecution Process, 2014, p 4: .

Index

References are to paragraph

A access, unauthorised Australian legislation …. 2.16 Criminal Code Act 1995 (Cth) …. 2.17–2.38 Convention on Cybercrime provisions …. 2.5–2.14 key elements of …. 2.6 Criminal Code Act 1995 (Cth) …. 2.17–2.38 unauthorised modification, application to …. 3.24–3.27 exceeding authorised access …. 2.8 early Australian prosecutions …. 2.10 external early cases …. 2.12 lack of early prosecutions …. 2.11 fraud brought about by …. 5.19 R v Idolo …. 5.19 meaning …. 2.8 password, unauthorised use of …. 2.18 remote access …. 2.8 s 474.14 Criminal Code Act 1995 (Cth) …. 2.23–2.26 absolute liability …. 2.25

foreign law, inclusion of offence against …. 2.25 impossibility no bar to prosecution …. 2.26 penalty …. 2.25 R v Columbus prosecution under …. 2.28 s 477.1 contrasted …. 2.27 telecommunications network, involvement of …. 2.25 terrorism offences, used in combination with …. 2.29 two offences under …. 2.24 ss 476.1–476.2 Criminal Code Act 1995 (Cth) …. 3.15–3.16 malware makers and users, application to …. 3.16 modification, definition …. 3.15 unauthorised access, modification or impairment …. 3.15 s 477.1 Criminal Code Act 1995 (Cth) …. 2.19–2.22 elements of …. 2.20 forms of offences under …. 2.19 manipulation of victims by hacking …. 2.22 scope of application …. 2.21 s 474.14 contrasted …. 2.27 s 478.1 Criminal Code Act 1995 (Cth) …. 2.30–2.32 Anders v Anders …. 2.32 mobile phones, application to …. 3.26 nature of offence …. 2.31 restricted data definition …. 2.30 scope of …. 2.31 shoulder surfing …. 2.18 unauthorised interception differentiated …. 2.33 addiction, computer

mitigating factor, claims of …. 12.23 advance fee scams see also fraud, online; scams, online Nigerian 419 …. 1.9, 5.7 online scam …. 5.7 variants …. 5.8 Anders v Anders s 478.1, consideration of …. 2.32 Australian Capital Territory legislative provisions child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23 fraud offences …. 5.14 grooming and procuring …. 9.9 stalking offences …. 10.4 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13 automatic teller machines see also credit card skimming fraud and Kennison v Daire …. 5.17 shoulder surfing …. 6.12

B

botnets botmasters, prosecutions …. 3.5 DDoS attacks botnets, launched by …. 4.0 nature of …. 3.4, 3.12, 3.33 Operation Titstorm …. 3.31, 4.2 R v Walker …. 4.3 victims …. 4.1–4.2 nature of …. 3.4 purposes used for …. 3.4 robustness of …. 3.4 tool of cybercrime, as …. 1.15 Brown v Tasmania computer-related fraud prosecution …. 5.16

C

capable guardians absence of and ‘routine activity theory’ …. 1.18 child grooming age of consent …. 9.8 Australia, legislative provisions …. 9.9 Carly Ryan, Australian case of …. 9.5 children new technologies, use of …. 9.4 Convention on Cybercrime, no reference to …. 1.13 covert online investigations …. 9.21

admissibility of evidence so obtained …. 9.23, 9.26 AFP and FBI joint investigation …. 9.25 assumed identity authorities …. 9.28 controlled operations certificates …. 9.28 police aiding/abetting argument …. 9.27 R v Priest …. 9.25–9.26 R v Stubbs …. 9.21–9.22 Criminal Code Act 1995 (Cth) age of recipient …. 9.16–9.20 mental state, requisite …. 9.16–9.18 s 474.25 reporting obligations …. 8.24 s 474.25A engaging in sexual activity using a carriage service …. 9.10–9.11 s 474.26 procuring using a carriage service …. 9.12 s 474.27 grooming using a carriage service …. 9.13 s 474.27A transmission of indecent communication …. 9.15 s 474.29 defences …. 9.18 sexual activity not required …. 9.14 early predatory behaviour, focus on …. 9.6 first prosecution in United Kingdom …. 9.4 Lanzarote Convention provisions …. 9.7 nature of …. 9.0, 9.2 predators mask identity and age …. 9.3 new technologies, use of …. 9.2 process of …. 9.2 targeting of victims …. 9.1

webcam child exploitation …. 9.29–9.32 webcam child sex tourism (WCST) …. 8.5, 9.29 Australian prosecutions, recent …. 9.32 operational structures of …. 9.31 purchasers as accessories …. 9.32 ‘Sweetie’ investigation …. 9.29–9.31 child pornography abuse of children in production of …. 8.31 AFP power to block websites …. 11.20 arrest rates …. 8.2 artistic or literary works …. 8.14 Holland v The Queen …. 8.14 Australian laws …. 8.8–8.17 availability of, growth …. 8.1 child exploitation manipulation of by hacking software …. 2.22 s 477.1 prosecution under …. 2.22 child sex offender register …. 8.32 Combating Paedophile Information Networks in Europe (COPINE) …. 8.25 Commonwealth DPP statement on child exploitation …. 8.8 telecommunications-based offences, purpose of …. 8.8 conduct, offending …. 8.16 Convention on Cybercrime offences under …. 1.13, 8.6–8.7 Criminal Code Act 1995 (Cth) s 474.19 offences …. 8.17 s 474.20 offences …. 8.17

