Skip to main content
Normal View

Seanad Éireann debate -
Tuesday, 17 Dec 1991

Vol. 130 No. 17

Criminal Damage Bill, 1990: Committee Stage.

SECTION 1.

Amendments Nos. 1 and 2 are related and may be discussed together. I wish to inform the House that due to a misprint the word "program" in the first line of amendment No. 2 is misspelt and in the second line of the same amendment the phrase "for the purpose of section 5" should appear in brackets. Senators should note that. We regret any inconvenience caused.

I move amendment No. 1:

In page 3, subsection (1), between lines 9 and 10, to insert the following definition:

"‘access' in relation to data means access which unreasonably invades the privacy of the data;".

I welcome the Minister to the House. I always thought the spelling of "programme" was optional, that you could have "program" or "programme" but I am always willing to be corrected on the matter.

This amendment seeks to define more clearly what we mean in relation to the offence of accessing data. As I said on Second Stage, I regard the criminal offence as being far too wide. My main argument against this legislation is that effectively we have dual legislation, an updating of the 1861 legislation and an appendix in relation to unauthorised access to computer data and programmes.

As we relied so strongly on British legislation in relation to this Bill, we should follow their procedure in relation to it and have separate legislation. Britain has a Computer Misuse Act, 1990, and a Criminal Damage Act, 1971. We could usefully have followed that procedure especially since we follow so closely the wording of the British legislation. However, we have muddled the two together giving us an inadequate and unacceptable Bill. I still do not think it is too late for the Minister to separate the legislation. The Bill will have to go back to the Dáil since the Minister accepted an amendment there and it would be no harm for him to have a good think about the matter over the Christmas and see whether the wrong procedure was adopted in presenting the Bill in this manner.

We must try to improve by amendment the sections that are seriously inadequate. One area where the Bill would benefit is by defining the word "access" where it unreasonably invades the privacy or the confidentiality of the data. The civil law covers normal abuses of access to data. If we criminalise access to programmes or data, the very least we should do is define "access" and say it is an unreasonable invasion of the privacy or the confidentiality of the data rather than use a catch-all umbrella phrase.

Pirated software at present breaches the Copyright Act and that offence is dealt with under the civil law. Let us take the case of an employee using a computer in the employer's office to produce private letters. As the Bill stands, this is unauthorised access, without the person's consent. It would be unreasonable to think that accessing a programme or a file to produce a private letter would incur criminal liability. I am not saying that will happen but the Bill does not specify where the offence lies. The Bill is so broad that, as it stands, any unauthorised use of a computer to access data, which may not be of a serious nature, is an offence. We need to define "access" in more definite terms and state that it is accessing confidential financial secrets, files, for example, the medical files of somebody looking for a job or something of that nature.

We are dealing for the first time with the very complex area of computer hacking or unathorised access to data and we should not approach it in this clumsy fashion. Our first approach should be in the context of attempting to define it. What are we looking at? Are we looking at economic loss, private personal loss or the ordinary day to day use of a computer where somebody uses somebody else's pass in an office to gain access to a file which is not necessarily personal or sensitive. There is nothing in this legislation which provides parallel categories vis-á-vis other categories. It is a criminal offence. One must have a lawful excuse which means authorisation from the owner.

Sections 5 and 6 are the sections to which access refers — a person who, without lawful excuse, operates a computer to access data. It makes use of the computer unlawful unless the person can prove they have an excuse. That is the nub of it: any use of a computer to access data is unauthorised and is unlawful because it is unauthorised unless the person doing it can prove they have an excuse. There is no presumption of lawful excuse but, worse still, there is no attempt to indicate something that could better be dealt with by the civil code. It is simply a breach of regulation. It is not a terribly serious matter. It goes on every day, for example, photocopying from a book without permission. It happens regularly in the classroom that a book is photocopied and given to children. If the Copyright Act stated this was a criminal offence would a classroom of children be subjected to criminal law because they had infringed the copyright laws? The same type of principle is involved here — because one gains unauthorised access, whether of a serious or non-serious nature, one is subject to the criminal code and no distinction is made.

I ask the Minister to consider this amendment, to define access so that it will be seen as a serious matter for example, an unreasonable infringement of confidentiality, of secret or sensitive information of financial, medical or economic files — and let us know what he has in mind. Surely he is not talking about the day to day use of a computer. However, that is encompassed in the Bill as drafted and that is why, even at this late stage, we should abandon those sections dealing with computer hacking. We should ask the Law Reform Commission to look at this area, give them 12 months or two years to report back to us and then let us proceed with the legislation.

I urge the Minister to accept this amendment and to distinguish between the serious category of offence in relation to accessing computer data and the non-serious type of offence.

I support the amendment. We are introducing many new terms that have become acceptable in the computer world and it is important that we state as precisely as we can, what we mean by them. On Second Stage Senators expressed a great deal of concern about section 5. As pointed out by Senator Costello, when we say that a person without lawful excuse accesses information, people who are innocently accessing information and obtaining access to computer programmes might well be charged with a criminal offence. This view was very forcibly expressed by Senator Ryan and others on Second Stage and this amendment goes some way to clarify what is meant by access.

We have come to accept computer terminology but since we do not know what legal interpretation will be put on them the more precise we are the less likely we are to create difficulties afterwards. There is no doubt but that the area of computerisation is developing very quickly. Its introduction into the education area is now gathering momentum. Within ten years, computers could very well replace school books.

People access information on others passes over a period of time and a person could be charged with a criminal offence even though they accessed information quite innocently, as they saw it. If we do not clarify in as great a detail as possible what we mean by "accessing information" we could find ourselves in a serious situation when these new terms are interpreted legally. To interpret "access" in relation to data as meaning access which unreasonably invades the privacy of the data goes some way towards clarifying what we mean when we talk about access to computer information.

These amendments have the object of amending section 5 of the Bill so that it would not be an offence to access without authority any non-confidential data or data in relation to which the owner of the data does not have a reasonable expectation of privacy. I regret that I cannot agree to a restriction of this kind on the scope of section 5. The mischief which that section is designed to avoid covers deliberate penetration of computer systems without authority with the object of assessing particular data whether that data are sensitive.

The section endeavours to deter all forms of hacking, including accessing of various sytems in the expectation of coming across some information of interest to the hacker. The information accessed in the course of this trawl of data systems could include what the Senator described as data in relation to which the owner does not have a reasonable expectation of privacy. In fact, it probably would but we want to deter this practice which can cause damage and impose substantial financial burdens on industry.

It might be useful if at this stage I made some general comments about hacking as it arises in other amendments also. Hacking consists of getting access to computerised data without having authority to do so. It can be done either from inside or outside an organisation by someone not having any legitimate connection with it. Insider hacking takes place when an employee with legitimate access to the data equipment either uses it for a wrongful purpose or exceeds his level of authorisation in accessing particular data. The insider may, of course, be using a terminal that is located far from the central processing system of the organisation concerned.

Outsider hacking takes place when persons who have no legitimate connection with a data system gain access to it by using a telephone line in conjunction with an electronic device called a modem. It is the kind of activity that people most often think of when referring to hacking. I emphasise that hacking cannot be prevented by security measures, though it can be made very difficult. All systems are potentially vulnerable to insiders, and these include people with authorised access to a system connected to the system in question.

The outside hacker has many hurdles to overcome. He or she must first identify a telephone line connected to the computer and then ascertain the appropriate password to gain access to the system. However, telephone numbers of existing data lines and passwords and the methods by which they are changed are publicised and exchanged between hackers in western Europe and in North America by means of on-line "bulletin boards". Hacking has been made easier also by the development in recent years of interchangeable software that can be run on any hardware.

A hacker can cause considerable damage. If the computer system has only an information storing role, the hacker can erase the information or introduce false data. If it has an operational role, if it is dealing with, say, inter-bank fund transfers, air traffic control, stock control, automatic reordering, airline and hotel bookings, payrolls, the hacker can re-write these systems or add false data with the possibility of substantial damage and financial losses. In both cases he can introduce viruses or worms, that is, programs that replicate themselves and either use up the capacity of the system or delete existing data.

