
PROSPECTIVE LAWS ON CYBER-CRIME IN NIGERIA


DESCRIPTION

Chapter Four: PROSPECTIVE LAWS ON CYBERCRIME IN NIGERIA. COMPUTER MISUSE BILL 2009, COMPUTER SECURITY & CRITICAL INFORMATION INFRASTRUCTURE PROTECTION BILL 2005, COMPUTER SECURITY AND PROTECTION BILL, 2009, CYBERSECURITY BILL, 2011, DRAFT NIGERIAN CYBERCRIME ACT 2004, ECONOMIC AND FINANCIAL CRIMES COMMISSION ACT (AMENDMENT) BILL, 2010, THE CRIMINAL CODE ACT (AMENDMENT) BILL 2011, THE CYBER SECURITY AND DATA PROTECTION AGENCY BILL 2008, THE PENAL CODE (NORTHERN STATES) FEDERAL PROVISIONS ACT (AMENDMENT) BILL 2011, THE PROHIBITION OF ELECTRONIC-FRAUD BILL 2008


CHAPTER FOUR

COMPARATIVE ANALYSIS OF OTHER JURISDICTIONS’ LAWS ON CYBER-CRIME

4.1 INTRODUCTION

As noted in chapter two, the current legislative framework in Nigeria is not up to standard in the fight against cybercrime. The law in Nigeria that has been used in tackling cybercrime, to a certain degree, is the Advance Fee Fraud Act alongside the Criminal Code and the Economic and Financial Crime Commission. In chapter three, the prospective laws or bills on cybercrime or related to cybercrime were discussed, together with their effectiveness. Most of the bills had their own criticism, especially on provisions prohibiting “Unauthorised Access” into a computer, “Data Retention” and “Misuse of device”.

It has been noted that because existing laws in many countries are not tailored to deal with cybercrime, criminals increasingly conduct crimes on the Internet in order to take advantage of the less severe punishments or the difficulties of being traced1. Studies have shown that 75% of Internet content was created in the United States of America, 20% came from Europe while Asia created 5.95%, and Africa’s content input in the global knowledge base is only 0.5%.2 This shows the input of the western world in their contribution to the build-up of the internet. The USA has been revealed to have the highest number of internet users combined3 with the highest number of cybercrimes4; one would have imagined they would have come up with a single cybercrime legislation to tackle this menace. It is in this light that this chapter seeks to identify the various laws of different countries, known to be far advanced in information technologies compared to Nigeria, on how they in their own way tackle cybercrime and if there is any single legislation on cybercrimes in Nigeria. The various countries that will be discussed in this chapter are United States of America, United Kingdom, Germany, China and Portugal.

1 International cybercrime, From Wikipedia, the free encyclopedia. Available at: http://en.wikipedia.org/wiki/International_cybercrime Accessed (9/8/2013)

2 A. Chinedu “Tackling the cyber-crime menace in Nigeria” Available at: http://blueprintng.com/new/2013/01/tackling-the-cyber-crime-menace-in-nigeria/ Accessed (6/8/2013)

3 The statistics are available at: http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users

4 See: WikiNews, “Cybercrime ratings”, at: http://en.wikipedia.org/wiki/cybercrimerating, (4/7/2013).


4.2 UNITED STATES OF AMERICA

The United States of America was probably the first country to criminalise hacking by enacting legislation at federal as well as state level. Federal legislation operates at federal level, governs the entire United States and is generally applicable. Individual State Laws are only applicable in a specific State. For the purpose of this chapter, the provision of the federal law will be discussed.

4.2.1 FEDERAL LAW

The Computer Fraud and Abuse Act 1986 is the most important federal legislation in respect of unauthorised access and unauthorised to computers and it inserted computer crimes into the Federal Code. The goal of the Act is to “protect the confidentiality, integrity, and availability of computer data and systems”.5 There have been quite a few amendments to the Federal Code in respect of computer-related offences.6 Section 1030(a) of the United States Code7 states:

(a) Whoever –

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defence or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation wilfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or wilfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains – (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication;

5 J.B. Wolf “Chasing 21st Century Cybercriminals With Old Laws and Little Money” American Journal of Criminal Law Vol. 28 No 1 pp.109. (2000)

