ARTICLE: The Viability Of The Malaysian Computer Crimes Act In Defining 'Computers' In The Modern Malware-infested Environment
By Rizal Rahman*
Abstract:
Defining
"computers" without taking into consideration the future implications
of such a definition has created a divide between law and new ICT innovations.
The definition provided for in the Malaysian Computer Crimes Act 1997 takes a
similar form to the one in the Computer Fraud and Abuse Act of the United
States, but uses the conjunctive "and" instead of "or".
While it was observed as a drawback years after the Computer Crimes Act 1997
was passed, it had not been considered as being fatal to the application of the
Act. This was mostly due to the fact that computers in the era were limited to
desktop computers and laptops with features befitting the definition. At the
same time, the usage of computers was not as widespread as today for reasons
of affordability and awareness. Deployment of traditional malware (viruses,
worms and Trojans) for ulterior purposes was rather limited to professional
hackers with skills only shared with the hacking underground. Beyond that,
there was the random infection of computers with offline malware by way of
sneakernetting, but the problem was always taken as more technical than legal.
However,
recent advancement in technology has contributed to the emergence of smart
mobile devices and hybrid innovations in the mass market. Not only have malware
been developed for mobile and hybrid devices, certain malware developed for PC
or Mac have the ability to transform themselves to infect those devices as
well. There is ambiguity as to whether new forms of mobile devices and hybrid innovations
would fall under the ambit of the definition, despite the fact that they are
recognised as computers in the ICT arena at large. This has the potential of
placing users in a state of uncertainty and also exposure to the possibility of
unfair treatment under the law.
1. Finding A Workable Definition
A
submission as to whether particular legislation is extensive enough to cover
malware has to be based on the legislation's very basic structure and
philosophy. A mere preamble or long title may declare the purpose of the
legislation as intended by the legislature, but the wording of such a preamble
or title has to be clearly understood.
As
far as the Malaysian Computer Crimes Act 1997 (hereinafter referred to as CCA)
is concerned, the Long Title declares it to be "an Act to provide for
offences relating to the misuse of computers". Such a general
"declaration" could have directly suggested that malware invasion is
covered by the Act, but regrettably the word "computer" is further
defined by the Act.
It
is a prudent move for the legislature to define the core of a statute to avoid
misleading interpretation in its application. However, when ICT is involved, a
definition that is too specific will pose a problem greater than any
misinterpretation of the law by legal practitioners.
Misinterpretation
by legal practitioners is at least rebuttable in a court of law, but an already
flawed statutory definition is a peril to justice as there is nothing more that
can be done by the judges, prosecution and lawyers than adhere to the
definition "as is". This is because it is a settled legal principle
that a statutory definition, once provided, prevails over other definitions,
however relevant and justifiable they might appear to be in the eye of justice.
As Sommer put it:[1]
A
lust to define the future can be very dangerous, especially when we cannot even
agree on the present. A lust to define the law of the future is even worse,
since law tends to evolve through an inductive accretion of experience.
The
above argument may have sounded too pessimistic, but a realistic approach is
highly necessary. Looking at the definition in the Act, "computer" is
defined as:[2]
...an
electronic, magnetic, optical, electrochemical, or other data processing
device, or a group of such interconnected or related devices, performing
logical, arithmetic, storage and display functions, and includes any data
storage facility or communications facility directly related to or operating in
conjunction with such device or group of such interconnected or related
devices, but does not include an automated typewriter or typesetter, or a
portable hand held calculator or other similar device which is non-programmable
or which does not contain any data storage facility. (Emphasis added).
Azmil
pointed out that the definition is more or less a derivative of the definition
in s. 1030 (e) (1) of the Computer Fraud and Abuse Act 1984 of the United
States, save for the fact that the latter uses "or" instead of
"and".[3] However, the most disturbing conclusion that can be derived
from the above provision is that, though it is intended to be specific, it is
too restrictive and limited as far as the developing nature of a computer in
real world ICT perspectives is concerned. As there exist varied portions of computer
networks with diverse levels of "bandwidth, services and
latencies",[4] requiring that a device can only be legitimately recognised
as a computer if it performs four conjunctive mandatory functions of logical,
arithmetic, storage and display (rather than putting a condition that it
performs inter alia the four functions) is akin to placing the law on top of a
dead technology.[5] It is as if the legislature presumes that ICT technology
abruptly stops evolving the moment the law is enacted. However, some authors
argue in support of the imposition of the four conjunctive mandatory functions.
For example, Abdul Aziz and Ayub stressed that having "display
function" as part of the initial requirement for the definition is
important, since without such a function, a computer user would be like "a
blindfolded man looking for something in the dark."[6] This is in contrast
to Azmil's argument that such a function is merely peripheral to a computer.[7]
Azmil argued that computing is handled by the processor alone.[8] The monitor
running the display is to be treated in the same way as other peripheral
devices, such as the printer or the mouse.[9]
The
author is more inclined to support Azmil's argument. This is because that
argument is based on Azmil's observation of the Microsoft Computer Dictionary,
one of the contemporary leading sources of references for computer technology.
Abdul Aziz and Ayub have a good point, but their argument is simply based on
their assumptions of what a computer should be and is not validated by any
strong literature. It is understood that the conjunctive functions were imposed
by the legislature in view of the state of computers in the late 1990s.
However, when merging the restricted definition with current computer
technology, there are two main questions to be answered:
• Does the definition include mobile devices?[10]
• Does the definition include hybrid innovations?
2. Does the Definition Include Mobile Devices? If yes, is there a need to legally recognise them?
It
is important to analyse which mobile devices fall under the definition of a
computer according to the current ICT standard. A decade ago it would have been easy
to define a mobile device as a portable device used mainly for communication
(cellular phones), mini application (PDA),[11] entertainment (portable media
players) or storage (thumb drives and mobile disks).[12] Except for the PDA,
the others were not considered to be a "computer". Vivero predicted
seven years ago that mobile devices will be able at some stage to substitute
for ordinary computers, and become a reasonable target for hackers.[13] The
substitution process is already evident nowadays. The definitive line between
the devices has become blurred as their functions become integrated, with the emergence
of smartphones in the form of iPhones,[14] Windows Mobile,[15] Android[16]
phones and Symbian[17] phones (just to name a few)[18] and related devices in
the form of an iPod,[19] iPad[20] or Iconia,[21] not to mention thousands of
their imitators.
