CHAPTER 6

COMPARATIVE STUDY OF CYBER LAWS

6.1 INTRODUCTION

Privacy has no definite boundaries and it has different meanings for different people. It is
the ability of an individual or a group to keep their lives and personal affairs out of
public view or to control the flow of information about them. Privacy is the claim of
individuals, groups or institutions to determine for themselves when, how and to what
extent information about them is to be communicated to others.317 Privacy is the state of
being private and undisturbed, or a person's right to this. It also means freedom from
intrusion or public attention, or avoidance of publicity. In fact, right to privacy is more of
an implied obligation;318 it is the right to be let alone.319

6.2 RIGHT TO PRIVACY UNDER INDIAN CYBER LAW

One of the convincing reasons that require safeguarding of privacy rights is the view that
personal information is a specific property. Hence, an individual is well within his rights
to protect or control any flow of information about him and is legally entitled to
protection equal to property ownership protection.320 Although India has no specific data
protection laws, the sphere of personal liberty is regulated by the Constitution of India
(Article 21), which has been successfully interpreted in multiple cases dealing with the
issue of right to privacy and protection of confidential information.321 The debate on
protecting privacy over the Internet has led to the emergence of many technological and
legal changes in this sphere worldwide.

Today, right to privacy is recognized in a number of international documents: the

Universal Declaration of Human Rights 1948 (Art. 12); the International Covenant on
Civil and Political Rights 1996 (Art. 17); the European Convention on Human Rights
(Art.8). The Council of Europe Convention on Human Rights, aimed at securing privacy
317
Tayal, V., (2011) ―Cyber Privacy in the Indian Information Technology Regime: Issues and
Challenges‖ Edn-1st, Bharat Law Publications, Jaipur, p. 17.
318
Sharma, Vakul (2004), ―Information Technology: Law and Practice Cyber Law &E-Commerce‖,
Universal Law Publishing Co. (P) Ltd.
319
Warren and Brandeis: 'The Right to Privacy‖ (1890) Harvard Law Review, V IV, p (5).
320
Millar, Arthur (1971), the Assault on Privacy: Computer, Data Banks and Dossiers, p. 211.
321
Case: Govind v State of Madhya Pradesh, 1975 2 SCC 148.

181
protection in the context of information technology, came into force in 1985 and, thus
far, it has been ratified by 20 states. The Convention laid down the basic principles
governing data protection, trans border flow of information, establishment of
consultation committees and procedure for prospective amendment of the EU
Convention. The European Union Data Protection Directive 1998 reaffirmed the
principles introduced in the EU Convention.

In India, the Information Technology (IT) Act was passed in 2000 in order to deal with
the situation in the technological world which has been facing various cyber fallacies.
The Act envisages legal provisions on unauthorized access, damage to computer through
computer contaminants, hacking, breach of privacy and confidentiality, and publishing
false digital signature certificates for fraudulent purposes. Section 66E of the 2000
Information Technology Act includes explicit provisions pertaining to the violation of
privacy and defines the terms such as transmit, capture, private area, publish, etc.322
Further on, Section 72 of the 2000 Information Technology Act prescribes penalty for
breach of confidentiality and privacy, directly related to the confidentiality and privacy
of individuals.323 This section is narrow in scope as it is applies only to authorized
officials. It means that the provisions envisaged in this section apply only to persons who
are authorized to collect data. The application of these provisions is extremely limited
under this Act as it covers offences committed only by the authorities such as
Adjudicating Officers, members of the Cyber Regulations Appellate Tribunal (CRAT) or
Certifying Authorities.324

 NEW PROVISIONS TO PROTECT PRIVACY AND DATA IN INDIA

New provisions on privacy and data protection were introduced in the Indian information
technology regime by adopting the Information Technology (Amendment) Act in 2009.
Under Section 72A of this Act, any person (including an intermediary) rendering any
services under a lawful contract is required to act as stipulated in the terms of contract,
and is obliged not to disclose any personal information that could cause wrongful loss or
wrongful gain to any person. The breach of this duty is punishable with imprisonment for
322
The Information Technology (Amendment) Act, 2009, Section 66-E and explanation
323
The Information Technology (Amendment) Act, 2009, Section 72 and explanation
324
Tayal, Vimlendu (2011), ―Cyber Law Cyber Crime Internet and E-Commerce‖, Bharat Law
Publications, Jaipur, p. 210

182
a term which may extend to three years or with fine up to five lakh rupees or both. At the
same time, there are certain limitations and exceptions to one's exercise of right to
privacy as set out in Sections 67 and 69 pertaining to a ban against pornographic
materials and interest of national security, sovereignty, directions of controller to a
subscriber to extend facilities to decrypt information, respectively. With the enforcement
of the 2009 Information Technology (Amendment) Act, the amended Section 69 has
exemplified Internet censorship which can be justified on sound grounds. This section
empowers the Central Government or State Government and its authorized agency to
intercept, monitor or decrypt any information generated, transmitted, received or stored
in any computer resource if it is necessary or expedient to do so in the interest of the
sovereignty or integrity of India, defense of India, security of the state, friendly relations
with foreign States or public order or for preventing incitement to the commission of any
cognizable offence or for investigation of any offence.

Section 69A also allows blocking of certain websites if their content is of such nature as
described in Section 69. This provision is in conformity with the reasonable restrictions
that are envisaged to be imposed on fundamental rights guaranteed under the
Constitution of India, in case the same is found necessary to maintain public order,
national integrity, sovereignty and allied interests.

Further, Section 69B empowers the Central Government to authorize any agency of the
Government to monitor and collect traffic data or information generated, transmitted or
received or stored in any computer resource in order to enhance cyber security and for
identification, analysis and prevention of intrusion of computer contaminant.325

6.3 LAWS RELATING TO PRIVACY IN THE UNITED STATES OF AMERICA

(USA)

 Electronic Communication Privacy Act, 1986

The United States of America passed the Electronic Communication Privacy Act
(ECPA) in 1986, particularly for the purpose of regulating the Internet-related issues. It
is most commonly used for internet privacy lawsuits. This Act prohibits unauthorized

325
Chaubey, R.K. (2009), ―An Introduction to Cyber Crime & Cyber Law‖, Kamal Law House,
Calcutta, pp.45-46.

183
intentional access to facility or network and the interception of data. It is also an offence
to exceed an authorization to access a computer facility. The 1986 Electronic
Communication Privacy Act (ECPA) provides both criminal and civil penalties for
violations of privacy on the Internet. Civil penalties include statutory damages and
paying reasonable costs and expenses in individual cases giving rise to class action
lawsuits.

 Children Online Privacy Protection Act, 1998

The 1998 Children Online Privacy Protection Act (COPPA) was enacted by American
Government to protect the privacy of children below the age of thirteen. This Act
requires each website operator to obtain verifiable parental consent before collecting,
using and disseminating any of the above data. It also provides that the websites aimed at
children may not condition a child‘s participation in a game or receipt of a price on the
child‘s disclosure of personal information.

 Video Privacy Protection Act, 1988

The 1988 Video Privacy Protection Act was enacted to protect the privacy of
consumers‘, rental and purchase of videos. The Act applies to those persons who are
engaged in the business of rental, sale or delivery of pre-recorded video cassette tape or
similar audio visual materials. It prohibits the disclosure of purchase or viewing history
records of individual consumers without their informed written consent in advance of
disclosure, with certain exceptions. This statute may create a legal risk for companies
streaming videos for fee over the Internet. Disclosure of consumer data could leave these
companies opens to individual or class action lawsuits. The Act provides for statutory
and punitive damages.

 Computer Abuse and Fraud Act, 1984

The 1984 Computer Fraud and Abuse Act (CFAA), often designated as the anti-hacking
statute, prohibits unauthorized access to computer systems. The statute provides
penalties for unauthorized access and also prohibits exceeding any authorization. Under
the 1984 Computer Abuse and Fraud Act, one may not access a computer with
authorization and use such access to obtain or alter information in the computer.
Paragraph 5(A) of this statute also prohibits the transmission of viruses with the intention

184
of causing damage to a protected computer. The violation of this statute implies both
criminal and civil penalties. The damages are limited to economic losses and the action
must be brought within two years of the violation or within two years of the discovery of
the damage. Accordingly, this statute is often featured prominently in internet privacy
class action.

 The Health Insurance Portability and Accountability Act, 1996

The 1996 Health Insurance Portability and Accountability Act (HIPAA) include
provisions on privacy rights and confidentiality of health care information in medical
records. This Act sets national standards for the protection of privacy of health care
information. Thus, any person or entity involved in keeping, transferring and using
health information of another is required to ensure reasonable and appropriate
administrative, technical and physical safeguards (measures, policies and procedures) in
order to:

(a) Ensure the integrity and confidentiality of health care information;

(b) Safeguard against any reasonably anticipated threats or hazards to the security or
integrity of such information as well as the unauthorized uses or disclosure of such
information, and

(c) Ensure compliance with these safeguards by the officers and employees of such
person or entity.

In the United States, apart from the protections provided by the Federal statutes, an
individual‘s private information is also protected by State statutes. A number of States
have consumer protection and fraud laws which apply in many cases concerning the
violation of privacy and wrongful data-collection practices. For instance, the State of
Virginia has included the data collected over the Internet in its Privacy Protection Act.
Thus, any company that collects data by means of the Internet may face liability under
any or all of these rules in any jurisdiction where the data is available on the Internet.

In nations like India and the United States, right to privacy is not explicitly provided in
legal lexis but it is accepted as an implied right in the Constitutions of these two
counties. In the 1986 Electronic Communication Privacy Act (ECPA), the data holder‘s
consent is given due consideration as the lack of informed consent can be used as a

185
defense in the court of law. From the viewpoint of data protection, the 2009 Information
Technology (Amendment) Act of India introduces the distinction between a
contravention (infringement) and a criminal offence by introducing the element of
mensrea for qualifying the criminal offence.326

6.4 BREACH OF ONLINE PRIVACY

INDIA USA

A) Under Section 72 of the IT Act, A) The Electronic Communications

disclosing the personal information Privacy Act of 1986 is a criminal wiretap
without the consent of the person statute. On the basis of the
concerned is punishable as a criminal recommendation of the Federal Trade
Offence involving breach of privacy. Corporation (FTC), the Children‘s Online
Section 66-E also punishes violation Of Privacy Protection Act (COPPA), effective
privacy. of 2000, also provides protection to
individual privacy. Consent of the
individual negates liability.