Even if no damage is caused — I want to emphasise this — hacking gives rise to further costs on industry. First, there is the cost of security measures and of monitoring the system to check whether there have been unauthorised attempts to enter it. Then there is the cost of investigating any instance of hacking, however trivial. Frequently the computer owner may be advised to close down a system and rewrite the software completely as a precaution. I think I have said enough to show that hacking is a serious, anti-social activity and it is right to criminalise it.

I refer to the offence of hacking as set out in the Bill. There are three ingredients in the offence and all of them must be present before an offence can be committed. First, at least one computer must be used. For example, an employee could take home with him a disc containing data he was not authorised to access and access the data by inserting the disc in his own computer. An outsider hacker will operate both his own and the target computer or computers. Second, there must be no lawful excuse; in other words, the person operating the computer must not believe he has the necessary authority or consent to do so or that he could get it retrospectively. This is provided for in section 6 (2).

Third, the person must operate the computer with intent to access data. The offence will not be committed by someone who gains access to data simply because he is incompetent or careless or has not been properly informed about the limits of his authority. It will also not be committed by someone whose intention in operating a computer is, say, to play a game on it. Reference was made to that kind of activity during the Second Stage debate by my learned colleague from the same city as myself. Neither will an offence under section 5 be committed by someone who steals a person's ATM card and uses it to obtain money. Here, again, the intention in operating the bank's computer is to obtain money. However, an offence of damaging data would be committed under section 2 of the Bill as the transaction would have altered the data in question. In addition, there would, of course, be an offence of theft.

It is essential for a successful prosecution under section 5 to prove each one of these ingredients of the offence beyond reasonable doubt. Therefore, a person whose intention it is to play a game on the computer does not satisfy a key condition necessary to establish a basis for such a prosecution. This is not to say that the use of an organisation's computer for such purposes by a student may not be as serious as using it for, say, penetrating records of examination results before they are published. The software for such games could undermine the integrity of the main computer. There are many examples of viruses being introduced in this way and causing serious damage not only to that computer but also to any other outside systems to which it is connected.

This morning in the newspapers there is a report of a survey which suggests that a third of our top 200 companies have suffered at least one computer virus attack and that most of them believe the risk from viruses is increasing. While section 5 does not make it an offence to play games on another person's computer without authority so long as that is the sole object of the operation, I do not wish to minimise the possibility of unwittingly causing damage by such a practice.

To return to the amendments, the House will agree that any form of hacking, whether or not it is confined to nonsensitive data, should be stopped and for this reason I cannot go along with the Senator's amendments.

I congratulate the Minister on putting on the record the most fascinating little essay on the whole question of computers, hacking and so on. I rather regret that although he read it beautifully, his scriptwriter did include one very obnoxious grammatical fault, that is the use of a noun as if it were a verb. "Accessing" is one of the most grotesque Americanisms——

I must ask the Senator to stick to the amendment, please.

I am sticking to the amendment very intimately.

The Senator is conducting an English class.

If I may continue about intimacy, I am interested in what the Minister said about playing——

The virus should not be so contagious that it would take over your good self.

I was going to draw the Minister's attention to the fact that with all these people playing with each other's programmes and so on one would hope that no virus might be contracted from the games they were playing.

On a serious note, I agree with much of what the Minister said but I wonder how appropriate is it? The reasoning behind the amendment, which I fully support, is that we are dealing with a kind of portmanteau legislation. Through certain sections of this Bill the Government are attempting to introduce material which is properly the subject of a completely separate Bill. The Minister, rather engagingly, acknowledged that were circumstances covered by this Bill where, in fact, no damage whatever was caused. May I remind the Minister that the title of the Bill is the Criminal Damage Bill, where it starts wandering into areas where no damage is caused I wonder how suitable is this kind of arrangement?

The question of computer hacking is important. Of course, there are serious difficulties and problems caused for companies, indeed Governments. Sensitive data can be obliterated by the introduction of viruses. In fact, we have just passed Friday the 13th and there is a celebrated virus which is called "Friday the 13th virus" because it is triggered by the date appearing on the computer clock. As a result, it cannibalises all the information from that date. I agree with much of what the Minister says but it is not directly germane to this Bill with the exception of computer viruses where, clearly, criminal damage can be caused. The Minister spoke about cases either of practical joking in certain instances or espionage, industrial espionage principally, but they are not, in my opinion, proper to a Bill that deals with criminal damage. For that reason I support the amendments which have been placed in the name of the Labour Party.

I listened intently to the Minister's reply and I found it very much off the mark. It was very informative about the substantial offence of computer hacking — unlawful and unauthorised accessing of data. It is a very serious matter.

What I was saying is that we have to establish what is sufficiently serious to warrant criminal prosecution. We must establish when a computer is operated in a matter which should be subject to legislation and when it is simply a matter that is of nuisance value and should not be subject to the courts. What the Minister is doing in this Bill is simply introducing a catch-all definition in relation to section 5 and 6, thereby ensuring that this legislation will be inoperable.

How can one possibly criminalise all use of a computer? Obviously it is not intended that the legislation should apply to computer games but what is there in any of the sections to declare exceptions or indicate areas not subject to the application of the legislation? All areas of computer operation are covered by the legislation.

Section 5 states that a person who without a lawful excuse operates a computer (a) within the State with intent to access any data kept either within or outside the State or (b) outside the State with intent to access any data kept within the State shall, whether or not he acceses any data, be guilty of an offence and shall be liable on summary conviction to a fine not exceeding £500 or a term of imprisonment not exceeding three months. Where is the categorisation there? Where is the serious offence and the non-serious offence? Where are the games? Where is the provision for use of a computer merely for entertainment purposes or reckless use of a computer by the employee?

Surely there is an onus to report on the employer, or the owner of the computer; no such onus is contained in this legislation. The owner may allow the computer to be operated because it contains no sensitive material. The onus to report should only exist if the computer contains serious material that can be abused, and the legislation has not specified that. We need to look at the question of owner expectation, to establish what is an invasion of personal privacy and confidentiality of material in the computer. Those questions are relevant to this legislation.

Many offices throughout this country operate in such a way that there is no question of accessing certain files which are potentially damaging. As Senator Norris said why create an offence when no damage has been caused? That is the nub of it. One can access information, operate a computer or interfere with computer data. One cannot use a computer without using the programme and a programme is largely neutral. There is nothing sensitive about the contents of a programme. Why criminalise this activity and make it subject to imprisonment or a very substantial fine where no damage may have occurred?

I have taken time to reply to this amendment in order to take into account anxieties raised by Senators on Second Stage and the tabling of the amendments made it necessary to deal adequately with the points raised then and again today on the amendment. I do not know what Senator Norris meant when he said we were playing games; I wonder what games he was talking about. If they were computer games we will stick with that. If some other kind of play acting is involved maybe he could explain that.

I stated already that there are three main ingredients necessary to substantiate an offence. I do not think it is necessary for me to outline them again, but if Senators feel that I should spell them out in a shortened version I will do so. The amendment as proposed has the object of amending section 5 of the Bill so that it would not be an offence to access without authority any non-confidential data or data in relation to which the owner of the data does not have a reasonable expectancy to private information. Despite what the Senators have said, I regret that I cannot agree to a restriction of this sort in section 5.

The provisions of the Bill are extremely wide, in fact absurdly so. Section 5 is about unlawful accessing, to use this very displeasing term. The section applies to a person who, without lawful excuse, operates a computer (a) within the State with intent to access any data kept either within or outside the State, or (b) outside the State with intent to access any data kept within the State Precisely how is it proposed to prosecute people who commit offences outside the jurisdiction of the State? I cannot follow this. Presumably this section is intended to cover multinational corporations with international financial transactions or, for example, dubious occurrences within the new financial centre, but to claim to control people who operate outside the State is a wide, and impractical proposition. What policing authority will be vested with responsibility for investigating this form of offence, for example? I cannot believe that the Garda who, for lack of resources, have, unfortunately, already found themselves incapable of dealing with massive fraud and in a very regrettable comparison with Northern Ireland——

May I remind the Senator that we are dealing with amendments Nos. 1 and 2 on section 1?