s 474.21 defences …. 8.17–8.18 s 474.24 aggravated forms of offences …. 8.18 definitions Criminal Code Act 1995 (Cth) …. 8.9–8.11 State and Territory provisions …. 8.11 importation of material, prosecutions …. 8.20 Internet illegal content, prosecutions …. 8.20 live abuse transmissions …. 8.4 constructive presence of participants …. 8.4 webcam child sex tourism (WCST) …. 8.5 offenders, types of …. 8.26–8.28 prevalence of …. 8.0 s 474.25 Criminal Code Act 1995 (Cth) reporting obligations on ISPs or ICHs …. 8.24 sentencing …. 8.29 abuse of children in production of …. 8.31 factors to consider in …. 8.30 penalties, increases in …. 8.29 seriousness of offences, determining …. 8.25 COPINE scales of severity …. 8.25 offenders, types of …. 8.26–8.28 typology of offending …. 8.28 sexting ISP reporting obligations …. 8.24 nature of …. 8.21 non-consensual …. 8.23 prosecution of minors …. 8.21–8.22

sexual pose/sexual activity meaning …. 8.15 ‘low level’ cases …. 8.15 R v Silva …. 8.15 State and Territory legislative offences and penalties …. 8.19 terminology …. 8.6 child abuse material …. 8.6 child exploitation material …. 8.6 typology of online offending …. 8.28 victim identification and rescue …. 8.3 virtual pornographic images …. 8.12 cartoon depictions …. 8.13 McEwen v Simmons …. 8.13 virtual private networks (VPNs) trade through …. 8.1 child sexual offences see child grooming; child pornography Commonwealth Crimes Act 1914 (Cth) …. 3.14 DPP (Cth) v Rogers …. 3.14 unauthorised modification offences …. 3.14 Cybercrime Act 2001 (Cth) see Criminal Code Act 1995 (Cth); Cybercrime Act 2001 (Cth) legislative provisions child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23 fraud offences …. 5.14 grooming and procuring …. 9.9

stalking offences …. 10.4 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13 prosecutions see prosecutions telecommunications, power to legislate in respect of …. 1.11 computer disk impairment of data held on …. 4.11 computer systems see also data; hacking access meaning …. 2.8 remote …. 2.8 unauthorised see access, unauthorised Convention on Cybercrime, offences under access, illegal …. 1.13, 2.5 data interference …. 1.13 devices, misuse of …. 1.13 interception, illegal …. 1.13 system interference …. 1.13 definition …. 2.5 content Convention on Cybercrime, offences under …. 1.13 child pornography …. 1.13 racist and xenophobic material …. 1.13 legal response to illegal or harmful …. 1.1 Convention on Cybercrime

access, illegal key elements of …. 2.6 offence of …. 1.13, 2.5 Australia, ratification and adoption of …. 1.13 categories of offences …. 1.13 excluded offences …. 1.14 interception, illegal key elements of …. 2.6 offence of …. 1.13, 2.5 international co-operation provisions …. 1.13 optional protocol …. 1.13 racist acts, criminalisation …. 1.14 paramount international agreement on …. 1.16 procedural provisions …. 1.13 reflection of technology at time of drafting …. 1.15 signatories …. 1.13 unauthorised access see access, unauthorised unauthorised impairment see impairment, unauthorised unauthorised interception see interception, unauthorised unauthorised modifications see modifications, unauthorised cookies modification, whether …. 3.22 Copyright Act 1968 (Cth) commercial-scale infringement …. 7.16 criminal or civil charges …. 7.12 infringement notice scheme …. 7.18 infringement offences under …. 7.14

infringing copy, definition …. 7.15 Ng, Tran and Le early prosecution for online infringement …. 7.11 offences under …. 7.16–7.17 online crimes, no specific provisions …. 7.10 Criminal Code Act 1995 (Cth) provisions, application of …. 7.10 prosecution statistics …. 7.21 Duarte prosecution …. 7.22 Ly v The Queen …. 7.23 penalties imposed in successful …. 7.22 s 132AC commercial-scale infringement …. 7.16 s 132AD making infringing copy commercially …. 7.18 fault element of offences …. 7.19 indictable and summary offences …. 7.18 strict liability offences …. 7.18 intermediaries, application to …. 7.20 copyright crimes, online Australian laws Copyright Act 1968 (Cth) …. 7.11 online infringement, no specific laws …. 7.10 s 474.14 Criminal Code Act 1995 (Cth) …. 7.10 s 477.1 Criminal Code Act 1995 (Cth) …. 7.10 s 477.2 Criminal Code Act 1995 (Cth) …. 7.10 s 478.1 Criminal Code Act 1995 (Cth) …. 7.10 categories of and protective provisions …. 7.2 Convention on Cybercrime offences under …. 1.13, 7.8

scope of …. 7.9 Copyright Act see Copyright Act 1968 (Cth) counterfeit trademark goods definition …. 7.5 forms of …. 7.6–7.7 non-physical items …. 7.7 criminal penalties for …. 7.3–7.4, 7.12 civil remedies, whether more appropriate …. 7.12 file-sharing services …. 7.24 BitTorrent technology …. 7.24 United States enforcement against file-sharers …. 7.24 intellectual property definition …. 7.1 protection of rights …. 7.2 intellectual property crime …. 7.13 online infringement, nature of …. 7.0 online piracy prosecution ‘DrinkOrDie’ case …. 7.25, 12.17 extradition proceedings …. 7.26 pirated copyright goods, definition …. 7.5 Trade-Related Aspects of Intellectual Property Rights (TRIPs) Agreement …. 7.4 Council of Europe Convention on Cybercrime see Convention on Cybercrime covert investigations see also investigating cybercrime access to stored data, authorisations and warrants …. 11.26