Mobile
Active Defense stressed that "smartphones are just pocketsized computers,
and just as vulnerable as your 'real' computers".[22] Traynor pointed out
that:[23]
Despite
the ever-rising amount of applications users are downloading to their phones
(including banking software), they are still viewing them simply as phones
versus mini computers... This is dangerous, because people tend to think of
their phones as innocuous, protected devices, which these days they are not.
(Emphasis added).
Despite
the devices being considered computers by ICT standards, is there really a rush
to legally acknowledge them as such? To answer this, there is a need to analyse
to what extent malware are capable of invading mobile devices.[24]
As
far as mobile phones are concerned, there was the Timofonica worm incident
which occurred a month after the notorious "I Love You" virus attack
in 2000.[25] However, the infection here was PC based rather than mobile, where
the "payload"[26] of the worm sent messages to a Short Message Service
(SMS) gateway, resulting in random text messages being sent to a Spanish mobile
phone network.[27] Nevertheless, in the same year after the incident,
Palm.Liberty.A was discovered as "the first Trojan horse program that
infects handheld devices that run the Palm OS". [28] Later in 2004,
SymbOS.Cabir was discovered as "a worm that propagates through
Bluetooth-enabled Nokia cellular telephones"[29] followed by the
Commwarrior worm in 2005 which used "Multimedia Messaging Service (MMS) as
a transport mechanism in addition to incorporating the Bluetooth-based
approach".[30] At this stage, it took an infected phone just a mere 30
feet to infect another phone, unless the user was alert enough to enable
automatic turn off.[31] Then malware started to creep in through mobile phones'
micro-payments at vending machines in some countries. [32] As for Apple
iPhones, the wide practice among users to "jailbreak" their phones,
that is, remove protection mechanisms so that their phones can run any software,
has exposed them to more attacks since 2007. [33] More recent is the
"DroidDream" malware attack on Android devices, which led Google to
withdraw 50 infected applications from the Android Market, including the
Scientific Calculator and Color Blindness Test. [34] It has now become the
practice among criminals to hide their Trojans in legitimate applications which
they sell at mobile app stores.[35]
Furnell,
commenting on the user friendly features of such devices, provided the
prediction of users being able to dial premium rate numbers and download
content otherwise chargeable for free.[36] It seems that nowadays the truth of
the prediction is far worse than expected. It was reported that there was a
steep increase in the number of reported new vulnerabilities to the mobile
operating system: from 115 in 2009 to 163 in 2010.[37]
It
is a common ICT understanding that malware have to be coded for a system before
they can infect it. The problem with mobile malware is the fact that malware
developed for PC or Mac have the ability to infect mobile devices as well.
Morales submitted that "it is practicable for a .NET virus to be
transformed to a .NETCF virus".[38] Despite this threatening ability, it
is vital to note that malware signature files distribution to mobile devices is
a daunting task, considering that "mobile phone networks have very
different characteristics in terms of limited processing power, storage
capacity and battery power".[39] The daunting task is made worse by the
existence of a single network offering both "digital and voice
services" where hackers can easily disseminate "attack packets"
to the network, further aggravated by the ability of mobile devices to connect
to the internet.[40]
Another
problem with mobile devices is that despite the fact that they are personal
items, their usage extends to the workplace, thus becoming a threat to the
workplace network environment.[41] This has been stressed by Smith who
concluded that the single biggest thing threatening any enterprise today on a
security basis is mobile technology. [42] On top of that, the common practice
among employees to save copies of their unfinished work to their mobile devices
to finish at home exposes both networks, office and home alike, to malware
threats. There are not many companies which have regulations restricting the
usage of mobile devices at the workplace,[43] and even if they do, they would
definitely be accused of trespassing into their employees' privacy.
3. Does the Definition Include Hybrid Innovations? If yes, is there a need to legally recognise them?
Televisions,
media players, digital cameras and gaming consoles are usually considered to be
electronic innovations, not computers. Although a computer can be attached to a
television or media player via a VGA, AVI or S-video cable, or WIFI, it is for
the purpose of transmitting audio or video from the computer to the television
or media player, nothing more.
However,
recent developments in technology have made them hybrid in nature since they
have embedded, built in computer capabilities.
One
used to be able to distinguish between chips for computers and chips for
electronics. But nowadays, when the chips are embedded into these hybrid
innovations, they are capable of being programmed just like any other computer
and they indeed have functions like computers. For example, media players, in
addition to their usual built in function of playing CDs, DVDs or blu-ray discs
or media files from other external devices attached to them, can now be used to
stream or download media files directly from the internet.[44] Some
televisions, which are called "computer TV" have USB connections
which are not limited to only play content from attached devices, but also can
run computer programs from Internet Protocol TV (IPTV)[45] devices to stream
videos or live shows from IPTV servers. Gaming consoles in the form of PS3,[46]
Xbox 360[47] and Nintendo Wii[48] alike, can be connected to the internet so
that users can download updates to the console's operating systems. Photos
taken from digital cameras can be emailed to anyone or uploaded to a Facebook
photo album directly from the cameras, bypassing the traditional step of
connecting them to a computer and copying the photos to the computer.[49] Do
these innovations qualify as "computers" considering they have
computer components and act like computers?
From
the ICT perspective, this issue does not really raise any concern. Whether a
hybrid innovation is a "computer" or not does not make any
difference, as long as it performs as it is designed and has a marketable
value.
However,
for the CCA, it is a big concern. There is no clear legal demarcation between
what a computer is and what is not as far as these innovations are concerned.
