14 March 2011

Cybercrimes

Reading 'The True Identity of Australian Identity Theft Offences: A Measured Response or an Unjustified Status Offence' by Alex Steel in 33(2) UNSW Law Journal (2010) 503-531 and 'Operation Titstorm: Hacktivism or Cyber-Terrorism?' by Kieran Hardy in 33(2) UNSW Law Journal (2010) 474-502

Steel comments that -
Much has been written about identity theft, with many making hyperbolic claims that it is the ‘fastest growing crime in the world’ or the ‘crime of the millennium’. In the last few years, Australian jurisdictions have felt the need to enact offences that are described as identity theft or identity crime offences, and are specifically targeted to deal with this phenomenon by prohibiting the possession of personal information with intent to commit further crimes. This poses the question whether such laws are properly framed and amount to a measured response to a new criminal phenomenon, or whether they are instead overly broad and in violation of fundamental legal principles. This article provides an analysis of those new laws.

After defining what is meant by identity theft and identity crime it provides an overview of some of the differences in the nature of digital crime that have led to calls for specific legislation, and some of the problems that face traditional approaches to investigating and preventing fraud. It goes on to examine the specific approaches taken in Australian identity theft law, considering whether the prohibited subject of the offences – identification information – is defined too widely. The core behaviour prohibited – possession – is then examined in detail. The article argues that possession is an inappropriate basis for criminalisation on both theoretical and practical grounds, and illustrates this by a comparison with the concept’s use in insider trading and child pornography offences. Similar issues are raised with the ‘dealing in information’ offence.

It is argued that the inadequacies of these provisions are the outcome of an approach to law making that creates criminal liability too early in the chronology of planning and executing crime. As a result the offences fail to exhibit sufficient external elements to satisfy fundamental requirements of the rule of law, and place too much unfettered discretion in the hands of law enforcement.

Hardy's discussion of hacktivism notes that -
On 10 February 2010, an internet based group of protesters calling themselves ‘Anonymous’ launched a cyber-attack on the Australian Parliament House website. Aptly named ‘Operation Titstorm’, the attack was launched by the group to protest against the Rudd government’s plans to introduce a mandatory internet filter banning pornographic images of animated characters, small breasted women and female ejaculation. It brought down the website for three days by flooding it with network traffic – up to 7.5 million requests per second – and it bombarded parliamentary email addresses with pornographic material (ironically, of the very kind the government intends to ban). It also plastered a selection of this questionable material across the Prime Minister’s homepage.

The message above was posted on an online activism forum in response to the attacks. Evidently, some members of Anonymous remain concerned that their activities may leave the realm of mischievous online protest and enter the largely uncharted waters of ‘cyber-terrorism’. On first glance, the attacks do not fit into what the general public would probably define as a 'terrorist act'. Nonetheless, important questions remain about the extent to which politically motivated cyberattacks will qualify as terrorism under Australian law.

This article analyses the facts of Operation Titstorm under the current definition of a terrorist act in the Criminal Code Act 1995 (Cth) (‘Code’). Although Operation Titstorm has not been, and most likely will not be, prosecuted under the legislation, this analysis is useful because it brings out some of the problems with applying the current anti-terrorism law framework to politically motivated cyber-attacks. Instead of first defining what is or is not an act of cyber-terrorism, this paper works inductively through the requirements of the Australian definition, examining what will qualify as an act of cyberterrorism under Australian law. It then considers whether any adjustments are necessary to conform to an appropriate definition.

Part II tests the facts of Operation Titstorm against the definition of a terrorist act under section 100.1 of the Code. Part III argues that only a low harm requirement is needed to prove that the political protest exception in section 100.1(3) does not apply, and that there are not sufficient safeguards in the current legislation to maintain a distinction between acts of ‘hacktivism’ and ‘cyberterrorism’.

To this end, this paper suggests some ways that the legislation could be improved, in order to reduce the risk that acts of hacktivism will be prosecuted as terrorist acts.

In its current form, Australia’s anti-terrorism legislation sets the threshold too low for prosecuting acts of terrorism against electronic systems. While this broad definition will necessarily include acts deserving of the label of cyber-terrorism, it may also include acts of online political protest that are unworthy of the serious penalties involved. This danger results from the low levels of harm and fault required of an act of terrorism against an electronic system in section 100.1(2)(f), combined with the prosecution’s low burden of proving that the political protest exception in section 100.1(3) does not apply.

The definition of a terrorist act in section 100.1 of the Code should be amended to mitigate this danger by including a serious economic harm requirement and an express fault element in section 100.1(2)(f). This would bring Australia’s anti-terrorism legislation in line with definitions of terrorism at international law and in comparable domestic jurisdictions, and with definitions of cyber-terrorism in computer science. It would reduce the risk of prosecuting undeserving offenders, prevent governments from using the anti-terrorism legislation to silence less serious forms of political protest against electronic systems, and avoid any potential chilling effect on the freedom of online political expression.

The government has recognised the vulnerability of Australia’s electronic infrastructure to cyber-attack – as well it should – but it should also recognise the threat to legitimate online protest that the current definition of a terrorist act creates. We need to ensure that our anti-terrorism legislation cannot be used to silence legitimate online political protest, lest things ‘start getting messy’.