assumed identity authorities …. 9.28, 11.30 child grooming, as to …. 9.21 admissibility of evidence so obtained …. 9.23, 9.26 AFP and FBI joint investigation …. 9.25 assumed identity authorities …. 9.28 controlled operations certificates …. 9.28 police aiding/abetting argument …. 9.27 R v Priest …. 9.25–9.26 R v Stubbs …. 9.21–9.22 controlled operations certificates …. 9.28, 11.30 interceptions, authorisations and warrants …. 11.26 surveillance device warrants …. 11.29 credit card impairment of data held on …. 4.11 credit card skimming as part of larger criminal schemes …. 6.0 Australian losses due to …. 6.14 Convention on Cybercrime provisions applicable to …. 6.15 Criminal Code Act 1995 (Cth) financial information offences …. 6.16–6.19 identity crime offences …. 6.20–6.22 financial information offences …. 6.16–6.19 dealing in …. 6.16–6.17 deceptive conduct and …. 6.16–6.17 personal financial information, definition …. 6.16 R v Zehir …. 6.18 s 480.4 Criminal Code Act 1995 (Cth) …. 6.17

s 480.5 Criminal Code Act 1995 (Cth) …. 6.17 s 480.6 Criminal Code Act 1995 (Cth) …. 6.17 foreign national arrested for …. 6.14 Hancock v R credit cards, dealing in stolen details …. 6.19 nature of …. 5.7 skimmed data, uses of …. 6.13 techniques used …. 6.12 Crimes Act 1914 (Cth) assumed identity authorities …. 9.28, 11.30 controlled operations certificates …. 9.28, 11.30 search and seizure provisions s 3K …. 11.3 s 3L …. 11.5 s 3LA …. 11.9, 11.24 s 3LAA …. 11.8 sentencing principles and factors s 16A …. 12.19 unauthorised modification, offences of …. 3.14 DPP (Cth) v Rogers …. 3.14 Criminal Code Act 1995 (Cth) Cybercrime Act 2001 (Cth) additions to …. 1.11 s 474.14 anti-terrorism prosecutions …. 2.29 copyright offences …. 7.10 unauthorised access provisions …. 2.23 s 474.19

child pornography …. 8.17 s 474.20 child pornography …. 8.17 s 474.21 child pornography defences …. 8.17 s 474.24 aggravated child pornography …. 8.17 s 474.25 ISP reporting obligations …. 8.24 s 474.25A engaging in sexual activity using a carriage service …. 9.10–9.11 s 474.26 procuring using a carriage service …. 9.12 s 474.27 grooming using a carriage service …. 9.13 s 474.27A transmission of indecent communication …. 9.15 s 474.29 defences to child sexual exploitation offences …. 9.18 ss 476.1–476.2 malware …. 3.16 unauthorised access provisions …. 3.15 unauthorised impairment …. 4.7 s 477.1 child pornography …. 2.22 copyright offences …. 7.10 fraud, online …. 2.21

hacking …. 2.21 unauthorised access provisions …. 2.19 unauthorised impairment …. 4.8 s 477.2 copyright offences …. 7.10 unauthorised modification …. 3.17–3.23 s 477.3 unauthorised impairment …. 4.9 s 478.1 copyright offences …. 7.10 unauthorised access provisions …. 2.30 unauthorised modification …. 3.24–3.27 s 478.2 unauthorised impairment …. 4.11 s 480.4 financial information offences …. 7.10 identity crimes …. 6.17 s 480.5 financial information offences …. 7.10 identity crimes …. 6.17 s 480.6 financial information offences …. 7.10 identity crimes …. 6.17 criminal laws cybercrimes prosecuted under existing laws …. 1.9 no existing applicable to cybercrime, where …. 1.9–1.10 Criminal procedure law

legal response to cybercrime …. 1.1 critical infrastructure impairment of …. 4.14 R v Boden …. 4.22–4.23 Stuxnet …. 4.33 terrorist act, Criminal Code Act 1995 (Cth) definition …. 4.24 vulnerability of …. 4.15 cyber espionage commercial and industrial …. 4.30 national security and …. 4.30 cyberwarfare …. 4.32–4.35 legislation …. 4.31 state secrets, prohibitions on unauthorised access/disclosure …. 4.30 Stuxnet …. 4.33 Cyber Security Strategy Australian Government’s …. 4.16 critical infrastructure impairment of …. 4.14 vulnerability of …. 4.15 cyberterrorism, risks of …. 4.21 cyberbullying see also cyberstalking and harassment Children’s e-Safety Commissioner …. 10.16 powers and role …. 10.16 removal of material, notices requiring …. 10.19 definition …. 10.14 Enhancing Online Safety for Children Bill 2014 (Cth) …. 10.16