While users continue to be bewildered by this blindness, the most disturbing
fact is that recently there have been allegations of malware incidents
involving these innovations. One example is the uproar of PS3 users against Sony
for embedding PS3 3.56 updates which they claimed contained rootkits,[50]
similar to the 2005 incident where Sony embedded some of its CD products with
rootkits to deter piracy. Sony admitted that it had included a "security
patch" with the updates to deter "jailbreakers"[51] and
"homebrewers",[52] but denied that rootkits were embedded as well.[53]
Another
emerging problem is the abundance of illegitimate IPTV. [54] While it provides
customers with HD quality entertainment at a reduced price, since the source is
based on unsecure servers, some of which are open, it opens up opportunities
for malware perpetrators to exploit the servers and infect the streaming
contents.
Another
problem is the fact that the transmission of data from and to hybrid
innovations (and mobile devices) is not necessarily dependent on the internet
but can rely on other means of wireless communication, for example, intranet in
a local area network, WIFI and Bluetooth.[55] The finding of a 2006 study on
the spread of Bluetooth worms on 10,000 devices revealed that the spread only
takes a few days if the devices are in good condition, 24 hours on 90% of them
if they are all vulnerable and less than two days if 25% are vulnerable.[56]
Despite the fact that the order of magnitude is slower than internet worms, the
worms spread quite fast, causing "human-mediated counter-response
solutions" to be almost impractical.[57] As Viveros pointed out seven
years ago, "in either case, when the connected home also becomes a
reality, the security headache which we all share is not likely to go
away."[58] Today the security headache has become a security heart attack.
What
can be derived from the above analysis is the disturbing fact that if malware
are coded for a specific product or its component, any type of attack is
possible. If jailbreaking and homebrewing go on, the possibility is even
higher.
Lately
there have been prototypes which make use of computer engineering, programming
and communication to better enhance users' easy access to information. The best
example would be the Sixthsense, a prototype developed by Pranav Mistry, a
research assistant and PhD student at the MIT Media Lab.[59] The innovation,
however, has been viewed as precarious, as it may lead to technological
addiction. This is because unlike other mobile devices, Sixthsense is
integrated with human physics, making it more personal to the users' experience.
As the devices provide information on the go for the users, the stimulation of
human creative thinking and analytical judgement would be affected. Another
problem is the issue as to who determines the accuracy of the information and
data accessed by the devices.
Despite
the above argument, Sixthsense and other similar devices will continue to be
developed, and it is possible for those devices to be developed in nano[60]
forms for convenience. If that occurs, users would have the devices attached to
or even embedded under their skin to conveniently assist them in making
decisions and accessing information in a timely manner. While the existing
hybrid innovations already pose a problem when it comes to setting down a clear
demarcation between what is "computer" and what is not, these
emerging breeds of hybrid innovation are certainly going to make the
demarcation even more difficult to achieve.
4. The Need for an Extensive Legal Definition
The
previous analysis points towards one conclusion: there is an imminent danger,
lurking in mobile devices and hybrid innovations, of which users are not
typically aware. There is definitely an urgent need for the CCA definition to
be extensive enough to cover these devices and innovations.
Comparing
the CCA with other legislation, what can actually be seen is restrictiveness as
opposed to flexibility. A close example is the old s. 3 of the Malaysian
Evidence Act 1950 which states:
"Computer"
means any device for recording, storing, processing, retrieving or producing
any information or other matter, or for performing any one or more of those
functions, by whatever name or description such device is called; and where two
or more computers carry out any one or more of those functions in combination
or in succession or otherwise howsoever conjointly, they shall be treated as a
single computer. (Emphasis added).
The
Evidence Act was amended in 1993 to include the above definition. That was an
era where computer technology was still in its infancy. However, the legislature
had acted wisely by providing a flexible definition which can now be
interpreted to include mobile devices. The courts in Malaysia have made full
use of the flexible definition. For example, referring to the definition of
"documents" and "computers" in s.3, the court in Ahmad
Najib Bin Aris v. Public Prosecutor[61] held that a CCTV tape falls within both
definitions. In an earlier case, Hanafi bin Mat Hassan v. Public
Prosecutor,[62] the Court of Appeal, referring to the same provision, agreed
with the finding of the lower court that ticket machines were computers:
I
was satisfied that the ticket machines installed on the buses were computers.
There was the evidence... to the effect that the ticket machines recorded and
stored information and produced tickets, status reports, shift reports, TLO
reports and audit reports. Thus they were devices for recording, storing, and
producing information...(Emphasis added).
However,
it has been very unfortunate that the Malaysian legislature decided to amend the
old s. 3 of the Evidence Act in 2012. On the ground that the definition of
"computer" needs streamlining with the CCA, the whole definition was
deleted, and replaced with a "brand new" content, which is a carbon
copy of the definition of "computer" under s. 3 CCA. It seems that
instead of moving forward, the Malaysian legislature has decided to retreat
backwards to the restricted feature of the CCA.
With
the Evidence Act falling into the same rigidity as the CCA, we need to explore
other legislation for flexibility. One provision that could be referred to is
the definition in the Computer Misuse Act 1993 of Singapore (hereinafter
referred to as "the SCMA"), which is almost in pari materia to the
CCA. Section 2 of the SCMA states:
"computer"
means an electronic, magnetic, optical, electrochemical, or other data
processing device, or a group of such interconnected or related devices,
performing logical, arithmetic, or storage functions, and includes any data
storage facility or communications facility directly related to or operating in
conjunction with such device or group of such interconnected or related
devices, but does not include -
(a) an automated typewriter or typesetter;
(b) a portable hand-held calculator;
(c) a similar device which is non-programmable or which does not contain any data storage facility; or
(d) such other device as the Minister may, by notification in the Gazette, prescribe; (Emphasis added).