That is what I am dealing with, a Leas-Chathaoirligh, thank you very much.

Acting Chairman

It refers to the definition of access.

I am talking about the enormous scope of the Bill and the question of access.

Acting Chairman

We will have to stick to amendment No. 1 for the moment. The Senator will have an opportunity to deal with other matters at a later stage.

One cannot have access in isolation, a Leas-Chathaoirligh, one must have access to something. It would be quite nonsensical for me to talk about access without talking about access to what, and the criminal events that arise therefrom. Data means information in a form which can be accessed — that horrible word again — by means of a computer and includes a programme. That presumably means that somebody who acquires a programme inside or outside the State which gives access to computers is committing an offence. I wish to make the general point, a Leas-Chathaoirligh, that the terms in which this Bill is framed——

Acting Chairman

The Seantor will have an opportunity later to make general points.

——are so wide and general that they make it virtually incapable of applications. I would like to return to the point on criminality on which the Minister has not fully staisfied me. Matters are being criminalised here which, the Minister himself acknowledges, might cause no damage.

I understand that the powers of the Bill do not derive from the Title and I hope that the authorities in this House do also. When I attempted to put down amendments on another Bill which would have saved the Government some trouble, the advice incorrectly given was that the Title controls the content of the Bill. I am sure the Minister will return to me and say that it may be called the Criminal Damage Bill but he can put whatever he likes in it. If he does, that will clarify at least one theoretical point that will be of value to the House.

It is curious that a Bill that describes itself as the Criminal Damage Bill wanders into areas which are only marginal, if at all——

Acting Chairman

It is the Senator's good self that is wandering now.

As the Acting Chairman would know, there is more joy in heaven over one sheep that returns than over 99 that stay within the fold; would that there were 99, or even 59 or 60 Members here debating this important matter. Here we have an attempt to criminalise matters very widely in a Bill whose scope is already wide.

Acting Chairman

The Senator is pushing the Chair. He had an opportunity to speak on Second Stage.

There is an attempt to criminalise matters where no damage has occurred.

I acknowledge what the Senator is saying. The title of the Bill is Criminal Damage Bill, 1990. In an age of computers and modern technology it is right and proper that we include in this Bill crimes that can be committed by means of computer. That is why we are dealing with it and that is my only response to that.

The point made by Senator Norris is relevant. How is it intended to prosecute offences in and outside the State? The point is relevant to a discussion on how unauthorised accessing is allowed to operate and the lack of definition for it. We would need a super police force to enforce this provision and our police force is more than stretched already, trying to deal with existing white collar crimes of fraud and so on.

In relation to amendment No. 2, I do not think the Minister has replied to the remarks I made. There is first, the question of the unreasonable invasion of the confidentiality of the data belonging to the owner, to indicate the seriousness of the offence. That is covered by amendment No. 1. Amendment No. 2 states that there must be a reasonable expectation by the owner of confidentiality on his part. That side of it has to be taken into consideration. There are many owners of computers and section 6 refers to consent being got from the owner of the computer. Many computer owners would consider that a large quantity of the data is not of a private or a confidential nature. That is a reasonable assumption. If one desires to criminalise unauthorised accessing, some distinction is necessary as to what constitutes sensitive material in the data bank or what constitutes a serious infringement of privacy.

We must also consider the mens rea aspect. The Bill does not cover the state of mind of the owner as to what constitutes a serious matter. Surely this is relevant and I ask the Minister to refer to that in his reply.

There is a quantity of menu-type material in computer data banks. For example, a type of electronic bulletin or notice board operates within a network of computers and it exists in a semi-public, semi-private fashion for those who access it in the network. There may be no authorisation given by any of the individual owners of computers in use but the material is intended to be accessible to anybody looking for information on an electronic notice board; in respect of a bulletin of that nature it is not intended to get anybody's permission.

How does one distinguish between the catch-all definition in section 5" without lawful excuse" and "lawful excuse" as defined in section 6 as the consent of the owner? This constitutes a misuse of terminology or, if not, definitions of the terms used should be provided at the beginning of the section and it is not. I am trying to improve that situation with these two amendments to indicate where a serious breach and interference with data takes place to ensure that we do not criminalise all accessing of data but only serious cases where damage has been done. That is the major fault of this Bill.

We all agree we are totally opposed to unauthorised accessing of data and to serious criminal offences where vast sums of money are defrauded through the abuse of data information and so on. We will not deal effectively with this problem by means of legislation which does not define the categories of crime. How are we going to deal with it? Will it be policed and how can we ensure that we do not interfere with non-serious matters and criminalise matters that should not be criminalised?

Acting Chairman

Is amendment No. 1 being pressed?

May I ask the Minister to reply to the remarks I made in relation to the owner's reasonable expectation of confidentiality?

I repeat the reasons the amendments are not being accepted. They would defeat the purpose of sections in the Bill with the result that it would not be an offence to access nonconfidential data without authority or data in relation to which the owner does not have a reasonable expectation of privacy. Senator Costello referred to the question of distinguishing between private and non-private data. The object of this section is not to protect privacy, though it may well help to do so. The section is intended to deter the practice of penetrating systems without authority, causing losses to industry, whether or not the data used are sensitive. I hope that covers the queries raised by the Senator.

Amendment put.
The Committee divided: Tá, 14; Níl, 20.

  • Cosgrave, Liam.
  • Costello, Joe.
  • Doyle, Avril.
  • Hourigan, Richard V.
  • Jackman, Mary.
  • Kennedy, Patrick.
  • McDonald, Charlie.
  • McMahon, Larry.
  • Neville, Daniel.
  • Norris, David.
  • Ó Foighil, Pól.
  • O'Reilly, Joe.
  • Raftery, Tom.
  • Ross, Shane P. N.

Níl

  • Bennett, Olga.
  • Byrne, Sean.
  • Cassidy, Donie.
  • Dardis, John.
  • Fallon, Sean.
  • Farrell, Willie.
  • Finneran, Michael.
  • Fitzgerald, Tom.
  • Foley, Denis.
  • Haughey, Seán F.
  • Honan, Tras.
  • Keogh, Helen.
  • Kiely, Dan.
  • Kiely, Rory.
  • Lanigan, Michael.
  • Lydon, Don.
  • McGowan, Paddy.
  • Mullooly, Brian.
  • O'Brien, Francis.
  • Wright, G. V.
Tellers: Tá, Senators Costello and Neville; Níl, Senators Wright and Fitzgerald.
Amendment declared lost.
Amendment No. 2 not moved.

I move amendment No. 3:

In page 4, between lines 5 and 6, to insert the following new subsection:

"(2) For the purpose of section 6, the accessing of data shall be deemed to have been ‘authorised' person has lawfully been granted use of a computer from which the data may be accessed, and mere breach of any conditions or regulations attaching to such use shall not render the access of the data unauthorised".

What we are trying to do here, as in the other two amendments, is to define more precisely the application of the Bill. This Bill is very broad and we could usefully limit its application by inserting the words "mere breach of any conditions or regulations attaching to such use". In the normal world there is a very wide use of computers, and the manner and purpose for which the employee may use them very often overstep the bounds of the specific work intended under the contractual relationship between the employer and employee. Very often an employee will write a letter which may not actually be part of the business in which he is employed. Such a matter is a mere breach of the contractual relationship and the authorisation whereby an owner gives specific consent to an employee to use the computer for purposes to do with the business. Where such authorisation is not given the use may constitute a criminal offence. Why should it be made into a criminal offence if the breach is not of a serious nature? We should have a category specifying petty breaches of regulations or conditions which constitute unauthorised use and operation of a computer but do nobody any harm. This unauthorised use may take up five minutes of the employee's working time but that is not a criminal matter, at worst, it would be a civil matter. These are nuisance elements in all walks of life and just because we have new technology does not mean we should simply create a criminal offence right across the board.

