Written by Richard Wee & Daniel Tan
Introduction
In this never-before-seen digitalised era where people are accustomed to storing a wealth of their personal information in their mobile phones and laptops, cyberattacks and/or cybercrimes such as hacking are notably ghastly. This article addresses the legal actions that may be taken against a cyber criminal who misuses computers.
Computer Crimes Act 1997
The Computer Crimes Act 1997 (“CCA”) criminalises abuse of computers. It is vital to note the definition of “computer” to understand the purview of the statute.
Section 2(1) of the CCA provides that:
“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, storage and display functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices, but does not include an automated typewriter or typesetter, or a portable hand held calculator or other similar device which is non-programmable or which does not contain any data storage facility
Therefore, a mobile phone or laptop falls within the definition of “computer”.
The provisions in relation to offences are found in Section 3 to Section 8 of the CCA.
Section3 | Unauthorized access to computer material
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorized; and (c) he knows at the time when he causes the computer to perform the function that is the case.
(a) any particular program or data; (b) a program or data of any particular kind; or (c) a program or data held in any particular computer. (3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding fifty thousand ringgit or to imprisonment for a term not exceeding five years or to both. |
Section 4 | Unauthorized access with intent to commit or facilitate commission of further offence
(a) to commit an offence involving fraud or dishonesty or which causes injury as defined in the Penal Code [Act 574]; or (b) to facilitate the commission of such an offence whether by himself or by any other person. (2) For the purposes of this section, it is immaterial whether the offence to which this section applies is to be committed at the same time when the unauthorized access is secured or on any future occasion. (3) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding one hundred and fifty thousand ringgit or to imprisonment for a term not exceeding ten years or to both. |
Section 5 | Unauthorized modification of the contents of any computer (1) A person shall be guilty of an offence if he does any act which he knows will cause unauthorized modification of the contents of any computer. (2) For the purposes of this section, it is immaterial that the act in question is not directed at— (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer. (3) For the purposes of this section, it is immaterial whether an unauthorized modification is, or is intended to be, permanent or merely temporary. (4) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding seven years or to both; or be liable to a fine not exceeding one hundred and fifty thousand ringgit or to imprisonment for a term not exceeding ten years or to both, if the act is done with the intention of causing injury as defined in the Penal Code. |
Section 6 | Wrongful communication (1) A person shall be guilty of an offence if he communicates directly or indirectly a number, code, password or other means of access to a computer to any person other than a person to whom he is duly authorized to communicate. (2) A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding twenty five thousand ringgit or to imprisonment for a term not exceeding three years or to both. |
Section 7 | Abetments and attempts punishable as offences (1) A person who abets the commission of or who attempts to commit any offence under this Act shall be guilty of that offence and shall on conviction be liable to the punishment provided for the offence. (2) A person who does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall on conviction be liable to the punishment provided for the offence: Provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence. |
Section 8 | Presumption A person who has in his custody or control any program, data or other information which is held in any computer or retrieved from any computer which he is not authorized to have in his custody or control shall be deemed to have obtained unauthorized access to such program, data or information unless the contrary is proved. |
In a hypothetical scenario where an offender:
- plants a malware in an electronic link to infect another computer, he may be liable under Section 5 of the CCA.
- Hacks into another computer through any means to obtain data of the victim, he may be liable under Section 3 and/or Section 4 of the CCA
Hacking and the Laws of Privacy
There is no definition for “hacking” in the CCA. Nonetheless, the High Court in the case of Toh See Wei v Teddric Jon Mohr & Anor [2017] 11 MLJ 67 shed light on the definition – “Hacking means unauthorised access to the computer system”.
Apart from invoking the CCA to hold hackers legally culpable, the laws of privacy may also be applicable. It is noted that there has been no express recognition of the right to privacy until the Federal Court ruling in the case of Sivarasa Rasiah v Badan Peguam Malaysia & Anor [2010] 2 MLJ 333 where it held that “personal liberty” in Article 5(1) of the Federal Constitution includes the right to privacy. In spite of this, considering the Federal Court’s decision in the case of Fernandez v Sistem Penerbangan Malaysia & Ors [2005] 3 MLJ 681, the right to privacy cannot be enforced by an individual against another individual because the right, being constitutional in nature, can only be enforced by an individual against the Legislative or the Executive or its agencies. This however does not mean that a cyber victim is left without any legal recourse.
The High Court, for the first time, recognised the invasion of privacy as an actionable tort in the landmark case of Lee Ewe Poh v Dr Lim Teik Man & Anors [2011] i MLJ 835. Thus, in the event where an offender invades the privacy of the victim through misuse of a computer, the victim may sue the offender under the tort of invasion of privacy. The argument on the need to treat invasion of privacy as a dire issue highlights the need to punish offenders who invade one’s privacy. As the High Court stated in the case Toh See Wei: “We cannot treat this matter lightly…”
Conclusion
Misuse of Computers such as hacking and installing malware on an electronic link is captured within the CCA. The recognition of the tort of invasion of privacy may be invoked in cases which are not captured within the CCA. As we are more and more active in the cyber world, it is good to know our rights in that world.
Published on 5 August 2020
Photo by John Schnobrich on Unsplash