BP-87E

TABLE OF CONTENTS

INTRODUCTION

DEFINITION OF COMPUTER CRIME

   A. The Computer As Instrument

   B. The Computer As Object
      1. Data Diddling
      2. Salami Techniques
      3. Scavenging

THE SIGNIFICANCE OF COMPUTER CRIME

THE CANADIAN CONTEXT

PARLIAMENTARY ACTION

   A. The Sub-committee on Computer Crime

   B. Legislative Response
      1. Criminal Law Amendment Act, 1985
      2. An Act to Amend the Copyright Act, S.C. 1988, c. 15

COMPUTER CRIME*

Over the past 20 years the technology of electronic data processing – the computer – has come to play a dominant role in business and government. It would be difficult to conceive of a person whose life is not in some way affected by the computer, for virtually everyone who has a bank account, engages in any kind of credit transaction, or has dealings with the government or any large organization is touched by it in some way. The computer is now an indispensable tool for banking, corporate records and various activities of government.(1)

But the very features of the technology that make it such a boon to society also increase its susceptibility to abuse. The absence of tangible printed records of credit transactions is testimony to the efficiency of the computer, yet it leaves the auditor without the accustomed "paper trail" for verifying accounts. A computer need not be manipulated at any particular place, but can be operated from a distance using telecommunications facilities. This too can increase the potential for abuse, for now a thief need not be near the site of the crime but can, from the relative safety of a computer terminal, acquire assets reduced to electronic impulses.

Losses attributed to criminal activities involving the use of computer systems are a subject of some controversy. No detailed study has ever been undertaken in Canada, in part because there is no consensus as to what exactly constitutes "criminal activity involving the use of computer systems." Moreover, the losses from computer crime cannot be established without some clear conception of what such crime entails, and an accurate record of its frequency. Governments can have some effect by defining which computer-related activities are to be

considered as being beyond acceptable standards of conduct. This may in turn have an effect on the degree to which computer abuse is reported.

One very obvious question prompted by the phrase "computer crime" is why conduct qualified by the adjective "computer" should be fenced off for special consideration. We do not study filing cabinet crime, auto crime or television crime. Why should the instrument of the act make any difference? Is not theft still theft whether perpetrated with break and enter tools or with a computer terminal?(2)

One response is that the law is not concerned only with the prohibited ends of conduct, but also with the means used to attain those ends.

The advent of the computer did not create a new crime, any more than than development of the automobile created a new form of larceny. As with the automobile, the criminal use of computer technology has increased the vulnerability of the community, and to the extent that the definition of crimes and the enactment of prohibitions is directed to the protection of the community, computer technology is a legitimate area of penal concern.(3)

Laws must not only enable the redress of wrongs or the punishment of the wrongdoer, they must also proscribe conduct; the complexity of the means for misconduct afforded by computer technology merits its special treatment.

Thus, just as the criminal law has been modified in some respects to take account of the automobile, so also will it be changed to accommodate the computer. But beyond this, even more fundamental issues arise. A distinction must be made here between types of computer crime or abuse, between the computer as the "instrument" of crime and as the "object" of crime.

   A. The Computer As Instrument

In some situations the computer is used as a means to an end. The criminal may feed false data into a computer in order to inflate the value of a cheque; or may fiddle with an accounting program to cover up embezzlement; or may forge bank deposit slips to gain an illicit windfall from customers who unknowingly use them to deposit money to the criminal’s account. In each case the thief uses the computer as the instrument of the crime. The means are novel, but the intent is common – to acquire someone else’s money without being entitled to it.

Where the computer is the instrument of crime we have familiar landmarks for identifying the conduct as criminal. An individual whose intent is to get his or her hands on a tangible gain – money – uses the computer as a metaphorical pistol pointed at a bank teller. Where the computer is the object of crime, however, things are not so clear. These situations are not limited to theft of the computer itself, but include things associated with it that have substantial value but that are not tangible and whose legal status is unclear. For example, the information stored in a computer can be of inestimable value to its processor and to others and can be "stolen" without damage to the computer and without "depriving" the owner of its use. This is true of perhaps the most valuable information in a computer – the program – the key to how the machine carries out its data processing. An even more intangible yet valuable "thing" that can be taken is computer time. So great is the capacity of a computer and so valuable are its services that use of it even for short periods of time can be worth a lot. The degree to which these intangibles can or should be protected is a significant issue for the law.