The
above provision seems more practical and flexible as the words used are
"performing logical, arithmetic, or storage functions".[63] This
means that the SCMA does not require the functions to conjunctively exist
before a device can be identified as a computer. The SCMA also does not state
anything about "display functions" to be an essential feature of a
"computer" compared to the CCA. The flexible functions of computers
in the SCMA had been applied by the court in Public Prosecutor v. Muhammad
Nuzaihan Bin Kamal Luddin,[64] where the accused was convicted, inter alia, for
the offence of unauthorised access to computer materials and unauthorised
modification of the contents of a computer under ss 3(1) and 5(1) of the SCMA.
The "computers" which were the subject matter of the case were
actually "proxy servers." If a similar case were brought in the
Malaysian court, the accused would be acquitted, on the basis that a
proxy server only runs storage functions, thus it does not fulfil the remaining
three conjunctive criteria as a computer under the CCA.
The
CCA drafting is almost akin to that of the Indian Information Technology Act
2000 (hereinafter referred to as "the ITA"), where the words used are
"performs logical, arithmetic, and memory functions".[65]
Nevertheless, it can be argued that the usage of "and" instead of
"or" does not necessarily lead to a conjunctive interpretation, by
resorting to the test developed in R v. Oakes.[66] In that case, the court
decided to read the word "or" in place of the word "and" in
dealing with the words "any person who ... aids or abets and does any act
preparatory to the commission of an offence..." (the italic is mine) in s.
7 of the Official Secrets Act 1920 of the United Kingdom.[67] It was held that:
Although,
where the literal meaning of a penal statute produced an intelligible result,
there was no ground for reading in words, or changing words, according to what
might be the supposed intention of Parliament; in the present case, because of
the use of the word "and" after the word "abets" in section
7, no intelligible meaning could be given to the section, but it being clear
what the intention was, and there having been merely a faultiness of
expression, the court would read "or" for "and"...
However,
such an approach is not normally favoured in the interpretation of penal
provisions as there is a possibility that the approach is likely to have an
adverse effect on the accused. This is because it is like creating a
retrospective law, since the rule of law requires that "No one should be
punished save where he has committed a distinct breach of the law."[68]
One should always bear in mind the criticism levelled in Knuller v. Director of
Public Prosecutions[69] against the decision made in Shaw v. Director of Public
Prosecutions[70] for the creation of a new offence of "conspiracy to
corrupt public morals." Such a creation was considered to be retrospective
in nature, thus damaging to the accused person.[71]
As
stated by Sharma J in Public Prosecutor v. Sykt Perusahaan Makanan Haiwan
Bekerjasama:[72]
It
is occasionally necessary to read the conjunction 'and' as if it were 'or' so
that the meaning and intent of the Legislature can be carried out. One should,
however, be reluctant to convert 'and' into 'or' or vice-versa in a penal
statute if the result of it is going to be unfavourable to the subject but
there is no rule of law to that effect.
Since
the application of "and" as "or" involves the issue of
ambiguity in criminal statutes, we have to remember the basic principle of
every criminal implication, that is the benefit of the doubt should always be
given to the accused person. However, this inevitably grants malware criminals
a preliminary win against the CCA. Malware's transmission from and into a
computer will only be caught by the CCA as far as the computer possesses the
attributes made mandatory by the CCA definition. This ultimately leaves users
of mobile devices and hybrid innovations in the dark as to whether they are
entitled to the same legal protection as users of CCA computers.
It
is submitted that if the Malaysian legislature is to revise the existing
definition of "computer" in the CCA, it should consider adopting the
flexible definition as provided in the Evidence Act or the SCMA.
Alternatively, it could adopt a simple, realistic all-encompassing definition as
stated in the Microsoft Computer Dictionary, which describes a computer as
"any machine that does three things: accepts structured input, processes
it according to prescribed rules and produces the results as output".[73]
It could also provide the Act with an open definition, for example
"'computer' shall be understood as the current [74] ICT standard defines
it".
5. To Dispense with the Definition
To
play safe and stay current, another option that the legislature could exercise
is to dispense with the definition of "computer" altogether, similar
to the Computer Misuse Act 1990 of the United Kingdom (hereinafter referred to
as CMA), the Australian Criminal Code Act 1995 and the New Zealand Crimes Act
1961. A reference to both statutes (Australia and New Zealand) shows that they
do provide definitions for computer related terms, but not "computer"
itself.[75] The Australian Criminal Code contains provisions on computer
offences in Part 10.7, from Division 476 to 478. However, Division 476.1, which
is the interpretation provision, does not provide any definition for computers.
As
for the New Zealand Crimes Act, it contains provisions on crimes involving
computers from s. 248 to 252. However, s. 248, which provides the
interpretation for terms used in s. 245 to 252, does not state any reference as
to what a computer is. The only definition provided is "computer
system":
computer system-
(a) means-
(i) a computer; or
(ii) 2 or more interconnected computers; or
(iii) any communication links between computers or to remote terminals or another device; or
(iv) 2 or more interconnected computers combined with any communication links between computers or to remote terminals or any other device; and
(b) includes any part of the items described in paragraph (a) and all related input, output, processing, storage, software, or communication facilities, and stored data.
As
for the CMA, the reason no definition is provided is that the Law
Commission of England and Wales viewed it as unnecessary and possibly foolish
to try to define "computer". The Commission stated:[76]
...all
the attempted definitions that we have seen are so complex, in an endeavour to
be all-embracing, that they are likely to produce extensive arguments, and thus
confusion for magistrates, juries and judges.
The
move has been controversial. Dumbill argued that the absence of such definition
will possibly lead to uncertainty on how the CMA is to be applied.[77] He
however noted that the uncertainty is curable by applying common sense and the
de minimis principle.[78] Bainbridge, however, viewed it as a right step taken
by the legislature:[79]
This
is sensible in view of the rapid rate of change in the computer industry as
attempts to offer precise definitions would probably prove to be unduly
restrictive in the light of technological development. It is better to allow
the judge to use their discretion sensibly, permitting a degree of flexibility
in this respect. (Emphasis added).
