“Harm” in the Harmful Digital Communications Act

The recent decision of Justice Matthew Downs about the Harmful Digital Communications Act seems to be misunderstood.  Ben Hill in the NZ Herald went so far as to state that the decision said that  posting intimate images on Facebook met the harm threshold detailed in the act. Far from it.

Some clarification might be helpful. The case involved a prosecution under one of the sections of the Harmful Digital Communications Act. Because of that a couple of basic criminal law propositions applied. First, the burden of proof was on the prosecution. Secondly to obtain a conviction the prosecution had to prove each of the three elements of the charge beyond a reasonable doubt.

A criminal trial can be divided up into two main phases – the prosecution phase and the defence phase. If the prosecution fails to provide any or sufficient evidence of any one of the elements of a charge, the charge may be dismissed.

In the case under appeal that is the point the case reached. Was there evidence of harm – serious emotional distress – suffered by the complainant? The District Court Judge looked at what was available and concluded that although there was evidence of emotional distress, he was not satisfied that it had reached the “serious” point. Because he concluded that there was insufficient evidence to support one of the elements the case was dismissed.

If that evidence had been available – that is evidence where a reasonable fact-finder, properly applying the law, could convict – then the Judge would have called upon the defendant to ascertain if he had evidence to add to the mix. It does not mean that the defendant was presumed guilty or that he had a burden to prove his innocence. But his evidence could help the Judge in the next step in the reasoning process which would be to assess whether or not the evidence satisfied him beyond a reasonable doubt that the complainant had suffered serious emotional distress. That is a different line of enquiry to that of ascertaining whether the evidence was present in the first place.

When the case went before Justice Downs on appeal by the Police there were two lines of argument. One was that the test applied by the District Court Judge was too high. That argument was rejected by Justice Downs. The second argument was that the Judge had not evaluated the available evidence properly when he concluded that there was no evidence of serious emotional distress.

This was the crux of the case. The District Court Judge had taken reactions by the defendant to the posting of her intimate images on a Facebook page – loss of sleep, tears, possible time off work, embarrassment – and concluded that individually these did not amount to serious emotional distress. Justice Downs said that was not the proper approach. The Judge should have looked at the total effect of all of these elements and taken them collectively. In addition he should have had regard to the context – a relationship breakdown, an apparently controlling and jealous husband who had threatened to put the pictures online. Looking at these factors collectively Justice Downs concluded that they did amount to sufficient evidence of serious emotional distress and therefore the prosecution had established a case that the defendant had to answer.

So the case is about how to evaluate whether or not a post has caused harm. In that sense it could be said that it is “lawyers law”. But does this mean that the defendant is automatically guilty. It does not. The case has been sent back to the District Court and the case for the defendant will be presented and argued. And then the Judge will have to consider whether the evidence takes him past the “beyond reasonable doubt” threshold to enter a conviction.

Prosecutions under the Harmful Digital Communications Act in the main have resulted in pleas of guilty. But each case must be looked at in the context of its own facts and circumstances. It may be morally wrong to post intimate images on a Facebook page. But there are a number of other elements that must be proven before that amounts to a criminal offence. One of those elements is that of actual harm – serious emotional distress as defined in the Act. If proof of that is lacking there is no offence. If the target of the communication dismisses the posting as of no consequence, no harm has been done.

And that is what the Act is about. It is not about the nature of the content. It is about whether or not the posting has caused harm as defined by the Act.

Justice Downs’ decision helps us in how the evaluation of harm should be approached.

Advertisements

Off-Shore Search Warrants

The Microsoft Ireland Case

The decision of the United States Court of Appeals for the Second Circuit in the case of Microsoft v US – otherwise known as Microsoft Ireland – has brought a breath of fresh air to the law relating to warranted searches for evidence online and whether those warrants can cover material located on servers in other jurisdictions – a concept known as extraterritoriality.

A search warrant was issued by the United States District Court for the Southern District of New York. It directed Microsoft to seize and produce the contents of an e-mail account it maintained for a customer. There was probable cause that the account was being used to further narcotics trafficking.

Microsoft, it must be emphasised, was not charged with any offence. It complied with the warrant as to data that was stored in the United States. However, to comply fully with the warrant it would need to access the customer’s content that was stored and maintained in its servers located in Ireland, and to import that data into the United States to deliver up to the Federal authorities. Microsoft moved to quash the warrant, but this was denied and the lower Court held Microsoft in civil contempt.

It is important to be aware of the legislative context. The warrant was issued under the provisions of the Stored Communications Act (SCA) which was enacted as Title II of the Electronic Communications Privacy Act 1986. The SCA is designed to protect the privacy of the contents of files stored by service providers and records held about subscribers by service providers.

It is also important to note that the SCA was passed in 1986 – thirty years ago when as the Court put it the “technological context was very difference from today’s Internet-saturated reality.” This context had a significant affect upon the way that the Court construed the Statute.

In addition the Federal Rules of Criminal Procedure limited the territorial scope of warrants to United States Territories, possessions or Commonwealth and the diplomatic missions and residencies of the United States in foreign countries.

The argument of the United States Government was based upon the concept of control of data and on that basis extended the reach of the warrant to premises owned, maintained or controlled by Microsoft. The concept of control for the purposes of discovery in civil proceedings may require a party to discover material in another jurisdiction, but could a search warrant have the same effect?

The starting point is the principle that the legislation enacted by Congress is meant to apply within the territorial jurisdiction of the United States unless a contrary intent clearly appears. This presumption is applied to protect against unintended clashes between US laws and those of other nations which could result in international discord. It was conceded that the warrant provisions of the SCA did not permit nor contemplate extraterritorial application. Indeed, the focus of the warrant provisions was upon protecting the privacy interest of users in their stored communications.

Under the focus on privacy if there were to be a warrant issued, the invasion of privacy would take place where the protected content of the customer was accessed which was in the Irish datacenter. That conduct – accessing the data – would take place outside the US, regardless of the fact that Microsoft was a US company. The Court held that the text of the statute, its legislative history, the use of the particular term “warrant” all lead to the conclusion that an SCA warrant could only apply to data held within the boundaries of the US.

It must be remembered that the decision is within the context of a particular statute which had a significant privacy purpose behind it. There are other ways to obatin the information sought such as the application of Mutual Assistance in Criminal Matters Treaties or the provisions of the Convention on Cybercrime 2001 – assuming a State is a signatory and has adopted those treaties into domestic law.

Applicability in New Zealand

Do the provisions of the Search and Surveillance Act 2012 have an extraterritorial reach in the case of computer searches.

Extraterritorial Searches?

There is one school of thought which says that it does, based on the very broad definition of a computer system which could conceivably include the Internet. A properly obtained warrant search warrant or remote access search warrant would allow an investigator to look for and locate data hosted in servers offshore.

In its considerations of search and surveillance procedures the Law Commission suggested that cross border searches could be specifically authorised under a search warrant. In my view that raises some very real difficulties, especially where there are no mutual assistance arrangements in place – although New Zealand has enacted the Mutual Assistance in Criminal Matters Act 1992. The proper course would be to use the provisions of that Act.

The Law Commission acknowledged that while principles of territorial sovereignty should be recognised to the maximum extent possible, observation of such principles may be impossible where the identity of the relevant jurisdiction is unknown.

The suggestion that search warrant authorisation would cure jurisdictional problems arising in a remote cross border search does not, in my view, solve the problem. The Law Commission suggested that if a remote cross border search was sought a warrant application:

(a) would require disclosure of that fact,

(b) that the search was or would likely to be a cross border search,

(c) together with the nature of any mutual assistance arrangements with the relevant country if the identity of that country was known.

Where a warrant was issued without specific authorisation for a cross border search, the enforcement agency would have to return to the issuing officer for further authorisation for a cross border search. Such a situation might become apparent in the course of executing the initial search warrant. This is the preferred option for the Law Commission given the “inconclusive state” of international law.