6 S. S Kennedy & R.P. Flum “Computer Crimes” American Criminal Law Review Vol. 39 No.2 pp.279. (2002)

7 Fraud and related activity in connection with computers


(3) intentionally, without authorization to access any non-public computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused) - (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

From the provisions of this section, the mere accessing of any computer is not an offence; there are other additional elements that have to be met before an unauthorised access can be penalised by the Act. Firstly, the Act is directed at certain categories of data or information. Certain categories of computers or computer systems are protected by the Act, such as government computer systems.8 These provisions initially excluded computers of individuals (personal computers), most businesses and companies, and limited the scope of application of the Code.9 The original text of section 1030(a)(4) referred to a “federal interest computer” but was subsequently amended by the National Information Infrastructure Protection Act (NIIPA)10 to read “protected computer”. A protected computer will now include government computers, financial institution computers and any computer which is used in interstate or foreign commerce or communications.11 Computers that are connected to the Internet are now protected. The USA PATRIOT Act12 amended the provisions further, providing for protection against terrorism through a cyber-war.13 Secondly, a specific intent is also required, for example the intent to defraud or the obtaining of an advantage or the furtherance of a fraud. One of the main criticisms against the Act is that key concepts such as “without authorisation”, “use”, “affects” and “access” were not defined.14 The Act was further criticised on the basis that large corporations and businesses that are often targeted by computer criminals were initially not protected by the Act.15 The mere access, trespass or browsing in respect of a computer or system is not an offence in terms of the Act.16

8 See section 1030 (e) (2) of the United States Federal Code.

9 Steve Shackelford Computer-Related Crime: An International Problem in Need of an International Solution (1992) Texas International Law Journal Vol. 27 No.2 pp.488

10 1996. In general see the legislative analysis by the US Department of Justice in respect of the NIIPA Available at: http://www.usdoj.gov/criminal/cybercrime/1030-anal.html

The above provision also prohibits Data Interference, System interference, Computer-related fraud and Misuse of device. As regards Misuse of device, Section 1030(a)(6) of the United States Criminal Code as inserted by the Computer Fraud and Abuse Act9 states:

“(a) Whoever –

(1) – (5)…

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if- (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; shall be punished as provided in subsection (c) of this section.”

The prohibitions in respect of trafficking in passwords only apply to commerce and government computers. The Act has been criticised because “affects interstate … commerce” is not defined and the definition and scope thereof are unclear.17 Furthermore, a perpetrator should have the intention to defraud. The United States Code also prohibits the production and use of or trafficking in counterfeit access devices18, provided that the perpetrator acts with the intention to defraud.19 The intentional trafficking in and use of unauthorized access devices within any one-year period and by such conduct obtaining anything of value in excess of $1,000 is also criminalised.20

11 Section 1030(e)(2) of the United States Federal Code.

12 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001. This Act was promulgated after the 9/11 terrorist attacks in the USA.

13 Kennedy op cit. supra pp.208

14 B.D Cohen “Computer Crime” American Criminal Law Review Vol. 25 No. 3 (1988) p.368

15 C.D Chen “Computer Crime and the Computer Fraud and Abuse Act of 1986” Computer Law Journal Vol. X No.1 pp.79 (1990)

16 Ibid

17 Ibid

18 Section 1029(e)(1) provides “the term ‘access device’ means any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument)”. In addition section 1029(e)(2) provides that “the term ‘counterfeit access device’ means any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or a counterfeit access device”

4.3 UNITED KINGDOM

Like the US, the UK does not have a single law prohibiting the offences of cybercrime. Acts that have been used in tackling cybercrime-related offences are: Computer Misuse Act (Illegal Access, system and interference), Fraud Act (computer-related fraud), Forgery Act (computer-related forgery) among others.