This leads to a brief discussion of how computer crime is carried out. A computer has five principal component parts. First there is the input, which converts data and instructions from human-readable to machine-readable codes. The central processing unit controls and coordinates the machines and the data based on its operating instructions, or program, also known as software. This is the heart of a cybernetic machine. All other processes are basically mechanical and repetitious, but made significant by the vast memory capacity and great speed of their operation; software is qualitatively different in that it governs how these data are processed. Next, the logical and memory units perform calculations, decision-making and storage functions in response to commands from the control unit. Finally, the output unit converts processing results back into human-readable language or symbols. A typical computer system may also use telecommunications facilities in order to link the central unit with terminals or printers located elsewhere.(4)

Virtually every component part of a computer system is vulnerable to invasion and abuse. Personnel can alter data at the input stage; operations and systems programmers can manipulate data and software; transmission of data over common carrier lines can be tapped; and both authorized and unauthorized users can interfere with computer operations at terminals. The methods used to perpetrate theft or fraud by computer range from the ingenious to the banal. The following are some examples:

This is described as "the simplest, safest, and most common method used in computer related crime."(5) Anyone who creates, records, transports, encodes, examines, checks or otherwise has access to data that will enter a computer has an opportunity to change that information to his or her advantage before it enters processing. For example, a time clerk who filled out data forms for payroll purposes noticed that overtime claims were entered into the computer by employee number and not name. He accordingly put his number against the claims of other employees who worked overtime frequently, and received extra income over a period of time.(6)

This form of automated crime is so named because it involves stealing small amounts of assets from a large number of sources without noticeably reducing the whole. For example, in the "round down" fraud, the processing of bank interest calculations is altered. Typically, interest calculations are rounded to the nearest cent and distributed among all accounts involved. The perpetrator modifies the program so that the remainder of all accounts rounded down are funnelled to an account over which he or she has control. Supposedly such a technique is virtually undiscoverable, since customers would not notice the absence of fractions of a cent and auditors would not delve too deeply into such a program; although the return is not great, this crime might accumulate a tidy profit over time.(7)

      3. Scavenging

This, one of the less sophisticated forms of computer crime, involves the securing of information that may be left in or around a computer system after it has been used for a job. Scavenging can be as simple as searching trash barrels for copies of discarded computer listings or carbon papers from multiple-part forms used in input. In another example, time-sharing computers are involved. Frequently, computer tapes are not erased but merely written over by the next user. A person seeking information can secure a tape used by a competitor, enter a small amount of data, and read the entire tape back out, scavenging the information from the previous job.(8)

The foregoing are just a few of the techniques used to perpetrate a computer-assisted crime. Many can be combatted through improved security and personnel evaluation and clearance methods. When theft or fraud is carried out by use of a computer the victim will usually eventually find out, because tangible property is being affected. But what of the "theft" of software or other information, or of computer services? This can be carried out, often without damage, instantaneously and without the owner’s awareness. Code numbers, passwords and encryption devices are used to prevent unauthorized use. But these may be only as reliable as the personnel to whom they are divulged. The close association of various clients and businesses can vitiate these security devices(9) and there are techniques for overriding access controls by exploiting weaknesses in how the computer responds to unauthorized attempts to breach security.(10)

The overall significance of computer crime is difficult to assess. Some contend that the statistics available are not reliable because there is a particularly profound unwillingness to report computer-related crime. One writer has identified four reasons why discovered crimes are not reported or prosecuted:

1) the overall or imagined fear of the loss of public confidence;

2) the difficulty of proving that a crime has been committed;