In the case of Stevenson v R, [2012] NZCA 189.the police applied for a search warrant addressed to Microsoft for records that were kept in the USA. The request was directed to Microsoft in New Zealand who forwarded it to the American parent. The appellant challenged the issue of the warrant. The court held as follows:

‘Fourth, Mr Haskett submits that the warrant issued against Microsoft should be ruled invalid and the evidence obtained from that source excluded. He relies on the same grounds advanced in support of the challenge to the search warrant, which we have rejected. Additionally, however, he submits that the warrant for Microsoft was invalid because it purported to authorise search in the United States of America. The answer to that submission is, as Mr Ebersohn points out, that the Summary Proceedings Act does not require a warrant to be limited to the New Zealand jurisdiction although of course it could not be practically enforced outside of New Zealand.’ [2012] NZCA 189 at [57]

Could this approach – without any developed reasoning – be applied under the Search and Surveillance Act and particularly to remote access searches? The determinative language of the court would suggest it does.

Using the Court’s reasoning in Stevenson a remote access warrant, like a warrant under the Summary Proceedings Act, may not be limited to the New Zealand jurisdiction. No reference to a presumption of territorial application – which was a significant feature in Microsoft Ireland – was mentioned. Indeed the reverse proposition seems to be the position – if the Summary Proceedings Act did not provide that a warrant be limited to New Zealand, it had extraterritorial effect. That flies directly in the fact of established principle which is that the statute must expressly authorise extraterritoral application.

A Forgotten Fundamental Principle of Law

But just because the technology allows it, should extraterritorial searches just happen? Should the issue of a search warrant allow an extraterritorial remote access search, and should the fruits thereof be admissible? A strict ‘crime control’ approach would suggest an affirmative response.

On the other hand a principled approach that recognises the broader issues of the Rule of Law must recognise that there is a customary international law prohibition on conducting investigations in the territory of another state. (see Michael A. Sussman, ‘The Critical Challenges from International High-tech and Computer-related Crime at the Millennium’ Duke Journal of Comparative & International Law Volume 9, Number 2 (Spring 1999), 451 – 489.)

Remote access searches may violate territorial integrity and, whatever the constitutional constraints that exist within the searching country, such searches are prohibited as violations of international law. Notwithstanding the utopian vision of a separate jurisdiction for cyberspace, the reality is that data has a physical location within the territorial jurisdiction of a state.

And this brings us back to the fundamental principle. It was stated by the Second Circuit Court of Appeals. I referred to it a couple of paragraphs ago. If a domestic law is to have extraterritorial effect the statute must clearly say so. It cannot have that effect by some back door interpretation of what amounts to a computer system. This principle of law is hardly “inconclusive”.

Section 144A of the Crimes Act 1961 (NZ) has extraterritorial effect. It deals with sexual conduct with children and young people outside New Zealand. It is clear a clear and unequivocal assertion of extraterritorial application.

It is perhaps astonishing that this elementary principle has been overlooked not only by the Law Commission but also by the Court of Appeal in R v Stevenson.

There are ways of conducting offshore searches both in the digital and real word spaces. The utilisation of Mutual Assistance Treaties under the 1992 Act is one way. Or perhaps it is time to consider adopting the Convention on Cybercrime to adopt a principled approach to the access of data offshore.

DIXON v R –Game Over for Digital Property? I Think Not.

 

On 20 October 2015, the Supreme Court of New Zealand delivered its decision in the matter of an appeal by Jonathan Dixon against a conviction on a charge of accessing a computer for a dishonest purpose pursuant to s 249 Crimes Act[1].  It was alleged that Mr Dixon had accessed a computer system and dishonestly and without claim of right obtained any property.  In short, what Mr Dixon had done was to copy some digital footage from a CCTV security system operated by a bar in Queenstown.  Mr Dixon obtained the footage from a receptionist for the company and transferred the files onto a USB stick, deleting them from a desktop computer where they resided.

The Judge at first instance considered that the digital CCTV files were property within the meaning of the definition of that word in s 2 Crimes Act.  When the matter went before the Court of Appeal, the Court disagreed[2].  It concluded that digital information or a data file did not fall within the definition of property.

The Court of Appeal’s decision was the subject of considerable critical comment.  It was even suggested that the provisions of s 249 Crimes Act were “unfit for the purpose”.  Yet the decision should not have come as any surprise for there is a substantial body of authority, primarily in the civil arena, that supports the Court’s conclusion.  Subsequently the Court made  similar finding was reached in the case of Watchorn v R[3].

What the Court of Appeal did in Dixon however, was to substitute another charge which could have been proffered against Mr Dixon – that he accessed a computer and dishonestly and without claim of right obtained a benefit.  In its decision the Court of Appeal went to some pains to consider the nature of a benefit and substitute it at charge.

Mr Dixon appealed against that conclusion to the Supreme Court of New Zealand.  In its decision, the Supreme Court concluded that the Court of Appeal’s conclusion that a digital file did not amount to property was wrong.  It quashed Mr Dixon’s conviction for obtaining a benefit contrary to s 249(1)(a) and it reinstated his original conviction for obtaining property by accessing a computer system for a dishonest purpose. Phyrric victory does not adequately describe the outcome from Mr. Dixon’s point of view.

The Court started by considering the provisions of s 249(1) of the Crimes Act.

249 Accessing computer system for dishonest purpose

(1)        Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—

(a)          obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or

(b)          causes loss to any other person.

 

It then went on to consider the definitions of “access” and “computer system” contained in s 248 Crimes Act.  The Court observed that a relevant feature of the definitions was that “computer system” included “stored data” and “access” included receiving data from a computer system. The Court later observed that the definition of a computer system included “software” of which more later.

The Court then went on to consider the definition of “property” contained in s 2 of the Crimes Act.

property includes real and personal property, and any estate or interest in any real or personal property, money, electricity, and any debt, and any thing in action, and any other right or interest

Arnold J, writing for the Court, noted that the definition is:

(a)        inclusive rather than exclusive;

(b)        circular in that the property is defined as including real and personal property; and

(c)        in wide terms and, in particular, includes tangible and intangible property.

The Court went on to observe that within the broader statutory context the term “goods” in the Commerce Act 1986, the Consumer Guarantees Act 1993, the Fair Trading Act 1986 and the Sale of Goods Act 1908 is defined, to avoid doubt, to include computer software. It observed that, when considering the inclusion of software in consumer legislation the Commerce Committee stated:

The interest in the software the consumer receives does not differ significantly from other goods involving the transfer as an interest in intellectual property, and for which the guarantees and remedies relating to goods are more relevant and applicable to the guarantees and remedies related to services.  We recommend that computer software be added to the definition of goods for the avoidance of doubt.[4]

 

In reading the decision in a linear fashion, it was not immediately apparent at this stage of the Court’s reasoning what relevance software as goods might have to the issue of whether data was property but the issue becomes clear later in the Supreme Court’s decision.

The Court went on to consider the Judge’s finding that the definition of “property” in the Crimes Act was wide and, indeed, sufficiently wide to cover a digital file.  It then went on to consider the decision of the Court of Appeal.  The Court of Appeal’s starting point was that digital files were not property within the meaning of the definition of the Crimes Act because they were pure information.  The Court of Appeal had adopted what it described as an “orthodox” view that information, whether confidential or not, was not property.  It observed that the medium upon which information could be stored would be property but the information upon it would not.  Therefore, the digital footing could not be distinguished from information on this basis. The Court of Appeal observed that it was problematic to treat computer data as being analogous to information recorded in physical form.  It observed that a Microsoft Word document may appear to be the same as a visible sheet of paper containing text but in fact was simply a stored sequence of bytes.

The Court of Appeal considered whether or not it should depart from this orthodox view, observing that the distinction drawn between information which was not property and the medium upon which it was contained had been criticised as illogical and unprincipled.  The Court of Appeal’s view was that there were certain policy reasons militating against the recognition of information as property particularly in that such a decision could impact detrimentally upon the free flow of information and the freedom of speech.

The Court noted that when it enacted the computer crime sections of the Crimes Act there were also amendments to the definition of “property” but that these were limited.  The taking of confidential information or trade secrets was encompassed by s 230 Crimes Act. It considered that the provisions in s 249 relating to property were aimed at situations where a person accessed a computer and used, for example, a false or purloined credit card details to obtain goods unlawfully.

