Computer-Based Crime

Overview

• In Australia, computer-based offences or "cybercrime" is regulated by a series of Commonwealth laws under the Criminal Code Act 1995 (Cth) and supplemented by State and Territory laws that deal with specific issues (e.g. cyber-stalking and harrassment).

Background

• Computer-based offences or "cybercrime" refers to both: crimes directed at computers or other information communications technologies (ICTs) (such as computer intrusions and denial of service attacks), and crimes where computers or ICTs are an integral part of an offence (such as online fraud).
• Cybercrime is largely regulated by a set of national offences in the Criminal Code Act 1995 (Cth), many of which were introduced by amendments contained within the Cybercrime Act 2001 (Cth).
• The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 , which came into effect on 6 April 2019, added new offences.
• States and territories are responsible for regulating cyber-stalking and harrassment laws, including, most recently, revenge porn offences.
• The threat environment for cybercrime related to cloud computing is constantly evolving due to the connectedness of infrastructure, applications and services. Unique threats apply to cloud computing services and architecture due to the sharing or outsourcing of resources, systems, applications and data security. Other threats include loss of control over resources; misuse of cloud computing resources; changes in delivery and receiving models; insecure interface or application programming interface (API); malicious insiders; data scavenging; data loss or leakage; service/account hijacking; risk profiling; and identity theft.

Legal Framework

Criminal Code Act 1995 (Cth) ('Criminal Code')

• Parts 10.7 and 10.8 of the Criminal Code Act 1995 (Cth) (‘Criminal Code’) criminalise the following offences:
  • Computer intrusions
  • Unauthorised modification of data, such as the destruction of data
  • Unauthorised impairment of electronic communications, such as denial of service attacks
  • Creation and distribution of malicious software (such as malware, viruses and ransomware)
  • Dishonestly obtaining or dealing in personal financial information
• Under the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 , offences applying to hosting service providers include the failure to notify the Australian Federal Police within a reasonable time about material relating to abhorrent violent conduct in Australia; and failure to remove access to the content. These offences create an independent incident reporting regime that applies to the cloud sector. Other frameworks may intersect, such as the power of the eSafety Commissioner to publicly shame a hosting service that is providing access to or hosting abhorrent violent content

Hacking

• Section 478.1(1) of the Criminal Code provides for the offence of ‘unauthorised access to, or modification of, restricted data’. There are 3 elements:
  • An individual who causes unauthorised access to, or modification of, restricted data; and
  • This individual intends to cause the access or modification; and
  • The person is knows that the access or modification is unauthorised.

Denial-of-Service Attacks

• Section s 477.3(1) of the Criminal Code provides for the offence of 'unauthorised impairment of electronic communication’. There are 2 elements:
  • An individual perpetuates an offence if they cause any unauthorised impairment from a computer; and
  • That individual knows that the impairment is unauthorised.
• Under s 477.2 there is a related or alternative offence of 'unauthorised modification of data causing impairment'.

Phishing

• "Phishing" refers to online fraud whereby an individual seeks access to personal information such as credit card or bank details, usernames and passwords by pretending to be someone trustworthy.
• Under sections 134.2 and 135.1 of the Criminal Code, where the victim is a Commonwealth entity, the following acts are offences:
  • obtaining a financial advantage via deception
  • dishonestly obtaining a gain from a person
  • doing something with the intention of causing a loss to a person
  • causing a loss or a risk of loss to a person

Infecting IT systems with malware

• Section 478.2 of the Criminal Code provides for the offence of unauthorised impairment of data held on a computer disk. There are three elements:
  • A person causes any unauthorised impairment of the reliability, security or operation of data placed on a computer disk, credit card or another device that stores data electronically;
  • The person intends to cause the impairment; and
  • The person knows that the impairment is unauthorised.

Possession of hacking tools used to commit cybercrime

• Section 478.3 of the Criminal Code provides for the offence of possession or control of data with intent to commit a computer offence. There are 2 elements:
  • A person has possession/control of data; and
  • The person has possession or control of the data with the intention that it be used by the person or another person in committing an offence against Division 477 of the Criminal Code (referring to Serious Computer Offences) or facilitating the commission of such an offence.

Identity theft and identity fraud

• Division 372 of the Criminal Code criminalises dealing in identification information, dealing in identification information using a carriage service, possessing identification information and possessing equipment used to make identification information.
• A computer-based or "cyber" offence will fall within the scope of 'dealing in identification information using a carriage service' if the following elements are satisfied:
  • A person deals in identification information; and
  • Does so using a carriage service; and
  • Intends that any person will use the identification information to pretend to be (or come across as) another person (either living, dead, real or fictitious) for the purpose of committing an offence or facilitating the commission of an offence; and
  • The offence is an indictable offence against the law of the Commonwealth or a state or territory or is a foreign indictable offence.
• A person who produces ‘deep fakes’ that cause financial loss may fall under the fraud provisions in the Crimes Act 1900 (Cth) whereby someone ‘by any deception, dishonestly obtains property belonging to another, or obtains any financial advantage or causes any financial disadvantage’.

