Computer hacking involves identifying and exploiting vulnerabilities in others computer systems. Hackers can come in a variety of different forms: ranging from aggrieved Australian job applicants and sewage technicians to Canadian teenagers. Not all hackers interact directly with their victims computers. Some just use computer programmes known as viruses instead, such as whoever created the Stuxnet Virus, which may (or may not) have been targeted against Iran’s nuclear programme. Some hackers are highly skilled; others are no more than “script kiddies” who simply run the codes that others have written. Hackers form a vibrant community online, within that community various groups are to be found ranging from American kids to Russian mobsters.
There are a few common law offences that might be applied to computer crime, at least in theory, but to all intents and purposes Ireland’s computer crime laws are focused upon two items of legislation: the Criminal Damage Act 1991; and the Criminal Justice (Theft and Fraud Offences) Act 2001. When considering this legislation it must be kept in mind that prosecutions, not to mind convictions for computer hacking are virtually unheard of in Ireland or elsewhere. This is apparent not just in Ireland; hacking cases seem not to overburden the Courts of the USA, the UK or indeed anywhere else. This absence may reflect a hacking culture which is long on theorising, but short on implementation. Or it may reflect a reality that hacking is commonplace, but hackers either avoid detection entirely or at least avoid the legal consequences of their actions. If the latter proposition is correct, then it has to be recognised that the laws discussed below appear to have minimal, if any, deterrent effect.
This Act creates two basic computer crime offences: that of causing criminal damage to a computer; and that of unauthorised access. The Act’s approach is to create a number of statutory offences of criminal damage; damaging property; threatening to damage property; and possessing anything with intent to damage property. The Act defines damage as including damage to data, specifically:
‘…to add to, alter, corrupt, erase or move to another storage medium or to a different location in the storage medium in which they are kept (whether or not property other than data is damaged thereby), or…to do any act that contributes towards causing such addition, alteration, corruption, erasure or movement’.
‘… without lawful excuse damages any property belonging to another intending to damage any such property or being reckless as to whether any such property would be damaged shall be guilty of an offence’.
In order for an offence to be committed it must be shown that the accused person lacked a “lawful excuse” for what they did. Being “without lawful excuse” is defined by the Act as:
“…if at the time of the act…alleged to constitute the offence he believed that the person…whom he believed to be entitled to consent to or authorise the damage…the property in question had consented, or would have consented to or authorised it if he or they had known of the … and its circumstances…”
So there are three elements that must be proven before the offence can be established. There must be:
- Damage to data by a person;
- With intent to cause such damage or at least recklessness as to whether it would be caused;
- Without lawful excuse.
There is no reported Irish judgment of a person being convicted of an offence of damaging data contrary to the Criminal Damage Act 1991. Hence discussion of how the Act’s provisions might apply to such a case must use the facts of cases from other jurisdictions (the absence of such cases in Ireland is no reflection on the Gardai; there isn’t a great number of such cases in England and Wales either). One such case is that of Bow Street Magistrates Court and Allison. The facts were that:
“Joan Ojomo was an employee of American Express.…it was possible for her to access all customers’ accounts but she was only authorised to access those accounts that were assigned to her. However she accessed various other accounts and files which had not been assigned to her ..Having accessed those accounts and files without authority, she gave confidential information obtained from those accounts and files to… others…The information she gave to…others was then used to encode other credit cards and supply PIN numbers which could then be fraudulently used to obtain large sums of money from automatic teller machines…Using these methods, she and her fellow conspirators defrauded American Express of approximately $1,000,000”
If Joan Ojomo’s actions had taken place in Ireland, would she have commited an offence of damaging data? Probably not. She may have copied the data, but theft of information is not a criminal offence. There is nothing to suggest that she added to, altered, corrupted or erased any data. Hence it would seem that no offence could have been committed under this section of the Criminal Damage Act 1991. However, it is quite possible that offences would have been committed under another section of the Criminal Damage Act 1991 or other legislation. These possibilities are discussed below.
