I move: "That the Bill be now read a Second Time."
This is a measure of law reform which will, I think, be generally welcomed. It simplifies and modernises the law of criminal damage to property and in this it gives effect to the recommendations of the Law Reform Commission in their report on this subject which was published in September 1988. It goes further in penalising interference with computerised data and other forms of computer misuse.
I shall deal first with criminal damage to tangible property. The present law is contained in the Malicious Damage Act of 1861, which has survived with only minor amendments to the present day. The first 50 sections are devoted to specific offences of malicious damage to different kinds of property by different means. The Law Reform Commission report I have referred to sets out no fewer than 108 kinds of property and 62 different words to express the causing of damage. The Bill cuts through all this complicated verbiage by providing just three offences of damage to property in general. These are, first of all, a simple offence of damage to another's property; second, an aggravated offence of damage to any property where the damage is done with intent to endanger the life of another or with recklessness in that regard; and finally, an offence of damage to any property where there is an intent to defraud. There are also two subsidiary offences of threatening to cause damage to property or to have custody or control of anything with intent to cause damage with it. All these offences are covered in three provisions — sections 2, 3 and 4.
The Bill also deals with a problem of much more recent origin, that is, that of computer misuse by what is called hacking. By hacking I mean getting access to computerised information without the permission of the owner of the computer system or the information. It can be done either from inside an organisation or from outside by someone who has no legitimate connection with it. "Insider" hacking takes place when an employee with legitimate access to the data equipment either uses it for a wrongful purpose or exceeds his level of authorisation in accessing particular data: The "insider" may of course be using a terminal that is located far away from the central processing system of the organisation concerned. "Outsider" hacking takes place when a person who has no legitimate connection with a data system gains access to it by using a computer in his own home or office connected to the telephone network. It is the kind of activity that people most often think of when referring to hacking but it is no different in principle from "insider" hacking.
Before computer systems became common, confidential information was kept locked away in filing cabinets in locked rooms so that it could not be tampered with or copied by persons outside the organisation, though of course there was always the posibility of collusion between employees or burglary. Nowadays information on any computer system linked to the telephone network is vulnerable to access by complete strangers. The situation has been compared to paper files kept in a locked cabinet but left in a public place. It is just a matter of finding the right key to fit the cabinet and the person who wants to read the files — in this case the hacker — can spend as long as he likes trying different keys until he finds one that opens the lock.
The motives of hackers vary considerably. At one end of the scale, they could be altering, say, payroll programmes for fraudulent purposes. Those who do so are liable to the penalties prescribed by the law governing fraud. A crime is a crime irrespective of whether the criminal uses a jemmy or a computer to commit it. At the other end, there are those, usually young people, who are motivated by a sense of achievement on being able to penetrate the security systems of organisations not only in this country but worldwide and who may just "look around" the system or copy the information on it or perhaps add on a message of their own.
Hacking can cause very serious damage, whether the computer system is used only for storing information or has an operational role. If the system is dealing only with information storage, the hacker can erase the information or introduce false data. If it has an operational role — if it is dealing with, say, inter-bank fund transfers, air traffic control, stock control and automatic reordering, airline and hotel bookings, payrolls and so on — the hacker can reprogramme these systems or add false data with the possibility of causing substantial damage and financial losses. In both cases, he can introduce "viruses" or "worms", that is, programmes that replicate themselves and either use up the capacity of the system or delete existing programmes or data.
That is why we have added to the measures recommended by the Law Reform Commission in relation to damage to tangible property a number of provisions to ensure that any interference with data held on computerised systems will be equated with damage and be punishable accordingly. But not all hackers interfere with the data held on the target computer on every occasion that they engage in this activity. They may not have any particular computer system in mind when they start off and be merely seeking to log on to the first system they gain access to, whatever it may turn out to be. And when they do gain access, they may be satisfied just to "look around" it without modifying the data in any way or they may want to proceed further into the system but find that they are unable to do so because they cannot penetrate the level of security provided by it.
It could be argued that hacking activity which does not result in data or programs being modified — the "looking around" activity I have mentioned — should not be made an offence on the grounds that, first, what is involved is merely a breach of confidentiality and, second, that such breaches are not punishable under the criminal law except in two cases, these being breaches of the Official Secrets Act, 1963, or of section 22 of the Data Protection Act, 1988, which makes it an offence to disclose personal data that has been improperly obtained. I think that many people would regard the breach of confidentiality as sufficient, without more, to justify criminalising this activity and I sympathise with that view but the Government's reason for doing so is based on other grounds.