A) Here, the law is narrow as B) Section 2511(1) (a) of the ECPA

liability may be imputed only on a prescribes relevant punishment for any
person authorized under the IT Act to person who commits the breach and/or any
have access to any electronic book, person who such liability can be affixed to.
record, etc. (Section 72 of the IT Act).

Thus, the United States law has a broader application as it brings within its purview not
only the authorized persons but also anyone who intercepts the data. The consent factor
is common in the legal provisions of both countries, which is a notable reminder that the
informed consent standard has already been recognized and become part of the
Organization for Economic Co-operation and Development (OECD) principles and some
other International law instruments. The United States law seems to be exhaustive and

326
The Information Technology (Amendment) Act, 2009, amended Section 43 and Section 66.

186
extensive as it is particularly a privacy specific legislation. Even after introducing
amendments to Section 66E relating to privacy, the Indian provision still does not cover
all the areas pertaining to individual privacy. Section 72 is incomprehensive and
deficient in more than one way; it is only a brief and isolated legal provision on the right
to Internet privacy which regulates the penalty for breach of online confidentiality and
privacy.

Crime is as old as human civilization and cyber-crime is as old as the invention of the
computer, the wonder machine which changed the lives of human beings. Computers
have become an inherent part of everybody‘s life. They have been put to numerous uses,
ranging from personal to professional work and from entertainment to studies. The
increasing popularity of computers and their use in each and every field have given rise
to other technologies. It will not be wrong to say that computer is the driving force
behind the revolution in Information Technology. Due to this, privacy has become a
major concern. The Indian 2000 Information Technology Act provides punishment for
breach of privacy or confidentiality without the consent of the person concerned under
Section 72 of the Information Technology Act, 2000. The violation of privacy is also
punishable under the new Section 66-E. In the United States of America, the 1986
Electronic Communications Protection Act (ECPA) is a criminal wiretap statute and the
2000 Online Protection Act also provides protection to individuals‘ right to privacy. Both
countries have been working on this gradually but the privacy factor is an issue of a
much greater concern in India than in the United States.

6.5 THE CYBERCRIME LEGISLATION IN CHINA

The Chinese regulating system on cyber wrongdoing is a multi-dimensional and

comprehensive mechanism to protect the computers and the data stored on the
computer.92 According to the hierarchy of the issuing body, regulations on cyber
wrongdoings can mainly be divided into three levels:

(1) The Criminal Law issued by the National People‘s Congress (hereafter the NPC),
and the Amendments to the Criminal Law and Decisions issued by the Standing
Committee of the NPC (hereafter the SCNPC);

187
(2) Administrative regulations issued by the State Council (hereafter the SC) and

Departmental rules issued by the Ministries; and

(3) The Judicial Interpretations issued by the Supreme People‘s Court327 (hereafter the
SPC) and the Supreme People‘s Procurator ate328 (hereafter the SPP) and case law.

 Criminal Law, Amendments to the Criminal Law, and Decisions

Laws regarding crime and sanction can only be issued by the NPC and the SCNPC. 329
Legislations at this level contain two parts: the Criminal Law and its Amendments, and
the Decisions. The Criminal Law issued by the NPC and its Amendments issued by the
SCNPC serve as the basic legal instruments for dealing with cybercrime because of the
hierarchy of their issuing bodies. According to the Constitution and the Legislation Law,
the NPC is the supreme organ of State power,330 and it enacts and amends criminal, civil,
and state organic laws and other basic laws.331 The NPC Plenary normally meets once a
year to discuss national affairs. Outside the Plenary meetings, the NPC functions through
its Standing Committee, i.e. the SCNPC. The responsibility of the SCNPC is to enact and
amend laws other than those which can only be enacted by the NPC, and to partially
amend and supplement national laws enacted by the NPC when it is not in session,
provided that such amendments or supplements do not contravene the basic principles of
the national laws.332

327
The Supreme People‘s Court is the highest judicial organ of the PRC; its primary duty is to supervise
the local people‘s courts. More precisely, it has the authority to hear all kinds of cases, issue Judicial
Interpretations, supervise the trials of local courts, and administer national judicial affairs according
to the law. Because of the status and authority of the SPC, its Judicial Interpretation is regarded as
law in a broad sense and binding to the courts in China.
328
The Supreme People‘s Procuratorate is the highest procuratorial organ of the PRC. Its duties include
legal supervision and issuing Judicial Interpretation. The former is to ensure the unity and validity of
the implementation of national law; the latter is to apply the law in the administration of Justice. In a
broad sense, the Judicial Interpretation issued by the SPP is also regarded as law in a broad sense and
binding to the Public Prosecution.
329
Articles 7 and 8 of the Legislation Law, available at
http://www.for68.com/new/201007/he3750414359127010212997.shtml.Last visited June 2015.
330
Article 57 of the Constitution, available at http://english.gov.cn/2005-08/05/content_20813.htm.Last
visited June 2015.
331
Article 7 of the Legislation Law.
332
Article 7 of the Legislation Law.

188
Cybercrime under the Criminal Law and its Amendments contains five specific offences
and one non-specific article, including illegal access to computers (Art. 285), computer
interference (Art. 286), failing to fulfill the obligation of supervising information
network (Art. 286A), illegal use of the information network (Art. 287A), assistance of
cybercrime (Art. 287B) and the non-specific article ruling traditional crimes facilitated
by computers (Art. 287).

With regard to the Decision made by the SCNPC, so far the SCNPC has made two
Decisions regarding cyber wrongdoings. They are the Decision on Preserving Computer
Network Security 2000 and the Decision Regarding the Strengthening of Network
Information Protection 2012. Both of them confirm the necessity of regulating cyber
wrongdoings. The Decisions 2000 emphasizes the legal liability of the offender,
criminally, administratively or civilly.333 It states that the following six categories of
activities that threatening the security of computer network shall be punished under
relevant statutory provisions:

(1) Offences undermining the safe operation of a computer network, such as attacking a
computer information system or telecommunication network;

(2) Offences undermining national security and social stability, such as incitement to
subvert the state‘s political power or overthrow the socialist system;

(3) Offences undermining the order of the socialist economic market or social
management order through the internet, such as the dissemination of pornographic
images;

(4) offences infringing personal property and other legitimate rights of individuals, legal
persons and other organizations via the internet, such as insulting another person or
fabricating facts to slander another person;

(5) Other offences that are not covered in points (1) to (4);

333
Bin Liang and Hong Lu, ‗Internet Development, Censorship, and Cyber Crimes in China‘, Journal of
Contemporary Criminal Justice, vol. 26 1(2010): 103-120, p.112.

189
(6) illegal activities that violate the Regulations on Administrative Penalties for Public
Security334 via the Internet and are not deemed serious enough to be punished under
criminal law; infringements which violate other laws and administrative regulations
via the Internet, and are not deemed serious enough to be punished under criminal
law or the Regulations on Administrative Penalties for Public Security; and
infringements which violate civil laws. 335

From the above wordings one can see that the Decision 2000 focuses on the computer
and network, but not the data or information. As more and more data stored on
computers has been stolen and distributed online,336 the SCNPC issued the Decisions
2012337 to regulate such a phenomenon. The Decision 2012 focuses on the data stored on
digital devices that delivering a citizen‘s personal identity or that relating to a citizen‘s
personal privacy, and reaffirms that criminal liability should be pursued in accordance
with the criminal law where a crime has been committed.338

 Administrative regulations and departmental rules

Apart from the laws passed by the NPC and the SCNPC, to regulate activities involving
computer and network, in particular to deter activities that are ‗supposedly detrimental to
the interests of the State or the collectives‘, the Chinese executive organs have issued a
series of regulations, including administrative regulations and departmental rules. 339 The
administrative regulations and the departmental rules are excluded from the law in the

334
In 2006 the SCNPC enacted the Public Security Administration Punishments Law to replace the
Regulations on Administrative Penalties for Public Security Worth mentioning, the new Public
Security Administration Punishments Law is more or less the same as its predecessor Regulations on
Administrative Penalties for Public Security. Wrongful acts that violate laws yet are not serious
enough to pursue criminal liability shall be punished under this new Law as administrative offences.
(The Contradiction between Criminal Law and Public Security Administration Punishments Law),
RenminJiancha (People‘s Procuratorate), 5(2007): 26-28.
335
See more details on 2000 D15B6-xM{y9d : (National People‘s Congress Standing Committee
Decision concerning Preserving Computer Network Security 2000).
336
‗ (Comprehensive Interpretations on the Decision Regarding Strengthening Network Information
Protection), Kai Feng, 5 January 2013, available at http://www.kaiwind.com/xwzc/
news/201301/t165329.htm.Last visited June 2015.
337
(Decisions Regarding the Strengthening of Network Information Protection 2012).
338
See more details on 2012 D15B6-: (National People‘s Congress Standing Committee Decision
concerning Strengthening Network Information Protection 2012).
339
‗Internet Regulation in China: The Never-ending Cat and Mouse Game‘, Information and
Communications Technology Law, 13(2004): 41-57, p.44.

190
sense of the Legislation Law 2015.340 That means they cannot be used as the ruling basis
when judges adjudicate criminal cases. 341 However in judicial practice, they can serve as
argumentation in judgments. For example, the Regulation 1994342 defines technical
terms such as ‗computer‘ which can be used by judges in court. Moreover, they can be
deemed as the antecedent of the criminal response, and thus can to some extent imply the
future changes in the criminal law. For instance, section 23 of the Regulation 1994343
states that whoever endangers the security of the computer by inputting computer virus
or harmful data to computer systems shall be punished. Afterwards, the activities
threatening the security of computers were criminalized when the CL was revised in
1997. Another example is regarding the Measure 1997 (revised in 2011).344 Section 5(6)
of the Measure of 2011 states that citizens should not use the information network to
disseminate information that propagates feudalistic superstition, obscenity, pornography,
gamble, violence, and that instigates crime‘. Subsequently in 2015, the Amendment (IX)
to the CL criminalizes activities that using the information network to disseminate
information that propagates obscenity and instigates crimes.

Since executive organs not only produce a large volume of regulations and rules but also
frequently change them, it is unrealistic to describe and analyses all of them. Therefore,
the following provides only an outline of Chinese administrative regulations and
departmental rules rather than a detailed analysis.