Before the Supreme Court counsel for the Crown stepped away from arguing that pure information was property.  Rather, the argument was focused upon the fact that digital files were property because they could be owned and dealt with in the same way as other items of personal property.  Thus the Court was able to sidestep dealing with the major finding of the Court of Appeal and could approach the problem from a different angle.

Another reason for the Court not considering the “pure information as property” issue was that Mr Dixon had dismissed his lawyer prior to the hearing and, accordingly, the point was not fully argued, and therefore it was considered that it was not an appropriate occasion to reconsider what the Court of Appeal had referred to as the orthodox view.

The Supreme Court started with considering the issue of context and observed that the meaning of the word “property” varies with its context.  It referred to comment made by Gummow and Hayne JJ in Kennon v Spry [5]where they stated:

The term “property” is not a term …with one specific and precise meaning.  It is always necessary to pay close attention to any statutory context in which the term is used.

The Court then went on to observe that within the context of s 249(1)(a) and in light of the definition of “property” in s 2, there was no doubt that the digital files at issue were property and not simply information.  The Court considered that digital files are identifiable, have a value and are capable of being transferred to others.  They also have a physical presence although that cannot be detected by means of the unaided senses.  It may be that they could be classified as tangible or intangible but nevertheless the Court concluded that digital files were property for the purposes of s 249(1)(a). However, the Court omitted to discuss inconvenient issue of the necessity of exclusive possession as an element of property

 

The rationale for such a finding started with a consideration of the history of the amendments made to the Crimes Act in 2003.  In crafting a new suite of changes to modernise the criminal law in relation to crimes against rights and property, focus was upon the concept of being “deprived of property” rather than the concept of “things that were capable of being stolen”, for it was that latter concept that underpinned property crimes in the 1961 Crimes Act prior to its amendment in 2003.

When the amending bill was first proposed, there was a specific definition of “property” for the purposes of a new Part 10 relating to crimes against property.  That new definition arose as a result of the 1999 decision of the Court of Appeal in R v Wilkinson[6] where the Court held that the concept of things capable of being stolen did not cover intangible property.

The new definition for the purposes of Part 10 proposed:

Property includes real and personal property, and all things, animate or inanimate, to which any person has any interest or over which any person has any claim; and also includes money, things in action and electricity.

The Supreme Court considered that had this definition remained, digital files would have been included on the basis that they are things in which a person has an interest.

However, when the bill was reported back by the Law and Order Select Committee, it was observed that the definition of “property” and for the purposes of Part 10, differed from the definition of “property” in s 2 and concluded that there should be one definition for the Act as a whole.  The Law and Order Select Committee recommended that the definition be removed from Part 10 and the definition of “property” in s 2 be amended.  The problem is that the definition of “property” in s 2 is not as widely stated as the proposed definition for Part 10.

The Court then went on to consider the nature of a document which had an extended definition for the purposes of Part 10.  Quite clearly from the definition of a document material held in electronic form falls within such a definition and the Court of Appeal reached a similar conclusion in R v Misic[7] which was decided before the extended definition was enacted.

Anderson J, writing for the Court in Misic, said:

… we have no difficulty accepting that the computer program and computer disk in question are each a document for the purposes of s 229A. Essentially, a document is a thing which provides evidence or information or serves as a record. The fact that developments in technology may improve the way in which evidence or information is provided or a record is kept does not change the fundamental purpose of that technology, nor a conceptual appreciation of that function. Legislation must be interpreted with that in mind. …

 

He went on to say:

It is unarguable that a piece of papyrus containing information, a page of parchment with the same information, a copper plate or a tablet of clay, are all documents. Nor would they be otherwise if the method of notation were English, Morse code, or binary symbols. In every case there is a document because there is a material record of information. This feature, rather than the medium, is definitive.

The Supreme Court then turned to consider the provisions of ss 249-252 Crimes Act dealing with computer crimes and considered, contrary to the view of the Court of Appeal, that the word “property” included in s 249(1)(a) was included for a purpose that was broader than the mere use of credit card details used in conjunction with computer to unlawfully obtain goods.

The Court considered that the broader purpose could be justified by starting with the definition of a computer system which included items such as “software” and “stored data”, which is also referred to in s 250 which deals with damaging or interfering with a computer system.  The Court observed that there was no doubt that Parliament had stored data in mind when those provisions were drafted.  Similarly, “access” is defined to include receiving data from a computer and is received even although it is copied rather than permanently removed.

The Court observed[8]

Given that Parliament contemplated situations where a person copied stored data from a computer, which of the offences might apply where the person taking the data did so without authority?  There are three possibilities – ss 249, 250 and 252.  It is not obvious that s 250 would apply.  If someone simply took a copy of existing data, but did not damage, delete or modify it, could it be said that the person “interfered with” or “impaired” the data?  We rather doubt that it could.  Section 252 could apply.  It creates an offence of intentionally accessing the computer system without authority and provides for a maximum penalty of two years’ imprisonment.  However that offence focuses on unauthorised access implicit, it does not address the issue of dishonest purpose.  Where the access if for dishonest purpose, s 249 applies and there are significantly higher maximum penalties.

 

The Court then discussed the situation where a person without authority located, copied and dealt with valuable digital files contrary to the interests of the file’s owner.  The inclusion of that conduct is consistent with the features of the legislation to which reference had been made.

Looking at the issue conceptually, of those concepts identified in s 249(1)(a) – property, privilege, service, pecuniary advantage, benefit or valuable consideration – property seemed most apt to capture what was obtained by Mr Dixon as the result of the unauthorised access.  Thus from a conceptual view of what it was that the accused did and what he took, the word “property” seemed the most suitable word to encompass the situation.

 

The Supreme Court then referred to the fundamental characteristics of property as being something that was capable of being owned and transferred.  It observed that the digital files which were downloaded onto his USB stick and then deleted from the computer upon which they were stored, were a compilation of sequenced images.  This file had an economic value and was capable of being sold.  Although the files remained on the CCTV system, the compilation contained what was valuable in the full files.  The compilation had a material presence.  It altered the physical state of the medium upon which it was stored – the computer disk or USB stick – illustrated by the fact that electronic storage space can be fully utilised.

This aspect of material presence led to a discussion of some American cases where a different approach to computer files as property has been adopted.  The Court referred to the case of South Central Bell Telephone Company v Barthelemy[9] where the physical processes and characteristics of software were examined.  The response to the suggestion that software was merely knowledge or intelligence – perhaps another way of stating information – the Court observed that the software was knowledge recorded in a physical form which had a physical existence and which took up space on a tape, disk or hard drive and made physical things happen which could be perceived by the senses.  The software was ultimately recorded and stored in the physical form on a physical object.

The Court also referred to a number of other American cases, although noted that the US Courts had not been consistent on the point with some holding that software is intangible property. The decision of Ronald Young J in Erris Promotions Limited v CIR[10] where the argument was whether or not software code was tangible property.  The Judge held that it was intangible rather than tangible. The issue of tangibility or intangibility is something of a red herring, having regard to the fact that property can be tangible or intangible according to the definition of property in s.2 of the Crimes Act 1961

In considering the Court of Appeal’s approach in Dixon where it was noted that it was problematic to treat computer data as being analogous to information recorded in physical form, the Supreme Court made two comments.  It firstly observed that the definition of “document” of was broad enough to include electronic documents or files.  In this regard I observe that the word “document” is used probably for two reasons.  The first is the file extension .doc which infers that the file created is a document.  The second is that a word processing program is designed to create a file of information which resembles a paper document but which in reality is quite different, being in electronic form.  We use the word “document” because it is a word with which we are familiar.  Perhaps a better word would be “file” although the definition of “document” is really directed towards the result of a technological process.

In the United States, electronic records and databases had been treated as property capable of being converted although they were intangible.  The case of Thyroff v Nationwide Mutual Insurance Co[11] considered whether the tort of conversion could apply to the misappropriation of electronic records and data.  The Court’s approach was consistent with the overall view of computer or electronic files in the US – that being that there is an economic value to electronic information which should receive the protection of law.