Electronic theft

• Electronic theft may involve matters such as the breach of confidence by a current or former employee or criminal copyright infringement.
• Section 478.1 of the Criminal Code criminalises such conduct. The elements are:
  • A person causes any unauthorised access to, or modification of, restricted data (which is data held in a computer and an access control system restricts access to it in accordance with the function of the computer); and
  • They intend to cause the access or modification; and
  • They know that the access or modification is unauthorised.

Telecommunications Service Offences

• Part 10.6 of the Criminal Code contains offences relevant to telecommunication services, including:
  • Exercising dishonesty using carriage services to obtain a gain or cause a loss
  • Interfering with telecommunications, such as:
    • Acting for a carriage or carriage service provider
    • Utilising interception devices, wrongfully delivering communications
    • Interfering with facilities or modifying a telecommunications device identifier
    • Possessing or controlling data or a device with intent to modify a telecommunications device identifier
    • Producing, supplying or obtaining data or a device with intent to modify a telecommunications device identifier
    • Copying subscription-specific secure data
    • Possessing or controlling data or a device with intent to copy an account identifier
    • Producing, supplying or obtaining data or a device with intent to copy an account identifier
  • More general offences, such as:
    • Using a telecommunications network to commit a serious offence
    • Using a carriage service to make a threat (only intention to cause fear and not actual fear is necessary)
    • Using a carriage device for a hoax threat (inducing a belief that a dangerous or harmful substance or thing is left in any place)
    • Using a carriage service to menace, harass or cause offence
  • Aggravated offences, such as:
    • Those involving private sexual material by using a carriage service to menace, harass or cause offence
    • Special aggravated offence involving the aforementioned aggravated offence but where 3 or more civil penalty orders were also issued
• Telecommunications service providers and carriers provide access to the cloud. Under the Telecommunications (Interception and Access) Act 1979 (Cth) law enforcement and security agencies can request reasonable assistance, including decryption and technical assistance, to access data within the cloud, or the metadata associated with access to the cloud. These obligations may be incompatible with service provider efforts to secure the cloud with strong encryption systems that are specifically designed to protect against interception and access.

Financial information offences

• Sections 480.4 and 480.5 of the Criminal Code provide for offences of 'dishonestly obtaining or dealing in personal information' and 'possessing or controlling a thing with an intent to obtain or deal in personal financial information'.

Serious computer offences

• Division 477 of the Criminal Code provides for an offence where:
  • A person gains unauthorised access, modification or impairment of data with intent to commit a serious offence. This offence must actually be committed, and not merely attempted.
  • A person gains unauthorised modification of data to cause impairment.
  • A person, without authorisation, impairs electronic communication.

Human trafficking

• Divisions 270 and 271 of the Criminal Code criminalise slavery and similar actions such as servitude, forced labour and the deceptive engagement of people in labour.

Child abuse material

• Section 474.22 of the Criminal Code makes it an offence to use a carriage service to access, transmit, make available, publish or distribute (all requiring intention as the fault element) child abuse material (requiring recklessness as the fault element).
• Child abuse material is regulated by sections 474.22 to 474.24 of the Criminal Code.

Harassment and use of private sexual material

• Under Commonwealth law, Section 474.17 of the Criminal Code provides for an offence where a person uses a carriage service in a manner that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive. Section 474.17A creates an aggravated offence where private sexual material is transmitted, made available, published, distributed, advertised or promoted.
• Several States and Territories have enacted legislation dealing with intimate images. See, for example:
  • Crimes Act 1900 (NSW) ss 91P to s 91S - Record or distribute intimate image including to cause fear
  • Crimes Act 1900 (ACT) s 72 - Non-consensual distribution of intimate images
  • Summary Offences Act 1953 (SA) ss 26B-26C - Distribution of invasive image; humiliating or degrading film
  • Summary Offences Act 1966 (Vic) s 41DA - Distribution of intimate image
  • Criminal Code Act 1913 (WA) Chapter XXVA - Intimate images
  • Police Offences Act 1935 (Tas) ss 13A to 13D - Observation or recording in breach of privacy
  • Criminal Code Act 1899 (Qld) s 223 - Distributing intimate images
  • Criminal Code Act 1983 (NT) s 208AB - Distribution of intimate image without consent

Other laws

Online Safety

• The Online Safety Act 2021 (Cth) commenced 23 January 2022. The Act sets out the powers of the eSafety Commissioner (eg to regulate illegal and abhorrent content) as well as expectations for online service providers. See here for further details.