The fact is that hacking is a matter of major and legitimate concern to users of computer systems. To counter it, ever more sophisticated security measures have to be put in place which reduce their speed and efficiency. In addition, the systems must be monitored regularly to check whether there have been unauthorised attempts at entry. If any instance of hacking, however trivial, is detected it must be investigated to see if any damage has been caused. Even if it has not, it may be advisable to close down the system and rewrite the software completely as a precaution. In particular, hacking into operational computer systems, such as those I have mentioned — and they include such operations as air traffic control — could have most serious consequences. That is why in recent years any form of unauthorised access to computer systems has been made an offence in many countries, including the US, Canada, the UK, the Netherlands, Germany, Iceland and France.
Section 5, then, makes it an offence merely to access or attempt to access data or, as the section puts it, to operate a computer with intent to access any data that are kept either inside or outside the State. It applies whether any data are actually accessed and whether the intention is to access any particular data. It will also be an offence under our law for anyone abroad to try to access data kept on a computer here. The offence is punishable on summary conviction by a £500 fine or imprisonment for a maximum term of three months or by both a fine and imprisonment. Of course, if as part of the hacking activity any data are modified, the modification constitutes an offence under section 2 and makes the hacker liable to the far heavier penalties provided there. Also, a person who is found not guilty of modifying data under section 2 may be found guilty, if the facts justify it, of the lesser offence of unauthorised access under section 5. That is provided by section 7 (3).
Before leaving secion 5, I should explain that it does not cover what is called electronic eavesdropping, that is, the remote monitoring of electromagnetic emissions from computer equipment. It is possible to pick up the radiation from a computer screen in much the same way as radio or television transmissions are picked up and to convert this radiation into an image on the eavesdropper's own computer screen. But all that can be seen on that screen is whatever happens to be on the screen that is being monitored at that particular time and, in practice, the results are likely to be unsatisfactory because of the limited strength of the radiation — and consequently the limited area over which it can be received — and also because of its susceptibility to electrical inter-eference. This kind of surveillance is essentially no different from any other kind of electronic eavesdropping of current activities. It is "passive" and does not have the potential, as hacking does, of reading all the data files of the company being hacked or of going further and manipulating or even rendering useless its entire information system.
I should now like to refer to the provision being made for the mental element in the offence of damage to property. Under the Malicious Damage Act, 1861, damage had to be done "maliciously". Ever since 1861 this term has been interpreted as meaning intentionally or recklessly and the word "recklessly" has been given a subjective meaning. In other words, a person would be regarded as reckless only if he had foreseen that the particular kind of harm which in fact was done might be done and yet had gone on to take the risk of it. The Bill incorporates that subjective definition of "reckless" in section 2 (6) to make it clear that there is no intention of making any change in the traditional interpretation of the "malicious" element in the offence of criminal damage.
I may say that the Law Reform Commission, while equally anxious to ensure that a subjective interpretation of "reckless" would be retained, proposed a formulation taken from the tentative draft of the United States Model Penal Code. However, this proposal was made on the basis that there would be a common approach to the mental element — the mens rea— in criminal offences generally, unless there were special reasons for adopting a different approach having regard to the particular offence under consideration. The Government took the view, pending the adoption of a common standard of recklessness under the general criminal law, that it would be better to retain the traditional formula.
It was also a requirement under the 1861 Act that damage had to be done "unlawfully" and this element in the offence is being retained by the use of the words "without lawful excuse". Some of the circumstances in which an accused person may have a lawful excuse are set out in section 6 but these special defences are without prejudice to any other lawful defences that a person may have under the existing law, such as the defence of necessity. Under section 6 a person who damages property, or modifies data, will have a lawful excuse if he has an honest belief that the person entitled to consent to or authorise the damage or modification had in fact done so or would have done so had he known the circumstances.
The other special defence provided by the section is an honest belief that it was reasonable to do the damage, or make the modification, to protect oneself or another or to protect property belonging to oneself or another or a right or interest in property which was, or which he believed to be, vested in himself or another. In that case there must also be an honest belief in the immediate necessity of protection and in the reasonableness of the means of protection adopted or proposed to be adopted. Neither of these defences applies if there is a life endangering element in the damaging of the property. Accordingly, the operation of the section does not extend to the aggravated offence of damage under section 2 (2), to threats to cause damage or to possession of something with intent to cause damage with it, where the threat or intention relates to damaging property in a way which the offender knows is likely to endanger the life of another.
Section 7 (2) introduces a procedure aimed at avoiding what the Law Reform Commission describe as an element of unreality in requiring the owner of damaged property to identify the property as his in cases where it patently does not belong to the accused and also to say that he gave no one permission to damage the property. Under this provision, in prosecutions in relation to damage to property belonging to another, it will not be necessary for the prosecution to name the person to whom the property belongs and it will be presumed, until the contrary is shown, that the property belongs to another. It will also be presumed, again until the contrary is shown, that the person entitled to consent to or authorise the damage concerned had not done so. The latter presumption will also apply to modifications of data but only where the person charged is not an employee or agent of the person keeping the data.