The Court observed that the position in England was different, although the cases in England involved civil aspects of electronic information as property.  It observed that the case of Your Response Limited v Datateam Business Media Limited[12] concluded that it was not possible to exercise a common law possessory liens over an electronic database on the basis that it was not tangible property of a kind capable of forming subject matter of torts that are concerned with interference and with possession.  The Court in Your Response Limited followed the decision of OBG Limited v Allan[13].  What should be observed in those cases, and a matter which the Supreme Court seems to have sidestepped, is that possessory liens and some other torts involving interference with property are premised upon the concept of exclusivity of possession.  In the electronic environment it is capable for a person to obtain a copy of a data file by dishonestly accessing a computer, but by leaving the “original” upon the target computer.  In Dixon’s case, although the digital file that he took was a compilation of a larger CCTV record, nevertheless the original CCTV record remained in the possession of the “owner”.  Thus, two people had possession or control of the same data and the element of exclusivity was absent.

The issue of tangibility or intangibility of an electronic file is, as observed above, resolved by the provisions of s 2 Crimes Act which includes both tangible or intangible property.  The Court then went on to say that what emerged from the brief discussion of the US authorities is that although they differ as to whether software is tangible or intangible, there is general agreement that software is property.  The Court then encompassed data files as property by observing, “There seems no reason to treat data files differently from software in this respect”.

From a technological point of view, software files are operating instructions for a computer.  Data files are raw information which may be processed by a software program.  A .doc file created by the utilisation of the software Microsoft Word is rendered readable by the software.  Software does something within the computer environment.  Data is something that software manipulates.  This is recognised by the separation of “software” from “stored data” in the definition of a computer system in s. 248 of the Crimes Act 1961. The Supreme Court chose not to address this functional difference between software and data.  Although the Court had discussed the nature of software as goods, that merely heightens the distinction between software and data.  There can be no doubt that data can have a value, although it must be associated with some form of processing software to be rendered comprehensible.  But data is not protected by the Consumer Guarantees Act or other consumer protection legislation.

Finally, the Court made some observations about the decision in Watchorn, observing that the digital files that Mr Watchorn obtained were property for the purposes of s 249(1)(a) and that he should have been convicted.

In considering the Supreme Court’s decision, the first thing that should be noted is that the Court went to some pains to state that its definition of “property” was within the context of the legislation and particularly within the context of s 249(1) Crimes Act.  Given that limitation, it could well be argued that its holding that a digital file amounts to property is limited in application.

However, it may well be if the decision is utilised in a broader sense, that there will be certain unintended consequences and one comes to mind.  It involves the person who accesses a computer system dishonestly and without claim of right, and obtains a digital file containing embarrassing or damaging information.  That information, if published, could have significant consequences.  The “hacker” for so he is, puts the information onto a USB stick.  The information is delivered to a third party.  There are no criminal implications in the hacker giving the third party the USB stick.  Property in the USB stick itself and as a medium is validly transferred.  What of the digital file on the USB stick?  The third party is aware that it was obtained dishonestly and by unauthorised access to a computer system.  The question which may need to be asked and answered is whether or not the receipt of the digital file on the USB stick would be sufficient to constitute the offence of receiving by the third party.

What to do?  Clearly the information as property issue needs to be addressed and it may well be that the answer lies in considering adopting the American approach together with clarifying the fact that digital data to exist must be associated with a medium be it a hard drive, a USB drive or stored in the Cloud.  It is this aspect of a digital file that gives it its tangibility albeit limited.

The issue of virtual property remains an open question and must depend upon the nature of the terms and conditions that exist between the provider and the customer.  It may be that legislation will address this problem in the future, recognising that in a paradigm of continuing disruptive change, changes to perception of whether what may fall within the category of intangibles may have value needs to be recognised along with a further recognition that existing remedies under “traditional” fields of law, such as intellectual property and breach of confidence, may be too limited to accord sufficient protection.  The concept of no property in pure information could remain;  information that is not associated with a medium could remain as intangible and without property implications.  But the digital file associated with a medium could have a level of tangibility sufficient to attract the protection of the civil and criminal law.

But wait! There’s more! What proprietary interests does a subscriber have to that piece of virtual real estate in Second Life? And if it is “property” acquired during the course of a relationship, may it attract the attention of the Property (Relationships) Act 1976? What about that “amped up” magic sword that the player uses in Word of Warcraft. The game is not over. In fact, it has only just begun.

____________________________________________________

[1] [2015] NZSC 147

[2] [2014] 3 NZLR 504

[3] [2014] NZCA 493

[4] Consumer Protection (Definitions of Goods and Services) Bill 2001 (154–2) (select committee report) at 4.

[5] [2008] HCA 56, [2008] CLR 366 at [89]

[6] [1999] 1 NZLR 403 (CA).

[7] [2001] 3 NZLR 1 (CA).

[8] Above n 1 at [36]

[9] 643 So 2d 1240 (Lou 1994).

[10] [2004] 1 NZLR 811 (HC).

[11] 8 NY 3d 283 (NY 2007).

[12] [2014] EWCA Civ 281, [2015] QB 41.

[13] [2007] UKHL 21, [2008] AC 1.

Digital Property and Computer Crimes – Collisions in the Digital Paradigm IVA

The Court of Appeal decision in Watchorn v R [2014] NZCA 493 was another case involving property in digital data.  The accused had been convicted on three charges alleging breaches of s 249 of the Crimes Act in that he had access to his employers computer system and dishonestly or by deception and without claim of right obtain property.

Mr Watchorn was an employee of TAG, an oil and gas exploration company, which was engaged in both prospecting and the production of oil and gas.  There was no question that on the 7th June 2012 Mr Watchorn downloaded extensive and sensitive geoscience data from TAG’s computer system onto a portable hard drive.  An executive of TAG described the geoscience folder as holding the “secret recipe” because it contained data relating to the discovery of sites of oil and gas.  The information had a very high value to TAG. Had it been disclosed to a competitor it would have been extremely damaging to the company and beneficial to that competitor.

On the day after the download took place Mr Watchorn and his family went to Canada for four weeks so that he could visit his mother who was ill.  Whilst he was in Canada he met a representative from a company called New Zealand Energy Corporation Limited (NZEC) based in Canada but which carries on business in New Zealand. NZEC is a competitor of TAG.  Following this meeting Mr Watchorn was offered a job with NZEC.

On 31 July 2012 Mr Watchorn down loaded similar TAG information to that which he had downloaded on the 7th June and downloaded it on to a USB memory stick.  On the same day he gave notice of his intention to resign from TAG and commence employment with NZEC.

TAG was very concerned about material being downloaded from its computer system and the day after Mr Watchorn gave notice, TAG’s solicitors sent a letter to Mr Watchorn reminding him of his obligations for confidentiality and inviting him to return an apparently missing hard drive.

Mr Watchorn responding by stating that the only thing he had on his personal hard drive was relating to some of the things that he had helped put in place as well as technical data and work from previous employment.

On 28 August 2012 the police executed search warrants including one at the premises of NZEC.  Mr Watchorn was initially interviewed by the police, then re-interviewed on the 7th December 2012 and arrested.  There was some disparity between the various explanations that Mr Watchorn had given to the police relating to whether or not he had taken the portable hard drive with him to Canada.  However there was no evidence indicating any disclosure of information to NZEC while Mr Watchorn was in Canada, when he later accessed the down loaded material at NZEC’s premises or at any other time.  In fact the evidence was that the data down loaded on the 7th June was not disclosed at any time to any person.

The Court of Appeal noted its decision in Dixon v R where it was held that digital CCTV footage stored on a computer was not “property” as defined in the Crimes Act and so the obtaining of such data by accessing a computer system could not amount to “obtaining property” within the meaning of s 249(1)(a) of the Crimes Act.  The Court accepted that that analysis must apply to the kind of data obtained by Mr Watchorn and observed that it was bound to follow Dixon.  However the issue was whether or not the Court would follow the approach adopted in Dixon and substitute convictions based upon an alternative charge of obtaining a benefit.

The first thing the Court did was to consider whether or not there had to be a “dishonest purpose” for obtaining a benefit.  Despite the fact that the heading to s 249 states “accessing the computer system for dishonest purpose” the Court held that that was not an accurate summary of the offence itself.  It observed that the ingredients of s 249(1) do not include a dishonest purpose.  What the Crown must prove is that the accused “accessed a computer system and thereby dishonestly or by deception or and without claim of right obtained a benefit.”  In light of the definition of “dishonestly” in s 217 of the Crimes Act all the Crown had to prove was that Mr Watchorn did not have TAG’s authorisation to down load the data that he down loaded to his hard drive on the 7th June.