4.3.1 COMPUTER MISUSE ACT 1990

In 1987, the Scottish Law Commission produced a working paper in respect of computer-related crimes.21 The ruling by the House of Lords in the case of R v Gold and Schifreen,22 that computer hacking was not a criminal offence under the British Forgery and Counterfeiting Act of 1981, highlighted the need for legislative intervention to bring the criminal law up to date with technology.23 In 1988 the Law Commission for England and Wales produced a working paper dealing with computer misuse.24 Another working paper was released by the Law Commission in October 1989 entitled Criminal law: Computer misuse.25 The Computer Misuse Bill was introduced26 and in August 1990 the Computer Misuse Act27 came into effect.28

19 Section 1029(a)(1) of the United States Code (2000 Edition)

20 Section 1029(a)(2) of the United States Code (2000 Edition).

21 C. Tapper “Computer Crime”: Scotch Mist? (1987) The Criminal Law Review p.4.

22 [1988] 2 WLR 984

23 A. Charlesworth “Legislation against Computer Misuse: The trials and tribulations of the UK Computer Misuse Act 1990” (1993) Journal of Law and Information Science Vol. 4 No.1 pp.82.

24 Law Commission Working Paper No. 110 Computer Misuse, 1988. HMSO. See in general Martin Wasik Law Reform Proposals on Computer Misuse (1989) The Criminal Law Review 257 et seq.; Martin Wasik The Law Commission Working Paper on Computer Misuse (1988-89) 5 Computer Law and Security Report 2 et seq.; Jeffrey Chapman Computer misuse – a response to Working Paper No. 110 (1989) Computer Law & Practice Vol. 5 115 et seq.; Michael Heather Law Commission Working Paper No. 110 (1989) Computer Law & Practice Vol. 5 171 et seq.; Morag Macdonald Hacking (1989) Computer Law & Practice Vol. 5 195 et seq.

25 Law Commission Working Paper No. 186 Criminal law: Computer misuse, 1989. See in general Martin Wasik Tackling technocrime: The Law Commission Report on Computer Misuse (1989) Computer Law & Practice Vol. 6 No. 1 23 et seq.

26 For a broad overview of the Bill see Richard Dedman The Computer Misuse Bill 1990 (1990-91) 1 Computer Law and Security Report 13 et seq.

Section 1 of the Computer Misuse Act, 1990 criminalises hacking. It states that:

“A person is guilty of an offence if- (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows that at the time when he causes the computer to perform the functions that that is the case.”

The elements can be stated simply as: (1) access to computer or data, (2) unlawfulness, i.e. unauthorised access, and (3) intention. Interestingly the actus reus consists in causing a computer to perform any function with the intent to secure access and appears not to be limited to the actual accessing of a computer.29 Section 17(5) of the Act states that access of any kind by any person to any program or data held in a computer is unauthorised, if he is not himself entitled to control access of the kind in question to the program and data, and he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled.30 Unauthorised access includes instances where authorised users deliberately exceed their authority. According to British authors Smith & Hogan the mens rea element consists therein that the perpetrator must cause a computer to perform a function with the intent to secure access to any program or data held in any computer, knowing that the access he intends to secure is unauthorised.31 The Act also contains a specific provision as to the required intent and states that the intent need not be directed at any particular program or data, a program or data of any particular kind, or a program or data held in any particular computer.32 Section 1(2) seems to introduce a kind of dolus generalis33, which has been said to be useful since some hackers tackle whatever constitutes a challenge.34

4.3.2 FRAUD ACT 2006

This Act is used in tackling the offence of computer-related frauds in the United Kingdom. Sections 1-8 of the Act prohibit the offence of obtaining by false pretences. Section 1 states that:

27 The Computer Misuse Act 1990.

28 See M. Wasik The Computer Misuse Act 1990 (1990) Criminal Law Review 767 et seq.; Steve Shackelford Computer-Related Crime: An International Problem in Need of an International Solution (1992) Texas International Law Journal Vol. 27 No. 2 490 – 493; Chris Reed Electronic Finance Law (1991) 212 et seq.

29 Smith and Hogan Criminal Law pp.725.

30 T. Elbra “A practical guide to the Computer Misuse Act 1990” (1990) pp.5.

31 Smith and Hogan Criminal Law 726

32 Section 1(2) of the Computer Misuse Act, 1990.

33 General intent

34 D P van der Merwe Computers and the Law (2000) 179.


A person is guilty of fraud if he is in breach of any of the sections listed in subsection (2) (which provide for different ways of committing the offence). (2) The sections are— (a) section 2 (fraud by false representation), (b) section 3 (fraud by failing to disclose information), and (c) section 4 (fraud by abuse of position).