Fourteen
years after the Act was passed, the absence of such a provision in the Act was
praised. In the words of the All Party Internet Group:[80]
An
All Party Parliamentary Internet Group study in 2004 considered that, with the
benefit of hindsight, there had been no difficulties resulting from the lack of
statutory definition and that the legislature should continue with the scheme
whereby such terms will be understood by the courts to have the appropriate
contemporary meaning. (Emphasis added).
Such
absence makes the CMA, the Australian Criminal Code Act 1995 and the New
Zealand Crimes Act 1961 flexible enough to cover any "computer" as
the common ICT term permits. Although it opens up more room for debate as to
whether a particular item is a "computer" or not, at least it
provides an avenue for legal discussion and does not limit legal flexibility.
It
is submitted that if the CCA were to dispense with the definition, another step
has to be taken so as to avoid judges improperly referring to devices as
"computers" when they are not fit to be treated as such.
This
is not only a problem in Malaysia but other countries as well. It was reported
in the United States that "insufficient technical capacity of the judicial
systems" is one of the factors that set hurdles to the US’s endeavour to
enforce cybercrimes and other cyberlaws.[81] At the same time, we also have to
consider the problem related to the divergence of definition that might arise
between courts of parallel jurisdiction. [82] In order to prevent the above
problems from arising, it is proposed that a permanent panel of reference,
consisting of ICT experts, has to be identified as such by the CCA. The
decision as to whether a device is a computer or not would depend on the
current inclusion of the device under the definition provided by the panel
through its periodical publications. There are two ways for these publications
to become binding in courts. First, the provision establishing such a panel
under the CCA must include a specific finality clause, a statutory term which
makes the decision of the panel final and conclusive.[83] For Malaysia, this is
not an uncommon practice.[84] Second, the issuance of the periodical
publications should be exercised through a power of delegated legislation (subsidiary
legislation) conferred by the Act.[85]
By
imposing the above two measures, the courts would be able to apply the law of
judicial notice on the publications. This will relieve a party of the burden
of having to prove that a device is a computer, thus speeding up the judicial
process. Section 56 of the Evidence Act provides that a "fact judicially
noticeable need not be proved" while s.57(1) of the Act provides that:
"The court shall take judicial notice of the following facts:
(a) all laws or regulations having the force of law now or heretofore in force or
hereafter to be in force in Malaysia or any part thereof;" (Emphasis added).
"Regulations" as provided for in the above provision, are a form of delegated legislation.
Section 3 of the Malaysian Interpretation Act 1948 defines "subsidiary
legislation" as "any proclamation, rule, regulation, order,
notification, by-law or other instrument made under any Act, Enactment,
Ordinance or other lawful authority and having legislative effect." However,
the binding effect of the above measures should not be taken as a barrier to
arguing that a particular device should not be considered as a computer. The
above measures only dispense with the need of proving that a device is a
computer. As the issue of whether a device is a computer is an issue of fact
rather than law, this means that proof to the contrary may be brought forward
to challenge it. Since the finality clause is to be incorporated in the
delegated power of the panel, the inclusion of such a clause, nevertheless,
cannot be in violation of the doctrine of excessive delegation.[86] This means
that the principle of checks and balances is still in place, since Parliament
cannot draft a blank cheque to the panel and simply put the clause in the
CCA to protect any action taken by the panel. This is in line with the
principle upheld by the Federal Court in Pengarah Tanah Dan Galian, Wilayah
Persekutuan v. Sri Lempah Enterprise Sdn Bhd:[87] "Unfettered discretion
is a contradiction in terms... Every legal power must have legal limits."
If one compares the above suggested measures and the SCMA, the SCMA reflects the
above needs to a certain extent, but in an opposite way, where the Minister is
empowered to prescribe what device is not a "computer" for the
purpose of the SCMA. While the CCA states that a computer does not include
"an automated typewriter or typesetter, a portable hand held calculator,
and a similar device which is nonprogrammable or which does not contain any
data storage facility,"[88] the SCMA, in addition to the above, states
"such other device as the Minister may, by notification in the Gazette,
prescribe."[89] Mahalingam and Williams argued that despite such power by
the Minister, "swift technological updating" may still cause
problems.[90] While this argument is true, the existence of such power at least
does not render the statutory definition of "computer" to be as rigid
as in the CCA.
At this point, it is wise to return to the late Ludwig Wittgenstein's
philosophy on definition. He argued that for terms like "game",
"number" and "family" there is no fixed boundary that can
be used to provide a definition because one simply comes to understand the use
of the terms.[91] This approach is also true when it comes to defining
"computer". With the merger of ICT and other technology, the term
becomes more extensive, and at times it is difficult to be differentiated from
its non-computer counterparts. It is thus sensible to let the term flow and fit
into its current usage and understanding, rather than attempting to
specifically define it and being unreasonably bound by its statutory
constraint.
6. Conclusion
In response to the ambiguity left by the restricted definition of
"computer", while a solution of a minor amendment to the provision by
replacing "and" with "or" might appeal, the outcome will
still be temporary. The following permanent solutions are proposed:
a. The legislature could adopt a simple, realistic all-periods definition as
provided by leading ICT references. For example, the one provided in the
Microsoft Computer Dictionary, which describes a computer as "any machine
that does three things: accepts structured input, processes it according to
prescribed rules and produces the results as output"; or
b. The legislature could adopt an open definition. For example "'computer'
shall be understood as the current ICT standard defines it"; or
c. The legislature could dispense with a definition altogether and leave the
matter to be considered by the courts; and
d. A permanent panel of reference consisting of ICT experts has to be identified
by the Act. This panel would come out with periodical inclusions of devices
into the "computer" category; and
e. The law of judicial notice in the Evidence Act has to be amended to clearly
allow judicial notice of such inclusion.
____________________________________________________________
* The author is a senior lecturer at the Faculty of Law, The National University
of Malaysia: www.ukm.my/fuu (noryn@ukm.my, idanoryn@yahoo.com).
This article first appeared in CLJ [2013] 1 LNS(A)lx and is reproduced with
permission from the Author.
Endnotes:
[1]
Joseph H. Sommer "Against Cyberlaw" (2000) 15 Berk. Tech. L.J. 1145
at 1147.