“Dishonestly” in s 217 states “In relation to an act or omission means done or omitted without a belief that there was express or implied consent to, or authority for, the act or omission from a person entitled to give such consent or authority”.

 The Supreme Court in R v Hayes [2008] 2 NZLR 321; [2008] NZSC 3 stated that dishonestly requires an absence of belief that there was consent or authority and that it is not necessary to prove that the belief was reasonable.

The Court of Appeal observed that if Mr Watchorn actually believed he was authorised to download the data then the element of “dishonestly obtaining” that data would not be proven.  Whether he downloaded the data for the purpose of taking it with him to Canada or alternatively to make a backup actually did not address the question as to whether he believed he was authorised to do it.  The evidence before the Court was that the TAG Executives said that Mr Watchorn had no authority implied or otherwise to take TAG geoscience data or the material contained with the TAG drilling and TAG electronic site and well files.  Mr Watchorn’s claim that he thought that he was authorised to download the files and take them to Canada was contrary to his version of events when interviewed by the police.

The Court then went on to consider the issue of “claim of right”, differentiating the concepts of “dishonesty” and “claim of right” by noting that dishonesty addresses whether Mr Watchorn believed he was authorised to download the data.  Claim of right addressed whether or not he believed even if he wasn’t authorised that downloading was permissible.  Mr Watchorn argued that he had a defence of claim of right because he believed there was an industry wide practice in the oil and gas field of employees transferring from one firm to another downloading data relevant to the employees work before leaving the employ of the owner of the data.  There was no evidence in Watchorn’s case that implied entitlement did exist and no evidence that Mr Watchorn believed that it did.  The fact that he had downloaded data from previous employers did not provide a proper foundation for a finding that he was lawfully entitled to do so.

After considering some other issues the Court went on to consider whether or not it should substitute the convictions against Mr Watchorn for convictions based on obtaining a benefit.  In Dixon the benefit had been the opportunity to sell a digital CCTV footage that had been obtained by accessing his employer’s computer.  In this case there was no evidence that Mr Watchorn had tried to sell the data but the issue was whether or not the word “benefit” was limited to a financial advantage or something wider.

The Court referred to a High Court decision of Police v Leroy  (HC Wellington CRI 2006-485-58, 12 October 2006 Gendall J) where a District Court Judge had held that the term benefit meant a benefit that could result in the advancement of a person’s material situation and was limited to a benefit of a financial nature.

Gendall J held otherwise.  He said that a non-monetary advantage may nevertheless comprise a benefit.  The advantage might be the acquisition of knowledge or information to which one was not otherwise entitled.  An advantage might be an invasion of another’s privacy.  It might be knowledge or information that could be used to exploit another person.  He gave the example of wrongful access of email communications of another for the advantage of disclosure or for use for political purposes or the purposes of embarrassment.  He held that information obtained might also be used for the benefit or advantage of a wrong doer enacting in such a way as to harass another in breach of the Harassment Act 1997 or be used to assist in the breach of a protection order under the Domestic Violence Act 1995.  It was noted that the words property, pecuniary advantage and valuable consideration relate to matters financial but the same is not necessarily true of benefit, privilege or service and the Court concluded that it was not necessary to confine the concept of benefit to financial benefits.

However that conclusion did not necessarily resolve Mr Watchorn’s case.  The Court considered the legislative history of the computer and other provisions of Part 10 of the Crimes Act 1961 in considering whether or not the scope of the word “benefit” was limited to a financial advantage and concluded that it did not.  However it concluded that the issue of what constituted a benefit in Watchorn’s case was more nuanced than that of Dixon.  The Court considered that it was arguable on the facts of Watchorn’s case that the advantage that he gained was his ability to access the data outside his work environment and without the supervision of his colleagues including after he had left the employment of TAG.  Indeed the Court said that it could be argued that he did not in fact exploit the advantage given to him by selling the data or making it available to his new employer.  It did not in fact reduce the ability that he had to do any of those things.

However the problem was that the Crown did not actually formulate the nature of the benefit that Mr Watchorn might have received.  The failure of articulating such a benefit meant that Mr Watchorn did not have any notice of that allegation that he could properly contest.  The Court held that he was entitled to such notice.  The Court considered that the evidence that could be adduced might include whether or not there was in fact any advantage to him in having possession or control of the data and because the prosecution had restricted its theory of the case to obtaining property the entitlement that Mr Watchorn had to prior notice of the benefit was not present.

The Court distinguished Watchorn from Dixon where in the latter case the Court was able to identify the benefit Mr Dixon hoped to obtain from the facts proven at trial.  Accordingly the Court was not prepared to substitute new verdicts and indeed the grounds for substituting such verdicts were not meet.

 Comment

This case is helpful because it demonstrates the importance of bringing a proper charge under the Computer Crimes sections of the Crimes Act.  The case of Police v Robb [2006] DCR 388 demonstrated the need for a prosecuting authority to exercise considerable care in drafting the charge that it brings.  In Robb the allegation arose pursuant to s 250(2)(a) of the Crimes Act in that it was contended that the accused deleted files the property of his employer without authorisation.  Part of the problem facing the Court was the mental element in the offence.  The Judge held that “deletion” in and of itself did not amount to damaging or interfering of the computer system contrary to s 250.  To establish a criminal offence of damaging or interfering with a computer system it was necessary to exclude innocent or accidental data deletion.  The Judge observed that wiping a file required an additional conscious decision over and above simple deletion.  Forensic evidence could not determine whether a file was deliberately deleted or not.

It is quite clear from both the decisions in Dixon and Watchorn that any charge suggesting the obtaining of property where what in fact has been obtained is digital material cannot be sustained and one of the alternatives in s. 249 must be considered.  For this reason the Court’s exposition of the nature of a benefit and the crystallisation of that benefit must be undertaken by a prosecuting authority.

However the final paragraph of the decision of the Court of Appeal in Watchorn is instructive.  The Court said “the decisions of this Court in Dixon and the present case have identified some drafting issues and inconsistencies in some Crimes Act provisions.  We respectfully suggest that consideration be given to remedial legislation.”

Obviously the question of the nature of any property in digital data must be considered but at the same time it must be carefully thought out.  Although it might be attractive for the definition of property simply to include digital data the problem that arises is that what amounts to copyright infringement within the digital space could well become a criminal offence and the presently incorrect adage advanced by copyright owners that “copyright infringement is theft” could well become a reality.

Digital Data and Theft – Collisions in The Digital Paradigm IV

 

Under the law in New Zealand a digital file cannot be stolen. This follows from the Court of Appeal decision in Dixon v R [2014] NZCA 329 and depends upon the way in which various definitions contained in the Crimes Act coupled with the nature of the charge were interpreted by the Court.

Mr. Dixon, the appellant, had been employed by a security firm in Queenstown. One of the clients of the firm was Base Ltd which operated the Altitude Bar in Queenstown. Base had installed a closed circuit TV system in the bar.

In September 2011 the English rugby team was touring New Zealand as part of the Rugby World Cup. The captain of the team was Mr Tindall. Mr Tindall had recently married the Queen’s granddaughter. On 11 September, Mr Tindall and several other team members visited Altitude Bar. During the evening there was an incident involving Mr Tindall and a female patron, which was recorded on Base’s CCTV.

Mr Dixon found out about the existence of the footage of Mr Tindall and asked one of Base’s receptionists to download it onto the computer she used at work. She agreed, being under the impression that Mr Dixon required it for legitimate work purposes. The receptionist located the footage and saved it onto her desktop computer in the reception area. Mr Dixon subsequently accessed that computer, located the relevant file and transferred it onto a USB stick belonging to him.

Mr Dixon attempted to sell the footage but when that proved unsuccessful he posted it on a video-sharing site, resulting in a storm of publicity both in New Zealand and in the United Kingdom. At his trial the judge Phillips found that Mr Dixon had done this out of spite and to ensure that no one else would have the opportunity to make any money from the footage.