 Administrative regulations

The State Council, as the highest executive organ, issues administrative regulations. It
can ‗adopt administrative measures, enact administrative regulations and issue decisions

340
Article 7 of the Legislation Law rules that only the NPC and the SCNPC can make laws.Article 65 of
the Legislation Law rules that the SC can issue administrative regulations in accordance with the
Constitution and laws.Article 80 of the Legislation Law rules that Ministries, Committees and other
affiliated institutions of the SC can enact departmental rules.
341
Article 3 of the Provisions of the Supreme Peopl‘s Court on the Citation of Such Normative Legal
Documents as Laws and Regulations in the Judgements, Fa Shi [2009] No. 14.
342
Section 1 of the Safety and Protection Regulations for Computer Information Systems 1994, Decree
No. 147 of the State Council.
343
The Safety and Protection Regulations for Computer Information Systems 1994, Decree No. 147 of
the State Council
344
The Measures for Security Protection in the Administration of the International Networking of
Computer Information Networks 1997(2011revised), Decree No. 33 of the Ministry of Public
Security

191
inaccordance with the Constitution and the laws‘.345Since the 1990s the SC has published
dozens of regulations to control misuses of computers and network. In general, as
suggested by Kam C. Wong, these regulations can be categorised into three groups:

(1) Network monitoring and control,

(2) Security of network information system, and

(3) Protection of intellectual property and facilitation of E-commerce.346

(1) Network monitoring and control

Regulations under this category are enacted to regulate the network from the aspects of
its content, the responsibility of the Internet service providers, and others. For example,
the Interim Provisions on the Management of International Networking of Computer
Information Network (1997 revised) attaches pre-requisites to companies engaged in
internet services business.347 Article 19 of the Regulations on the Administration of
Business Sites of Internet Access Services 2002 further requires such companies to
establish a system by means of which unlawful activities on the network can be
detected.348

(2) Security of network information system

Regulations under this category are issued to protect the security of computer
information systems and to prohibit illegal behaviors from jeopardizing such systems.
The Regulation 1994 is one such example. As the first official Regulation on computer
security, it requested individual companies to establish their own mechanisms to protect
computers from being hacked.349

(3) Protection of intellectual property and facilitation of E-commerce

As the Internet and E-commerce became an important stimulus to the Chinese economy,
hackers rapidly noticed the potential profits in this field. Relevant misuse of them

345
Article 89 of the Constitution.
346
Kam C. Wong, Cyberspace Governance in China, New York: Nova Science Publishers, 2011.
347
Article 9 of the Interim Provisions on the Management of International Networking of Computer
Information Networks, Decree No. 195 of the State Council.
348
(Regulations on Administration of Business Premises for Internet Access Services), Decree No. 363
of the State Council, at http://www.china.org.cn/business/laws_regulations/2007-06/22/content_
1214798.htm.
349
Article 13 of the Regulations of the People‘s Republic of China for Safety and Protection Regulations
for Computer Information Systems 1994, Decree No. 147 of the State Council.

192
quickly appeared. In this context, regulations protecting intellectual property and E-
commerce have been enacted. For example, the Regulations 2001 (2011 and 2013
revised) provides a safeguard to the rights of the copyright owner of computer software
to address the relationships arising in the dissemination and use of such software. 350

 Departmental rules

The Ministries can issue departmental rules in the sectors of which they are in charge in
accordance with the Constitution and the legislations, decisions, and regulations issued
by the NPC, the SCNPC and the SC.351 In legislation, the departmental rules are regarded
as implementations of the laws or regulations deriving from a higher level in the
hierarchy.352In practice, they are issued for more occasions where statutory legislation or
regulation on a certain issue is absent or where loopholes exist.353 In general, the
departmental rules regulating cyber wrongdoings are grouped into four major categories:
registration of domain names,354 network monitoring and control, and security of
network information system, and protection of intellectual property and facilitation of E-
commerce.355

(1) Registration of domain names

Rules under this category perform ‗an important mechanism for censorship of
Internetwebsite operators: to restrict the creation of new websites and keep track of who

350
See more details on the Regulations on the Protection of Computer Software 2001, Decree No. 339 of
the State Council.
351
Article 90 of the Constitution; cf. Article 80 of the Legislation Law. Several legal scholars regard the
power of the Ministries on issuing departmental rules to enhance administrative functions as the most
important development in Chinese administrative law since the 1980s. See e.g. Jan Michiel Otto and
Yuwen Li, ‗An Overview of Law-Making in China‘, in Jan Michiel Otto, Maurice V. Polak, Jianfu
Chen and Yuwen Li (eds.), Law-Making in the People‘s Republic of China, Netherlands: Kluwer
Law International, 2000, p. 3.
352
Article 80 of the Legislation Law
353
Jan Michiel Otto and Yuwen Li, ‗An Overview of Law-Making in China‘, in Jan Michiel Otto,
Maurice V. Polak, Jianfu Chen and Yuwen Li (eds.), Law-Making in the People‘s Republic of China,
Netherlands: Kluwer Law International, 2000, p. 3.
354
Domain Name System is a distributed, replicated name service whose primary purposes are to map
host Names into corresponding Internet addresses, map Internet addresses into hostnames, and locate
daemons for electronic mail transfer. It gives the world domain suffixes, such as .edu, .com, .gov, and
a series of country codes. See e.g. Peter B. Danzig, Katia Obraczka, Anant Kumar, ‗An Analysis of
Wide-Area Name Server Traffic: A study of the Internet Domain Name System‘, ACM SIGCOMM
Computer Communication Review, vol. 22 4(1992): 281-292.
355
Kam C. Wong, Cyberspace Governance in China, New York: Nova Science Publishers, 2011.

193
theinformation content providers of a website are‘.356 This series of rules includes the
Measures for the Administration of Internet Domain Names of China 2004, the Measures
of the China Internet Network Information Centre for Resolving Disputes Regarding
Domain Names (2012 Revised) and others.

(2) Network monitoring and control

Administrative rules under this category include the Provisions on the Interconnection of
Designated Networks with Public Networks 1996, issued by the Ministry of Post and
Telecommunications, and the Implementing Measures for the Provisional Regulations
for the Administration of International Networking of Computer Information Networks
1998, issued by the Information Task Force of the State Council.

(3) Security of network information system

One notable example in this category is the Measure 1997 (2011 revised). This Measure
states that no individual or unit shall use a network in a way that endangers state security,
threatens public interests or infringes a citizen‘s rights; nor May individuals or units
produce or disseminate illegal information.357

(4) Protection of intellectual property and facilitation of E-commerce

Rules under this category are enacted to protect intellectual property and promote E-
commerce. Two examples are the Measures for the Registration of Computer Software
Copyright 1992, issued by the Ministry of Machinery and Electronics Industry, and the
Interim Regulations on the Administration of Software Products 1998, issued by the
Ministry of Electronic Industry.

China has a multi-level regulating system on cyber wrongdoings, with the CL and its two
Amendments the basic and principal instruments. Although both of the two Amendments
expanded the scope of cybercrime, the reasons for expansions were different. The
Amendment (VII) was issued in 2009 to cover the gap that rose together with the
increasing popularity of personal computers. After this Amendment, the ‗two points and
one dimension‘ approach was established. This approach draws a clear distinction

356
Ibid
357
Article 4 of the Measures for Security Protection in the Administration of the International
Networking of Computer Information Networks 1997(2011revised), Decree No. 33 of the Ministry of
Public Security.

194
between the genuine computer crime (i.e. the crimes which target the security of the
computer information system and the data, offences under Articles 285 and 286) and
traditional crimes facilitated by computers (i.e. offences under traditional criminal
provisions). In addition, this approach distinguishes the genuine cybercrimes that not
damaging the function of computers from those damaging the function of computers.
Moreover, under this approach, mere hacking is criminalized only when the hacked
computer information system involved in the State affairs, national defense or
sophisticated technology. For computers belonging to individuals and companies, the
actor must either have obtained some information from the hacked computer or
controlled it in some way, before being held liable for a criminal sentence. With these
distinctions and clarifications, the ‗two points and one dimension‘ approach appears to
be a systematic approach. During this period, one main drawback is that the protection
on data is relying on the protection on the computer. In 2015, the Amendment (IX) was
issued, and showed some changes with respect to the approach. Firstly, the subject of the
newly inserted offences is not ‗computer information system‘ but ‗information network‘
– the one in fact has already included by the definition of‗ computer‘. Secondly, the ‗two
points and one dimension‘ approach no longer exists since the genuine cybercrime and
traditional crimes are not regarded essentially different under the new Amendment. For
instance, the preparation and assistance of traditional crime facilitated by computers are
now regarded as complete cyber-crime.

The changes in the approach of the CL raise two problems in particular. Firstly, the
Amendment (IX) expands the scope of cybercrime to a large degree. For instance, China
decides to pursue criminal liability of network service provider when they fail to filter
illegal information online when other countries decide not.256 Secondly, the
inconsistency between the Amendment (IX) and the ‗two points and one dimension‘
approach leads to confusions between traditional criminal provisions and cybercrime
provisions, and further reduces the possibility for judges to make far-reaching
interpretations. 358

358
For instance, section 230 of the Communications Decency Act of the United States (47 USC § 230)
rules That ‗No provider or user of an interactive computer service shall be treated as the publisher or
speaker of any
Information provided by another information content provider‘. Section 26 of Electronic Transactions
Act (Chapter 88) of Singapore also rules that ‗(1) a network service provider shall not be subject to
any civil or criminal liability under any rule of law in respect of third-party material in the form of
electronic records to which he merely provides access if such liability is founded on — (a) the

195
One possible reason for the changes in the approach is the politicization in the field of
criminal law. As shown by the fact, the main amendments to the criminal law had
already been reflected in the administrative regulations, the departmental rules and
Judicial Interpretations. Compared with the CL and its amendments, these regulatory
instruments are more vulnerable to political intervention. Due to this politicization, the
worry on social stability and national security drives the legislators to replace the
previous approach with a more stringent one so as to enhance the control over
cyberspace. For instance, Article 1 of the Cyber Security Law (draft) states that its aim is
to protect the cyber security and the national

Security. In addition, the Measures for Security Protection Administration of the

