Cybercrime
The Invisible Thief
Case in Brief:
Andy is a Computer Science student who likes to study hacking and computer security. One day, he hacked into a company’s computer system, deleted some contents from the company’s website, and copied some clients’ information. What will he do with those clients’ information?
Offences discussed
Q & A
Has Andy broken any law?
Andy may have committed a number of offences as follows.
- Logging onto the company’s serverBy logging onto the company’s server without authorization, Andy has committed the offence of “unauthorized access to computer by telecommunications” under Section 27A of the Telecommunications Ordinance (Chapter 106). The maximum penalty for the offence is a fine of $20,000
- Copying clients’ information and deleting some contents of the company’s websiteBy deleting some contents from the company’s website, Andy has committed the offence of criminal damage (“misuse of a computer” by erasing data held in a computer) under Sections 59(1A) and 60(1) of the Crimes Ordinance (Chapter 200). His action of removing data amounts to misuse of a computer according to Section 59(1A) of the Crimes Ordinance (Chapter 200). The offence carries a maximum sentence of 10 years’ imprisonment.Furthermore, he may have also committed the offence of “access to a computer with criminal or dishonest intent”, with a dishonest intent to cause loss to another, contrary to Section 161(1)(d) of the Crimes Ordinance (Chapter 200). If convicted, he may face a maximum penalty of 5 years’ imprisonment.By copying the company’s clients’ information from the company’s website, Andy may have committed the offence of “access to a computer with criminal or dishonest intent”, with a view to dishonest gain for himself or another under Section 161(1)(c) of the Crimes Ordinance (Chapter 200). The “gain” here is gaining information which he did not have at the time. The maximum penalty for the offence is 5 years’ imprisonment.
- Leaving a nickname on the websiteBy leaving his nickname to depict his presence, Andy has committed the offence of criminal damage (“misuse of a computer” by adding data to its contents) under Sections 59(1A) and 60(1) of the Crimes Ordinance (Chapter 200). Adding his hacker name means he has added data to the computer or to the computer storage systems. This is misuse of a computer according to Sections 59(1A)(c) of the Crimes Ordinance (Chapter 200). The contents of the computer have been changed. This is criminal damage just as much as if Andy had painted his name on a wall in a street. If convicted, Andy could face a maximum sentence of 10 years’ imprisonment.
- Using clients’ credit card information to purchase “points” for online gamesAndy may have committed the offence of theft contrary to Section 9 of the Theft Ordinance (Chapter 210). The reduction of the credit balances in the clients’ accounts constituted Andy’s appropriation of property belonging to the clients, and may be considered theft. The offence carries a maximum sentence of 10 years’ imprisonment.
- Installing programs on other players’ computers by making false claimsAndy made false representations, that is, he lied to trick other game players into installing programs on their computers so that Andy would be able to control their accounts. By so doing, Andy has committed the offence of criminal damage (“misuse of a computer” by adding programs to the contents of the computer) under Sections 59(1A) and 60(1) of the Crimes Ordinance (Chapter 200). The maximum sentence is 10 years’ imprisonment.In addition, by making the false representations, Andy may have committed the offence of fraud contrary to Section 16A of the Theft Ordinance (Chapter 210). If convicted, Andy may face a maximum penalty of 14 years’ imprisonment.
- Transferring virtual weapons and coins out of other players’ accountsThe virtual weapons and coins in the players’ accounts are intangible property belonging to the players. By “transferring” (i.e. removing) the virtual weapons and coins out of the players’ accounts, Andy has committed the offence of theft, contrary to Sections 2 and 9 of the Theft Ordinance (Chapter 210). The offence carries a maximum penalty of 10 years’ imprisonment.Furthermore, when Andy used computer programmes to transfer virtual weapons and coins out of the players’ accounts, Andy also committed the offence of “access to a computer with criminal or dishonest intent”, with a view to dishonest gain for himself or another under Section 161(1)(c) of the Crimes Ordinance (Chapter 200) (or with a dishonest intent to cause loss to another under Section 161(1)(d) of the same Ordinance). If convicted, Andy may face a maximum sentence of 5 years’ imprisonment.
If Andy hacked into a Hong Kong website when he is outside Hong Kong territory, can the law enforcement bodies in Hong Kong take action against Andy?
Criminal law is essentially territorial in its application. The courts of a particular jurisdiction deal with offences committed by persons within the jurisdiction. It is only exceptionally that the criminal law of a particular jurisdiction extends beyond the boundaries of that jurisdiction.
The “internationality” of the Internet raises issues about where an offence is actually committed where the Internet is involved. Is it committed in the jurisdiction where the Internet is accessed or in the jurisdiction where the effect of the access to the Internet occurs?
If Andy voluntarily comes to Hong Kong, Hong Kong’s courts would have jurisdiction. If he hacked into the Hong Kong website from a jurisdiction with which Hong Kong has an extradition agreement, Hong Kong might ask that jurisdiction to extradite Andy to Hong Kong. Hong Kong’s courts would then have jurisdiction over Andy.
Can the clients whose information was stolen take legal action either to sue the company that was holding their information, or to sue Andy, in order to seek compensation?
Yes, victims of wrongdoings are always free to sue the wrongdoers in civil courts to claim damages. The action would be against Andy as the one who has brought about the loss. If however the company did not have systems in place to prevent Andy’s activities, the company could be liable to its clients for failing adequately to protect against computer hacking (either in contract or in tort). However, even if a successful action is brought against Andy, Andy may not have sufficient means to satisfy the judgment. This is always something to be considered before starting a civil action against an alleged wrongdoer.
The usual causes of action in civil suits are all available to victims of wrongdoings committed on the Internet.