Section 2 of the Act therefore states that:

A person is in breach of this section if he— (a) dishonestly makes a false representation, and (b) intends, by making the representation— (i) to make a gain for himself or another, or (ii) to cause loss to another or to expose another to a risk of loss.

(2) A representation is false if— (a) it is untrue or misleading, and (b) the person making it knows that it is, or might be, untrue or misleading.

(3) “Representation” means any representation as to fact or law, including a representation as to the state of mind of— (a) the person making the representation, or (b) any other person.

(4) A representation may be express or implied.

(5) For the purposes of this section a representation may be regarded as made if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention).

Sections 6 and 7 prohibit the possession of articles for use in frauds and the making or supplying of articles for use in frauds, respectively. Section 8 defines articles to “include any program or data held in electronic form.”

4.3.3 THE PROTECTION OF CHILDREN ACT 1978

This Act deals with the offences related to child pornography, a classification of cybercrime. It prohibits anyone from taking, distributing or having any indecent photograph. Section 1(1) of the Act states that:

(1) It is an offence for a person— (a) to take, or permit to be taken or to make, any indecent photograph or pseudo-photograph of a child. . .; or (b) to distribute or show such indecent photographs or pseudo-photographs; or (c) to have in his possession such indecent photographs or pseudo-photographs, with a view to their being distributed or shown by himself or others; or (d) to publish or cause to be published any advertisement likely to be understood as conveying that the advertiser distributes or shows such indecent photographs or pseudo-photographs, or intends to do so.

Section 2 (3) of the Act states that in proceedings under this Act relating to indecent photographs of children a person is to be taken as having been a child at any material time if it appears from the evidence as a whole that he was then under the age of 16.


4.4 GERMANY

Germany, like the two countries previously discussed, does not have a harmonized cybercrime law, but most offences relating to cybercrime are criminalised under the German Criminal Code, 2009.35 The offences classified as cybercrime that are prohibited by the German Code are: illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related forgery, computer-related fraud and offences related to child pornography.

4.4.1 THE GERMAN CRIMINAL CODE, 200936

Section 202a of the Code deals with or prohibits the act of Data espionage. The section states that:

(1) Whosoever unlawfully obtains data for himself or another that were not intended for him and were especially protected against unauthorised access, if he has circumvented the protection, shall be liable to imprisonment of not more than three years or a fine.

(2) Within the meaning of subsection (1) above data shall only be those stored or transmitted electronically or magnetically or otherwise in a manner not immediately perceivable.

The Code in this provision focuses on electronic data. It also states that the data should not be directly visible. The element of procurement would in all probability require that the data be removed or that a copy at least be made, which means that the mere unauthorised access to the data would not amount to any procurement. As regards illegal interception, like phishing, section 202b of the Code states that:

Whosoever unlawfully intercepts data (section 202a (2)) not intended for him, for himself or another by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, shall be liable to imprisonment of not more than two years or a fine, unless the offence incurs a more severe penalty under other provisions.

As regards data interference, the Code provides for various actions in respect of the unauthorised modification of data. Section 303a(1) criminalises data tampering and provides that anybody who unlawfully deletes, suppresses, renders useless, or alters data shall be sentenced to imprisonment not exceeding 2 years or to a fine. An attempt to commit the offence is also criminalised.37

35 Strafgesetzbuch (‘STGB’) English version available at: http://www.gesetze-im-internet.de Accessed: (2/8/2013)

36 Ibid

A further offence, computer sabotage (system interference), is contained in section 303b (1) of the Code. It states that:

Whosoever interferes with data processing operations which are of substantial importance to another by;

1. committing an offence under section 303a (1); or

2. entering or transmitting data (section 202a (2)) with the intention of causing damage to another; or

3. destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier,

shall be liable to imprisonment of not more than three years or a fine.