International Networking of Computer Information Networks (2011 revised) emphasizes
that no individual or company shall use a network in a way that endangers state security
or threatens public interests. In sum, during the last two decades, transitions can be
noticed within the understandings of cybercrime and the legislative approaches against
cybercrime. Within the arena of the criminal law and the Judicial Interpretations,
contradictory scenarios can be observed in relation to the position on criminalizing the
wrongful online activities. Apart from the CL and the Judicial Interpretations, Chinese
executive organs have also issued an enormous amount of instruments supplementing the
CL, including administrative regulations and departmental rules. Unlike the transitions in
the positions reflected in the CL and the Judicial Interpretations, from the beginning the
supplementary instruments demonstrate the government‘s desire to enhance the control
over cyberspace. 359

6.6 THE CYBERCRIME LEGISLATION IN ENGLAND

 The evolution of Computer Misuse Act

The history of criminalizing computer misuses can be divided into three periods: pre
1990, the judges tried to apply traditional criminal provisions to deal with computer
crime, and found them inappropriate in cyber context; from 1990 to 2006, after the

making, publication, dissemination or distribution of such materials or any statement made in such
material; or (b) the infringement of any rights subsisting in or in relation to such material; (1A) a
network service provider shall not be subject to any liability under the Personal Data Protection Act
2012 in respect of third-party material in the form of electronic records to which he merely provides
access‘.
359
For the details of how the main amendments to the criminal law have been reflected in the
administrative regulations, the departmental rules and Judicial Interpretations,

196
promulgation of the ECMA, the English legislators and judicial agencies started to apply
cybercrime legislation and found the legislation gradually out-dated; the third period is
from 2006 to the present day, in which the system of criminalizing cyber wrongdoings
has been gradually established in England.

 Pre 1990:

Initial attempts to use traditional criminal law tackling computer misuses Before the
promulgation of the ECMA 1990, scholars believed that the then ‗existing legislation and
the common law could deal adequately with the problems thrown up by the use of
computers and information technology‘.360 The Law Commission also considered that
‗the general criminal law [was] sufficient to deal with most forms of computer
misuses‘.361 This opinion was popular up until the end of the 1980s, when in several
high-profile cases judges found it hard to stretch the then existing laws ruling certain
behaviors.362 In this period, judges explored traditional criminal provisions from criminal
damage to theft and forgery. However, none of them could appropriately apply to
computer misuse without causing more problems. The attempts are as follows.

(1) The first attempt: Criminal Damage Act

At the beginning of the legal fight against computer misuse, traditional criminal
provisions could apply to some forms of computer crime. For instance, deleting
computer data stored on a disc tended to fall within the scope of section 1(1) of the
(England) Criminal Damage Act 1971363 (hereafter the ECDA 1971).364 Section 1(1)
states that ‗a person who without lawful excuse destroys or damages any property
belonging to another intending to destroy or damage any such property or being reckless
as to whether any such property would be destroyed or damaged shall be guilty of an
offence‘.

360
Andrew Charlesworth, ‗Legislating against Computer Misuse: The Trials and Tribulations of the UK
Computer Misuse Act 1990‘, Journal of Law and Information Science, 1(1993): 80-93, p. 81.
361
The Law Commission, Computer Misuse working Paper No. 110,
362
Andrew Charlesworth, ‗Legislating against Computer Misuse: The Trials and Tribulations of the UK
Computer Misuse Act 1990‘, Journal of Law and Information Science, 1(1993): 80-93.
363
Criminal Damage Act 1971, available at http://www.legislation.gov.uk/ukpga/1971/48/contents. Last
visited March 2015.
364
Stefan Fafinski, ‗Access Denied: Computer Misuse in an Era of Technological Change‘, Journal of
Criminal Law, vol. 70 5 (2006): 424-442, p. 425.

197
However, this provision was insufficient: it only applied when a physical property was
destroyed or damaged. It is stated clearly in section 10(1) of the CDA 1971 that ‗in this
Act, ―property‖ means property of a tangible nature…‘ Taking the intangible nature of
computer data into consideration, the requirement of ‗tangible‘ property in the CDA
1971 limited its use in combating the addition, deletion or damage of computer data
stored on a disc. To apply the CDA 1971 on computer misuses, some expansion had
been made when interpreting ‗tangible property‘.365

In the case Cox v. Rilley, the defendant deleted the data stored on a card and therefore
made the card inoperable.366 He claimed that the damage was made to the data rather
than the card, and the card per se suffered no impairment, thus the physical property –
the card was not damaged. With this argument, he maintained that his behavior fell
outside of the scope of the CDA 1971.367 Countering such an argument, the Divisional
Court rejected it by stating that ‗we would not answer the question posed by the justices
―can the erasing of a program from a circuit card which is used to operate a computerized
saw constitute damage within the meaning of the Criminal Damage Act 1971?‖ with the
emphatic answer yes‘.368 It can be seen from this statement that the tangibility of the
property remained a central issue when ruling such cases. Also with regard to this case,
the Law Commission shared a similar opinion with the Divisional Court; it expressed
that ‗the program itself is intangible but, so long as the defendant is charged with causing
damage to some tangible part of the computer‘s hardware on which the information is
stored…then, it seems clear, he can be convicted of damage to that hardware if he deletes
or alters a program‘.369

Despite this issue, the CDA seemed to be a potential measure to combat computer crimes
in the early stages, supported by the court judgment of the case Cox v. Rilley and the

365
Ibid
366
Cox v. Rilley, [1986] 83 Cr App R 54, DC.
367
See Martin Wasik, ‗Criminal Damage/Criminal Mischief‘, Anglo-American Law Review, vol. 17
(1988): 37-45. See also Stefan Fafinski, ‗Access Denied: Computer Misuse in an Era of
Technological Change‘, Journal of Criminal Law, vol. 70 5 (2006): 424-442
368
Stefan Fafinski, ‗Access Denied: Computer Misuse in an Era of Technological Change‘, Journal of
Criminal Law, vol. 70 5 (2006): 424-442, pp. 425-426. Regarding this case, David Bainbridge argued
that it was the magnetic impulses that conveyed information rather than the storage media that were
damaged in cases as such. See David I. Bainbridge, ‗Hacking-The Unauthorized Access of Computer
Systems; the Legal Implications‘, The Modern Law Review, vol. 52 (1989): 236-245, pp. 240-241
369
The Law Commission, Computer Misuse working Paper No. 110

198
Law Commission‘s position. Some scholars also supported this view. For instance,
David Bainbridge concluded in his article that a hacker indeed did not damage the
storage media itself, what he did was change the information the media conveyed. This
act damaged the integrity of the storage media and thus the actor was guilty of criminal
damage.370 However, this route, as suggested by Martin Wasik, ‗would probably [make]
the law undesirably wide merely to include criminal mischief within the simple offence
of criminal damage‘.371 Thus, other routes were also explored during that period.

(2) The second attempt: Theft Act

The second possible route was to employ abstraction of electricity - section 13 of the
(England) Theft Act 1968372 (hereafter the ETA 1968) - to regulate computer crimes.373
This section reads that ‗a person who dishonestly uses without due authority, or
dishonestly causes to be wasted or diverted, any electricity shall on conviction be liable
to imprisonment for a term not exceeding five years.‘

This offence aims at the acts of bypassing electricity meters, and it seems to have
nothing to do with computer misuse. Nonetheless, as argued, a person who uses
another‘s computer without authority will inevitably dishonestly use electricity without
due authority, thus resulting in a violation of section 13 of the TA 1968.374 No cases
were adjudicated based on this section of the TA 1968 in England, but a case which
happened in Hong Kong can serve as an example of using this offence to deal with
computer misuses.375

In the Hong Kong case, the defendant discovered a password by coincidence and gained
access to a Cable and Wireless plc. email system. He confessed that he did this out of
curiosity rather than for any kind of personal gain. He was prosecuted and found guilty

370
David I. Bainbridge, ‗Hacking-The Unauthorized Access of Computer Systems; the Legal
Implications‘, The Modern Law Review, vol. 52 (1989): 236-245, p. 241.
371
Martin Wasik, ‗Criminal Damage/Criminal Mischief‘, Anglo-American Law Review, vol. 17 (1988):
37-45, pp. 44-45.
372
The Theft Act 1968, available at http://www.legislation.gov.uk/ukpga/1968/60/contents.
373
Stefan Fafinski, ‗Access Denied: Computer Misuse in an Era of Technological Change‘, Journal of
Criminal Law, vol. 70 5 (2006): 424-442, pp. 426-428. Section 13 of the Theft Act 1968 outlaws the
behavior of ‗dishonestly [use] without due authority, or dishonestly [cause] to be wasted or diverted,
any electricity‘.
374
ibid
375
Hong Kong was a British territory before 1 January 1997.

199
under section 15 of the Theft Ordinance, which is worded identically to section 13 of the
TA 1968.376

 Current Legislation on Cybercrime

The ECMA 1990 sets the structure of cybercrime legislation, and the EPJA 2006 and the
SCA 2015 make several adjustments to it in order to match the development in
cybercrime. These three Acts constitute the cybercrime legislation system in England.

 Offences against the security of computer

Adopting the framework of offences introduced in the Convention on Cybercrime of the

Council of Europe, offences under this category include access offences (i.e. hacking),
impairment of data, interception of data, and misuse of devices, as well as the one
introduced in 2015: unauthorized acts causing severe damage.

 Access offences

Section 1 and 2 of the ECMA penalizes hacking, including unauthorized access to

computer materials with and without intent to commit further offences. The analysis of
these two offences is conducted under four elements, including computer, access,
authorization, and fault element.

(1) Computer

Although section 1 and section 2 are entitled ‗unauthorized access to computer material‘,
the term ‗computer‘ remains undefined in English criminal law. It was a specific
decision made by the legislators, following the recommendation of the Law Commission.
The debate behind this decision is discussed in 5.4 the scope of cybercrime.

Analyzing sections 1 and 2 one can notice that in England it is the data stored on a
computer, rather than the computer itself that is protected by the cybercrime legislation.
Taking section 1 as an example, Securing access to any program of data held in any
particular computer constitutes a crime. The ‗program or data held in any particular
computer‘, as explained in section 17(6) of the ECMA, refers to ‗any program or data
held in any removable storage medium which is for the time being in a computer, and a

376
Stefan Fafinski, ‗Access Denied: Computer Misuse in an Era of Technological Change‘, Journal of
Criminal Law, vol. 70 5 (2006): 424-442, p. 426.