3) concern about possible liability for failure to prevent the incident;

4) the user’s belief that public exposure of the incident would be tantamount to an admission of vulnerability, as well as instruction to others on how to commit the crime.(11)

Research has confirmed this unwillingness to publicize such incidents. The manager of a data processing division of a large corporation defrauded his employer by using $61,000 of computer time to operate his own computing business. The company declined to bring charges against him because it had already been a victim of a bigger fraud, which it did not want revealed. In another case, a public utility company "handled internally" a situation in which three employees had appropriated the company’s computer system in order to trade on the commodities market.(12)

One body of opinion holds that computer abuse, even if widespread, should not be of special concern to legislators. According to this view, crime using computers is fully prosecutable under existing substantive law (with perhaps some modification in procedural law, especially in rules of evidence). Other abuse, such as "theft" of information or of computer time, should be left to the civil law so as to prevent stifling innovation.

One critic(13) contends that actual computer-assisted crime is much less prevalent than popularly believed, though a certain mystique has unfortunately been attached to the whole area. He points to the celebrated Rifkin case in which a computer technician in California managed to have $10 million transferred through a bank computer to a Swiss bank account. The press characterized him as a "computer wizard" who had somehow manipulated the machine in some arcane way, when in fact he had done no more than steal a transfer code and impersonate a bank officer by telephone; his acts were prosecuted under existing penal law.(14) The same critic doubts the accuracy of reports of some other computer crimes, maintaining that some "crimes" are, in a practical sense, impossible to commit. He contends, for example, that the "round down" computer fraud (see p. 4) is a myth, both impractical in view of existing banking procedures and logically incapable of bringing in more than miniscule returns.(15)

As for the security of computer systems, it is contended that this should not be an area for the penal sanction, but one in which users and owners should look after their own interests by improving security and exercising civil remedies. The attachment of criminal consequences to unauthorized use could have serious effects on the computer industry. For example, the common recreational and private use of "spare" computer time by programmers, operators and other users is regarded by many as a job perquisite akin to use of a company telephone for limited personal calls. Making unauthorized access a crime would cause such activities to be viewed as theft of private property.(16)

Opponents of this laissez-faire view, however, contend that, because the role of computer technology is so great and can affect so many people beyond its owners and direct users, some form of legislative intervention is necessary. In addition, it is said that computer time and efficiency are so valuable that the existing lax industry standards of security should no longer be tolerated.

The distinction between computer as instrument and computer as object is useful in an analysis of Canadian criminal law respecting computers and the reforms of the 1980s.

Where the computer was used as the instrument of crime, there have been successful prosecutions under various provisions of the Criminal Code. A supervisor of accounts with a large company used a computer system to generate cheques payable to a fictitious company he had created by changing the numbers in invoices of regular customers. The cheques were sent to an accomplice, and the company lost over $100,000. The supervisor was convicted of fraud (section 338 of the Code) and sentenced to imprisonment.

In another case, an employee of a stockbroker had permission to trade on his own account. He removed his trading losses from the employer’s computer, manipulated balance figures after each day’s dealings and doctored ledger books to make them balance also. In this way his losses could not be traced and were periodically written off. Over a period of six months he acquired between $65,000 and $100,000. He was subsequently convicted of theft and received a prison sentence of three years.(17) The major problem in such cases was not so much the application of substantive criminal law to the impugned conduct, as the detection and proof of the activities.(18)

Where the computer was the object of abuse, more serious problems arose because much of the conduct in this area was imperfectly dealt with, or not dealt with at all, by the Criminal Code. A celebrated case took place at the University of Alberta in 1977. The computer system there, a substantial one serving the whole university community, was connected to over 300 terminals on campus, and also to telecommunication facilities. In the summer of 1977 the system was experiencing an unusual number of "crashes" or shutdowns, up to five crashes in a week, where more than one crash a week was considered unsatisfactory. It was determined that the crashes were not being caused by equipment failure, but by improper programming. It was apparent that some unauthorized person was gaining access to the system, examining areas of batch data, interfering with the input of data, and acquiring other users’ confidential passwords. University personnel monitored the system and, employing the computer’s ability to identify the origin of its user, apprehended a student at one of the terminals. An investigation determined that the student, Christensen, had been working closely with two others, McLaughlin and Astels. All three were charged under the Criminal Code with theft of telecommunication service:

Everyone commits theft who fraudulently, maliciously, or without colour of right…

(b) uses any telecommunication facility or obtains any telecommunication service.(19)

They were also charged with mischief:

Everyone commits mischief who wilfully…

(c) obstructs, interrupts or interferes with the lawful use enjoyment or operation of property.(20)

At trial, Astels was acquitted on both counts, owing to a reasonable doubt as to whether he had been informed that he was prohibited from using the computer; hence, he could plead "colour of right." Christensen, the student caught "red-handed," was convicted of both charges. The judge found that the computer could be considered a telecommunication facility within the definition in section 287(2):

… "telecommunication" means any transmission, emission, or reception of signs, signals, writing, images, sounds or intelligence of any nature by radio, visual, electronic or other electromagnetic system.

The judge based his decision on the fact that the computer system was connected by telephone and coaxial cables to the telephone system and that there could be dial up connection through telephone lines to the central processing unit. The "crash" caused by Christensen had interfered with and interrupted the lawful use of university property and accordingly he was also guilty of mischief.(21) McLaughlin was also convicted under section 287. It was found that he had given Christensen programs and information and encouraged him to use the computer. He was thus found to be a party to the offence under section 20 of the Code in that he had aided and abetted the commission of the offence. He was acquitted of the mischief charge, however, because no evidence linked him with the "crash" which his friend had caused. He had aided in the theft but not the consequent mischief.

McLaughlin appealed his conviction on the ground that a computer system was not a "telecommunication facility." The Alberta Court of Appeal allowed the appeal,(22) and this decision was upheld by the Supreme Court of Canada on 18 July 1980. The Court ruled that, although the computer system was connected to telephone facilities and was an electronic system, its function was not the transmission and reception of information, the hallmark of telecommunication. Rather, its raison d’être was data processing:

… the function of the computer is not the channelling of information to outside recipients so as to be susceptible in that respect to unauthorized use. Rather, it is to permit the making of complex calculations, to process and correlate information and to store it and enable it to be retrieved.(23)

Mr. Justice Estey added:

Had Parliament intended to associate penal consequences with the unauthorized operation of a computer, it no doubt would have done so in a section of the Criminal Code or other penal statute in which the term which is now so permanently embedded in our language is employed. The court would not be expected by Parliament to glean from words generally associated with the communications industry an intent to attach penal consequences to the unauthorized operation of a computer.(24)

The decision caused something of a stir in the computer industry. It was interpreted to mean that there was nothing to prevent or deter anyone from making unauthorized use of computer facilities. This was not entirely true. It should be remembered that Christensen was convicted of "mischief," which can be treated as an indictable offence and carry up to a five-year sentence, for causing the "crash." But it was questionable whether a mischief charge would stand for unauthorized access and use in the absence of a crash, for section 387 required obstruction and interruption of, or interference with, a property owner. Conceivably, a skilled intruder could use a computer without directly contravening those prohibitions.

The McLaughlin case was the most detailed Canadian judicial treatment of issues related to the computer as the object of abuse, but there were other significant issues dealing with certain "intangibles" related to computers which existing Canadian criminal law did not clearly address. For example, information or data stored in a computer, particularly software or programs, can be extremely valuable. Such data can be taken in an instant, without damage to computer hardware, or without depriving the owner of the data store therein. Did taking computer data in itself constitute an offence under the Criminal Code?

That issue came before the courts in the case of R. v. Stewart.(25) The accused, Stewart, a self-employed consultant, was charged with the offences of counselling theft and fraud by attempting to obtain from a hotel security officer a copy of a computerized list of the names and addresses of the hotel’s employees. The employee list was sought by the accused’s client, who wanted to organize the employees into a union.