An attempt to commit the offence is criminalised in section 303b (3) of the Code. The provisions of section 303b are much more detailed and provide for more severe penalties in instances where the offender causes major financial loss, or acts on a commercial basis or as a member of a gang whose purpose is the continued commission of computer sabotage.38 As regards the offence of Misuse of Device, Section 202c of the Code prohibits acts preparatory to data espionage and phishing. The section states that:

Whosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible

1. passwords or other security codes enabling access to data (section 202a (2)), or

2. software for the purpose of the commission of such an offence,

shall be liable to imprisonment of not more than one year or a fine.

Sections 267 and 269 of the Code have the combined effect of prohibiting the act of forgery and forgery of data intended to provide proof. Section 269 states that:

Whosoever for the purposes of deception in legal commerce stores or modifies data intended to provide proof in such a way that a counterfeit or falsified document would be created upon their retrieval, or uses data stored or modified in such a manner, shall be liable to imprisonment of not more than five years or a fine.

The attempt of this crime is also punishable.39

37 Section 303a (2)

38 See s.303b (2) & (4)

39 See Sections 267 (2) & 269 (2)


Also sections 263a and 263 have the combined effect of prohibiting and criminalising the offence of computer-related fraud. Sections 184b, 184c and 18d criminalise the offences related to child pornography.

4.4.2 LAW ON COPYRIGHT AND NEIGHBOURING RIGHTS, 200740

On offences related to infringements of copyright and related rights, Sections 106, 107, 108, 108a and 108b of this law have the combined effect of prohibiting Unauthorized Exploitation of Copyrighted Works; Unlawful Affixing of Designation of Author; Infringement of Neighbouring Rights; Unlawful Exploitation on a Commercial Basis; and Unauthorised interference with technical protection measures and information necessary for rights management, respectively. Section 106 states that:

(1) Whoever reproduces, distributes or publicly communicates a work or an adaptation or transformation of a work, other than in a manner allowed by law and without the right holder’s consent, shall be punished with imprisonment for up to three years or a fine.

(2) An attempt shall be punishable.

4.4.3 GERMAN CODE OF CRIMINAL PROCEDURE, 200841

The law on the expedited preservation of stored computer data can be found in this Code, in Sections 94, 95 and 98. These sections provide that objects which may be of importance as evidence for the investigation shall be impounded or otherwise secured and, if the object is not surrendered by the person who holds custody, it shall be seized.42 It further provides that seizure can only be ordered by the judge and, in exigent circumstances, by the public prosecution office and the officials assisting it.43 The procedures to carry out this seizure are also stated in section 98.

With respect to traffic data, expedited preservation is covered by Section 100g.44 The section states that:

1) If certain facts give rise to the suspicion that a person, either as perpetrator, or as inciter or accessory,

40 (“URHG”)

41 STRAFPROZESSORDNUNG (“StPO”)

42 Section 94

43 Section 98

44 Information on Telecommunications Connections


a) has committed a criminal offence of substantial significance in the individual case as well, particularly one of the offences referred to in Section 100a subsection (2), or, in cases where there is criminal liability for attempt, has attempted to commit such an offence or has prepared such an offence by committing a criminal offence or

b) has committed a criminal offence by means of telecommunication; then, to the extent that this is necessary to establish the facts or determine the accused's whereabouts, traffic data (section 96 subsection (1), section 113a of the Telecommunications Act) may be obtained also without the knowledge of the person concerned. In the case referred to in the first sentence, number 2, the measure shall be admissible only where other means of establishing the facts or determining the accused's whereabouts would offer no prospect of success and if the acquisition of the data is proportionate to the importance of the case. The acquisition of location data in real time shall be admissible only in the case of the first sentence, number 1.

2) Section 100a subsection (3) and Section 100b subsections (1) to (4), first sentence, shall apply mutatis mutandis. Unlike Section 100b subsection (2), second sentence, number 2, in the case of a criminal offence of substantial significance, a sufficiently precise spatial and temporal description of the telecommunication shall suffice where other means of establishing the facts or determining the accused's whereabouts would offer no prospect of success or be much more difficult.

3) If the telecommunications traffic data is not acquired by the telecommunications services provider, the general provisions shall apply after conclusion of the communication process.