200
computer is to be regarded as containing any program or data held in any such
medium‘.377 Under this explanation, it can be concluded that securing access to data will
inevitably cause computer to respond to some extent. The security of computer and data
thus seem to be the same. It is true? Data contains information, and it is therefore
protected, especially its confidentiality. Mere hacking to data damages the confidentiality
of data, thus it is criminalized. In this sense, the computer is just a physical container for
data.378 As Clough suggests, ‗what is punished is in fact unauthorized access to
computer data, rather than the computer itself.‘379

Taking one step further, this rationale of protecting data also relates to the discussion on
whether ‗data‘ belongs to ‗property‘ discussed before the promulgation of the ECMA,
and, even to the relationship between traditional criminal law and cybercrime legislation.
If, the judgment in the case of Cox v. Rilley is taken into consideration, ‗property‘ must
be tangible and physical, thus a computer and hardware in a computer are property, and
data is not.

Therefore, if one obtains access to a computer, this computer itself suffers no damage
and no traditional provisions apply to this scenario. As the Law Commission maintains,
‗if it is not a crime to use someone else‗s lawnmower without their permission, so long
as it is returned undamaged. By analogy, it is not an offence to make unauthorized use of
a computer.‘380

Then, one question subsequently emerges: mere hacking does not damage computer,
why is it criminalized under the ECMA? It can thus be concluded that it is the damage to
data that is prohibited in the ECMA. To be clearer, mere hacking changes the data or
program held in the computer since the actor must have caused the computer to function
or respond through mere hacking, and cause the data suffering damage, deletion or
addition. If the ECMA protects computer only, apparently section 1 should not be
drafted. It is thus clear that section 1 protects data, rather than computer. Same rationale

377
section 17(6) of the Computer Misuse Act 1990
378
Orin S. Kerr, ‗The Problem of Perspective in Internet Law‘, Georgetown Law Journal, vol. 91
11(2002): 357-406, pp. 359-361.
379
Jonathan Clough, ‗Data Theft? Cybercrime and the Increasing Criminalization of Access to Data‘,
Criminal Law Forum, vol. 22 (2011): 145-170, p. 157.
380
The Law Commission, Computer Misuse working Paper No. 110,

201
applies to section 2. It is also clear that the difference between the ECMA and the
traditional criminal law is that the former protects the intangibles, and the latter protects
the tangibles.

(2) Access

The term ‗access‘ is interpreted in a broad way in England namely; it refers to acts
causing ‗a computer to perform any function. In fact, the Law Commission rejected the
wording ‗gain access to computer system or data‘ used in the Convention on Cybercrime
and its Explanatory Report and chose the phrase ‗causes a computer to perform any
function‘. The reasons for this choice, as listed by Jonathan Clough, are as follows:
‗firstly, [any definition] may be thought to encompass obtaining physical access to a
computer; secondly, it could be thought to extend to obtaining a hard copy of data stored
in a computer; thirdly, it was felt that such an offence might apply to electronic
eavesdropping and thereby go beyond protecting the integrity of computers to protecting
the confidentiality of data‘.381 Disagreeing with the Law Commission‘s choice and
Jonathan Clough‘s explanation, Martin Wasik argued that the interpretation adopted by
England is too broad, so that simply switching on a computer or attempting to enter a
password without authority would fall within the scope of this expression.382

(3) Authorization

In the legal context of England, access is unauthorized if (a) the person is not himself
entitled to control access of the kind in question to the program or data; and (b) he does
not have consent to access by him of the kind in question to the program or data from
any person who is so entitled (section 17(5)).

(4) Fault element

Under section 1, an intention to secure access or to enable any such access to be secured
and the knowledge of such access is unauthorized constitute the mensrea of this offence.
In other words, it is not necessary that the access to a computer must be for fraudulent or

381
Jonathan Clough, The Principles of Cybercrime, Cambridge: Cambridge University Press, 2010, pp.
62-63.
382
Martin Wasik, Crime and the Computer, New York: Oxford University Press, 1991, pp. 91-92.

202
other malicious purposes.383 In addition, the offence under section 1 is accomplished at
the very point when the offender intends to and tries to secure access, so prosecutors do
not need to prove that the intended access has been achieved.384 If unauthorized access is
conducted to commit or facilitate further offences, section 2(1) applies.385 It is immaterial
for the purposes of section 2 whether the further offence is to be committed on the same
occasion as the unauthorized access offence or on any future occasion (section 2(3)), just
as it is immaterial for whether the commission of the further offence is possible or not
(section 2(4)). As suggested by the Law Commission, this offence ‗particularly aims at
those cases where the conduct is engaged in with the intention of committing a further
offence, in circumstances where the conduct is not sufficiently proximate to the
completed offence to constitute an attempt‘.386

 Impairment of data

Section 3 of the ECMA, substituted by the EPJA 2006, rules that a person is guilty if he
does any unauthorized act in relation to a computer, and at the time when he does the act
he knows that it is unauthorized (section 3(1)). It must be proven that by conducting such
offence he either intends to, or is reckless to whether the act will

(a) Impair the operation of any computer;

(b) Prevent or hinder access to any program or data held in any computer;

(c) Impair the operation of any such program or the reliability of any such data; or

(d) Enable any of the things mentioned in paragraphs (a) to (c) above to be done
(section 3(2)).

Initially, section 3 of the ECMA 1990 was introduced to criminalize the unauthorized
modification of contents of computer, including ‗erasing or altering data, distributing

383
According to section 1(2) of Computer Misuse Act, the intent of the offender can be (a) any particular
program or data; (b) a program or data of any particular kind; or (c) a program or data held in any
particular Computer.
384
Jonathan Clough, the Principles of Cybercrime, Cambridge: Cambridge University Press, 2010, pp. 49-
50.
385
In fact, the Law Commission recommended that if there was no further intention to commit other
crimes when securing access, there was no criminal offence. This recommendation was not accepted
by the legislators. See Tan Limin and M. Newman, ‗Computer Misuse and the Law‘, International
Journal of Information Management, 11(1991): 282-291, pp. 283-284
386
The Law Commission, Computer Misuse working Paper No. 110,

203
malware and adding a password without authorization to restrict access to a file‘,387 as to
impair the operation of a computer or program or the reliability of data.388

Some scholars suggest that an offence under section 3 can also damage a computer
physically, and thus it falls within the scope of the Criminal Damage Act 1971 as well.389
Apart from the potential overlap with the CDA 1971, the phrase ‗impair the reliability of
data‘ remained unclear.

For instance, in the case Zezev and Yarimaka v. Governor of HM Prison Brixton and
another,390 the defendant claimed that section 3 did not apply to his case because he did
not delete the data but changed it, and his act only impaired the reliability of data, not the
computer. He claimed that: ‗section 3 is confined to those who damage the computer so
that it does not record information that is fed into it. If information is accurately fed into
the computer but the information is untrue, that does not impair the operation of the
computer because t is meant to record the information as inputted and has done so. Nor is
anyone prevented or hindered from accessing that data‘.391 Lord Chief Justice Woolf,
however, rejected this argument. He expressed that ‗if an individual, by misusing or
bypassing any relevant password, places in the files of the computer a bogus e-mail by
pretending that the password holder is the author when he is not, then such an addition to
such data is plainly unauthorized, as defined in section 17(8); the intent to modify the
contents of the computer as defined in section 3(2) is self-evident. Reading this
interpretation together with the legislative approach (i.e. focusing on data) behind the
ECMA, one issue emerges: the threshold of ‗impairing‘ the reliability of data or the
operation of programs is uncertain. A crime would be committed and completed as long
as the data or program has been added, deleted, modified, and suppressed, in one word,
impaired.

387
The Law Commission, Computer Misuse No. 186 (1989),
388
Section 3 of the Computer Misuse Act 1990.
389
See B. J. George Jr., ‗Contemporary Legislation Governing Computer Crimes‘, Criminal Law
Bulletin, vol. 21 5(1985): 389-412
390
Zezev and Yarimaka v. Governor of HM Prison Brixton and another, [2002] 2 Cr App R 33.
391
Jonathan Clough, the Principles of Cybercrime, Cambridge: Cambridge University Press, 2010, p.
116.

204
The court further extended the ambit of this offence by holding the DoS attack392
accountable, as the case R v. Lennon393 shows. In fact, the new phenomenon of DoS
attack had led to a debate on whether such activity is covered under section 3. In reaction
to this debate, the APIG suggested enacting a new offence of impairing access to data.394
The application of section 3 in the case R v. Lennon reflects the judges‘ rejection of the
APIG‘s proposal and preference on broadening the actusreus of section 3. The
interpretation above is obviously broad. Therefore, the problematic section 3 was
replaced with a new one. Under the new section 3, all forms of DoS attacks are
incriminated irrespective of whether an attack as such modifies data or not. The term
‗unauthorized act‘ expressly shows that it does not make sense anymore to prove that
there is an unauthorized modification of data, and a mere unauthorized act ‗in relation to
a computer‘ is enough for incrimination.395 However, Kit Burden and Creole Palmer
criticized such an extensive legislation. They argued that the offenders did not gain
access to the target system or modify it in certain forms of DoS attack, thus the ECMA
should not cover such acts.396 For instance, the actor may impair a computer through
sending a large quantity of emails to the targeted network server. Under such occasions,
the actor does not intend to hack the computer at all, let alone be punished under the
ECMA.397 Burden and Creole are partly right. Their argument only holds true for the old
ECMA, which protects data rather than computer. The newly introduced section 3, as its
wording indicates, protects not the reliability of data, but the computer. Therefore, the
actor does not hack the computer defectively, but he damaged the computer, which under
the new section 3 shall be punished. This new section 3, as rightly pointed out by