Enhancing Online Safety for Children Act 2015 (Cth) Children’s e-Safety Commissioner …. 10.19 complaints about material, provisions as to …. 10.18 definitions …. 10.17 nature of …. 10.14 proliferation and diversification …. 10.14–10.15 revenge porn …. 10.31 suicide, urging or assisting …. 10.20 discussions or debates exemption …. 10.22 s 474.29A Criminal Code Act 1995 (Cth) …. 10.21 suicide pacts …. 10.22 vilification …. 10.23 Additional Protocol to the Convention on Cybercrime …. 10.24 Australian laws …. 10.25 voyeurism …. 10.26–10.30 Crimes Act 1900 (NSW) offences under …. 10.28 R v McDonald and Deblaquiere …. 10.30 upskirting and downblousing …. 10.27 Victoria, legislative provisions …. 10.29 cybercrime descriptors of …. 1.3–1.4 examples of …. 1.5 expanded definition …. 1.5 categories of …. 1.5–1.6 investigating see investigating cybercrime issues in combatting accessibility …. 1.18

anonymity …. 1.18 capable guardians, absence of …. 1.18 global reach …. 1.18 portability and transferability …. 1.18 scale of Internet use …. 1.18 meaning …. 1.0–1.8 new forms of criminality, whether …. 1.6 tools of …. 1.15 traditional criminal law categories and …. 1.2 Cybercrime Act 2001 (Cth) see also Criminal Code Act 1995 (Cth) amendments to Crimes Act 1914 (Cth) …. 11.1 amendments to Criminal Code Act 1995 (Cth) …. 4.9 amendments to Customs Act 1901 (Cth) …. 11.1 definitions access to data held in a computer …. 2.17 unauthorised access, modification and impairment …. 2.17 scope of …. 1.11–1.12 shoulder surfing …. 2.18 State or Territory offences falling under …. 2.21 unauthorised access, modification and impairment definition …. 2.17 intention to commit a serious offence, with …. 2.19 non-electronic means, through …. 2.18 offences …. 2.17 password, unauthorised use of another person’s …. 2.18 cyberspace

term …. 1.4 cyberstalking and harassment Australia, legislative provisions …. 10.4 Australian prosecution R v Henderson …. 10.3 Convention on Cybercrime, not referred to …. 1.13 Criminal Code Act 1995 (Cth) menacing, harassing or offensive meaning …. 10.8 method or volume may cause the harassment …. 10.6 no specific stalking offence …. 10.5 reasonable person standards …. 10.7 s 474.15 threat, using a carriage service to make …. 10.7 s 474.16 hoax threat, using a carriage service to make …. 10.7 s 474.17 menace or harass, using a carriage service to …. 10.7 s 477.1, application to …. 2.21 cross-jurisdictional application …. 10.12 cyberbullying see cyberbullying definitions, State and Territory …. 10.2 existing stalking legislation, application to electronic …. 10.10 cross-jurisdictional issues …. 10.10–10.11 DPP v Sutcliffe …. 10.10 methods of …. 10.1 nature of …. 10.1 revenge porn …. 10.31 suicide, urging or assisting …. 10.20 discussions or debates exemption …. 10.22 s 474.29A Criminal Code Act 1995 (Cth) …. 10.21

suicide pacts …. 10.22 telephone, harassment by …. 10.9 Crowther v Sala …. 10.9 trolling …. 10.13 R v Hampson …. 10.13 vilification …. 10.23 Additional Protocol to the Convention on Cybercrime …. 10.24 Australian laws …. 10.25 voyeurism …. 10.26–10.30 Crimes Act 1900 (NSW) offences under …. 10.28 R v McDonald and Deblaquiere …. 10.30 upskirting and downblousing …. 10.27 Victorian legislative provisions …. 10.29 cyberterrorism advocating terrorism, offence of …. 4.29 Convention on Cybercrime, not referred to …. 1.13 critical infrastructure impairment of …. 4.14, 4.19 R v Boden …. 4.22–4.23 vulnerability of …. 4.15 Cyber Security Strategy …. 4.21 definition, no universally accepted …. 4.17 Internet planning of, prosecution R v Lodhi …. 4.27 meaning …. 4.17–4.18 risk of, varying assessments …. 4.20 terrorist act, definition …. 4.24

cybervandalism see also hacktivism; modification, unauthorised cyberwarfare Australia, potential impact …. 4.34 emergence of …. 4.32 law of armed conflict, application of …. 4.35 Stuxnet …. 4.33

D

data see also modification, unauthorised computer data definition …. 2.5 Convention on Cybercrime procedural provisions as to …. 1.13 definition …. 2.5 metadata purposes used for …. 11.23 retention and securing obligations …. 11.23 what constitutes …. 11.23 Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) fixed retention periods under …. 11.21 motivations for …. 11.22 definitions and meanings access to a computer system …. 2.8 communication …. 2.33 computer data …. 2.5 computer system …. 2.5

counterfeit trademark goods …. 7.5 cybercrime …. 1.0, 1.5 forged document …. 5.21 fraud, common law definition …. 5.14 hacking …. 2.1 identity crime …. 6.2 identity fraud …. 6.2 identity theft …. 6.2 impairment of electronic communication to or from a computer …. 4.7 intellectual property …. 7.1 modification …. 3.15 pirated copyright goods …. 7.5 restricted data …. 2.30 spam …. 5.25 telecommunications service …. 2.33 telecommunications system …. 2.33 terrorist act …. 4.24 unauthorised access, modification or impairment …. 3.15 designs protective provisions …. 7.2 distributed denial-of-service (DDoS) attacks botnets, launched by …. 4.0 nature of …. 3.4, 3.12, 3.33 Operation Titstorm …. 3.31, 4.2 R v Walker …. 4.3

victims …. 4.1–4.2 Duarte online copyright infringement prosecution …. 7.22 Ly v The Queen …. 7.23