4) In accordance with Section 100b subsection (5) an annual report shall be produced in respect of measures pursuant to subsection (1), specifying: 1. the number of proceedings during which measures were implemented pursuant to subsection (1); 2. the number of measures ordered pursuant to subsection (1) distinguishing between initial orders and subsequent extension orders; 3. in each case the underlying criminal offence, distinguishing between numbers 1 and 2 of subsection (1), first sentence; 4. the number of months elapsed during which telecommunications call data was intercepted, measured from the time the order was made; 5. the number of measures which produced no results because the data intercepted was wholly or partially unavailable.

Sections 100a and 100b45 of this law give conditions regarding the order of interceptions of telecommunications and the procedures on how to get such orders from the court.

45 Order to Intercept Telecommunications


4.5 CHINA

In 1994, the Chinese State Council issued the first law on computer crime, the Ordinance on protecting the safety of computer system 46. In 1997, 2000 and 2009 China's Criminal Law was amended to add new cybercrimes, 47 and in 2011 China's Supreme People's Court and Supreme People's Procuratorate issued the judicial interpretation on cybercrime. 48

4.5.1 CRIMINAL LAW OF THE PEOPLE’S REPUBLIC OF CHINA

In China's Criminal Law, five classifications of cybercrime are prescribed: illegal access, illegally obtaining computer data, illegally controlling a computer system, providing computer programs or tools for illegally accessing or controlling a computer system, and sabotaging a computer system. According to the first paragraph of Article 285 of China's Penal Code, the crime of illegal access is invading a computer information system in the fields of State affairs, national defence construction or sophisticated science and technology. This provision seems to cover only government computers and not those of individuals or corporate companies.

Art. 252 of the Criminal Law of China prohibits illegal interception of data; it states that:

Whoever conceals, destroys or unlawfully opens another person’s letter, thereby infringing upon the citizen’s right to freedom of correspondence, if the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than one year or criminal detention.

The first paragraph of Article 286 provides for the offence of sabotaging a computer system. It states that:

Whoever in violation of State regulations, deletes, alters, adds or jams the functions of the computer information system, thereby making it impossible for the system to operate normally, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are especially serious, he shall be sentenced to fixed-term imprisonment of not less than five years.

46 PI Yong “New China Criminal Legislations in the Progress of Harmonization of Criminal Legislation against Cybercrime.” Shared with the Council of Europe for publication in December 2011. Available at: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/documents/countryprofiles/Cyber_cp_china_Pi_Yong_Dec11.pdf Accessed: (3/8/2012)

47 In 1997 China Penal Code was amended to add Articles 285, 286 and 287, which stipulated two CIA Cybercrimes (Illegal Access and Sabotaging computer system) and other tool-type Cybercrime, in which computer systems are used as the tools of crime. In 2000 the Decision on Protecting Security of Network was passed by National Council to combat 21 tool-type Cybercrimes. In March 2009 the 7th Amendment of China Penal Code became effective, which stipulates three new Cybercrimes to combat new types of Cybercrime in the China networked economy. See PI Yong “New China Criminal Legislations in the Progress of Harmonization of Criminal Legislation against Cybercrime”, Ibid.

48 See Interpretation to the Judicial Problems on Dealing with Criminal Cases related to Endangering the Safety of Computer System, which became effective on 1st September 2011 and interprets the application of China Penal Code to new Cybercrime in 7th Amendment of China Penal Code.

As regards data interference, the second paragraph provides for that offence. The article states that:

Whoever, in violation of State regulations, deletes, alters or adds the data stored in or handled or transmitted by the computer information system or its application program, if the consequences are serious, shall be punished in accordance with the provision of the preceding paragraph.

The third paragraph of this article also prohibits the use of programs such as viruses to interfere with data or the system. It states that:

Whoever intentionally creates or spreads destructive programs such as the computer viruses, thus affecting the normal operation of the computer system, if the consequences are serious, shall be punished in accordance with the provision of the first paragraph.

Article 287 of this law prohibits the use of computers to commit forgery or fraud. The Article states that:

Whoever uses computers to commit the crimes such as financial fraud, theft, embezzlement, misappropriation of public funds, theft of State secrets, or other crimes shall be convicted and punished in accordance with the relevant provisions of this Law.

Offences related to child pornography are covered by the combined Articles 363, 364, 366 and 367 of the Criminal Law of China. Articles 217, 218 and 220 of this law, combined with the relevant provisions of the Copyright Law of China, cover offences related to infringement of copyright and related rights.