[2]
Computer Crimes Act 1997 (Malaysia), s. 2(1).
[3]
Sulaiman Azmil "Crimes on the Electronic Frontier - Some Thoughts on the Computer
Crimes Act 1997" (1997) 3 MLJA 59 at 62.
[4]
See Abhijit Bose and Kang G. Shin "On Capturing Malware Dynamics in Mobile
Power-Law Networks" (2008) Proceedings of the 4th International Conference
on Security and Privacy in Communication Networks (SecureComm'08).
[5]
See Sulaiman Azmil "Crimes on the Electronic Frontier - Some Thoughts on
the Computer Crimes Act 1997" (1997) 3 MLJA 59 at 62.
[6]
Ahmad Shamsul bin Abdul Aziz and Zainal Amin bin Ayub "Computer Crimes: Is
there a need for Legislation Reform?" (2004) Malayan Law Journal Online
Articles.
[7]
Sulaiman Azmil "Crimes on the Electronic Frontier - Some Thoughts on the Computer
Crimes Act 1997" (1997) 3 MLJA 59 at 62.
[8]
Ibid.
[9]
Ibid.
[10]
Mobile device markets and usages have seen tremendous growth in Malaysia. See Nor
Shahriza Abdul Karim, Rose Alinda Alias, Shamsul Anuar Mokhtar and Nor Zairah
Ab Rahim "Mobile Phone Adoption and Appropriation in Malaysia and the Contribution
of Age and Gender" (2009) International Conference on Information and
Multimedia Technology, IEEE Computer Society 485 at 487-489.
[11]
PDA (Personal Digital Assistant) is "a handheld computer for managing
contacts, appointments and tasks." Alan Freedman Computer Desktop
Encyclopedia (software ed, The Computer Language Company, 2007).
[12]
See Vangie Beal "The Difference between a Cell Phone, Smartphone and
PDA" (2008) Webopedia <www.webopedia.com >.
[13]
Sal Viveros "Changing Malware Threats - AV Vendor's View" (2005)
Network Security 16 at 18.
[14]
A smartphone produced by Apple. This phone uses iOS as its mobile operating system.
Apple <www.apple.com >.
[15]
A mobile operating system developed by Microsoft. It was originally known as Pocket
PC. It is now superseded by Windows Phone 7. Microsoft <www.microsoft.com>.
[16]
A mobile operating system, middleware and key applications developed by Google.
Android <www.android.com >. Middleware is a software which operates as a conversion
or translation layer, by connecting software components or people and their
applications. Alan Freedman Computer Desktop Encyclopedia (software ed, The Computer
Language Company, 2007).
[17]
A mobile operating system developed by Nokia. As at March 2011, the Symbian OS
is the second most widely used open operating system for mobile phones after Android.
See The Symbian Foundation Community <www.symbian.org >.
[18]
See Vangie Beal "The Difference between a Cell Phone, Smartphone and
PDA" (2008) Webopedia <www.webopedia.com >.
[19]
A handheld device developed by Apple. It operates as a personal digital
assistant, portable media player and game console. It can also be used as a
Wi-Fi mobile platform. Apple <www.apple.com >.
[20]
A tablet computer developed by Apple. Apple <www.apple.com >.
[21]
A tablet computer developed by Acer. Acer <www.acer.com >.
[22]
"Smartphone Security for Everyone" Mobile Active Defense
<www.mobileactivedefense.com>. Mobile Active Defense is owned by Mobile Application Development
Partners, a software development company headquartered in Atlanta, GA with
offices in Mainz, Germany and London, England.
[23]
Georgia Tech Information Security Center Emerging Cyberthreats Report 2011 (2010)
at 6.
[24]
See Mikko Hypponen "Malware Goes Mobile" (2006) Scientific American <www.sciam.com>.
[25]
See Evan Hansen "New Email Virus Bombards Mobile Phone Users" (2000) CNET
News <www.cnet.com >.
[26]
The harmful results of malicious software. Alan Freedman Computer Desktop Encyclopedia
(software ed, The Computer Language Company, 2007).
[27]
Ibid.
[28]
"Palm.Liberty.A" <www.symantec.com >.
[29]
"SymbOS.Cabir" <www.symantec.com >.
[30]
See Bob Francis "IT Managers Battle Mobile Viruses" (2005) Infoworld <www.infoworld.com>.
[31]
Jason Yuen "Virus Mobil - Ancam Telefon, Komputer Riba" (Mobile
Viruses – A Threat to Mobile Phones, Laptops) (2005) Utusan Malaysia
<www.utusan.com.my >.
[32]
Martin McKeay "What Does the Future of Malware Look Like?" (24
October 2006) Computerworld <www.computerworld.com >.
[33]
Georgia Tech Information Security Center Emerging Cyberthreats Report 2011 (2010)
at 6. See also Thomas Ricker "iPhone Hackers: 'We Have Owned the Filesystem'"
(10 July 2007) Engadget <www.engadget.com > and Adam Pash "Jailbreak
Your iPhone or iPod Touch with One Click" (29 October 2007) Lifehacker <http://lifehacker.com>.
[34]
See Aaron Gingrich "The Mother of All Android Malware Has Arrived" (1
March 2011) Android Police <www.androidpolice.com >. See also "An
Update on Android Market Security" (5 March 2011) Google Mobile Blog
<http://googlemobile.blogspot.com> and Charles Arthur "More than 50 Android Apps Found Infected with
Rootkit Malware" (2 March 2011) The Guardian <www.guardian.co.uk >.
[35]
Symantec Internet Security Threat Report - Trends for 2010 (Volume 16, 2011) at 15.
[36]
Steven Furnell "Handheld Hazards: The Rise of Malware on Mobile
Devices" (2005) Computer Fraud & Security 4 at 7.
[37]
Symantec Internet Security Threat Report - Trends for 2010 (Volume 16, 2011) at 15.