Cyber-stalking and harassment

• Section 13 of the Crime (Domestic and Personal Violence) Act 2007 (NSW) makes it an offence to stalk or intimidate another person with the intention of causing the other person to fear physical or mental harm.
  • Section 8 defines stalking as the following of a person about, the watching or frequenting of the vicinity of, or an approach to, a person’s place.
  • Section 7 defines intimidation as conduct (including cyberbullying) amounting to harassment or molestation of the person.
• Case law indicates that offenders tend to stalk their victim through electronic means:
  • GPS: Roncevic v Boxx [2015] ACTSC 53
  • spyware software: R v Gittany [No 5] [2014] NSWSC 49)
  • keylogging/keystroke technology: Mardine and Uysal [2014] FCCA 146)
  • downloading applications on phones to track locations and monitor phone calls: Casano and Antipov [No 3] [2016] FamCA 653
• The Federal Circuit Court of Australia has recognised that uploading information on to social media sites may constitute family violence: Moyne and Ashby [2014] FCCA 2309.

Regulatory & Policy Framework

• Cyber Incident Management Arrangements for Australian Governments
• Cyber Incident Response Plan
• Cyber Security Incident Emergency Sub Plan
• Cybersecurity, cybercrime and cybersafety – a quick guide to key internet links (Australian Parliamentary Library, 1 April 2019)
• eSafety
  • Regulatory Posture and Regulatory Priorities 2021-2022
  • Compliance and Enforcement Policy
• Information and Privacy Commission (IPC) Data Breach Policy
• International Cyber and Critical Technology Engagement Strategy 2021, administered by the Department of Foreign Affairs and Trade (DFAT)
• National Plan to Combat Cybercrime 2022

Relevant Organisations

• Attorney General’s Department (AGD) – cybercrime
• Australian Federal Police - investigates cybercrime offences, concentrating on cybercrime against Federal departments and agencies, critical infrastructure, and systems of national significance.
  • Cybercrime
  • Think U Know
  • Joint Policing Cybercrime Coordination Centre (JPC3), launched in 2022, coordinates the policing response to high harm, high volume cybercrime and undertakes an education and cooperative role with industry and the community.
• Australian Competition & Consumer Commission (ACCC)
  • Scamwatch
• Australian Institute of Criminology (AIC) - the AIC is Australia’s national research and knowledge centre on crime and justice, compiling trend data and disseminating research and policy advice.
• Australian Security Intelligence Organisation (ASIO) - Australia’s domestic intelligence agency and security service
• Australian Transaction Reports and Analysis Centre (AUSTRAC) - Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system to protect the community from serious and organised crime.
• Australian Criminal Intelligence Commission (ACIC) - cybercrime. The ACIC is Australia's national criminal intelligence agency. One of the ACIC’s functions is to collect and analyse information and intelligence to identify, investigate, disrupt, or prevent cyber-related criminal activity.
• Department of Defence (DoD)
• Australian Signals Directorate (ASD) - Australia’s lead operational cyber security and signals intelligence agency.
  • Australian Cyber Security Centre
• Department of Home Affairs (DHA) - Cybercrime and identity security - DHA is responsible for cyber policy coordination, setting the strategic direction of cyber policy, operationalising cyber policy, and regulating relevant critical infrastructure industries and cyber security.
• Commonwealth Director of Public Prosecutions (CDPP) – cybercrime
• Department of Foreign Affairs and Trade (DFAT) – coordinates Australia’s international engagement on digital trade, cybercrime, cyber security, human rights, democracy, international security, internet governance and technology for development.
• Cyber and Infrastructure Security Centre (CISC) – the CISC supports and operationalises DHA’s policies.
• Office of National Intelligence (ONI)
• Cyber and Critical Technology Intelligence Centre
• eSafety Commissioner
• Department of Prime Minister and Cabinet (DPMC)
• Treasury

Inquiries & Consultations

• Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime , Report of the House Standing Committee on Communications, House of Representatives, Commonwealth of Australia (21 June 2010)
• Adequacy of existing offences in the Commonwealth Criminal Code and of state and territory criminal laws to capture cyberbullying , Report of the Legal and Constitutional Affairs Committee, Senate, Commonwealth of Australia (2018)
• A Morgan & I Voce, 2022. Data breaches and cybercrime victimisation . Statistical Bulletin no. 40. Canberra: Australian Institute of Criminology.

Industry Materials

• Australian National University - Cybercrime Observatory
• Roderick G Broadhurst, 'Cybercrime in Australia' in Antje Deckert and Richard Sarre (eds), The Australian and New Zealand Handbook of Criminology, Crime and Justice (Palgrave McMillan, 2017)
• Sam Murugesan and Irena Bojanova (eds), (2016) Encyclopedia of Cloud Computing (Wiley – IEEE Press)
• Miguel Ángel Díaz de León Guillén, Víctor Morales-Rocha and Luis Felipe Fernández Martínez, (2020) ‘A systematic review of security threats and countermeasures in SaaS 28(6) Journal of Computer Security 1, 5.
• World Economic Forum, The Global Risks Report 2022 (Report, 11 January 2022) 45 - 56

Related Topics

• Counter-Terrorism
• Espionage, Sabotage and Foreign Interference
• Hacking Back
• Security of Critical Infrastructure