It would be unreasonable to have such a presumption for employees because there can often be genuine misunderstandings about the extent of an employee's authorisation to access and modify data. So, if an employee is charged with modifying data without authorisation it will be up to the prosecution to prove the absence of authorisation in the normal way. The presumption will apply to unauthorised modifications of data only where the person charged has no connection with the person or firm whose data are being hacked.
Section 9 enables a court to require a person who has been convicted of damaging property to pay the owner compensation not exceeding the amount of the damages that in the court's opinion would be recovered in a civil action. The object is to ensure as far as possible that offenders who can afford to pay for the damage are made to do so, or to start doing so, as quickly as possible. But, as a practical matter, it will not be always possible for the convicting court to establish who the owner of the damaged property is and the exact extent of the damage and the cost of making it good. So it will be utilised only where the owner is identified and where the approximate cost of making good the damage is readily ascertainable.
The section also requires the court to have regard to the convicted person's means so far as they appear or are known to the court. Again, the object here is to try to ensure that the compensation order can be realistically enforced without causing hardship. Special provision is made where the convicted person is under 17 and the court is empowered under section 99 of the Children Act, 1908, to order the fine, damages or costs awarded to be paid by the parent or guardian instead of by the child or young person. In such a case the court must have regard to the means of the parent or guardian. Payment of the compensation may be made by instalments so long as the period of payment does not extend beyond 12 months. The object of imposing a maximum limit on the repayment period is to ensure that payment cannot be so prolonged as to be oppressive or indeed unrealistic.
The section, in effect, allows the court to give preference to making a compensation order rather than imposing a fine where it seems to it that the means of the offender are insufficient to pay both an appropriate fine and appropriate compensation, though in such a case it may impose a fine as well if the offender can afford to pay it.
The Law Reform Commission also recommended that criminal damage offences should cease to be scheduled under the Offences Against the State Act, 1939. Scheduling these offences means that a person may be arrested under section 30 of that Act for a malicious damage offence and be detained for up to 48 hours, during which period he may be questioned about other offences. The commission concluded that the scheduling of malicious damage offences could not be justified as being necessary to investigate other offences and that it led to unnecessary confusion and expense.
This recommendation of the commission is not relevant to the proposed Bill as the scheduling, or descheduling, of an offence is a matter to be effected by a Government order under section 36 of the 1939 Act. Section 36 (3) provides that, whenever the Government are satisfied that the effective administration of justice and the preservation of public peace and order can be secured through the medium of the ordinary courts in relation to offences of any particular class or kind or under any particular enactment, it may by order declare that those offences shall cease to be scheduled offences. The need to continue scheduling particular offences is reviewed periodically but at this juncture I do not propose asking the Government to deschedule malicious damage offences. In any event, the matter will come up for review by the Government when the Bill becomes law, as that will necessitate a consequential amendment of the scheduling order, which, as it stands, refers to provisions of the 1861 Act which are now proposed for repeal.
The repeals effected by the Bill make it necessary to make a consequential amendment to the Criminal Law (Jurisdiction) Act, 1976. The 1976 Act extended the State's criminal jurisdiction to certain acts done in Northern Ireland that, if done in the State, would constitute one of the offences specified in the Schedule to that Act. Corresponding legislation was enacted in the UK. These offences include the common law offence of arson, which the Bill proposes to abolish, and sections 1 to 7 of the 1861 Act dealing with arson offences, which sections are being repealed.
When the 1976 Act was passed, the 1861 Act applied both here and in Northern Ireland, but in 1977 the provisions of the English 1971 Criminal Damage Act were extended by order to Northern Ireland, resulting in the abolition of the common law offence of arson and the repeal of sections 1 to 7 of the 1861 Act. However, in order to maintain the necessary correspondence between the offences specified in the 1976 Act and those applying in Northern Ireland, the order provided that, for the purposes of the UK legislation, the abolition of the common law offence of arson would not have effect in Northern Ireland and that sections 1 to 7 of the 1861 Act would continue to apply there.
I believe that the criminal law jurisdiction legislation here and in the UK should reflect the changes that have been made in UK criminal damage law and those we are now proposing to make in Irish law. Section 14 (4) proposes, therefore, to update the Schedule of offences in the 1976 Act to take account of the changes being made by the Bill and to bring this provision into operation when a reciprocal amendment has been made in the corresponding UK legislation. In the meantime the necessary correspondence with Northern Ireland law is being preserved by section 14 (3).
In conclusion, I think it is fair to say that the Bill is a useful and practical measure of law reform. On behalf of the Government I wish to express thanks and appreciation to the chairman and members of the Law Reform Commission for their excellent report, which has greatly facilitated the preparation of this much needed amendment of the law. The Bill is, I think, non-controversial and I commend it to the House.