Another case is that of McKinnon v The United States of America, the facts of which were that the appellant:
“Using his home computer … through the internet, identified US Government network computers with an open Microsoft Windows connection and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts he installed unauthorised remote access and administrative software called “remotely anywhere” that enabled him to access and alter data upon the American computers at any time and without detection by virtue of the programme masquerading as a Windows operating system. Once “remotely anywhere” was installed, he then installed software facilitating both further compromises to the computers and also the concealment of his own activities. Using this software he was able to scan over 73,000 US Government computers for other computers and networks susceptible to similar compromise. He was thus able to lever himself from network to network and into a number of significant Government computers in different parts of the USA”
The installation of the “remotely anywhere” software could amount to criminal damage. Installing a program onto a computer would typically involve adding to or altering the hard drive or “storage medium” of the computer in question. Scanning different computers would not, however. Other actions of the appellant in McKinnon v The United States of America were even more clearly criminal damage. Having gained access to some 97 US Government computers he:
“… deleted data from them including critical operating system files from nine computers, the deletion of which shut down the entire US Army’s Military District of Washington network of over 2000 computers for 24 hours, significantly disrupting Governmental functions…”
This would appear to fall within the definition of criminal damage, assuming that it could be proven that the alleged perpetrator knew that he was damaging data when he was alleged to have done so and that the data damage could be proven to have been caused by the perpetrator himself. But if this could be proven, then it could be argued that he was reckless at the very least, and it is hard to see what lawful excuse he could offer for deleting data on US Government computers whilst sitting at home in London. Were such a case to come before the Irish Courts, then it would be interesting to see how the Courts would treat the matter of jurisdiction. The Criminal Damage Act 1991 is designed to have extra-territorial effect, damage is defined as including “…to do any act within the State that damages property outside the State…” How far the Courts might be willing to push such a definition remains to be seen. The appellant in McKinnon “…installed unauthorised remote access and administrative software called “remotely anywhere”…” Were an Irish Court to consider an equivalent case, then it might be willing to regard the installation of such software as an “…act within the State that damages property outside the State…” But if once installed such software were to cause damage to the US computers, then this might well be regarded as damage caused within the jurisdiction of the US, not Irish, Courts.
“…without lawful excuse operates a computer… within the State with intent to access any data kept either within or outside the State, or… outside the State with intent to access any data kept within the State…”
There are three elements to the offence. Firstly, a computer has to be operated. Secondly it has to be operated with “…intent to access any data…” Thirdly, there can be no lawful excuse. Again the offence is intended to have extra-territorial effect. The offence may be committed by someone who “…operates a computer… within the State with intent to access any data kept …outside the State…” or vice-versa. Finally, the offence will be committed:
“…whether or not the person intended to access any particular data or any particular category of data or data kept by any particular person”
Actions analogous to those discussed in both Bow Street Magistrates Court and Allison and McKinnon v The United States of America would appear to amount to the offence of unauthorised access. In Bow Street Magistrates Court and Allison Joan Ojomo:
“…did not have authority to access the data she used… At no time did she have any blanket authorisation to access any account or file not specifically assigned to her to work on. Any access by her to an account which she was not authorised to be working on would be considered a breach of company policy and ethics and would be considered an unauthorised access by the Company. The computer records showed that she accessed 189 accounts that did not fall within the scope of her duties. Her accessing of these accounts was unauthorised”
Given that she did not have a lawful excuse, there is no reason to think that an Irish Court would come to a different decision if equivalent facts were before it. In McKinnon v The United States of America the appellant was alleged to have gained unauthorised access to US Government computers. Were such allegations to be proven, then it is hard to see how the Irish Courts would not have convicted in an equivalent case. The difficulty with obtaining such convictions is that the penalties are not particularly high: “…a fine not exceeding £500 or imprisonment for a term not exceeding 3 months or both”
This Act creates the very broad offence of “unlawful use of computer” providing that:
A person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with the intention of making a gain for himself or herself or another, or of causing loss to another, is guilty of an offence.
Not only is the offence very broad, the penalty is very harsh, someone convicted of such an offence upon indictment “…is liable…to a fine or imprisonment for a term not exceeding 10 years or both” Although such offences may also be summarily tried. The term “dishonestly” is defined as meaning: “…..without a claim of right made in good faith”. The terms “gain” and “loss” are also defined.
The territorial extent of the offence seems unclear. To again apply this offence to the facts of McKinnon. Such an offence would involve a person operating a computer within the State so that he could cause the operation of a computer outside the State in the USA. The operation of the computer within the State would clearly be an offence, if it were done dishonestly and with the appropriate intent. The following actions might be offences contrary to section 9:
“Using his home computer … through the internet, [McKinnon] identified US Government network computers with an open Microsoft Windows connection and from those extracted the identities of certain administrative accounts and associated passwords. Having gained access to those accounts…”
But the operation of the computer in the USA might not be an offence, since they involved the operation of a computer outside the State:
“Having gained access to those accounts he installed unauthorised remote access and administrative software called “remotely anywhere” that enabled him to access and alter data upon the American computers at any time…”
The argument might be made that actions, such as gaining access to a US computer, which were clearly directed by McKinnon would fall within the Irish offence. But the installation of a program on that US computer would typically involve inserting an installation program onto the hard-drive, which would then complete the installation automatically. Manual functions directed from Ireland might amount to offences contrary to section 9, but automatic functions undertaken by a computer program in the USA would not