Acquitted at trial, the accused was convicted on appeal. In a two-to-one decision, the Ontario Court of Appeal held that confidential information, such as a list of employees, came within the meaning of the terms "property" and "anything," as those terms are used in connection with the offences of theft and fraud at sections 283 and 338 (now sections 322 and 380) of the Criminal Code.(26) Accordingly, the accused was found guilty of both offences, although he could be convicted of only one since both counts flowed out of the same delict.

In his reasons for judgment, Mr. Justice Houlden held, on the one hand, that the accused was guilty of counselling a section 283(1)(d) theft, since, had he been successful in obtaining the information, he would have dealt with it in such a way that it could not have been returned to its owner, the hotel, in the same condition as it had been at the time of the taking, (i.e., the information would have lost its "confidential" character). On the other hand, he found that for the offence of fraud it was sufficient to prove a risk of prejudice to the economic interests of the hotel; it was not necessary to show actual economic loss by reason of the fraud. Since the hotel could have profited from selling its list of employees to promotional groups, the unauthorized taking of the list by the accused would have caused a risk of prejudice to the hotel’s economic interests.

In a concurring judgment, Mr. Justice Cory added that, although information per se was not property, there was a "right of property" in confidential information which came within the meaning of the term "property" at section 283(1). Citing copyright as an example of an enforceable proprietary interest, he held that the accused was guilty of counselling theft since he had sought to obtain an unauthorized copy of the computerized list from the security officer, thereby infringing the hotel’s property interest in the list.

In a dissenting judgment, Mr. Justice Lacourcière would have sustained the acquittal on the ground that the term "anything" at section 283 had to be defined and qualified within the context of property, and that confidential information simply did not fit within that context. In his view, it was up to Parliament and not the courts to broaden the criminal definition of the property concept if the needs of Canadian society required it. Moreover, he felt that the mere loss to the hotel of the "confidentiality" of its information was not sufficiently prejudicial to its economic interests as to constitute a criminal fraud.

Mr. Stewart appealed his conviction for theft to the Supreme Court of Canada. If the majority judgment of the Ontario Court of Appeal had been sustained on appeal, it might have had far-reaching social implications, for what was at stake was not simply the attempted theft of a computerized list of employees but, more important, the broader issue of theft of information at large, regardless of its storage medium. Should information be treated as property, whether "confidential," "copyrightable" or otherwise? Was the criminal law an appropriate vehicle to sanction its misappropriation?

In a reversal of the Ontario Court of Appeal decision, the Supreme Court of Canada held that confidential information does not come within the meaning of the word "anything" in section 282 (now section 322) of the Criminal Code. To be the subject of theft, "anything" must be property in the sense that it has to belong to someone and it must be capable of being taken or converted in a manner that results in a deprivation of the victim. The Court found that confidential information does not constitute "property" for the purposes of the criminal law respecting theft and cannot per se be the subject of a taking, or of a conversion when the owner is not deprived of it.

Writing for a unanimous court, Mr. Justice Lamer also held that the nature of the information taken would not support a conviction for fraud, since the complainant had not been deprived of any money or economic advantage.

On 9 February 1983, the subject-matter of Bill C-667, an Act to amend the Criminal Code and the Canada Evidence Act in respect of Computer Crime, was referred to the Standing Committee on Justice and Legal Affairs. The bill, introduced by the Hon. Perrin Beatty apparently in response to the legislative vacuum created by McLaughlin (the Stewart case had not come before the courts), sought, among other things, to (1) amend the definition of "property" in the Criminal Code to include computer software products, (2) create the offence of "computer theft" (the fraudulent diversion of a computer program to one’s own or another person’s use), and (3) expand the mischief provisions to encompass the unauthorized destruction, alteration or damage of computer programs.