392
DoS attack is defined as ‗a malicious attempt to disrupt the operation of a specific computer, network,
web site or other entity in cyber space‘. See Home Office, Cyber Crime Strategy cm 7842, UK: The
Stationery Office Limited, 2010. DoS attack has several forms, such as sending millions of spams to
a server of a company, to prevent ‗legitimate‘ users from obtaining access to or using Internet service.
See Kit Burden and Creole Palmer, ‗Internet Crime: Cyber Crime – A New Breed of Criminal?‘
Computer Law and Security Report, vol. 19 3(2003): 222-227, p. 223.
393
R v. Lennon, [2006] EWHC 1201. In this case the offender sent huge amount of emails to his former
employer‘s computer and thus choked the computer with rubbish, making it unable to function. The
court ruled that section 3 of the ECMA applied to this case.
394
‗Revision of the Computer Misuse Act-Report of an Inquiry by the All Party Internet Group‘, June
2004,
395
Jonathan Clough, The Principles of Cybercrime, Cambridge: Cambridge University Press, 2010, pp.
107-108.
396
Kit Burden and Creole Palmer, ‗Internet Crime: Cyber Crime – A New Breed of Criminal?‘
Computer Law and Security Report, vol. 19 3(2003): 222-227, p. 223.
397
ibid

205
Professor Ian Walden, ‗shifts the locus of the crime from the ―contents of the computer‖,
to potentially any point in a network which is held to be ―in relation to‖ the target
computer.‘398 It is thus clear that the approach of sections 1 and 2 is different from that of
the new section 3: the former focuses on data while the latter focuses on computer.
Nonetheless, Burden and Creole are partly right because the term ‗in relation to
computer‘ is left undefined, which can be interpreted dramatically broad if judges would
like to. This phenomenon presents an enormous potential of controlling cyberspace
strictly and infringing online freedom.\

6.7 THE CYBERCRIME LEGISLATION IN SINGAPORE

The first piece criminalizing cyber wrongdoings in Singapore is the SCMA 1993. Soon
after, due to the rapid development of information technology, Singapore found the
SCMA 1993 inapplicable either for lack of substantial provisions or lack of enforcement
measures. Therefore, Amendments to the SCMA are enacted in 1996, 1998, 2003 and
2013 respectively. Since there was limited discussion on cybercrime before the
promulgation of the SCMA 1993, the history of the SCMA can be divided into two
periods:

(1) From 1993 to 1996, applying the first computer specific legislation, and

(2) After 1996, expansions and amendments.

 From 1993 to 1996: the first computer specific legislation

The SCMA 1993 is the first legislation criminalizing computer misuses in Singapore,
incorporating those offences ‗which [are] unique to computer technology‘.399 It was
passed ‗to make provision for securing computer material against unauthorized access or
modification and for matters related thereto‘.400 The SCMA 1993 contained three parts:
part I Preliminary, part II Offences, and part III Miscellaneous and General.

As the first step, part I defined and explained some key terms used in the SCMA 1993,
especially those technical ones such as ‗computer‘, ‗data‘, and ‗electronic device‘.

398
Ian Walden, ‗Computer Crime‘, Computer Law, (2003): 295-329.
399
Parliamentary Debates, Singapore Official Report, col. 301.
400
Long Title of the Singapore Computer Misuse Act, 1993.

206
Taking the Computer Misuse Act of England as its legislative source key, 401 the SCMA
1993 borrowed the definitions and explanations directly from its English counterpart
only with one exception ‗computer‘,402 since England left this term undefined in its
Computer Misuse Act. Part II, sections 3 to 7, was the core of the SCMA 1993. It is
interesting to point out that sections 3, 4 and 5 were borrowed from sections 1, 2 and 3 of
the England Computer Misuse Act 1990,403 and section 6 resembled sections 301.2 of
Canada Criminal Code – unauthorized use of a computer.404 Among these four
provisions, section 3 criminalized knowingly using a computer to secure access to
program or data without authorization. Offences under section 4 were in principle the
same conduct as that under section 3, yet carrying a heavier punishment for the intent to
commit or facilitate the commission of other offences. To be specific, section 4
criminalized unauthorized access with the purpose of committing or facilitating further
crimes ‗involving property, fraud, dishonesty or which caused bodily harm‘. 405 Section 5
criminalized behaviors that modify the contents of computers without authority. Section
6 criminalized unauthorized use or interception of computer services. However, section 6
was arguably overlapped with sections 3 and 4. It was argued that no interception or use
stated in section 6 could be conducted without securing access to a computer system or
modifying data stored on it, i.e. the acts proscribed by sections 3, 4 and 5. 406 This issue
will be clarified in 6.3 Current Cybercrime Legislation in Singapore. Section 7 penalized
abetting and attempting to commit the offences under the SCMA 1993, performing as a
401
Legislative Source Kay of Computer Misuse Act (Chapter 50A).Unless otherwise stated, the
abbreviations used in the references to other Acts and statutory provisions are references to the
following Acts and statutory provisions. The references are provided for convenience of users and are
not part of the Act: UK CMA 1990 : United Kingdom, Computer Misuse Act 1990 (c. 18) Canada
CLAA 1985 : Canada, Criminal Law Amendment Act 1985 (c. 19) S Aust. EA 1929 : South
Australia, Evidence Act 1929
402
See Christopher Lee Gen-Min, ‗Offences Created by the Computer Misuse Act 1993‘, Singapore
Journal of Legal Studies, (1994): 263-331, p. 265. For information on the phenomenon that England
refused to set out a definition for computer, see Chapter 5 Cybercrime Legislation in England
403
See e.g. Katherine S. Williams and Indira Mahalingam Carr, ‗The Singapore Computer Misuse Act –
Better Protection for the Victims?‘ Journal of Law and Information Science, vol. 5 2(1994): 210-226.
404
Section 6 of the SCMA 2013; cf section 301.2 of Canada Criminal Code 1989.
405
section 4(2) of the Singapore Computer Misuse Act 1993. This section was widely criticized for its
lack of clarity. See e.g. Katherine S. Williams and Indira Mahalingam Carr, ‗The Singapore
Computer Misuse Act – Better Protection for the Victims?‘ Journal of Law and Information Science,
vol. 5 2(1994): 210-226.
406
See e.g. AssadaEndeshaw, ‗Computer Misuse Law in Singapore‘, Information and Communication
Technology, vol. 8 1(1999): 5-33, p. 14. In this article the author argues that section 6 introduced a
novel concept of using or intercepting a computer service without authority, and such an act was as
the same as theft of computer service or time. He also emphasised that section 6 should be merged
into section 3 and 4 because every authorized access to a computer or data held on them was likely to
result in theft of service or time of the computer.

207
measure to strengthen the impact of the SCMA 1993. Part III of the SCMA 1993
incorporated procedural matters, including setting up the extra-territorial application
scope of the SCMA,407 and empowering the police to have access to or inspect the
operation of any computer that they had reasonable cause to suspect it had been involved
in offences under the SCMA.408 Generally speaking, the SCMA establishes the
framework of cybercrime legislation in Singapore. However, it was criticized for its lack
of clarity of definitions and provisions, the consequent vague application scope, and the
overlaps among sections.409 In this context, a proposal for amending the SCMA 1993
was raised and adopted shortly after.

 After 1993: expansions and amendments

The Evidence (Amendment) Act 1996: an effort to enhance administrative powers As a

response to the criticism that the definition of ‗computer‘ was lacking clarity, the
Evidence (Amendment) Act 1996 (hereafter the SEAA 1996) substituted one paragraph
under the definition of ‗computer‘ - ‗such other device as the Minister may by
notification prescribe‘.410 From this substitution one can notice that the SEAA 1996 does
not reply directly to the criticism on the clarity, neither did it explain the ‗computer‘ in
further detail.

Rather, it enhanced the flexibility of the term by granting the Minister the right to extend
the list by official notification. This amendment was commented as mainly to strengthen
administrative powers in the field of criminalizing cyber wrongdoings.411

 The Computer Misuse (Amendment) Act 1998:

Introductions of new offences and increases of penalties Since the Evidence

(Amendment) Act 1996 did not clarify the definitions and provisions, as well as to
respond to the inability of the SCMA to regulate newly emerged computer misuses such
as DoS attacks and trafficking access code, the Singapore Computer Misuse
(Amendment) Act 1998 (hereafter the SCMAA 1998) was enacted. For the first, the

407
Section 8 of the SCMA 1993.
408
5 Section 14 of the SCMA 1993.
409
Christopher Lee Gen-Min, ‗Offences Created by the Computer Misuse Act 1993‘, Singapore Journal
of Legal Studies, (1994): 263-331.
410
Section 3 of the SCMA 1996.
411
Indira Mahalingam and Katherine S. Williams, ‗A Step Too Far in Controlling Computers? The
Singapore Computer Misuse (Amendment) Act 1998‘, International Journal of Law and Information
Technology, vol. 8 1(2000): 48-64, p. 50

208
SCMAA 1998 intended to further strengthen ‗the level and nature of the protection of
computer systems‘ that had already been emphasized under the Evidence (Amendment)
Act 1996. For the second, it also intended to enhance the protection for ‗protected
computer‘.412 Therefore, the SCMAA 1998 enacted a new version of section 4,
introduced two new offences with regard to unauthorized obstruction of the use of a
computer and disclosure of access code, and increased the punishment on unauthorized
access to the ‗protected computers‘.

Firstly, the SCMAA 1998 affirmed the change in the definition of ‗computer‘ made by
the Evidence Act 1996. It then introduced a definition of ‗damage to a computer or the
integrity or availability of data, a program or system, or information‘, including ‗material
loss, modification or impairment on medical records, physical injury or death of people,
and public health or public safety‘.413

Secondly, the SCMAA 1998 enacted a new section 4, in which exceeding their authority
to commit further crimes was outlawed. Before the SCMAA 1998, the issue that whether
section 4 applies to accesses ‗exceeding authority‘ was uncertain.414 For instance, one
staff of a cinema used his authority to access the cinema cash card computer system and
made some gains by altering computer records. Although reported as computer misuse,
this actor was prosecuted under the Singapore Penal Code for criminal breach of trust
because of the unclear coverage of section 4. In the Parliamentary debate, this issue was
heatedly discussed and addressed. One of the speakers supported the original section 4
by suggesting that the original intent of the SCMA was to punish unauthorized access. If
‗exceeding authority‘ was to be criminalized as a separate offence, the original intent was
subsequently amended which seemed unnecessary and unfavorable. To further illustrate
that it was not necessary to charge the offenders for a computer misuse apart from the
offence it intended to commit or facilitate, Mr Chin Tet Yung, another supporter of the
original section 4, suggested that the offenders could be charged with the offences that
their access was intended to facilitate. In addition, Mr Chin Tet Yung further pointed out
that when the authorized offender obtained access to do an unauthorized act, he was

412
AssadaEndeshaw, ‗Computer Misuse Law in Singapore‘, Information and Communication
Technology, vol. 8 1(1999): 5-33, p. 16.
413
Section 2(1) of the SCMA 1998.
414
Parliamentary Debate, Singapore Official Report, 30 July 1998, cols. 398.