A complaint was laid with the Police and Mr Dixon was charged under s. 249(1)(a) of the Crimes Act 1961.

That section provides as follows:

249 Accessing computer system for dishonest purpose

(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—

(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration;

The indictment against Mr Dixon alleged that he had “accessed a computer system and thereby dishonestly and without claim of right obtained property.”

The issue before the Court was whether or not digital footage stored on a computer was “property” as defined in the Crimes Act.

“Property” is defined in section 2 of the Crimes Act in the following way:

property includes real and personal property, and any estate or interest in any real or personal property, money, electricity, and any debt, and any thing in action, and any other right or interest.

The Court considered the legislative history of the definition, noting that in the Bill that introduced the new computer crimes a separate definition of property specifically for those crimes had been provided. The definition was discarded by the Select Committee which rejected the suggestion that there should be different definitions of the word property for different offences.

The Court also noted that in the case of Davies v Police [2008] 1 NZLR 638 (HC) it was held  that internet usage (the consumption of megabytes in the transmission of electronic data) is “property” but in that case the Judge specifically distinguished internet usage from the information contained in the data. Thus, Dixon was the first case where the Court had to consider “property” as defined in the context of “electronically stored footage or images”.

In considering the decision of the trial Judge, the Court was of the view that he had been influenced by the very wide definition of property and the inclusion of intangible things, and that the footage in question seemed to have all the normal attributes of personal property. The Court also observed that Base Ltd who operated the CCTV system did not lose the file. What it lost was the right to exclusive possession and control of it. The Court considered the trial judge’s holding that the files were within the scope of the definition of property reflected “an intuitive response that in the modern computer age digital data must be property.” (para 20)

The Court concluded otherwise and held that digital files are not property within section 2, and therefore Mr Dixon did not obtain property and was charged under the wrong part of section 249(1)(a). Rather, held the Court, he should have been charged with accessing a computer and dishonestly and without claim of right obtaining a benefit.

The Court referred to the English decision of Oxford v Moss (1979) 68 Cr App R 183 which involved a University student who unlawfully acquired an examination paper, read its contents and returned it. The Court held that was not theft. The student had obtained the information on the paper – confidential it may have been, but it was not property, unlike the medium upon which it was written.

The Court of Appeal noted that Oxford v Moss was not a closely reasoned decision but it remained good law in England and had been followed by the Supreme Court of Canada in Stewart v R [1988] 1 SCR 963. Oxford v Moss had also been followed in New Zealand. In Money Managers Ltd v Foxbridge Trading Ltd (HC Hamilton CP 67/93 15 December 1993) Hammond J noted that traditionally the common law had refused to treat information as property, and in Taxation Review Authority 25 [1997] TRNZ 129 Judge Barber had to consider whether computer programs and software constituted goods for the purpose of the Goods and Services Tax Act 1985. He drew a distinction between the medium upon which information or data was stored – such as computer disks – and the information itself.

The Court considered the nature of confidential information and a line of cases that held that it was not property. The traditional approach had been to rely on the equitable cause of action for breach of confidence.

The Court went on to consider whether or not the digital footage might be distinguishable from confidential information. Once again it noted the distinction between the information or data and the medium, observing that a computer disk containing the information was property whilst the information contained upon it was not. It observed that a digital file arguably does have a physical existence in a way that information (in non-physical form) does not, citing the decision in R v Cox (2004) 21 CRNZ 1 CA at [49]. Cox was a case about intercepted SMS messages. The relevant observation was directed to the issue of whether or not an electronic file could be the subject of a search. The Court in Cox noted

“Nor do we see anything in the argument that the electronic data is not “a thing”. It has a physical existence even if ephemeral and that in any event the computer componentry on which it was stored was undoubtedly “a thing”.

Any doubt on this particular issue has been resolved by the Search and Surveillance Act 2012. However, as I will discuss below, although a digital file does have a physical existence, it is not in coherent form. One of the subtexts to the Court of Appeal’s observations of the “electronically stored footage” was that, when stored electronically it has a continuity similar to film footage. For reason that I will discuss later, this is not the case.

The Court then went on to discuss the nature of information in the electronic space. The Court stated at [31]:

It is problematic to treat computer data as being analogous to information recorded in physical form. A computer file is essentially just a stored sequence of bytes that is available to a computer program or operating system. Those bytes cannot meaningfully be distinguished from pure information. A Microsoft Word document, for example, may appear to us to be the same as a physical sheet of paper containing text, but in fact is simply a stored sequence of bytes used by the Microsoft Word software to present the image that appears on the monitor.

Having reviewed the background to the extension of the definition of “property’ following the decision in the case of R v Wilkinson [1999] 1 NZLR 403 (CA) where it was held that credit extended by a bank was not capable of being stolen because the definition of things capable of being stolen was limited to moveable, tangible things, and the fact that although the definition of document extended to electronic files the word “document” – thereby extending the definition of property to include electronic files – did not appear in the definition of “property”, along with the fact that the Law Commission in its hastily produced and somewhat flawed report Computer Misuse (NZLC R54 1999) referred to a possible redefinition of information as a property right, the Court took what it described as the orthodox approach. Parliament was taken to be aware of the large body of authority regarding the status of information and had it intended to change the legal position, it would have expressly said so by including a specific reference to computer-stored data.

This holding did not make section 249(1) of the Crimes Act meaningless. The section would still extend to cases where, for example, a defendant accesses a computer and uses, for example, credit card details to unlawfully obtain goods. In this case, the Court observed, Mr. Dixon had been charged under the wrong part of the section.

It is clear that prosecuting authorities will have to move with care in future. Under the Dixon holding, someone who unlawfully obtains an e-book for a Kindle or other reader could not be charged with theft, because an e-book is information in digital form. If the same book in hard copy form were taken without payment and with the requisite intention from a bookstore, a charge of theft could follow.

Comment

There can be no doubt that the decision of the Court of Appeal is correct technologically and in law and, although I do take a few minor points with the way in which the technological realities have been articulated.

The issue of where the property lies within medium\information dichotomy has been with us for a considerable period of time. I can own the book, but I do not “own” the content and do with it as I wish because it is the “property” of the author. The particular property right – the “copy right” gives the author the control over the use of the content of the book – the author may lose possession and control of the medium but he or she does not lose control of the message.

But the “copy right” has its own special statute and those legislatively created special property rights do not extend to the provisions of the Crimes Act – even although copyright owners frequently mouth the mantra that copyright infringement is “theft”. Clearly the decision in Dixon emphasising the principle that information is not property for the purposes of theft must put that myth to rest.

Information or Data in the Digital Space

To clearly understand the import of the decision in Dixon it is necessary to understand the nature of information or data in the digital space. The Court of Appeal refers to “information” because that is the basis of the “orthodox” conclusion that it reached. Information implies a certain continuity and coherence that derives from the way in which it was communicated in the pre-digital paradigm. Lawyers are so used to obtaining information that is associated primarily with paper, the medium takes second place to the message. Lawyers focus upon the “content layer” – an approach that must be reconsidered in the Digital Paradigm. For reasons which I shall develop, the word “data” can (and perhaps should) be substituted.

The properties of electronic and digital technologies and their product require a review of one’s approach to information. The nature of the print and paper based medium as a means of recording and storing information, and the digital equivalent are radically different. Apart from occasional incidents of forgery, with paper-based documents, what you saw was what you got. There was no underlying information embedded or hidden in the document, as there is with meta-data in the digital environment. The issue of the integrity of the information contained on the static medium was reasonably clear.

Electronic data is quite different to its predigital counterpart. Some of those differences may be helpful. Electronic information may be easily copied and searched but it must be remembered that electronic documents do pose some challenges.

Electronic data is dynamic and volatile. It is often difficult to ensure it has been captured and retained in such a way as to ensure its integrity. Unintentional modifications may be made simply by opening and reading data. Although the information that appears on the screen may not have been altered, some of the vital meta-data which traces the history of the file (and which can often be incredibly helpful in determining its provenance and which may be of assistance in determining the chronology of events and when parties knew what they knew) may have been changed.