See also Ken Dunham (ed) Mobile Malware Attacks and Defense (Syngress Publishing,
Burlington, 2009), Marianne Mallen "SMS Mobile Malware Feelin' the Love"
(11 February 2011) Microsoft Malware Protection Centre <http://technet.microsoft.com>,
Bernadette Irinco "Mobile Users Unfazed by Web Threats" (28 August
2009) TrendLabs Malware Blog <www.trendmicro.com >, and "Cybercrime
Goes Mobile" (2011) Bangkok Post <www.bangkokpost.com >.
[38]
Jose Andre Morales "Threat of Renovated .NET Viruses to Mobile
Devices" (2008) Proceedings of the 46th Annual Southeast Regional
Conference on XX (ACM-SE 08) 367-372.
[39]
Hsiu-Sen Chiang and Woei-Jiunn Tsaur "Mobile Malware Behavioral Analysis and
Preventive Strategy Using Ontology" (2010) IEEE International Conference
on Social Computing / IEEE International Conference on Privacy, Security, Risk
and Trust 1080 at 1080. See also Asaf Shabtai "Malware Detection on Mobile
Devices" (2010) Eleventh International Conference on Mobile Data Management,
IEEE Computer Society, 289 at 289-290, Ashkan Sharifi Shamili, Christian Bauckhage and Tansu
Alpcan "Malware Detection on Mobile Devices using Distributed Machine Learning"
(2010) 2010 International Conference on Pattern Recognition, IEEE Computer
Society 4348 at 4348-4351, Bryan Dixon and Shivakant Mishra "On Rootkit
and Malware Detection in Smartphones" (2010) International Conference on Dependable
Systems and Networks Workshops (DSN-W), IEEE Computer Society 162 at 162-163.
[40]
Michael P. Gallaher, Albert N. Link, Brent Rowe Cyber Security: Economic Strategies
and Public Policy Alternatives (Edward Elgar Publishing Ltd, Cheltenham, 2008)
at 35.
[41]
Steven Furnell "Handheld Hazards: The Rise of Malware on Mobile
Devices" (2005) Computer Fraud & Security 4 at 7.
[42]
Georgia Tech Information Security Center Emerging Cyberthreats Report 2011 (2010)
at 6. See also David Linsalata (analyst) Mobile Malware: The Impact of Malicious
Code on Mobile Phones (IDC Research, 2005), and Ken Dunham (ed) Mobile Malware
Attacks and Defense (Syngress Publishing, Burlington, 2009).
[43]
Steven Furnell "Handheld Hazards: The Rise of Malware on Mobile
Devices" (2005) Computer Fraud & Security 4 at 7.
[44]
For example, AppleTV and Google TV. Apple TV is "a digital media hub from Apple
that connects to an HDTV set, enabling music, movies and photos to be streamed
over a wired or wireless home network", while Google TV is the
"Internet TV capability from Google" which "lets users surf the
Web and download and run Android apps full screen or in a picture-in-picture
window while watching TV."
Alan Freedman Computer Desktop Encyclopedia (software ed, The Computer Language
Company, 2007).
[45]
"Also called "TV over IP" and "Internet TV," IPTV
refers to the delivery of scheduled and video-on-demand (VOD) TV programs and
movies over the Internet." Alan Freedman Computer Desktop Encyclopedia
(software ed, The Computer Language Company, 2007).
[46]
A gaming console developed by Sony. Playstation <www.playstation.com >.
[47]
A gaming console developed by Microsoft. Xbox <www.xbox.com >.
[48]
A gaming console developed by Nintendo. Nintendo <www.nintendo.com >.
[49]
See Aimee Baldridge Organize Your Digital Life: How to Store Your Photographs,
Music, Videos, & Personal Documents in a Digital World (National Geographic,
Washington, 2009) at 95.
[50]
"PlayStation members want to sue Sony for releasing 3.56 update"
(2011) PS3haxnetwork <www.ps3hax.net >.
[51]
"A jailbreak is simply the ability to run apps and use themes and tweaks
not approved by Apple." Jailbreakme <http://jailbreakme.com >.
[52]
Programmers who create new software for jailbroken systems as an alternative to
the overpriced proprietary software. See Brett Camper "Independent and Experimental
Video Games" in Mark J. P. Wolf The Video Game Explosion: A History from
PONG to Playstation and Beyond (Greenwood Press, Westport, 2008) 197 at 201-202.
[53]
See Don Reisinger "Did Sony add a rootkit to PS3 firmware update?" (2
February 2011) Cnet News <http://news.cnet.com >. See also "PS3 3.56
May Have Brought Effective Sony Rootkit" (1 February 2011) Electronista
<www.electronista.com > and "Ps3 May Have Received Possible
Permanent Jailbreak" (29 December 2010) Electronista <www.electronista.com>.
[54]
David Cotriss "New Threat: IPTV Piracy" (2011) Dailyiptv <www.dailyiptv.com>.
[55]
See Christian Gehrmann, Joakim Persson, and Ben Smeets Bluetooth Security (Artech
House, Boston, 2004) at 97-116.
[56]
Jing Su, Kelvin K. W. Chan, Andrew G. Miklas, Kenneth Po, Ali Akhavan, Stefan Saroiu,
Eyal de Lara and Ashvin Goel "A Preliminary Investigation of Worm Infections
in a Bluetooth Environment" (2006) WORM'06 9 at 15.
[57]
Ibid.
[58]
Sal Viveros "Changing Malware Threats - AV Vendor's View" (2005)
Network Security 16 at 18.
[59]
Sixthsense <www.pranavmistry.com >.
[60]
"The science of developing materials at the atomic and molecular level in
order to imbue them with special electrical and chemical properties." Alan
Freedman Computer Desktop Encyclopedia (software ed, The Computer Language
Company, 2007).
[61]
[2009] MLJU 109.
[62]
[2006] 4 MLJ 134.
[63]
Computer Misuse Act 1993 (Singapore), s. 2(1).
[64]
(2000) 1 SLR 34.
[65]
Information Technology Act 2000 (India), s. 2(1)(i).