E

economic criminal law legal response to cybercrime …. 1.1 encryption software investigators compelling assistance as to …. 11.9, 11.24 s 3LA Crimes Act 1914 (Cth) …. 11.9, 11.24 use of power, extent …. 11.10 TrueCrypt, deniable software …. 1.15 extradition Convention on Cybercrime, provisions as to …. 1.13, 12.13 ‘DrinkOrDie’ prosecution and extradition case …. 7.25–7.26, 12.17 Extradition Act 1988 (Cth) …. 12.16

F

forgery, online as part of larger criminal schemes …. 6.0 Australian forgery offences …. 5.23 application of existing laws to …. 5.22 counterfeit currency …. 5.24 Convention on Cybercrime offences under …. 1.13, 5.10

scope of …. 5.11 forged document, meaning …. 5.21 identity documents see identity crimes fraud, online as part of larger criminal schemes …. 6.0 Australian fraud offences laws …. 5.14 adaptation of existing to online prosecutions …. 5.15 Brown v Tasmania …. 5.16 automated systems and …. 5.18 Kennison v Daire …. 5.17 capable of prosecution under existing law, where …. 1.9 common law definition of fraud …. 5.14 Convention on Cybercrime offences under …. 1.13, 5.10 scope of …. 5.12 Criminal Code Act 1995 (Cth) s 477.1, application to …. 2.21 financial motivation of …. 5.1 identity documents see identity crimes online scams see scams, online responses to scams …. 5.20 unauthorised access or modification, by …. 5.19 R v Idolo …. 5.19

H

hacker

see also hacking; hacktivism Black Hats …. 2.2 changes in meaning of …. 2.1 Grey Hats …. 2.2 inter-generational conflicts …. 2.1 White Hats …. 2.2 modifications by …. 3.8 hacking Criminal Code Act 1995 (Cth) s 477.1, application to …. 2.21 early cases of …. 2.12 hacktivism …. 2.3 malware distributed by …. 3.2 manipulation of victims by …. 2.22 meaning …. 1.6, 2.1 changes in …. 2.1 definition, no universally accepted …. 2.1 no existing criminal law applicable, where …. 1.9 hacktivism charges under Criminal Code Act 1995 (Cth) …. 3.33 cybervandalism, also known as …. 3.30 examples …. 3.28 1989 NASA attack …. 3.29 meaning …. 2.3, 3.28 motivations …. 3.31 responses to …. 3.30 Hancock v R

credit cards, dealing in stolen details …. 6.19 harassment see cyberstalking and harassment high-tech crime (HTC) tools availability of …. 3.12 home-jacking nature of …. 3.21 s 477.2 application to …. 3.22 homicide computer-related means, committed by …. 1.2

I

identity crimes as part of larger criminal schemes …. 6.0 Convention on Cybercrime provisions applicable to …. 6.15 corporations, protection of …. 6.28 R v Moylan …. 6.28 Criminal Code Act 1995 (Cth) financial information offences …. 6.16–6.19 offences …. 6.20–6.22 definitions identity crime …. 6.2 identity fraud …. 6.2 identity theft …. 6.2 early prosecution R v Zehir …. 6.18 fictitious person, creation of …. 6.1

financial information offences …. 6.16–6.19 dealing in …. 6.16–6.17 deceptive conduct and …. 6.16–6.17 Hancock v R …. 6.19 personal financial information, definition …. 6.16 R v Zehir …. 6.18 s 480.4 Criminal Code Act 1995 (Cth) …. 6.17 s 480.5 Criminal Code Act 1995 (Cth) …. 6.17 s 480.6 Criminal Code Act 1995 (Cth) …. 6.17 National Identity Security Strategy …. 6.3 offences …. 6.20–6.22 corporations, protection of …. 6.28 dealing in identification information …. 6.21 definitions …. 6.20 interception combined with …. 6.25 scope of offence …. 6.22–6.23 phishing see phishing real person’s identity, use of …. 6.1 scale of in Australia …. 6.3 victims of …. 6.25 Commonwealth Victims’ Certificates …. 6.26–6.27 impairment, unauthorised see also botnets Australian laws …. 4.6–4.14 Convention on Cybercrime computer sabotage …. 4.4–4.5 system interference, meaning …. 4.4

critical infrastructure impairment of …. 4.14 R v Boden …. 4.22–4.23 terrorist act, Criminal Code Act 1995 (Cth) definition …. 4.24 vulnerability of …. 4.15 s 476.1 Criminal Code Act 1995 (Cth) …. 4.7 impairment of electronic communication to or from a computer, definition …. 4.7 s 477.1 Criminal Code Act 1995 (Cth) …. 4.8 s 477.3 Criminal Code Act 1995 (Cth) …. 4.9 elements of …. 4.10 offence under …. 4.9 s 478.2 Criminal Code Act 1995 (Cth) data held on a computer disk, credit card or device …. 4.11 related offences …. 4.12 wireless network, piggy-backing …. 4.13 intellectual property see also copyright crimes, online definition …. 7.1 extending protection to online …. 1.1 protection of rights …. 7.2 interception, unauthorised Convention on Cybercrime meaning …. 2.13 scope …. 2.13 nature of …. 2.33 Telecommunications (Interception and Access) Act 1979 (Cth)