To understand the difficulty that the electronic paradigm poses for our conception of data it is necessary to consider the technological implications of storing information in the digital space. It is factually and paradigmatically far removed from information recorded on a medium such as paper.

If we consider  data as information written upon a piece of paper it is quite easy for a reader to obtain access to that information long after it was created. The only thing necessary is good eye sight and an understanding of the language in which the document is written. It is information in that it is comprehensible and the content informs. Electronic data in and of itself does not do that. It incoherent and incomprehensible, scattered across the sectors of the medium on which it is contained. In that state it is not information in that it does not inform.

Data in electronic format is dependent upon hardware and software. The data contained upon a medium such as a hard drive requires an interpreter to render it into human readable format. The interpreter is a combination of hardware and software. Unlike the paper document, the reader cannot create or manipulate electronic data into readable form without the proper hardware in the form of computers.[1]

There is a danger in thinking of electronic data as an object ‘somewhere there’ on a computer in the same way as a hard copy book is in a library.  Because of the way in which electronic storage media are constructed it is almost impossible for a complete file of electronic information be stored in consecutive sectors of a medium. An electronic file is better understood as a process by which otherwise unintelligible pieces of data are distributed over a storage medium, are assembled, processed and rendered legible for a human user. In this respect the “information” or “file” as a single entity is in fact nowhere. It does not exist independently from the process that recreates it every time a user opens it on a screen.[2]

Computers are useless unless the associated software is loaded onto the hardware. Both hardware and software produce additional evidence that includes, but is not limited to, information such as metadata and computer logs that may be relevant to any given file or document in electronic format.

This involvement of technology and machinery makes electronic information paradigmatically different from traditional information where the message and the medium are one. It is this mediation of a set of technologies that enables data in electronic format – at its simplest, positive and negative electromagnetic impulses recorded upon a medium – to be rendered into human readable form. This gives rise to other differentiation issues such as whether or not there is a definitive representation of a particular source digital object. Much will depend, for example, upon the word processing program or internet browser used.

The necessity for this form of mediation for information acquisition and communication explains the apparent fascination that people have with devices such as smart phones and tablets. These devices are necessary to “decode” information and allow for its comprehension and communication.

Thus, the subtext to the description of the electronically stored footage which seems to suggest a coherence of data similar to that contained on a strip of film cannot be sustained. The “electronically stored footage” is meaningless as data without a form of technological mediation to assemble and present the data in coherent form.  The Court made reference to the problem of trying to draw an analogy between computer data and non-digital information or data and referred to the example of the Word document. This is part of an example of the nature of “information as process” that I have described above. Nevertheless there is an inference of coherence of information in a computer file that is not present in the electronic medium – references to “sequence of bytes” are probably correct once the assembly of data prior to presentation on a screen has taken place –  but the reality is that throughout the process of information display on a screen there is constant interactivity between the disk or medium interpreter, the code of the word processing program and the interpreter that is necessary to display the image on the screen.

In the final analysis there are two approaches to the issue of whether or not digital data is property for the purposes of theft. The first is the orthodox legal position taken by the Court of Appeal. The second is the technological reality of data in the digital space. Even although the new definition of property extends to intangibles such as electricity it cannot apply to data in the digital space because of the incoherence of the data. Even although a file may be copied from one medium to another, it remains in an incoherent state. Even although it may be inextricably associated with a medium of some sort or another, it maintains that incoherent state until it is subjected to the mediation of hardware and software that I have described above. The Court of Appeal’s “information” based approach becomes even sharper when one substitutes the word “data” for “information”. Although there is a distinction between the medium and the data, the data requires a storage medium of some sort. And it is this that is capable of being stolen

Although Marshall McLuhan intended an entirely different interpretation of the phrase, ‘the medium is the message,’[3] it is a truth of information in digital format.

 

[1] Burkhard Schafer and Stephen Mason, chapter 2 ‘The Characteristics of Electronic Evidence in Digital Format’ in Stephen Mason (gen ed) Electronic Evidence (3rd edn, LexisNexis Butterworths, London 2012) 2.05.

[2] Burkhard Schafer and Stephen Mason, chapter 2 ‘The Characteristics of Electronic Evidence in Digital Format’ 2.06.

[3] Marshall McLuhan, Understanding Media : The Extensions of Man (Massachusetts Institute of Technology  Cambridge 1994) Ch 1

 

An International Criminal Tribunal for Cyberspace – Judge Stein Schjolberg’s Recommendation

At the 13th International Criminal Law Congress in Queenstown Judge Stein Schjolberg of Norway presented a paper on and the arguments for an International Criminal Tribunal for Cyberspace.

Stein Schjolberg is an extraordinary Court of Appeal Judge in Norway. He was appointed as a Judge in 1984 and as the Chief Judge of Moss Tingrett Court from 1994-2010. Until 1984 he served as a prosecutor and Assistant Commissioner of Police in Oslo.

Judge Schjolberg is an international expert on cybercrime, and one of the founders of the global harmonization on computer crime     legislation. He was a Fulbright-Hays Scholar at Stanford Research Institute (SRI International) in 1981-1982. In cooperation with INTERPOL he organized the First INTERPOL Training Seminar for Investigators of Computer Crime in Paris, 1981. Judge Schjolberg has served as an expert on cybercrime for several international institutions.

He has published widely on computer crime and cybercrime legislation, in addition to court technology issues. He was appointed by the National Center for State Courts, United States, as a member of the International Think Tank on Global Court Technology in 1999-2001.

Judge Schjolberg was in 2007-2008 appointed by ITU in Geneva as the Chairman of the global High-Level Experts Group (HLEG) on cybersecurity, including almost 100 experts from around the world. The HLEG published two reports in 2008, The Chairman´s Report and the Global Strategic Report on Cybersecurity. Judge Schjolberg was awarded the ITU Silver Medal, in recognition of his contribution as the Chairman of the HLEG.

Judge Schjolberg is the Chair of the EastWest Institute (EWI) Cybercrime Legal Working Group. This post is an outline of his September address. His website is Cybercrime Law. This note outlines Judge Schjolberg’s paper

The Need for an International Criminal Tribunal for Cyberspace

At the moment there is no recognised international substantive cybercrime law although the European Convention on Cybercrime (see below) is a start.  The difficulty is that several Governments, international organisations and vital private institutions in the global information of financial infrastructures have been targeted by global cyber attacks in the recent years.

These cyber attacks of the most serious global concern that intentionally cause substantial and comprehensive disturbance of critical communications and information infrastructure should be within the jurisdiction of an International Criminal Tribunal.  Other cybercrimes such as illegal access, illegal interception, data interference, system interference, misuse of devices, forgery, fraud and offences related to child pornography could also be included in the statute.  Those acts may be prosecuted domestically as well as internationally whenever the conduct is considered as cybercrime of global concern. Any intrusions upon religious or political values in cybercrime legislation is a matter that Judge Scholberg considers should be avoided.

Judge Scholberg considers

“the International Tribunal should have the power to prosecute persons committing or ordering to be committed the most serious violations of international cybercrime law, namely the following acts committed wilfully against computer systems, information systems, data, information or other property protected under the relevant international criminal law; by destroying damaging or rendering unusable critical communication and information infrastructures, causing substantial and comprehensive damage to or interference with national security, civil defence, public administration and services, public health and safety, or banking and financial services.”

International Initiatives

In 2010 four main working groups were established in order to make recommendations for new international legal responses to cybercrime.  The United Nations initiated a comprehensive study of the problem of cybercrime. The Twelfth United Nations Congress on Criminal Prevention and Criminal Justice in Salvador Brazil April 2010 recommended in the Salvador Declaration, article 42, to invite the UN Commission on Crime Prevention and Criminal Justice to convene an open ended intergovernmental expert group to conduct a comprehensive study on the problem of cybercrime as well as the response to it.  The recommendation was adopted by the Commission, and by the United Nations General Assembly in its Resolution 65/230.  This comprehensive study is to examine the topics “with a view to examining options to strengthen existing and to propose new national and international legal or other responses to cybercrime”.