There are other areas in the normal interaction between people in relation to modern technology which can be specified. Let us say, for example, I had a Banklink card and I decided to give my spouse the number, despite the specific prohibition by the bank which says nobody should have access to that confidential number, except the bank customer who has been given it specifically for his or her purposes. One is supposed to erase or destroy the number as soon as one gets it, retain it only in one's memory and not to pass it on to anybody else. If I were to give the card to my spouse or a member of the family to extract a certain amount of money from a bank, that would involve operating through the bank computer and feeding material into it without the authorisation of the owner of the computer, which is the bank. I would say that is a mere breach of a condition or regulation attaching to the use and not a serious unauthorised use or abuse of the computer. It is not a form of accessing that should be liable to a criminal offence.

No doubt the Minister will say the Bill is not intended to or does not cover this area, as with the games, but, nevertheless, the legislation is so broad that it does cover this area. Why introduce legislation covering far more than is intended and therefore impossible to police? The Bill is unworkable, unenforceable and will create more problems than it will solve. We have a problem we all recognise, but let us not solve it in this amateurish fashion. Let us solve it by a proper examination and identification of where the serious criminal offences occur and not the mere breaches of regulations or conditions agreed or imposed by an owner.

We have an opportunity here to improve this legislation, bad as it is. If I had a choice I would simply jettison the entire section. That would be my advice to the Minister and I would like him to consider it. Obviously it does not come directly from the Minister but this Bill has been ill-thought out in terms of its combined effort not just to update the criminal damages legislation but to bring in legislation on the misuse of computers.

This amendment will move towards defining where actual damage is caused, where an offence meriting criminal liability occurs. If we define areas that can be eliminated, then we are doing a useful day's work. In other words, we are saying that offences that are mere breaches or that interfere with some agreement but are not of a serious nature, will occur anyway, whether we like it or not. That is the way people interact and interrelate. There will be little twists and turns in the way equipment is used but making such matters subject to criminal liability in this legislation would not solve anything.

I urge the Minister to accept this amendment as an improvement on the Bill as it stands.

I would be extremely concerned if criminal liability in the area of employer-employee relations were introduced for minor irregularities regarding accessing information. It has been the premise of our industrial relations that this should be dealt with on the basis of agreement and regulation between the employer and the employee or their representatives. To bring about a situation where minor accessing of information outside what has been authorised by the employer could become a criminal offence moves away from our whole industrial relations approach to date. The last thing needed in industrial relations, at that level, is the introduction of legal sanction. The sanctions that normally relate with regard to disciplining an employee who accesses something in a minor fashion should be applied through the normal disciplinary procedures within an organisation, that is the approach taken in similar circumstances with regard to accessing filing. For example, it is not a criminal offence for an employee to obtain access to an unauthorised file. It may very well be an offence against the regulations or against the person's conditions of employment and an employer can take sanction, but it is wrong to introduce a criminal liability and criminal proceedings in relation to such an act simply because it relates to computers.

I do not think the section was meant to do this but effectively it does so. The amendment will bring the employer-employee relationship with regard to using computers into line with the area computers replace, that is, the normal filing of information and the normal confidentiality of information hitherto kept on file. This Bill effectively makes accessing that information a crime. The purpose and effect of this amendment is to change that and return to the normal industrial relationship between employer and employee where a breach takes place. I will also be very interested in the Minister's response to the scenario outlined by Senator Costello with regard to a spouse obtaining money from a bank cash-dispensing machine which is effectively a type of computer. I look forward to his reply on that.

The objective of the Senator's amendment is to exempt from section 5 of the Bill any person who has been granted the use of a computer from which data can be accessed even though that person may have breached any conditions or regulations attaching to the use of the computer. Acceptance of this amendment would be contrary to the principles underlying section 5.

Section 5 is designed to deter hacking, that is unauthorised accessing of data whether it is carried out from within or from outside an organisation. In fact, most of this unauthorised penetration of security systems is done from within or, if it is done from outside, has involved collusion with an employee on the inside. The consequences of hacking, the damage to systems and the extra financial burdens caused, can be the same irrespective of whether someone has granted the hacker the use of the computer.

On the point of criminalising such activity, a question has been posed on the difficulty of convicting the person involved. Certainly the investigation of unauthorised remote accessing of data will give rise to special features. Detection and prosecution may be difficult in some cases but that is not a good reason to desist from legislating. It is an unfortunate fact of life and the same can be said of other types of crime. Detection and prosecution is possible, however, even at the moment as is evident from successful prosecutions of hacking in Britain under the Criminal Damage Act of 1971.

To make the enforcement of this legislation practical, the Bill confers considerable powers of search and seizure on the Garda. For all their intellectual prowess some prosecutions for hacking demonstrate that hackers lack some sophistication and may I say, modesty in hiding their attempts. For example, in the case of a prosecution of, and I quote the "mad hacker" in the UK in 1989, the police stated in evidence that they found a copy of the hacker's handbook beside the terminal together with various access codes. The Garda will also, of course, be free to obtain technical specialists from outside, such as technical advice on the operation of a computer system as they may require. It must also be remembered that, even at the moment, the Garda may be called upon to investigate computer-related fraud or theft and I cannot recall any specific cases where criticisms have been levelled at the Garda's competence in dealing with such matters.

Senators Costello and Neville raised the question of a husband giving his wife his bank card and his Pin number to get money from the bank. That is not an offence.

Not until this Bill goes through.

As I explained in reply to amendment No. 1, the intention there is not to access data but to get money, so one of the essential elements of the offence is clearly missing, as I outlined in my initial response.

May I respond to the last point the Minister made because I think it is not entirely accurate. You can use bank cards not only to obtain money but to obtain bank statements. Presumably that will be covered? Perhaps the Minister could respond to me on that point.

I have serious worries about this. This is a reasonable amendment because it seeks to limit the extent of criminality and not to make trivial offences into serious crimes. We are talking about people who have been given a certain level of authorisation for a computer and then being criminalised if they go beyond the conditions and regulations. It is a very subtle area.

The Bill also purports to criminalise acts that take place outside the State. In other words, the Minister is saying if somebody in Montevideo uses a computer within certain regulations or specifications and gains access here that person is subject to the criminal law. I am at a loss to understand how we can claim to be able to control activities which originate outside the State. This goes right through the Bill, particularly with regard to computer operations. There is a series of points there, the first one being that the Minister is disingenuous when he said there is a difference in using a bank card. Perhaps there is if they are only taking money out, but I would remind the Minister that it is not only money you can extract using a bank card; you can also extract information about an individual's bank account.

I want to put a specific example to the Minister and ask him to clarify if it would constitute an offence. In an organisation where a young person who is responsible for purchasing, out of curiosity accesses the list of customers whom the organisation supplies, having been specifically instructed not to access such information that would be a breach of company rule. As I understand it, under this Bill that would also be a criminal offence even though the act was committed out of curiosity and for no ulterior motive. If the employer found the computer print-out with the list of names, he would have evidence which, if he were bad enough, he could supply to the authorities and have criminal charges brought under this law.

The longer we proceed in teasing out this and the other amendments the stronger the case gets for saying this is a catch-all Bill. It is ill-defined in terms of the degree of criminality and the degree of seriousness which incurs criminal liability. The Minister has not adequately answered us on any of the points raised. As Senator Norris has pointed out, you can access a bank code to obtain other things besides money. You can get a statement in which case you have got through to the data which may be confidential. That, of course, could be serious. The offence that is being criminalised is operating the computer with intent to access the data, whether one succeeds or not. Any form of light-hearted playing with a computer, whether or not the file is serious or sensitive, is still an offence.

In terms of industrial relations we are moving into a huge new area if we criminalise what is of a basic regulatory nature between an employer and an employee and which may be specified in whatever contractual relationship has been established. There is a whole area of contractual liabilities where there may be breaches of that contract in terms of the employer and the employee subject to various disciplines which are agreed in the workplace. We are here, impinging on that rather recklessly and saying that, irrespective of the seriousness of the breach, it is a criminal matter. We know how the workplace operates, it is not a rigidly black and white case. There are degrees whereby you have minor or trivial breaches of what would be the normal expectation of the employer and the employee. The employer very often turns a blind eye to certain practices that develop from time to time. An employee who uses a computer not solely and exclusively for the purposes authorised explicitly by the owner and employer is now involved in a criminal offence, according to this legislation. Surely we have to define what is or is not a serious offence before we start upsetting other areas of contract, regulation and conditions in operation in the workplace, in the trade union movement and so on?