admissibility of unauthorised recordings …. 2.35 authorisations and warrants …. 2.36 communication, definition …. 2.33 exceptions to general prohibition …. 2.34 general prohibition under …. 2.34 interception devices …. 2.37–2.38 penalty …. 2.35 telecommunications service, definition …. 2.33 telecommunications system, definition …. 2.33 unauthorised access differentiated …. 2.33 international co-operation Convention on Cybercrime, provisions as to …. 1.13 international laws Convention on Cybercrime see Convention on Cybercrime Trade-Related Aspects of Intellectual Property Rights (TRIPs) Agreement …. 7.4 Internet scale of global use …. 1.18 Internet content hosts (ICHs) child pornography/abuse material s 474.25 Criminal Code Act 1995 (Cth), reporting obligations …. 8.24 Internet service providers (ISPs) anti-spam filters …. 5.27 child pornography/abuse material s 474.25 Criminal Code Act 1995 (Cth), reporting obligations …. 8.24 data, preservation/collection for law enforcement …. 11.15 data retention period, obligations …. 11.21–11.22

liability child abuse material and …. 7.20 copyright infringements and …. 7.20, 7.24 metadata, obligations as to purposes used for …. 11.23 retention and securing obligations …. 11.23 what constitutes …. 11.23 s 313 Telecommunications Act 1997 (Cth) statutory obligation to assist in upholding Australian laws …. 11.19–11.20 investigating cybercrime assumed identity authorities …. 9.28, 11.30 Australia, procedural provisions Convention provisions reflected in domestic law …. 11.19 data retention periods, fixed …. 11.21 general obligation on providers to assist law enforcement …. 11.19–11.20 stored data, law enforcement access to …. 11.18 Australian Federal Police role …. 11.1 controlled operations certificates …. 9.28, 11.30 Convention on Cybercrime procedural provisions …. 11.16–11.17, 11.19 conditions and safeguards …. 11.16 expedited preservation and partial disclosure of traffic data …. 11.17 expedited preservation of stored computer data …. 11.17 interception of content data …. 11.19 production orders …. 11.19 real-time collection of traffic data …. 11.19

scope of …. 11.16 search and seizure of stored computer data …. 11.19 covert see covert investigations Crimes Act 1914 (Cth) search and seizure provisions …. 11.3–11.15 encryption and passwords investigators compelling assistance as to …. 11.9, 11.24 High Tech Crime Operations (HTCO) unit …. 11.2 law enforcement warrants serious offence investigations …. 11.27 specified child sexual offences investigations …. 11.27 metadata purposes used for …. 11.23 retention and securing obligations …. 11.23 what constitutes …. 11.23 search and seizure see search and seizure powers surveillance device warrants …. 11.29

J

jurisdiction adjudicative …. 12.10 Australian laws …. 12.15–12.17 ‘DrinkOrDie’ prosecution and extradition case …. 7.25–7.26, 12.17 extended geographical jurisdiction …. 12.15 extradition legislation and agreements …. 12.16 mutual assistance legislation and agreements …. 12.16 Convention on Cybercrime …. 12.13–12.14

extradition …. 12.13 international co-operation …. 12.13 mutual assistance …. 12.13 enforcement …. 12.10 prescriptive …. 12.10 also known as subject-matter or legislative …. 12.11 territory as basis for …. 12.11–12.12 broad concept of …. 12.11 cybercriminals and …. 12.11

K

Kennison v Daire fraud and ATM machines …. 5.17

L

laws Australian Commonwealth …. 1.11–1.12 unauthorised access, as to …. 2.16 Convention on Cybercrime see Convention on Cybercrime cybercrimes prosecuted under existing …. 1.9 international …. 1.13 no existing applicable to cybercrime, where …. 1.9–1.10 Ly v The Queen online copyright infringement prosecution …. 7.23

M

malware denial-of-service (DDoS) attacks …. 3.4, 3.12, 3.33 distribution of, prevalent methods blended threats …. 3.1, 6.9 hacking …. 3.2 Trojan horse …. 3.2 virus …. 3.2 worm …. 3.2 forms and evolution of …. 3.1 monetisation of …. 1.15 prosecution of disseminators and users, issues …. 3.3 responses to, prevalent …. 3.3 ss 476.1–476.2 Criminal Code Act 1995 (Cth) makers and users, application to …. 3.16 tool of cybercrime, as …. 1.15 unauthorised modifications achieved by …. 3.0–3.3 use to gain access or compromise computer systems …. 1.6 metadata purposes used for …. 11.23 retention and securing obligations …. 11.23 what constitutes …. 11.23 mobile phones definition of computer, whether extends to …. 3.26 destruction of or modification to …. 3.26–3.27 fraud using …. 6.8 scams involving …. 5.6

SMiShing …. 5.6, 6.5 SMS spammers …. 5.29 modification, unauthorised Australian laws …. 3.13–3.26 botnets botmasters, prosecutions …. 3.5 nature of …. 3.4 purposes used for …. 3.4 Convention on Cybercrime provisions …. 3.9–3.12 alteration of data …. 3.10 data interference …. 3.9–3.10 deletion of data …. 3.10 explanatory notes …. 3.10–3.11 misuse of devices …. 3.9 robustness of …. 3.4 system interference …. 3.9 cookies, use of …. 3.22 early prosecutions …. 3.7 R v Whiteley …. 3.7 fraud brought about by …. 5.19 R v Idolo …. 5.19 impairment, causing …. 3.6 malware, by see malware nature of …. 3.0 page-jacking …. 3.36 s 477.2 Criminal Code Act 1995 (Cth) …. 3.17–3.23 cookies …. 3.22

criminal investigation under, case study …. 3.19–3.20 home-jacking …. 3.21 impairment …. 3.18–3.19 recklessness …. 3.18 scope of …. 3.19 spyware …. 3.23 unauthorised modification offence …. 3.18 s 478.1 …. 3.24–3.27 mobile phones, application to …. 3.26 spoofing …. 3.34–3.35 DNS spoofing …. 3.35 motivation …. 3.34 nature of …. 3.34 website defacement …. 3.28–3.33 charges under Criminal Code Act 1995 (Cth) …. 3.33 hacktivism see hacktivism motivations …. 3.31 political tool as …. 3.32 responses to …. 3.30