On expedited preservation and partial disclosure of traffic data, Article 14 of the Regulation on Internet Information Service of the People’s Republic of China states that:

Internet information service providers, which provide news and publishing services as well as services such as electronic bulletin, shall record and provide the content of the information published, the time of publishing, the internet address or domain name of publishing; the internet access service providers shall record the information of the users such as their online time, their user names, internet address or domain names, calling telephone number and other information. Both Internet information service providers and internet access service providers shall keep the records for 60 days, and provide the records to relevant State authority when it is inquired.


This article provides for the preservation of data, rather than the data retention that other jurisdictions provide for, and such records should not exceed 60 days. Similar provisions are found in Article 19 of the Working Rules on Interim Regulation of International Networking of Computer Information Network and Article 10 of the Regulations on Internet Surfer Service Sites. Articles 14 and 15 of the Provisions for the Administration of Internet Electronic Bulletin also contain provisions similar to the one stated above.

4.6 PORTUGAL

Portugal is one of the few countries that have enacted a cybercrime law. The laws used in tackling cybercrime in Portugal are the Cybercrime Law 2009 and the Penal Code of Portugal.

4.6.1 CYBERCRIME LAW 2009 49

Article 2 of the law defines some legal terms, such as:

Computer System means any device or set of connected or related devices, in which one or more of these produces, running a program, the automated processing of data, and the network that supports communication between them and the set of data stored, processed, retrieved or transmitted by that or those devices, with a view to its operation, use, protection and maintenance.

Computer Data means any representation of facts, information or concepts in a format capable of being processed by means of a computer system, including programs able to make a computer system to perform a function;

Traffic data means computer data relating to a communication made through a computer system, generated by this system as part of a chain of communication, indicating the origin of the communication, the destination, route, time, the date, size, duration or type of underlying service.

“Interception” means the act intended to capture information in a computer system, using electromagnetic devices, acoustic, mechanical or other

Article 6 of the law prohibits any illegal or unauthorised access into a computer system. The Article states that:

1 - Any person who, without legal permission or without being authorized to do so by the owner, in any manner accedes to a computer system, shall be punished with imprisonment up to 1 year or with a fine of up to 120 days.

49 Law nr 109/2009


2 - The same penalty will be applied to whoever illegally produces, sells, distributes or otherwise disseminates within one or more computer systems devices, programs, a set of executable instructions, code or other computer data intended to produce the unauthorized actions described under the preceding paragraph.

3 - The penalty will be imprisonment up to 3 years or a fine if access is achieved through violation of safety rules.

4 - The penalty will be imprisonment of 1 to 5 years if: a) by means of this access, the agent becomes aware of commercial or industrial secrets or confidential information protected by law, or b) The benefit or pecuniary advantage obtained is of considerably high value.

5 - The attempt is punishable, except regarding paragraph 2.

6 - In the cases referred to in paragraphs 1, 3 and 5 the prosecution depends on the complaint.

The implication of paragraphs 1 and 6 of the Article is that any illegal or unlawful access is punishable, but prosecution will only occur where a complaint is made. Paragraph 2 of the article prohibits the selling or distribution of programs or code that can lead to or cause unauthorised access into a computer. The article imposes a stricter punishment for illegal access if the person becomes aware of commercial or industrial secrets or confidential information protected by law, or if the benefit or pecuniary advantage obtained is of considerably high value.

On illegal interception of data, Article 7 of the law states that:

1 - Any person who, without legal permission or without being authorized to do so by the owner, other right holder of the system or part of it, through technical means intercepts transmissions of computer data processed within a computer system, to there directed or from there proceeding, will be punished with imprisonment up to 3 years or a fine.

2 - The attempt is punishable.

3 - The same penalty provided for in paragraph 1 will be applied to those who illegally produce, sell, distribute or otherwise disseminate within one or more computer systems devices, software or other computer data intended to produce the unauthorized actions described under that paragraph.

Under this article, an attempt to intercept computer data without authorisation is punishable; likewise, the use of computer forensic tools is also prohibited by this article.