In relation to "the mad hacker", I would be delighted to see the Bill specifying how to deal with a mad hacker but we do not have anything to deal with a person who compiles a handbook of hacking for interfering with sensitive and highly confidential material which may very well end up being used in fraud. We are looking for such a Bill, one which specifies its function, what area of hacking it wants to deal with whether on the economic or the financial side, whether it is with regard to State secrets, or is it the mere use or misuse of a computer by somebody who does not have got the authority of the owner. We have no such distinction in this Bill and until we have such distinction we will have bad legislation.

Amendment put.
The Committee divided: Tá, 15; Níl, 19.

  • Cosgrave, Liam.
  • Costello, Joe.
  • Doyle, Avril.
  • Harte, John.
  • Hourigan, Richard V.
  • Jackman, Mary.
  • Kennedy, Patrick.
  • McDonald, Charlie.
  • McMahon, Larry.
  • Neville, Daniel.
  • Norris, David.
  • Ó Foighil, Pól.
  • O'Reilly, Joe.
  • Raftery, Tom.
  • Ross, Shane P.N.

Níl

  • Bennett, Olga.
  • Byrne, Seán.
  • Cassidy, Donie.
  • Dardis, John.
  • Foley, Denis.
  • Haughey, Seán F.
  • Keogh, Helen.
  • Kiely, Dan.
  • Kiely, Rory.
  • Fallon, Sean.
  • Farrell, Willie.
  • Finneran, Michael.
  • Fitzgerald, Tom.
  • Lanigan, Michael.
  • Lydon, Don.
  • McGowan, Paddy.
  • Mullooly, Brian.
  • O'Brien, Francis.
  • Wright, G.V.
Tellers: Tá, Senators Costello and Neville; Níl, Senators Wright and Fitzgerald.
Amendment declared lost.
Question proposed: "That section 1 stand part of the Bill."

In relation to section 1 (d), will the Minister reply to the repeated concerns expressed by Members on this side of the House as to how he proposes to deal with an offence committed outside the State involving damage to property within the State? In what way will such an offence be policed and how will the person involved be brought before the courts? This question has already been asked on three occasions by Members on this side of the House. If a section of the Bill is not enforceable it will damage the whole Bill. Will the Minister say how he proposes to deal with a person who, in relation to data, damages or accesses information from outside the State?

The procedure to be followed in a case like that is an extension into other legal areas such as extradition. To have people extradited would be one way of complying with the question raised by the Senator.

I oppose section 1 because too many loose elements are not sufficiently defined to enable us to deal with the rest of the Bill. The Minister said we can deal with such persons by extradition but I would like him to develop that point further; will Interpol be involved at any level? In the context of the European Community and political union, will some form of common legislation operate as this is a multinational type of offence? Under what section of the Extradition Act will this operate without it being necessary to introduce new legislation or to amend the existing Extradition Act, 1965? I am not sure whether that is possible at present but I would like the Minister to indicate whether he intends amending the Extradition Act, 1965.

Section 1 does not define the causes or categories of damage. There is a reference to damage but the reference to data is strange. It is not just data that can be accessed through a computer in information form but also in programme form without a distinction as to the seriousness of accessing a programme. Many computer programmes are neutral and I am not sure how that, in itself, has the taint of criminality about it. What creates a confidential matter and a nonconfidential matter or a private matter and a non-private matter? What exactly is the damage caused here? That is not defined in the Bill — the Criminal Damage Bill.

Senator Neville and I asked about the relationship between employer and employee, how that will operate in terms of trade union law, contractual rights, duties of employer and employee and internal sanctions that are the normal part and parcel of the workplace. Where does the criminal act begin, and where does a mere breach of practice start? These matters have not been addressed in this section and the Bill is unclear in what it sets out to do. I accept that nobody decided to tag on an element of computer hacking to the Bill and call it criminal damage. I have already criticised that as a very sloppy and inadequate way of introducing legislation, but what I am really concerned with is that having attempted to deal with the unauthorised accessing of data, no attempt was made to distinguish between a serious and a non-serious matter. Section 1 to deal with computer data fails to define the terminology used or to set out the objective of the Bill. The Minister made clear what he sees as the objective of the Bill, and I agree with everything he said about dealing with serious criminal matters that can result from unauthorised abuse of computer facilities, data banks and so on. However, that is not what the Bill does; it does much more, it covers all computer activities.

This section lacks the necessary definitions, limitations, and specifications to enable us to tell precisely what is or is not a criminal offence. The computer world is large and growing. It involves the largest technical innovation in terms of its impact and use worldwide. Therefore, we simply cannot criminalise computer use right across the board. This Bill is inoperable and unenforceable and the Extradition Act will not solve the problem either. It is not a solution and we do not have a police force to operate, supervise, monitor or regulate it. That is another area that is not addressed in the legislation. As I said, there is a lack of definition in this section; and there is nothing in this Bill which says what creates a criminal offence, other than the catch all sections 5 and 6 which are so broad that everything is covered by them.

With regard to the Minister's reply to my query on damage or information accessed outside the State, I do not accept that the operation of an extradition arrangement would be satisfactory. It would satisfy in the event of the person who committed the offence being identified, but does the Minister propose to investigate such offences? What arrangements will be made between police authorities of this and other countries? This is a highly sophisticated and complicated area and thorough and complex police investigations would have to take place. As information can be accessed from anywhere in the world through computer hacking, how does one investigate such occurrences? What are the arrangements for charging such people and for extraditing them to this State?

The Garda authorities expressed concern on numerous occasions about policing arrangements in the EC, especially with regard to the introduction of the Single European Market and opening borders involving free access of people. Many of us are concerned that this may give rise to the free movement of drugs and arms. Even within the EC, there are policing problems with regard to normal policing arrangements. Therefore, how complex will the arrangements be for investigating and bringing people to trial from anywhere in the world? If it is not possible to do this, then surely this will be a bad law as it cannot be fully implemented. I would like to hear the Minister's view on that.

Senator Costello asked if the objective of the section is to deal with matters such as economic or financial loss or at protecting privacy. In short, it is aimed at deterring hacking and I have been stressing that point throughout this debate. That is the sole aim of this section but if it succeeds it will also help to protect privacy, avoid financial loss caused by hacking and maintain the integrity of computer systems.

Earlier, Senators Neville and Costello asked about the categories of offences and expressed concern at the prospect of minor breaches of the law by employees being criminalised. In practice, an employer should make clear to his employees the information they are not authorised to access. I would approach this in much the same way as other matters which can have a criminal aspect in the workplace and about which some concern was expressed. For example, employees may take home pens or stationery or they may make telephone calls without authority. This does not usually cause any problem provided the activities are minor and that is where I would draw a parallel in terms of this Bill. Substantial loss can be caused by unauthorised accessing of data by employees and the purpose of this section is to deter that. I want to emphasise that this section is there to deter hacking.

In regard to damage to data caused by someone outside the State, that offender can be extradited if the other country has a corresponding offence in their law, and most countries have a similar provision. We have extradition arrangements with most developed countries and damage to data is an extraditable offence where the maximum penalties, as apply here, exceed 12 months. If there is a corresponding offence in another country with a similar penalty, extradition can take place without any need to extend or alter the Extradition Act as was suggested. I hope I have answered the queries raised by the Senators.

The Minister said that the purpose of the Bill is to deter hacking; we are agreed on that. The definition of hacking — in so far as it is given, the word is not used in the Bill at all — is the unauthorised accessing of data and that is its limit. There is nothing about the purpose for which the data is accessed or the seriousness of the data, whether it contains information about millions of pounds or information that can ruin a person's reputation. It simply refers to the unauthorised accessing of data without lawful excuse. We are agreed on that but that is not the proper way to introduce the legislation. The Bill, as drafted, makes a criminal offence of any unauthorised use of computer data or program. It states that it is a criminal offence for a person who, without lawful excuse, operates a computer within the State with intent to access data. It is no good for the Minister to talk about somebody who takes a pen or a pencil home because the Bill does not make a distinction between a minor or a trivial offence and a serious one and until somebody explains that I have to interpret the Bill as I see it in sections 5 and 6.