In response to the order of reference, a Sub-committee on Computer Crime was established on 10 March 1983 with representation from the three parties. In the course of its hearings, the Sub-committee heard considerable evidence from a wide range of witnesses with expertise in such diverse fields as computer technology, security and management, computer law, the law of intellectual property, law enforcement, banking, privacy rights and consumer protection.(27) The Report of the Sub-committee on Computer Crime was tabled in the House of Commons on 29 June 1983.(28)

In its report, the Sub-committee agreed that the existing law was inadequate to deal with a number of computer-related abuses and concluded that, even though the extent of computer crime in Canada was not known, there was a sufficient potential for it to do serious harm to justify the enactment of criminal sanctions. However, the Sub-committee was not persuaded that the best way to proceed was expressly to include computer software products in the definition of "property." In its view, to treat computerized data as property might lead to more problems than it would solve, given the special status afforded information in our socio-legal system. Moreover, the Sub-committee felt that it would be inconsistent to proscribe the misappropriation of computerized data without proscribing the misappropriation of information stored in other media.

For these reasons, the Sub-committee opposed the suggestion that the theft provisions of the Criminal Code be expanded expressly to cover the misappropriation of computerized information. Instead, it recommended the creation of two new offences prohibiting certain computer-related misconduct.

1. the unauthorized access (without colour of right) to a computer system; and
2. the unauthorized destruction and alteration (without colour of right) of computerized data.

The Sub-committee expressed the view that the enactment of criminal sanctions was but one way of discouraging computer-related abuses. Stressing the desirability of prevention over punishment, it recommended that the computer industry and institutional users adopt appropriate security measures and that computer ethics be made an integral part of computer training. Moreover, finding that the misappropriation of computerized data could not be dealt with in isolation from the broader issue of information misappropriation, the Sub-committee concluded that a comprehensive approach to the problem had to be taken. In its view, legislative action was also needed to provide enhanced civil remedies to guard against information misappropriation; it therefore recommended that other relevant laws (copyright, patent, trade secrecy, etc.) be examined and modified where necessary.

Criminal Code amendments dealing with computer crime came into effect on 4 December 1985. The various legislative provisions are substantially in keeping with the recommendations of the Sub-committee on Computer Crime. On the one hand, unauthorized use of a computer is proscribed by section 342.1:

1. Everyone who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system.

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

2.  In this section,

"computer program" means data representing instructions or statements that, when executed in a computer system, cause the computer system to perform a function;

"computer service" means a device that, or a group of interconnected or related devices one or more of which,

(a) contains computer programs or other data, and

(b) pursuant to computer programs,

(i) performs logic and control, and

(ii) may perform any other function;

"data" means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;

On the other hand, section 430 proscribes mischief in relation to data:

(1.1) Everyone commits mischief who wilfully

(a) destroys or alters data;

(b) renders data meaningless, useless or ineffective;

(c) obstructs, interrupts or interferes with the lawful use of data; or

(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.

(5) Everyone who commits mischief in relation to data

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or

(b) is guilty of an offence punishable on summary conviction.

(5.1) Everyone who wilfully does an act or wilfully omits to do an act that it is his duty to do, if that act or omission is likely to constitute mischief causing actual danger to life, or to constitute mischief in relation to property or data,

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years; or

(b) is guilty of an offence punishable on summary conviction.

(8) In this section, "data" has the same meaning as in section 342.1.

These measures avoid the problems that would have ensued from treating computerized data as property. By proscribing actions relative to, rather than focusing on ownership of, computerized data, the types of misconduct encountered in McLaughlin and Stewart are effectively dealt with, but without venturing into the more dangerous zone of information ownership.

Also in keeping with the recommendations of the Sub-committee were additional steps taken to address the issue of unauthorized appropriation of software materials. As a result of 1988 amendments to the Copyright Act, "computer program" is now defined and included in the definition of "literary works" protected under the Act. In addition to the civil remedies available for infringement of copyright, the Act makes such infringement an offence punishable on summary conviction or indictment. Additional 1988 amendments increased the penalties for that offence to a maximum of $1,000,000 and/or five years’ imprisonment for conviction on indictment.