N

New South Wales legislative provisions child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23

fraud offences …. 5.14 grooming and procuring …. 9.9 stalking offences …. 10.4 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13 voyeurism offences …. 10.28 Nigerian 419 online fraud scheme …. 1.9, 5.7 Northern Territory legislative provisions child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23 fraud offences …. 5.14 grooming and procuring …. 9.9 stalking offences …. 10.4 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13

O

onion routing tool of cybercrime, as …. 1.15 Tor technology …. 1.15

P

page-jacking liability, or enforcement action for …. 3.36 password investigators compelling assistance as to …. 11.9, 11.24 s 3LA Crimes Act 1914 (Cth) …. 11.9, 11.24 use of power, extent …. 11.10 unauthorised use of another person’s …. 2.18 patents protective provisions …. 7.2 pharming see also identity crimes; scams, online nature of …. 5.7, 6.6 phishing see also identity crimes; scams, online blended threats using …. 6.9 detection and response to …. 6.10 loss, who bears …. 6.11 nature of …. 5.7, 6.4 spear or puddle …. 6.5 telephone cold calls …. 6.7 plant breeder’s rights protective provisions …. 7.2 privacy protection see also cyberbullying; cyberstalking legal response of …. 1.1 prosecutions

CDPP prosecutions …. 12.2 statistics of 2008–14 cases …. 12.9 discretion of prosecutors evidence, which to adduce in court …. 12.0 pleas, whether to accept …. 12.0 which cases to pursue …. 12.0 which charges to pursue …. 12.0 expert evidence …. 12.6 conflicting …. 12.8 presentation of …. 12.7 jurisdiction issues see jurisdiction legislation, Commonwealth, State and Territory, charges under …. 12.1 opinion evidence …. 12.6 child sexual offences, as to …. 12.6 Prosecution Policy, Commonwealth …. 12.3 evidence, sufficient to prosecute …. 12.3 public interest …. 12.3 prosecutors …. 12.1 ‘gatekeepers’ of the justice system …. 12.5 technical evidence, presentation of …. 12.7 witnesses, protective provisions as to …. 12.4 closed-circuit television, evidence by …. 12.4

Q

Queensland legislative provisions

child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23 fraud offences …. 5.14 grooming and procuring …. 9.9 stalking offences …. 10.4 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13

S

scams, online advance fee …. 5.7 variants …. 5.8 Australian financial losses due to …. 5.3 devices and procedures …. 5.6 electronic means, emergence of …. 5.4 malware …. 5.7 new and emerging techniques …. 5.7 Nigerian 419 …. 1.9, 5.7 pharming see pharming phishing see phishing responses to …. 5.20 romance …. 5.2 death of a victim …. 5.3 skimming see credit card skimming

telephone cold calls …. 6.7 victims, targeting of …. 5.5 search and seizure powers accessing computers/devices, powers as to …. 11.9 passwords and encryption, overcoming …. 11.9 use of …. 11.10 cloud arrangements community cloud …. 11.13 hybrid cloud …. 11.13 investigations, issues as to …. 11.14 private cloud …. 11.13 public cloud …. 11.13 compensation for damage …. 11.12 Crimes Act 1914 (Cth) provisions …. 11.1–11.15 s 3K …. 11.3 s 3L …. 11.5 s 3LA …. 11.9, 11.24 s 3LAA …. 11.8 data connected to but remote from premises …. 11.7 examination and seizure provision …. 11.5–11.6 forensic image process …. 11.12 forensic preview …. 11.12 Grant v Marshall …. 11.12 ISPs, potential role in access to data …. 11.15 legislation, applicable …. 11.1 notification to owner …. 11.11 removal and examination, power of …. 11.4, 11.6

use of equipment to analyse …. 11.8 use of electronic equipment to examine …. 11.3–11.4 at search premises …. 11.5 scope of provision …. 11.4 security law cyber-attacks as security threats …. 1.1 sentencing child pornography, in …. 8.29 abuse of children in production of …. 8.31 factors to consider in …. 8.30 penalties, increases in …. 8.29 conditions on …. 12.24 mitigating factors, addiction claims …. 12.23 options …. 12.20 s 16A Crimes Act 1914 (Cth) principles and factors …. 12.19 victims court understanding of effects on …. 12.22 impact statements …. 12.21 restoration of …. 12.25 sex tourism see webcam child sex tourism (WCST) sexting ISP reporting obligations …. 8.24 nature of …. 8.21 non-consensual …. 8.23 prosecution of minors …. 8.21–8.22 skimming see credit card skimming