Article 4 of the Law prohibits the act of, or the attempt at, in any way affecting the ability to use, damaging, removing or rendering unusable or inaccessible the programs or other computer data of others without their permission or authority. Prosecution here depends only on a complaint by the victim. Article 5 of the law also prohibits system interference by criminalising the offence of computer sabotage. The attempt to commit this offence is not punishable under this article.

Articles 3, 4, 5, 6 and 7 prohibit the misuse of devices to commit computer forgery, computer damage, computer sabotage, illegal access and unlawful interception respectively.

Article 3 of the cybercrime law prohibits computer related forgery. The article states that:

1 - Whoever, with intent to cause deception in legal relations, enters, modifies, deletes or suppresses computer data or otherwise interferes with computer data to produce information or documents that are not genuine, with the intention that they can be considered or used for legally relevant purposes as if they were, is punished with imprisonment up to 5 years or a fine of 120 to 600 days.

2 - When the actions described in the previous paragraph relate to the data registered or incorporated in a banking card or any other device that allows the access to a payment system or to a communications system or to a conditioned access service, the penalty is 1 to 5 years in prison.

3 - Whoever, acting with intent to cause injury to others or to obtain an unlawful gain for him or her or for others, makes use of a document made of computer data that were the subject of the acts referred to in paragraph 1 or a card or other kind of device in which it were registered or incorporated the data of the acts referred to in the preceding paragraph, shall be punished with the penalties provided for in either number, respectively.

4 - Whoever imports, distributes, sells or holds for commercial purposes any device that allows the access to a computer system, to a payment system, to a communications system or to a conditioned access service, on which was committed any of the actions referred to in paragraph 2 is punished with imprisonment of 1 to 5 years.

5 - If the facts referred to in the preceding paragraphs are committed by an official employee in the performance of their duties, the penalty is imprisonment of 2 to 5 years.

Article 8 of the cybercrime law prohibits the illegal reproduction of a protected program. Unlike the laws of the countries previously considered and the Nigerian prospective laws discussed, this article expressly confers copyright on computer software.

On expedited preservation of stored computer data, Article 12 of the cybercrime law covers this area. The Article states that:

1 - If, during the proceedings, when gathering evidence in order to ascertain the truth, it is required to obtain specified computer data stored on a computer system, including traffic data, which might be lost, changed or no longer available, the competent judicial authority orders the person who has the control or availability of such data, including the service provider, to preserve the data in question.

2 - The preservation can also be ordered by the criminal police force, authorized by the judicial authority or even not in emergency or danger in delay but, in this case, notice must be given immediately to the judicial authority, by the report described under Article 253 of the Code of Criminal Procedure.

3 - A preservation order describes, under penalty of nullity: a) the nature of the data; b) the origin and destination, if known, and c) the period of time covered by the preservation order, up to three months.

4 - In compliance with the preservation order addressed to it, whoever has availability or control over such data, including the service provider, preserves immediately the data concerned, protecting and maintaining their integrity for the appointed period of time, in view to allow the competent judicial authority to effectively obtain that information, and remains obliged to ensure the confidentiality of the implementation of these procedures.

5 - The competent judicial authority may order the renewal of the measure for periods of time according to the limit specified in c) of paragraph 3, providing all the requirements, up to a maximum of one year.

This article provides for preservation of data instead of the data retention proposed by the Nigerian legislative bill on cybercrime. Article 14 of this law allows the court to order the release of data or communications by the person who is in control of them.

Article 18 allows for the interception of communications in proceedings relating to crimes: a) described under this Act, or b) committed by the means of a computer system or, when it is necessary to gather evidence in electronic form if such crimes are described in Article 187 of the Code of Criminal Procedure. Paragraph 2 of the article states that the interception and recording of transmissions of computer data can only be allowed during the investigation, by founded decision of the judge or by request of the Prosecution Service, if there are reasons to believe that this is essential to establish the truth or that gathering the evidence would otherwise be impossible or very difficult to obtain by other means.

4.6.2 THE PENAL CODE OF PORTUGAL

This law prohibits offences related to cybercrime, such as computer-related fraud and child pornography. Article 221 prohibits computer and communications fraud; the attempt to commit this act is also punishable. It further states that prosecution relies only on a complaint. Article 176 prohibits offences related to child pornography.