[66]
[1959] 2 Q.B. 350.
[67]
S. 7, Official Secrets Act 1920 (United Kingdom) reads:
"Any
person who attempts to commit any offence under the [Official Secrets Act, 1911]
or this Act, or solicits or incites or endeavours to persuade another person to
commit an offence, or aids or abets and does any act preparatory to the
commission of an offence under the [Act of 1911] or this Act, shall be guilty
of an offence."
[68]
Albert Dicey An Introduction to the Study of the Law of the Constitution
(1885).
[69]
[1973] A.C. 435.
[70]
[1962] AC 220.
[71]
[1973] A.C. 435.
[72]
[1959] 2 All ER 92.
[73]
Computer Dictionary (2nd ed., Microsoft Press, 1994).
[74]
This should be based on the approach suggested in page 81 - 84 below.
[75]
Criminal Code Act 1995 (Australia), Div. 476.1, and Crimes Act 1961 (New Zealand),
s. 217.
[76]
Law Commission of England and Wales Criminal Law - Computer Misuse (Law Com.
No. 186, Cm 819, 1989) [3.39].
[77]
Eric Alexander Dumbill "Computer Misuse Act 1990 - Part 2" (1990)
140(6468) New Law Journal 1156 at 1157.
[78]
Ibid.
[79]
David Bainbridge An Introduction to Computer Law (4th ed, Pearson Education Ltd,
London, 2000) at 25.
[80]
All Party Internet Group Revision of the Computer Misuse Act: Report of an Inquiry
by the All Party Internet Group (2004).
[81]
See Government Accountability Office Cyberspace: United States Faces Challenges
in Addressing Global Cybersecurity and Governance (U.S. Government Accountability
Office, Washington DC, 2010) at 37.
[82]
For example, the Malaysian High Courts. A High Court decision does not bind one
another. See Sundralingam v. Ramanathan Chettiar [1967] 2 MLJ 211 at 213.
[83]
See Paul P. Craig Administrative Law (Sweet & Maxwell, London, 2008) at
921.
[84]
For examples of Malaysian provisions containing finality clauses, see
Arbitration Act 2005, s. 36; Banking And Financial Institutions Act 1989
(BAFIA), s. 117; Consumer Protection Act 1999, s. 116(1); Criminal Procedure
Code (Revised - 1999), s. 418A; Dangerous Drugs (Special Preventive Measures)
Act 1985, s. 11C(1); Dental Act 1971, s. 34(1)(2); Development Financial
Institutions Act 2002, s. 121; Election Offences Act 1954 (Revised - 1969)
ss 33 (4; 36 and 41; Elections Act 1958 (Revised - 1970), s. 9A; Extradition
Act 1992, s. 37(6); Fishermen's Associations Act 1971, s. 21; Geographical
Indications Act 2000, s. 31; Housing Development (Control And Licensing) Act
1966, s. 16AC(1); Immigration Act 1963, s. 59A(1); Income Tax Act 1967
(Revised - 1971), s. 97(1); Industrial Co-Ordination Act 1975, s. 13(1);
Industrial Relations Act 1967, ss. 9(5)(6) and 33B(1); Insurance Act 1996,
s. 197; Internal Security Act 1960, s. 8B(1); Land Acquisition Act 1960,
s. 8(1)(2)(3); Legal Aid Act 1971, s. 31A; Legal Profession Act 1976, s. 135;
Lembaga Kemajuan Ikan Malaysia Act 1971, s. 22; Malaysian Rubber Exchange
(Incorporation) Act 1962 (Revised - 1989), s. 94; Medical Act 1971,
ss 31(1)(2); Medical Assistants (Registration) Act 1977, s. 17(1); Official
Secrets Act 1972, s. 16A; Padi Cultivators (Control Of Rent And Security Of
Tenure) Act 1967 (Revised - 1994), s. 30; Pengurusan Danaharta Nasional Berhad
Act 1998, s. 72; Petroleum (Income Tax) Act 1967 (Revised - 1995), s. 41(1);
Printing Presses And Publications Act 1984, s. 13A(1); Real Property Gains Tax
Act 1976, s. 20(1); Rubber Industry Smallholders Development Authority Act
1972, s. 11E; Sales Tax Act 1972, s. 68; Securities Commission Act 1993,
s. 147; Societies Act 1966 (Revised - 1987), s. 18C; Street, Drainage And
Building Act 1974, ss 9(1) and s. 95(2); Telemedicine Act 1997, s. 4; Trade
Unions Act 1959 (Revised - 1982) s. 71A; and Universities And University
Colleges Act 1971, s. 16A(1).
[85]
See Edward C. Page Governing by Numbers: Delegated Legislation and Everyday Policy-Making
(Hart Publishing, Oxford, 2001) at 20-21.
[86]
A doctrine of law which operates against delegation of uncontrolled power and delegation
of power without policy and guidance in the parent Act. See Mahabir Prashad
Jain Administrative Law of Malaysia and Singapore (Malayan Law Journal, Singapore,
1980) at 39.
[87]
[1979] 1 MLJ 135. See also Page v. Hull University Visitor [1993] 1 AER 97. Lord
Griffiths stated: "In the case of bodies other than courts, in so far as
they are required to apply the law correctly. If they apply the law
incorrectly, they have not performed their duty correctly and judicial review
is available to correct their error of law so that they may make their
decisions upon a proper understanding of the law."
[88]
Computer Crimes Act (Malaysia), s. 2(1).
[89]
Computer Misuse Act (Singapore), s. 2(1). This addition was made in a 1998 amendment
to the SCMA. See Computer Misuse (Amendment) Act 1998, s. 2(a).
[90]
Indira Mahalingam Carr and Katherine S. Williams "A Step Too Far In Controlling
Computers? The Singapore Computer Misuse (Amendment) Act 1998" (2000) 8(1)
Int J Law Info Tech 48 at 49.
[91]
Ludwig Wittgenstein Philosophical Investigations (Macmillan, New York, 1953).