SMS see mobile phones Snell v Pryce exceeding authorised access prosecution …. 2.10 social media sites see also cyberstalking and harassment child grooming and …. 9.2 Children’s e-Safety Commissioner, powers as to …. 10.19 cyberbullying and …. 10.15, 10.17–10.18 online safety and …. 10.17, 10.31 scams involving …. 5.6–5.7 South Australia legislative provisions child pornography definition …. 8.11 child pornography offences and penalties …. 8.19 forgery offences …. 5.23 fraud offences …. 5.14 grooming and procuring …. 9.9 unauthorised access …. 2.16 unauthorised impairment …. 4.6 unauthorised modification …. 3.13 spam address-harvesting software …. 5.27–5.28 Australia, anti-spam legislation civil not criminal penalties …. 5.27 definitions, key …. 5.27 prohibitions under …. 5.28 Convention on Cybercrime, not referred to …. 1.13

filters, anti-spam …. 5.27 issue as to …. 5.25 meaning …. 5.25 motive …. 5.26 prevalence …. 5.26 prosecutions …. 5.29 SMS spammers …. 5.29 spoofing DNS spoofing …. 3.35 motivation …. 3.34 nature of …. 3.34 spyware see also cyberstalking and harassment unauthorised modification by …. 3.23 suicide see also cyberbullying discussions or debates exemption …. 10.22 online urging or assisting …. 10.20 s 474.29A Criminal Code Act 1995 (Cth) …. 10.21 suicide pacts …. 10.22 Surveillance Devices Act 2004 (Cth) warrants issued under …. 11.29

T
Tasmania legislative provisions
  child pornography definition …. 8.11
  child pornography offences and penalties …. 8.19
  forgery offences …. 5.23
  fraud offences …. 5.14
  grooming and procuring …. 9.9
  stalking offences …. 10.4
  unauthorised access …. 2.16
  unauthorised impairment …. 4.6
  unauthorised modification …. 3.13
Telecommunications Act 1997 (Cth)
  s 313 statutory obligation on carriage service providers to assist in upholding Australian laws …. 11.19–11.20
Telecommunications (Interception and Access) Act 1979 (Cth)
  admissibility of unauthorised recordings …. 2.35
  authorisations and warrants …. 2.36
  communication, definition …. 2.33
  exceptions to general prohibition …. 2.34
  general prohibition under …. 2.34
  interception devices …. 2.37–2.38
  law enforcement warrants under
    serious offence investigations …. 11.27
    specified child sexual offences investigations …. 11.27
  penalty …. 2.35
  telecommunications service, definition …. 2.33
  telecommunications system, definition …. 2.33
Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth)
  data retention periods, fixed …. 11.21–11.22
  metadata
    purposes used for …. 11.23
    retention and securing obligations …. 11.23
    what constitutes …. 11.23
telephone scams
  Australian Bankers’ Association warning …. 6.7
  blended threats …. 6.9
  nature of …. 6.7–6.8
terrorism
  advocating, offence of …. 4.29
  Internet use in planning …. 4.28
  R v Lodhi …. 4.27
  s 474.14 Criminal Code Act 1995 (Cth)
    prosecutions under combined with anti-terrorist offences …. 2.29
  terrorist act, Criminal Code Act 1995 (Cth)
    definition …. 4.24
    other offences referring to …. 4.26
trade marks
  protective provisions …. 7.2
Trojan horse
  malware distributed by …. 3.2
    distribution, method of …. 3.2
    examples …. 3.2
    insertion method …. 3.2
    self-executing …. 3.2
  nature of …. 3.0
trolling see also cyberstalking and harassment
  nature of …. 10.13
  R v Hampson …. 10.13

V
victims
  child pornography victim identification and rescue …. 8.3
  identity theft, of …. 6.25
    Commonwealth Victims’ Certificates …. 6.26–6.27
  restoration of …. 12.25
  victim impact statements …. 12.21
Victoria legislative provisions
  child pornography definition …. 8.11
  child pornography offences and penalties …. 8.19
  forgery offences …. 5.23
  fraud offences …. 5.14
  grooming and procuring …. 9.9
  stalking offences …. 10.4
  unauthorised access …. 2.16
  unauthorised impairment …. 4.6
  unauthorised modification …. 3.13
  voyeurism offences …. 10.29
vilification
  online, nature of …. 10.23
    Additional Protocol to the Convention on Cybercrime …. 10.24
    Australian laws …. 10.25
viruses
  Love Bug virus …. 1.10
  malware distributed by …. 3.2
    examples …. 3.2
    insertion method …. 3.2
    self-executing …. 3.2
    self-replicating …. 3.2
  no existing criminal law applicable, where …. 1.9
voyeurism
  Crimes Act 1900 (NSW)
    offences under …. 10.28
  nature of …. 10.26
  R v McDonald and Deblaquiere …. 10.30
  upskirting and downblousing …. 10.27
  Victorian legislative provisions …. 10.29

W
warrants
  access to stored data, authorisations and warrants …. 11.26
  interceptions, authorisations and warrants …. 2.36, 11.26
  law enforcement warrants
    serious offence investigations …. 11.27
    specified child sexual offences investigations …. 11.27
  surveillance device warrants …. 11.29
webcam child sex tourism (WCST)
  Australian prosecutions, recent …. 9.32
  nature of …. 8.5, 9.29
  operational structures of …. 9.31
  purchasers as accessories …. 9.32
  ‘Sweetie’ investigation …. 9.29–9.31
website defacement
  charges under Criminal Code Act 1995 (Cth) …. 3.33
  hacktivism see hacktivism
  motivations …. 3.31
  political tool as …. 3.32
  responses to …. 3.30
Western Australia legislative provisions
  child pornography definition …. 8.11
  child pornography offences and penalties …. 8.19
  forgery offences …. 5.23
  fraud offences …. 5.14
  grooming and procuring …. 9.9
  stalking offences …. 10.4
  unauthorised access …. 2.16
  unauthorised impairment …. 4.6
  unauthorised modification …. 3.13
wireless network
  piggy-backing, whether impairment …. 4.13
worm
  malware distributed by …. 3.2
    examples …. 3.2
    insertion method …. 3.2
    self-executing …. 3.2
    self-replicating …. 3.2