If, say, the copyright on software is infringed or pirated it is a civil offence and not a criminal offence. We are saying here that it is a criminal offence to use anything that is pirated or unauthorised in relation to a computer but in many other areas it is a civil offence, not a criminal offence.

The example I gave earlier about photocopying material is relevant. In the context of the new junior and senior cycles — both of which are being introduced with major curricular changes at present — the textbook is no longer the mainstay of the curriculum, and every teacher is photocopying various parts of books, making videos and distributing photocopies to students in the classroom. I want to draw a parallel here. Is a person who has not got authorisation from the owner of the book or the video equipment that is being used in the classroom guilty of a criminal offence? The same is true in terms of computers. I cannot see why one is a criminal offence irrespective of the seriousness of the matter, another a civil offence and there is no offence at all if it is a trivial matter.

I am not satisfied that an adequate answer has been given as to why section 5 exists and why no attempt has been made to define or categorise criminal offences. We need a provision in the Bill, stating the objective of the Bill, the area we want criminalised and policed and under which cases can be brought to court.

Question put and declared carried.
Section 2 agreed.
NEW SECTION.

Amendment Nos. 4 and 8 are related and both may be discussed together.

I move amendment No. 4:

In page 5, before section 3, to insert the following new section:

"3.—(1) In any case under this Act, where the extent of the damage alleged exceeds £100, the accused person shall have the right, as shall the Director of Public Prosecutions, to elect for trial on indictment.

(2) In all other cases the matter shall be tried summarily in the District Court.

(3) The maximum penalty to be imposed on summary conviction shall be six month's imprisonment, or a fine of £1,000, or both.".

This amendment is establishing the constitutional right of the accused to a trial by jury. As I said, this legislation is very broad and any type of criminal conviction could result in a permanent stain on somebody's character, affecting their good name, their future and all the rest of it. Therefore, it is very important that the accused — particularly in the context of this Bill which is so ill defined — who may be charged with a very minor offence should have the option of electing for trial by jury if the alleged amount of damage would exceed £100.

First, the Bill is very broad and criminalises areas that should not be criminalised. Second, it is a very important principle that we maintain the right to trial by one's peers — the right to trial by jury if the accused wishes to avail of it. That essentially is the content of amendment No. 8 —"A person shall not be tried without a jury for an offence under this Act without his or her consent". The amendment is giving two options which are slightly different. One is a specification of £100 as a cut off mark; the other is that in all cases there should be the option of a trial by jury. I urge the Minister to consider that point, since we have now criminalised all unauthorised accessing of data, whether it be serious or not. If this legislation is implemented strictly, we could find ourselves, with many others, who never expected it, appearing in the courts. Since we are casting the net so wide it is right that we should ensure there is the option of a trial by jury.

At present a person accused of committing malicious damage to property exceeding £50 is entitled to insist on a jury trial. In their report the Law Reform Commission recommended that the accused should not have an absolute right to trial by jury for any minor offence of this kind. This referred to the obligation on the District Court to ensure that a non-minor offence is not tried summarily. If the district justice concludes that the offence charged is not a minor one, then the case can only proceed on indictment so that the constitutional right to a trial by jury in such circumstances is fully preserved.

I appreciate that in some of the old statutes, such as those relating to larcency, a trial by jury can still be insisted on for the most trivial of offences. However, I do not see that any special case can be made in this context for criminal damage offences. The fact remains that there is no constitutional right to trial by jury for a minor offence. There are many precedents for the provision in the Bill giving the Director of Public Prosecutions discretion to proceed summarily, or on indictment, and the practice is subject to the safeguards I have mentioned. I regret, therefore, that I cannot accept these amendments.

Criminal damage is never a minor offence if it is opposed by the person who is alleged to have committed the offence. Criminal damage is a serious matter. It is one in regard to which we should maintain protection rather than reduce it. We have added now to the area of criminal damage a much broader offence, the offence of unauthorised accessing of computer data. That is as broad an offence as we will ever find in our legislation; it is the broadest criminal offence I have ever come across. I have no doubt that the net that has now been spread encompasses the unwary, those who least expect it. The employer who owns a computer would least expect that he would have to give total authorisation for every use of that computer; otherwise it is subject to criminal action. The least we can do in those circumstances is to provide protection parallel with the scope we have allowed to be established in respect of this offence.

This emphasises once again why we must have the offence of computer hacking, why we have to make it so broad. Yet we are reluctant to ensure the right of trial by one's peers. I think we are getting this out of proportion. If we are providing catch all legislation, we have to ensure that there is a jury trial option. As I said, people may come before the courts who never expected to do so.

I have listened carefully to what the Minister said. Not being a legal person, I understand that the safeguards under the Constitution are automatic and where it is deemed that an offence is serious, the accused will have the option of a jury trial. Senator Costello has identified serious damage to property as something in excess of £100 in value. I am satisfied that the Minister's explanation covers that area. I was concerned that a jury trial should be available in a serious offence, but I am satisfied that what the Minister has outlined will cover my concerns.

Amendment put and declared lost.
Section 3 agreed to.
SECTION 4.

I move amendment No. 4a:

In page 6, line 4, after "has" to insert "or has had".

This is a very simple amendment. If accepted section 4 would read:

A person (in this section referred to as the possessor) who has or has had any thing in his custody or under his control intending without lawful excuse to use it or cause or permit another to use it.

Too often we see criminals who are able to overcome lapses in the law — if you like to call it that — and use a situation where they can overcome the intent of the law. I think this was discussed in the other House as well. If somebody had an object and disposed of it before he was arrested, before he was questioned or before he was intercepted by the police, could he then say that he did not have any object in his hand?

The purpose of the amendment would be to ensure that a person who had such an object would also be guilty of the offence and subject to the provisions of the Act. Too often, as I said, we see criminals who are experts in overcoming difficulties in the law, using the right of silence in many areas. In this situation I would be afraid that somebody who had, say, an implement to damage property could dispose of it before he was intercepted by the Garda and could then say that he had not any such object in his custody. I believe my amendment would overcome that difficulty.

I have not seen the amendment. Has it been circulated?

Acting Chairman

It has been circulated.

The parliamentary draftsman has confirmed that the form of words used in the section is adequate to cover the possession of articles or substances with intent to cause damage irrespective of when the possession took place. I hope Senator Neville would agree with my response and that he will not press the amendment; otherwise, I have to say that I could not accept the amendment.

Senator Neville has identified a problem here. A person who has "or has had" anything in his custody or under his control — would seem to broaden the scope and enable the law to operate more effectively. We talked already about prosecuting and how best to do it without lawful excuse. If we say somebody has something in their control, should we not also extend it to somebody who has had something in the vicinity or within a short time previously? Later, we refer to an arrest taking place in the context of somebody who has been seen in the vicinity of the crime. Since that would be subsequent to the event, why can we not go prior to the event as well, if we are going to provide rights of arrest to a citizen as well as to a garda where somebody is perceived to be in the vicinity of where criminal damage has occurred? It would seem a reasonable amendment to extend the powers in dealing with somebody who would be intent to damage property by including prior possession of equivalent that might be used for that unlawful purpose.

I would be in favour of this amendment. I would like to see the Minister tease it out more comprehensively, especially when it is taken in the context of the arrest section — section 12. Section 12 (3) provides:

Where an offence to which this section applies has been committed, any person may arrest without warrant anyone who is or whom he, with reasonable cause, suspects to be guilty of the offence.

There is also reference to the arrest of someone suspected to be in the act of committing an offence or about to commit an offence. This amendment would seem to fit in with the powers that are given in section 12.

I can see the point being made by both Senators. It would seem on paper to be a very small adjustment to make. I have no great difficulty with it myself, but I understand the parliamentary draftsman has confirmed that the form of words used in this section is adequate to cover the possession of articles or substances with intent to cause damage. If you think about it for a minute, possession is always in the past, after being arrested anyway. Perhaps we are putting too much play on the words "has" and "or has had". It is the responsibility of the parliamentary draftsman to guide us in the wording. I have a doubt myself but I am slow to say that both gentlemen are wrong. However I have to take the advice of the parliamentary draftsman.