209
already using a computer in an unauthorized way and therefore misused that computer.
In responding to this opinion, the then Minister Mr. Wong KanSeng emphasized that the
idea of the new section 4 was not to prosecute the use of a computer for a proper and
lawful purpose, but to remove the uncertainty that a person who had authority to access a
computer might find himself guilty of an offence if he were to use the computer to
commit a further crime. Besides, he pointed out that prosecuting the offenders under
other laws because of the intended crime such as theft and extortion was admittedly
practical, but it was more appropriate to update the law and prosecute them under the
SCMA if they actually abused their authority in using the computer.415 This statement
also indicates that Singapore would like to use the SCMA to deal with those misuses
committed through using computer rather than relying on traditional criminal provisions,
to emphasize the illegal nature of unauthorized usage of the computer.

Thirdly, two new offences created by the SCMAA 1998 were unauthorized obstruction
of the use of computer (new section 6A) and unauthorized disclosure of access code
(new section 6B).416 Section 6A was to penalize the so-called E-mail bombing, and
section 6B was to criminalize unauthorized disclosure of passwords or access codes.417

The fourth change was the increased penalties imposed on cyber offences, especially on
the offences committed on a ‗protected computer‘. Acting as a limitation to the enhanced
penalties, the threshold of offences under relevant sections had been raised
correspondingly.418 The term ‗protected computer‘ introduced by section 6C referred to
the computers or programs or data that are ‗used directly in connection with or necessary
for

‗(a) the security, defense or international relations of Singapore;

415
Ibid. The then Minister also assured that such act would not be charged twice for the same offences
based on the same facts. Like the example of extortion, the offender would only be charged once, and
under the SCMA if this change were passed. Judgments on later cases show that the offender faced at
least two charges, one under section 4, and the other one under provisions regarding the crimes they
intended to commit. See e.g. Public Prosecutor v. Law Aik Meng [2007] 2 SLR 814; [2007] SGHC
33, and Navaseelan Balasingam v. Public Prosecutor [2007] 1 SLR 767; [2006] SGHC 228.
416
After the 2007 Revised Edition of the SCMA, sections 6A, 6B and 6C are renumbered as sections 7,
8 and 9. The original section 7 on abets and attempts are renumbered as section 10.
417
Parliamentary Debate, Singapore Official Report, 30 July 1998, cols. 398-399.
418
AssadaEndeshaw, ‗Computer Misuse Law in Singapore‘, Information and Communication
Technology, vol. 8 1(1999): 5-33, p. 17.

210
(b) The existence or identity of a confidential source of information relating to the
enforcement of a criminal law;

(c) The provision of services directly related to communications infrastructure, banking

and financial services, public utilities, public transportation or public key
infrastructure; or

(d) The protection of public safety including systems related to essential emergency
services such as police, civil defense and medical services‘.419 It is noteworthy that
the requisite knowledge from (a) and (d) was presumed, meaning that the offender
was presumed to know the device he accessed was for national security or other
functions listed, unless the contrary was proved.420 The enhanced penalty for
protected computers, together with the presumption of requisite knowledge, argued
by Endeshaw, jointly indicated ‗a determination by the government to stamp out
any attempts at intrusion into sites considered vital to the economic and national
security of Singapore‘.421

 The Computer Misuse (Amendment) Act 2003:

An expansion of enforcement powers Considering the enforcement measures listed in the

SCMA were not enough to prevent threats to computers, in 2003 the legislature again
enacted the Singapore Computer Misuse (Amendment) Act 2003 (hereafter the SCMAA
2003). It inserts a new provision under section 12 as 12A, stating that an authorized
police officer had the power to impose an on-the-spot fine of up to $3000 on a person
reasonably suspected of having committed an offence of this category. It inserts a new
provision as 15A under section 15, aiming at preventing threats to national security and
essential services,422 and others. Section 15A is intended to authorize the Minister to take
measures to prevent a threat to a computer for the purpose of national security. If
necessary, the Minister can also authorize any person or organization to take such a

419
Section7 of the SCMA 1998
420
Ibid
421
AssadaEndeshaw, ‗Computer Misuse Law in Singapore‘, Information and Communication
Technology, vol. 8 1(1999): 5-33, p. 18.
422
Essential service‘ under section 15A was referred to as ‗(a) services directly related to
communications infrastructure, banking and finance, public utilities, public transportation or public
key infrastructure; and (b) emergency services such as police, civil defence or medical services‘.
Section 3 of SCMA 2003.

211
measure.423 This effort, as suggested by some, reflected the same purpose as legislative
changes in many Western countries - against terrorism.424

 The Computer Misuse (Amendment) Act 2013: further expansions of

enforcement powers

The Computer Misuse (Amendment) Act 2013 was enacted to entitle the government to
take measures to prevent, detect and counter attacks on critical information infrastructure
425
(hereafter the CII) to ensure Singapore‘s cyber security, national security, essential
services, defense or foreign relations. Amendments made by the SCMAA 2013 are
mainly regarding enforcement powers for the purpose of strengthening national interests.

Firstly, the SCMA was renamed as Computer Misuse and Cyber security Act426, and its
long title was changed to reflect the attention paid to national interests. As suggested by
the second Minister of Home Affairs, this Amendment ‗[would] accurately reflect the
scope of the Act, including its objective of securing Singapore against cyber threats that
may endanger our national interests‘.427

Secondly, this Amendment replaced 15A with a new version – the one delegating more
powers to government officers and even to individual persons.428 As commentated by the
members of the Second Reading429 of the Computer Misuse (Amendment) Bill 2013, the

423
Section 15A of the SCMA 2003.
424
See e.g. Christine Doran, ‗Politics, the Net, and Gender in Singapore‘, Review of History and
Political Science, vol. 2 6(2014): 1-16.
425
‗Critical information infrastructure‘ refers to ‗systems which are necessary for the delivery of
essential services to the public in various key sectors‘. See Parliamentary Debate, Singapore Official
Report, 14 January 2013, 3. 03 pm.
426
Considering that most of the materials on cybercrime legislation in Singapore adopt the term
‗Computer Misuse Act‘, this thesis sticks to it, rather than the new name, in order to avoid
misunderstanding.
427
Parliamentary Debates, Singapore Official Reports, 14 January 2013, 3.03 pm. The Long title was
amended from ‗An Act to make provision for securing computer material against unauthorized access
or modification and for matters related thereto‘ to ‗An Act to make provision for securing computer
material against unauthorized access or modification, to require or authorize the taking of measures to
ensure cyber security, and for matters Related thereto‘.
428
See e.g. Parliamentary Debates, Singapore Official Reports, 14 January 2013, 3.17 pm-3.22 pm the
speeches given by MrHri Kumar Nair and Mr Christopher de Souza.
429
With respect to the law-making process in Singapore, a bill is introduced to the Parliament without
debate as the First Reading. After this introduction, the bill will be read by the Members of
Parliament (hereafter the MPs) in charge for a second time (not the Second Reading). During this
stage the MPs in charge have an opportunity to debate on the general principles of the bill. To be
specific, the bill has been read twice before it goes to the Second Reading. Then, if the MPs in charge
think the bill is beneficial to Singapore, they will vote for it and the bill will get an opportunity for the
Second Reading. In the Second Reading, the bill progresses to the Committee of the Whole

212
new 15A would ‗empower and allow the Minister to order a person or organization to act
against any cyber-attack even before it has begun‘,430 and the immunity under section
15A (6) would ‗confer criminal and civil immunity on anyone who in good faith
implements any measure or acts according to directions he receives under the Act‘.
Additionally, a new offence is created by this Amendment under 15A (4), to achieve the
aims set out in its long title, especially to prevent crimes potentially violating national
security.

To sum up, Singapore started to arm both its courts and law enforcement agencies, and
even relevant organizations from the early 1990s to fight against computer crime,
following England and some other jurisdictions. Nonetheless, whereas England reacted
actively in establishing legislation on cybercrime, it remained relatively passive in
amending its Act and granting law enforcement agencies powers. Compared with
England, Singapore seems more aggressive. This observation can be manifested by the
four Amendments to the SCMA and the powers allocated to government officers. More
importantly, as shown in both the Parliamentary debate and scholars‘ analysis, to protect
the national interest serves as the main reason for this aggressive approach.

 Current Legislation on Cybercrime

Singapore has a number of legal statutes that apply to computer misuse and computer
related misuses, including the Singapore Computer Misuse Act, the Singapore Penal
Code, the Singapore Undesirable Publications Act, and others. Among these statutes, the
SCMA, as introduced above, is the primary legal instrument against cybercrime,
including the crimes targeting computer, and the traditional crimes facilitated by
computers.

 Offences against the security of computer

Learning from England and Canada, the SCMA contains 6 sections criminalizing acts
that threatening the security of data and computer, including acts that unauthorized
access to computer materials (section 3), access with intent to commit or facilitate

Parliament or to a Select Committee comprising several MPs to examine it section by section. MPs
who support the bill in principle but do not agree with certain clauses can propose amendmentsTo
those clauses at this stage. Following its report back to the House, the bill will go through the Third
Reading Where only minor amendments will be allowed before it is passed.
430
1 Parliamentary Debate, Singapore Official Reports, 14 January 2013, 3.22 pm.

213
commission of offence (section 4), unauthorized modification of computer material
(section 5), unauthorized use or interception of computer service (section 6),
unauthorized obstruction of use of computer (section 7), and unauthorized disclosure of
access code (section 8).

 The Scope of Cybercrime and the Enforcement Measures

This section focuses on two topics, namely, the scope of cybercrime in Singapore and the
enforcement measures the SCMA grants to the officials. The extent to which the term of
‗cybercrime‘ should reach and be regulated has always been a hot topic. The English,
Canadian and American cybercrime legislations have great influence on the SCMA. The
attitudes on the scope of cybercrime in these three jurisdictions also have significant
influence on Singaporean scholars. Besides, it can be seen from the historical review of
the SCMA that the enforcement measures granted to officials keep expanding. It seems
the argument on the potential abuse of powers and the consequent infringements of
online freedom do not get sufficient attention.