On June 27th 2010 the EastWest Institute established a cybercrime legal working group in order to advance consideration of a treaty or a set of treaties on cybersecurity and cybercrime.  The members are independent non-governmental global experts on cybersecurity and cybercrime.  The working group is to develop recommendations for potential new legal mechanisms on combating cybercrime and cyber attacks and develop a consensus building set of proposals related to international law.  The group had its first meeting in Brussels on March 1-2 2010.  To obtain the widest range of input it is desirable to include in such working groups the global private sector and industry in the process of establishing a global treaty or a set of treaties on cybersecurity and cybercrime.

The United States and the European Union established a working group in cybersecurity and cybercrime at the EU/US summit in November 2010.  The group is tasked with developing collaborative approaches to a wide range of cybersecurity and cybercrime issues. Among its efforts is advancing the Council of Europe Convention on Cybercrime, including a programme to expand accession by all EU member States, and collaboration to assist States outside the region in meeting its standards and becoming parties.

Commonwealth leaders at a meeting for Law Ministers and Attorneys General from 44 countries in Sydney July 2011 recommended that the Commonwealth Secretary establish a multi-disciplinary working group of experts.   The purpose of this group is to

“review the practical implications of cybercrime in the Commonwealth and identify the most effective means of international co-operation and enforcement, taking into account, amongst others, the Council of Europe convention on cybercrime, without duplicating the work of other international bodies”.

The Convention on Cybercrime

The 2001 Council of Europe Convention on Cybercrime was an historic milestone in the war against cybercrime and came into force on 1 July 2004.  32 States have ratified the Convention.  However, Russia has not signed the Convention and has made a statement that they do not accept all of its articles.  However by ratifying or acceding to the convention, States agree to ensure that their domestic laws criminalise the conduct described in the substantive criminal law section.

The Convention on Cybercrime is an example of a legal measure. Although of a regional nature it could well be that other countries might consider the possibility of acceding to the Convention or use the convention as a guideline or at least as a reference for developing their internal legislation and by implementing the standards and principals it contains in accordance with their own legal system and practice.

However the Convention, it should be remembered, is based upon criminal cyber conduct of the late 1990s.  New methods of conduct in cyberspace underpinned by criminal intent must be addressed by the criminal law.  Phishing, botnets, spam, identity theft, crime in virtual worlds, terrorist use of the internet and massive co-ordinated cyber attacks against information infrastructures must be considered.

Governmental and vital private institutions in the global information and financial infrastructure have been targeted by global cyber attacks.  In 2011 the UK Government was a target when cyber attacks were launched on Whitehall and the defence industry. Both the Canadian and South Korean Governments suffered global cyber attacks.  In Australia the computer system in the Parliament was accessed in March 2011 by global cyber attacks and the Prime Minister’s and several Ministers’ computers may have been compromised.   The European Union has been targeted by cyber attacks and the Commission of the European Union and in 2011 the EU External Actions Service became the victim of a large scale cyber attack that severally affected email systems.  The French Government experienced cyber attacks on the countries finance economy and unemployment ministry in 2010 and 2011 over a 2 month period before the G20 meeting and in private industry the UK and US Stock Exchanges have been the targets of global cyber attacks aimed to spread panic and leading global financial markets.  The parent company of NASDAQ in New York has been one of the victims and in conjunction with Wikileaks, global cyber attacks were launched against Visa, Mastercard and Paypal.

These are only a few examples that some countries demonstrate that critical information infrastructures maybe under attack.  The issue of cyber attacks and the nature of cyber crime and the threat to critical information infrastructure is not imaginary.  It is here and now.  Cyber attacks on sensitive national information infrastructure are rapidly emerging as one of the most alarming national security threats that may be faced by a State and are becoming matters of global concern.

Setting Up the International Criminal Tribunal for Cyberspace

Judge Scholberg has proposed a Tribunal to deal with criminal global cyber attacks against critical Government and private industry information infrastructures, or where such cyber attacks endanger peace.  He proposed one way that this could be achieved is by expanding the jurisdiction of the International Criminal Court whilst recognising that any such ratification would have to be accepted by China, Russia, and the United States to have any realistic effect.  He considered that some form of Tribunal is currently the only global alternative. It may be that in the future the global community could then try for a more permanent global court solution for cyberspace.

Judge Scholberg considered that under Chapter 7 of the United Nations Charter, the UN Security Council could establish an International Criminal Tribunal for Cyberspace for the investigation prosecution and sentencing for global cyber attacks.  He considered that the framework of the United Nations charter was the most effective means for this, given that it would be binding on all members of the United Nations.

There are precedents for such activity.  The Security Council asserted its rights, authority and jurisdiction based on the Charter when it established the International Criminal Tribunal for Rwanda and the International Criminal Tribunal for the former Yugoslavia. In the case of the International Criminal Tribunal for Cyberspace, the UN Security Council would have the authority to refer cases to it and could request an investigation.

Judge Schjolberg considers cyberspace the fifth common space after land, sea, air, and outer space.  There is great need for co-ordination, co-operation and legal measures among all nations.  Superintendance of behaviour with global consequences to information or information infrastructure is largely uncoordinated and limited to local or domestic law. Judge Scholberg considers that it is necessary to make the international community aware of the need for a global response to urgent and increasing cyber threats and acts of cyber warfare.

An International Criminal Tribunal for Cyberspace would be fully independent and would be established to ensure that the gravest global cyber attacks in cyberspace do not go unpunished.

Judge Schjolberg considered that the chamber of an International Criminal Tribunal for Cyberspace should consist of 16 permanent Judges all appointed by the United Nations.  These Judges could be divided between 3 trial chambers and 1 appeals chamber.  Judges would be appointed for a period of less than 4 years.

Another alternative may be that 5 of the permanent judges be appointed from each of the 5 veto holding permanent members of the United Nations Security Council.  He considered that the seat of the International Criminal Tribunal could be the Hague or Singapore or both.

Prosecution of International Cybercrime

The prosecutor would be a separate part of the International Criminal Tribunal for cyberspace and be responsible for the investigation and prosecution of the most serious cyber attacks or cybercrimes of global concern.  The prosecutor’s office should be independent not only of the Security Council, but also of any state or any international organisation or other organs of the Tribunal.  The prosecutor should not seek or receive instructions from any Government or from any external source but could be advised by the prosecutor’s advisory board that may consist of 5 prosecutors appointed from the 5 veto wielding permanent members of the UN Security Council.

Judge Schjolberg proposes another possibility. Perhaps the advisory board members could have the power of each to veto any indictments before the International Criminal Tribunal for Cyberspace. However, abstention should not be regarded as a veto.

Procedural matters would not be subject to a veto and the veto should not be used to prevent a decision by the prosecutor to open any investigation or to avoid discussion of an issue.

The prosecutor’s office would be assisted in the investigation of cyber attacks by global enforcement through co-ordination with Interpol and a global virtual task force.

The Global Assembly of Interpol has approved the establishment of the Interpol Global Complex for Innovation (IGCI) which includes a digital crime centre based in Singapore.  It is expected to go into full operation in 2014 and to employ a staff of 300 people.

The Interpol Digital Crime Centre (IDCC) would be active in 3 main areas – cybercrime investigative support, research and innovation and cybersecurity.  The IDCC is expected to

“serve as a global hub for cybercrime issues, co-ordinating with national cybercrime investigators and authorities in Interpol’s member countries and with private partners in the technology industry.  The IDCC will bring all affected groups together to generate innovative solutions leading to the ultimate goal of creating a secure cyber world”.

In addition the prosecutor’s office would have the power to seek the most efficient assistance from experts in a global virtual task force established with key stake holders in the global information and communications technology industry, the financial services industry, the private sector, non-governmental organisations, academia and global law enforcement through Interpol.  Experts could be sourced from Google, Facebook, You Tube, Apple, Microsoft and similar organisations.  The global virtual task force should work together in a strong partnership to co-ordinate integrate and share information for the prevention and effective combating of global cybercrimes and deliver real time responses to cyber attacks.  Their goal should be to ensure that all global means and resources available are used to prevent identify and take real time actions against cyber threats.

Conclusion

Judge Schjolberg’s proposals are an example of the incremental growth of international institutions designed to deal with conduct that has a global impact. It seems that there is a recognition of the problem by the international community. Judge Scholberg’s proposed solution is on the table. We await further developments or proposals with interest.