My other concern is that if we begin at this stage to amend little words like "has" and "or has had", how many more times do we have to do it? Perhaps that is another question we should look at. If necessary it must be done, I suppose; but I have to stick with the original decision. As I indicated, I hope Senator Neville agrees that the form of words used in the section is adequate to satisfy his concern and that he would agree not to press the amendment.

I appreciate that what the Minister has said is tantamount to agreeing with our views on this. However I do not think that amendment would damage the Bill. At worst, it may reaffirm a situation that is already there but I cannot understand how it would do any damage. It would certainly close the loophole that this side of the House, and indeed the Minister, are concerned may be there; we believe it is there. I think it would enhance section 4 if this amendment were accepted because, as I said earlier, too often that the criminal mind finds ways and means of overcoming the spirit of the law and the intent of the law cannot be implemented because of the deviant resourcefulness of the criminal mind.

The Minister has to take the Bill back to the Dáil anyway. While that is being done, there would be the opportunity for the draftsman to have another look at it and see if, in view of what has been said, he is satisfied with the wording or if it is less than adequate. Perhaps that would be a more satisfactory way to deal with it.

My own view here, as I said is not too far removed from the opinions expressed by the Senators. I will go this far: I will have this amendment and the section it refers to looked at again, and come back to it on Report Stage.

I would be happy to accept that the Minister would come back to us on Report Stage. I would have some difficulties at this stage about leaving it to the other House, because we have debated it in this House, we have strong views on it and we would like it considered on Report Stage.

It should be pointed out that any changes made in the Bill here will still have to go back to the Dáil.

Amendment, by leave, withdrawn.
Section 4 agreed to.
SECTION 5.

I move amendment No. 5:

In page 6, subsection (1), line 26, to delete "or imprisonment for a term not exceeding 3 months" and substitute "or to pay compensation to the owner of the data".

The purpose of this amendment is to deal with an offence which is liable to summary jurisdiction, summary conviction, and therefore is something we should be looking at in the context of greater flexibility of sanction rather than adhering to the old two-some sanction of a fine or a term of imprisonment. I do not see any reason we should not include compensation. It is reasonable to pay compensation to the owner of the data. The ease with which a fine or imprisonment is mentioned, even in summary matters, always causes me some concern. We seem to have no problem imposing fines or imprisonment no matter how trivial or how serious the offences.

It is time we looked at the reform of the prison system and the value of the prison system. All the criminal legislation that goes through this House simply presumes that a sentence of imprisonment is a norm, in all circumstances, but in the context of summary offences a sentence of imprisonment should not be the norm. We should be providing alternative sanctions rather than sanctions of imprisonment. We should be exploring fines, compensation for damage done, community service orders and any range of alternatives to incarceration that we can come up with. What will three months' imprisonment do except cost the State £100 per day? That is the same as a fine not exceeding £500 or three months' imprisonment. A working week has hardly elapsed before the State has spent as much as was imposed in terms of the fine.

We do not consider these in terms of the cost to the State or the value of a sentence in terms of reformation or rehabilitation. Our prisons are bursting at the seams. People in prison have all sorts of problems that seem to grow. We have a disproportionate number of suicides in our prisons because of conditions there. Very few points can be made in favour of our prisons. I have hardly heard anybody in either House say that imprisonment is a useful sanction. We should take the initiative and say suggest getting rid of the sentence of three months imprisonment as part of the sanctioning mechanism and put in its place the payment of compensation to the owner of the data, the person whose authorisation has not been received, the person who has not provided the lawful excuse, or the person who has been infringed upon, whose information or whose file has been interfered with. If we do that we are not doing something terribly radical or unthought of; we are acting in accord with the provisions of the Whitaker Committee who said that the vast majority of summary offences can be dealt with by non-custodial means, that the presumption should be not a prison sanction but an alternative sanction. That is a Government established committee. Those are not the recommendations of a radical body but of a large number of civil servants and people in the community, respected in all quarters, who examined the situation scientifically and came to the conclusion that our prison system was operating ineffectively in dealing with minor and trivial offences.

I ask the Minister to consider this amendment as a useful statement of intent by the Government to expand the sanctions in terms of summary convictions into an area that would be more beneficial to the person against whom the offence was committed — namely, the owner of the data — in that he or she would get something out of it; second, that the State would not have a further financial burden imposed' and third, that the offender would not benefit in any case by a sentence of imprisonment.

I support this amendment. It goes to the core of what we have called for in this House on numerous occasions when discussing the reform of our prison service. There should be a full investigation of alternatives to prison sentencing. It costs at least £700 per week to keep a person in prison. If alternative arrangements can be made — and I believe they can — they should be explored fully. Compensation to the victims of crime is one of the areas that should be introduced. This amendment introduces that as an alternative to imprisonment for minor offences. We all accept that serious offences require incarceration and one would hope there would be more rehabilitative facilities for people than exist at present.

For minor offences it is a wrong and outdated practice to send people to an overcrowded prison. Most of them do not go to prison anyway. One day of their short sentence is as much as they spend in prison because the prisons are overcrowded. This proposal is certainly in line with Fine Gael policy. For a number of months we have had a motion on the Order Paper calling for the Seanad to look at alternatives to imprisonment for minor offences.

Acting Chairman

Please speak to the amendment, Senator.

I am making a case for changing from imprisonment to other forms of punishment.

Acting Chairman

We are not dealing with motions on the Order Paper.

I am just referring to and verifying our policy on this issue. The point I am making is that we should look at alternatives to prison. The proposal that compensation should be made to the owner of the data is worthwhile and should be extended to all offences that involve personal damage of any sort. We should also look at other areas if, on occasion, fines cannot be collected. What do you do if somebody is fined £500 and you cannot collect it or, if somebody is given £500 compensation, how does he enforce that if there is no prison sentence as an alternative? Attachment of income or confiscation of property of the convicted person should be looked at. Participation in training courses might be seen as an alternative if a person failed to pay a fine. Confiscation of property for failure to compensate the victim of crime is a much better alternative to sending somebody to prison for three months at a cost to the State of approximately £10,000.

This amendment proposes to leave it open to the court to require a person who has been convicted of an offence under section 5 — which deals with unauthorised accessing of data — to pay compensation to the owner of the data. The objective of the amendment is achieved by the combined effects of sections 2 and 9. The scope of section 5 is confined to deliberate unauthorised access to data or attempts to gain such access. The offence will be committed either when access is achieved or when the computer is being operated with the objective of gaining access but no access is actually achieved. It will be committed even when the hacker merely looks around the system he has penetrated. Depending on the level of security in the system, a hacker may not get beyond a look at a list of what the system contains. However, if the hacker gets beyond the read only stage, if he adds to the data or alters it in any way, manipulates either the data in the system or the instructions in the program, he will then be committing an offence under section 2, that is, the offence of damage to the data which carries very heavy maximum penalties.

If the alterations to the data have caused any loss to the owner of the data, the court is authorised under section 9 to make a compensation order against the convicted person. Section 5 is designed to deal with simple hacking or attempts at hacking where no damage is involved to the data concerned. The compensation aspect arises only where damage has been caused, and that is covered by sections 2 and 9. I cannot go along with the Senator on this amendment. I understand the point he is making but it is covered by both sections 2 and 9.

I am not quite clear about sections 2, 9 and 5 in that context. What we have are two different sets of sanctions. The sanction in section 5 refers to computer hacking and the range of sanctions in section 9 refer to criminal damage and section 2 refers to damaging property. On Second Stage I praised the flexibility of the sanctions in section 9. Section 5 deals with computer hacking, and unauthorised access to data is only one type of offence and covered in section 5. I do not see why we cannot have the same flexibility in relation to sanctions for computer hacking as we have for criminal damage expressed in section 2, and which is covered in section 9 in terms of sanctions. I ask the Minister to extend the sanctions for this offence to the range of sanctions in section 9. I do not think there is anything unreasonable about that.