 The scope of cybercrime

Before discussing the scope of cybercrime in Singapore, one important topic is the scope,
or the definition, of ‗computer‘. In the SCMA 1993, the term ‗computer‘ under section
2(1) was defined as ‗an electronic, magnetic, optical, electrochemical, or other data
processing device, or a group of such interconnected or related devices, performing
logical, arithmetic, or storage functions, and includes any data storage facility or
communications facility directly related to or operating in conjunction with such device
or group of such interconnected or related devices, but does not include an automated
typewriter or typesetter, a portable hand-held calculator or other similar device which is
non-programmable or which does not contain any data storage facility‘.

According to scholars, on the one hand, this definition was ‗sufficiently wide and
exclusive to protect technology that may appear afterwards‘, and ‗sufficiently clear to
avoid questions of whether a hand-held calculator falls within the reach of the Act or not‘
at the same time.431 On the other hand, it was commented by others as being clumsily

431
See e.g. Christopher Lee Gen-Min, ‗Offences Created by the Computer Misuse Act 1993‘, Singapore
Journal of Legal Studies, (1994): 263-331, pp. 267-268. In this article the author argues that ‗but does

214
worded and ambiguous.432 For instance, it was not clear whether or not tampering with
chips inside ‗non-programmable‘ devices was covered,433 and neither was whether
household devices such as washing machines with storage and computing capability
were covered.434Therefore, the Evidence (Amendment) Act 1996 amended the definition
of ‗computer‘. The new definition, as suggested previously, grants the government the
power to list out devices that they do not recognize as computer. Although being
criticized as ‗a novel extension for administrative convenience‘,435 this definition was
still affirmed in the SCMAA 1998, and applies till now. Since there has already been a
definition on ‗computer‘, one may assume that a consensus on the definition of
‗cybercrime‘ may not be hard to reach. Is this true? The answer is negative. Moreover,
scholars in Singapore reach a consensus that the definition of cybercrime or computer
crime is in fact not clear,436 so as to its scope. Mainly there are three different opinions
on the definition of computer crime/cybercrime.

Firstly, to some scholars, the terms ‗computer crime‘ and ‗cybercrime‘ are different. For
instance, Warren B. Chik believes that ‗computer crime‘ refers to crimes ‗committed
against the computer, the materials contained therein such as software and data, and its
uses as a processing tool‘, including ‗hacking, denial of service attacks, unauthorized use
of services and cyber vandalism‘; while cybercrime means ‗criminal activities committed
through the use of electronic communications media‘, including ‗cyber-fraud and

not include‘ indicated that certain devices were not considered sufficiently computer-like and that
they fell outside the Act. He then further pointed out that any other data processing devices that did
not fall in the exclusion list were likely to be a computer under the SCMA 1993
432
See e.g. Indira Mahalingam and Katherine S. Williams, ‗A Step Too Far in Controlling Computers?
The Singapore Computer Misuse (Amendment) Act 1998‘, International Journal of Law and
Information Technology, vol. 8 1(2000): 48-64, p. 49. See also Katherine S. Williams and Indira
Mahalingam Carr, ‗The Singapore Computer Misuse Act – Better Protection for the Victims?‘
Journal of Law and Information Science, vol. 5 2(1994): 210-226, p. 212. This article argues that the
wording ‗other data processing device‘ could be applied to a device that using biological memory
which might occur after the SCMA 1993.
433
Assafa Endeshaw, ‗Computer Misuse Law in Singapore‘, Information and Communications
Technology Law, vol. 8 1(1999): 5-33, p. 8.
434
See e.g. Christopher Lee Gen-Min, ‗Offences Created by the Computer Misuse Act 1993‘, Singapore
Journal of Legal Studies, (1994): 263-331, pp. 267-268.
435
Indira Mahalingam and Katherine S. Williams, ‗A Step Too Far in Controlling Computers? The
Singapore Computer Misuse (Amendment) Act 1998‘, International Journal of Law and Information
Technology, vol. 8 1(2000): 48-64, p. 50.
436
See e.g. Terry Johal, ‗Controlling the Internet: The Use of Legislation and Its Effectiveness in
Singapore‘, in 15th Biennial Conference of the Asian Studies Association of Australia, Canberra,
2004.

215
identity theft through such methods as phishing, pharming, spoofing and through the
abuse of online surveillance technology‘.437 There is another distinction between
computer crime and cybercrime. That is, whether is covered by the existing criminal law.
For instance, scholars such as Douglas H. Hancock suggest that offences under the
SCMA are computer crimes, and offences under the existing laws are cybercrime. To be
clearer, computer crimes are generally new and technology-specific, and they threaten
the integrity, availability and confidentiality of the computer, data, and programs stored
on the computer. Therefore, they need a new and specialized statute. On the contrary,
cybercrimes are merely old crimes committed with new means, and thus fall within the
regime of the existing laws.438

Secondly, some scholars acknowledge that computer crime and cybercrime are different,
and the term ‗computer crime‘ is more appropriate. However, to what acts these two
terms are referring is unclear. These scholars do not and cannot define them. By citing
the words of Colin Tapper, an English scholar, they express their confusion: ‗does the
phrase connote crimes directed at computers, or crimes utilizing computers, or merely
crimes in any way at all related to computers?‘439 To this question, Colin himself states
that computer (related) crime is ‗so inherently vague as a concept.‘

Thirdly, more scholars tend to regard computer crime and cybercrime as the same, as
several other jurisdictions do. This group of scholars define computer crime as ‗criminal
activities against a computer or facilitated by or committed by the use of a computer‘.440
However, they admit that this definition is still unclear with respect to crimes facilitated
by or committed by the use of a computer. They cannot reach a consensus on the issue
that to what extent the phrases ‗facilitated by‘ and ‗by the use of‘ should reach.

437
Warren B. Chik, ‗Challenges to Criminal Law Making in the New Global Information Society: A
Critical Comparative Study of the Adequacies of Computer-Related Criminal Legislation in the
United States, the United Kingdom and Singapore‘, available on www.law.ed.ac.uk/ahrc/
complaw/docs/chik.doc/.
438
Ibid. See also Douglas H. Hancock, ‗To What Extent Should Computer Related Crime be the Subject
of Specific Legislative Attention?‘ Albany Law Journal of Science and Technology, 12(2001): 97-
124.
439
Colin Tapper, ‗Computer Crime: Scotch Mist?‘ Criminal Law Review, (1987): 4-22.
440
See e.g. Na Jin-Choen, Wu Hao, Ji Yong, Tay Mia Hao, and Ramanathan Mani Kandan, ‗Analysis of
Computer Crime in Singapore using Local English Newspapers‘, Singapore Journal of Library and
Information Management, vol. 38 (2009): 77-102, p. 78.

216
From a statutory perspective, computer crime in Singapore includes mere hacking,
hacking to facilitate further crimes, unauthorized modification and obstruction of
computer data or system, and trafficking passwords or publishing other means of
hacking, i.e. the genuine cybercrime.

Singapore has been active in promulgating and amending its Computer Misuse Act. The
approach it takes is remarkable for the overlaps and repeats within provisions. Firstly, it
learned from the England Computer Misuse Act and introduced hacking offences
threatening the security of data, including mere hacking, hacking for further crimes,
modification of data, and others. At the same time, it borrowed the Canadian equivalent
provisions and introduced hacking offences focusing on the computer‘s processing and
storage capability, for instance, using computer services without authority. Secondly,
two offences inserted by the SCMAA 1998 are overlapped with previous offences, which
make them difficult for judges to apply.

Therefore, some scholars stated that the idea behind these overlapped provisions was to
ensure the incrimination of computer misuses. For this purpose, Singapore does not
distinguish between computer and data. Any offence that violates either computer or data
shall be prosecuted. However, as suggested, these two approaches are not necessarily
contradictive. As the information technology develops, cybercrime starts to target both
the security of data and the function of computers. This development suggests that the
adoption of one approach, i.e. protecting either data or computer, may be insufficient.
Thus, they two can be complementary.

The other characteristic of the Singaporean approach against cybercrime is its broad
enforcement measures. The enforcement measure has been expanded dramatically since
its birth, driven by the concern over national security. Admittedly, such expansion can be
partly explained by the fact that traditional enforcement measures cannot tackle the
newly emerged forms of computer misuse. However, the new forms of computer misuses
cannot account for all expansions. The introduced new provisions, the enhanced
penalties, the ever-expanding enforcement measures, and the extra-territorial effect
attached to the SCMA all indicate Singapore‘s position on criminalizing and deterring
computer misuse – to enhance national security, even though such enhancement impairs
privacy and online freedom. This ideology can also be illustrated by the fact that it took

217
Singapore more than one decade to pass the Personal Data Protection Act to protect
personal information.441One possible reason for this ideology is that Singapore‘s political
culture leads it to deploy Internet technology in ways that reflect concerns for social
order and the maintenance of hierarchy.442 Just as pointed out by Junhao Hong,
Singapore uses law more to protect and serve government interests than to protect
individual interests because of its similarities in ideological and political structures with
China.443 It is interesting to point out that both in Singapore and China, the use of
Internet are deemed to link with democracy and political ideology; the issue of whether
information technology can promote democracy in these two jurisdictions, and even in
the whole Asian-Pacific region, has been under heated discussion.444

441
Gabriela Kennedy, Sarah Doyle and Brenda Lui, ‗Data Protection in the Asia-Pacific Region‘,
Computer Law and Security Review, vol. 25 (2009): 59-68.
442
Randolph Kliver and Indrajit Banerjee, ‗Political Culture, Regulation, and Democratization: The
Internet in Nine Asian Nations‘, Information, Communication and Society, vol. 8 1(2005): 30-46, p.
36.
443
Junhao Hong, ‗The Control of the Internet in Chinese Societies: Similarities, Differences, and
Implications of the Internet Policies in China, Hong Kong, Taiwan, and Singapore‘, Proceedings of
the Asia Internet Rights Conference. Seoul, S. Korea, November 2001.
444
See e.g. Nina Hachigian, ‗The Internet and Power in One-Party East Asian States‘, The Washington
Quarterly, vol. 25 3(2002): 41-58. See also ShanthiKalathil and Taylor C. Boas, Open Networks,
Closed

218