Accessing data or attempting to access data can be a very serious matter. We should specify the offence in terms of indictment as well as in terms of summary offence but when we are talking about infringement and summary conviction, we must address the offence under section 5 which deals with the unauthorised accessing of data. Despite what the Minister has said, there is no reason we cannot extend the range of sanctions to offences covered by section 2. The legislation could direct how a judge may act rather than telling him the sanction is either a fine or imprisonment. Let us tell a judge that there is a range of sanctions which are probably less costly, more effective, and more beneficial to the victim. Why not tell the judge that? The only way to tell that to a judge is by putting it in legislation. Why be afraid to write into legislation that we want reform by way of alternative sentencing for somebody who is convicted of a summary offence — and it is a summary offence if it merits either a fine of £500 or three months' imprisonment.

The Department of Justice bring most legislation before this House. Let us break the cycle where the two sanctions are specified. In section 9 we have provided for compensation, payment by instalments and an appeals system. Let us do the same in section 5. I cannot see any good reason not to do so.

Where damage is done, under section 9, the person causing the damage is liable to a maximum fine or imprisonment or both. Every court is empowered under section 9 to make an order for compensation for damage to property. Data is property and computers are property. There is no point trying to make distinctions that are not there. Section 9 states:

(1) On conviction of any person of an offence under section 2 of damaging property belonging to another, the court, instead of or in addition to dealing with him in any other way, may, on application or otherwise, make an order (in this Act referred to as a "compensation order") requiring him to pay compensation in respect of that damage to any person (in this section referred to as the "injured party") who, by reason thereof, has suffered loss (other than consequential loss).

Section 2 states:

a person who without lawful excuse damages any property belonging to another intending to damage any such property or being reckless as to whether any such property would be damaged shall be guilty of an offence.

I am satisfied that sections 9 and 2 cover the Senator's problem. I oppose the amendment.

If sections 9 and 2 cover it, why do we have an offence at all under section 5? Section 9 specifically refers to section 2 as the Minister indicated, on conviction of any person of an offence under section 2 of damaging property belonging to another, etc. We have a range of sanctions in relation to section 2. Section 5 has a separate sanction for a separate offence. All I am asking is that in relation to this separate offence we include another sanction. There is no contradiction between what is in section 9, what is in section 2 and what I am trying to do by amending section 5.

I cannot see why the Minister cannot take on board a perfectly good amendment which is in line with what he has done in section 9. I praised the Minister the other day for expanding the range of alternative sentencing. Why not continue that? Let us do it across the board in relation to the two offences. I do not think anything the Minister has said would suggest that my amendment, supported by Senator Neville, would be less useful or inadequate. The amendment has its own merits. The Minister has not indicated anything that takes away from the amendment. In other words, it is not an inappropriate amendment. It is a most appropriate one and is in keeping with the other sanctions in the Bill. It would be a beneficial development for us to indicate to every judge in the country that we expected them to avail of the broadest possible range of sanctions that are available.

Will the Minister look at this on Report Stage? The sanction in section 5 is against the spirit of the Bill. It is a reforming Bill in the area of sentencing, as indicated in section 9. It looks as if there has been a lapse into the old way of looking at sanctions. Would the Minister look at an alternative to a prison sentence in circumstances where the offence is a minor one. Someone sentenced to three months in prison is unlikely to spend a week in jail because of the present difficulties which are likely to continue for some time. That is one side of it. The other side is the cost to the State. Surely sanctions other than imprisonment must now be considered in the light of modern penal studies which would suggest that there are other ways of penalising people that are much more productive than sending them to prison for three months for a minor offence.

As I indicated earlier, we are not tying the hands of the courts or the person damaged to claim damages or compensation. In fact, the court is authorised under section 9 to make compensation against any person convicted of damaging another person's property. There is no other explanation for it. If compensation is applied for, the judge is authorised under section 9 to award compensation.

The Minister is saying that damage to property by accessing unauthorised data does not arise under section 5 — no damage will take place. Is that what the Minister is saying because section 9 refers specifically to section 2, not to section 5, and section 9 does not cover section 5 in that context?

The objective of this amendment is contained in sections 2 and 9, not taken individually but taken together. It strengthens the Criminal Damage Bill and it would be wrong for us to take a line here and another line there where it suits us. Both sections have adequate strengths for any judge, court or lawyer to impose summary fines and/or imprisonment or both and also to grant compensation if damage is done.

If the objective is achieved in sections 2 and 9, why have we an offence and a sanction in section 5? If section 9 only refers to section 2 which relates to damage to property and section 5 has the stated offence of unauthorised access to data with a stated sanction, then section 9 does not cover section 5 or it is not seen by the parliamentary draftsman to cover section 5. Without going over the same ground again, the Minister knows the point that Senator Neville and I are making and the desirability of introducing alternative sanctions that is at the heart of it.

If the wording were varied a little and instead of eliminating or deleting the term of imprisonment, which obviously I would prefer, we added on a third sanction and said a fine not exceeding £500, a term of imprisonment not exceeding three months or compensation to the owner of the data, then we would be retaining, if the Minister wishes, imprisonment as a sanction. To bring it in as a third option in the same terms as it is stated in section 9, would not go against the substance of the Bill. As he has kindly agreed to do in relation to amendment No. 4a, the Minister might reconsider this for Report Stage. If he can at that stage categorically state that there is good and sound reason that option should not be left in, then we will accept it. I would like him to look at it again in the context of section 9.

If there is no damage then there is no compensation. On the doubts raised about section 5, if the hacker goes further than reading the data, if he alters the data or interferes with it in any way, he is damaging the data and commits an offence under section 2, thus giving rise to the probability of compensation being sought or granted because a person's property was damaged.

It would appear that section 5 covers a situation where no damage is done. While the amendment would be in difficulties because of that the spirit of the amendment should be looked at. There are alternatives to imprisonment other than compensation which the Minister could look at. I am talking about community activities, etc. There is a range of sanctions which the Minister could look at other than sending people to prison for three months where they serve three days and cost the State over £3,000.

Section 5 deals specifically with accessing data. That is a crime in itself. The objective of this section is to deter hacking. Damage arises if the hacker alters or interferes with the data or the system.

Section 2 refers to damage to property, physical damage. Damage can be assessed and evaluated financially without it necessarily being physical damage. It is still possible to think in terms of compensation to the owner or the victim against whom the unauthorised infringement took place. It does not stand to reason that, because there was no damage within the terms of section 2, there was no damage caused which can be redressed through compensation. That is possible in virtually all circumstances. If damage is assessed in terms of a fine of £500, this is a financial assessment of damage and in a sense that is compensation to the State which may go into the Exchequer in various forms. Since the same principle is involved why can we not turn that around and say that compensation will be used as a sanction for the unauthorised accessing of data? There is no doubt that could be financially evaluated. That would be a more reasonable sanction than thinking in terms of imprisonment.

It is not correct to call a fine of £500 compensation to the State. That borders on the ridiculous. A fine is a fine and compensation is compensation. There is a fine for the crime of unauthorised accessing of data in section 5, sections 2 and 9 deal with damage to data and compensation for damage caused. There are two separate transgressions here and it is incorrect to say that a fine of any amount of money — £10, £500 or £1,000 — is compensation. That is not correct. I do not think that we should deal with it along those lines. I am still opposed to the amendment because it is not relevant.

Amendment put and declared lost.

I move amendment No. 6:

In page 6, between lines 26 and 27, to insert the following new subsection: "(2) Subsection (1), (in so far as it relates to accessing data not owned by the State), applies only to access which is capable of causing economic loss to the owner; and accordingly a person who accesses data contrary to this section shall be liable for any such economic loss.".

Data owned by the State presumably is covered by the Official Secrets Act. This Bill makes it an offence to unlawfully obtain or seek to obtain official secrets or data owned by the State. Where it applies to economic loss, how are we to determine that? Is it the Minister's intention to protect business, financial and entrepreneurial interests? If that is the case, we should limit its application to this area and say we have a major problem with fraud that is being perpetrated by the operation of computers. We must distinguish between what creates economic loss and what is merely of non-economic intent.

Progress reported; Committee to sit again.
Sitting suspended at 6 p.m. and resumed at 6.30 p.m.
Top
Share