Malaysian cyberlaws should be of world-class standards - not just for software companies and foreign investors, but most important of all, for the people and future generations

Speech - Computer Crimes Bill 1997
by Lim Kit Siang

(Dewan Rakyat, Monday): With the introduction of the first batch of cyberlaws, Malaysia stands at a very important crossroad in our national history because this constitutes a historic step in our transition into the Digital Era in the 21st century.

Although cyberspace is borderless, it cannot be a law-free zone. One of our greatest challenges which will decide whether Malaysia can successfully make the transition into the Information Society and take its rightful place among the front rank of nations in the 21st century is whether we can devise new legal structures and concepts that will afford due recognition to the rapid changes and the new realities that would be wrought by Information Technology to lay the basis for a civil and knowledge-based society.

It should be a matter of fundamental concern that there had been very little consumer or user perspective in the drafting of the first batch of cyberbills in the country, whether the Computer Crimes Bill, the Digital Signature Bill, the Telemedicine Bill or the Copyright (Amendment) Bill.

The Multimedia Development Corporation, which described itself as "The MSC’s Super Agency" created to make the MSC a success, has a website on the Internet which contained a FAQ (Frequently Asked Questions) about the MSC which said:

If it is true that some 150 international multimedia/IT companies had been consulted on the first batch of proposed cyberlaws, it is most unfortunate that local companies and Malaysians, especially individuals and organisations who would be directly affected by the cyberlaws, like Members of Parliament, Bar Council and NGOs like the consumer organisations, had not been consulted or allowed "an influential shape MSC’s world-first cyberlaws" before the finalisation of the Bill.

There had been virtually no public participation or consultation in the drafting of the cyberbills and although I commend the government for the three-week delay in the debate on the cyberbills as it was originally scheduled that the Dewan Rakyat would begin debate on the Computer Crimes Bill and the Digital Signature Bill on 9th April to allow the multi-party Parliamentary Information Technology (IT) Committee to hold the historic Parliamentary Cyberbill Forum last Friday, there should have been an active consultation process before any bill reaches its final draft as well as more thoroughgoing and meaningful public consultation between the final draft of the bill and its enactment by Parliament.

Although last Thursday, the Prime Minister, Datuk Seri Dr. Mahathir Mohamad, announced the National Information Technology Agenda with the theme "Turning Ripples Into Tidal Waves" to take the quantum leap into Information Age, most government officials and departments are still mired in the pre-IT mindset.

For instance, there is very little understanding of the implications and potential of the Internet for facilitating access to official government information, where electronic publishing makes it feasible to post the cyberbills on the Internet at minimal marginal cost. Word-processed documents can now be easily formatted for display on a Web page, and released immediately to the world.

This is why the government had not acted on my proposal to post all the four cyberbills online. The posting of the Computer Crimes Bill and the Digital Signature Bill on the Internet by the DAP homepage has at least caused the TMnet to sheepishly post these two bills on its homepage - but the government has not taken any steps to post the Telemedicine Bill and the Copyright (Amendment) Bill on the Internet.

Call on Cabinet to give priority to present a Data Protection Bill to protect privacy in the July meeting of Parliament

The lack of consumer or user perspective is also highlighted by the absence of a Data Protection Bill to be in the first batch of cyberbills to give protection to the rights of ordinary citizens.

The time has come when those who use computers to handle personal information, whether government or the private sector, can no longer remain the sole judges of whether their own systems adequately safeguard privacy. There must be a law and a mechanism to regulate electronic or computerised data processing, where an individual has the right to access personal data about himself, to get data corrected or erased and to ensure that there is no misuse or abuse in the obtaining, holding and use of personal data.

I would urge the Cabinet to give a Data Protection Act topmost priority, and if it is not possible to present a Data Protection Bill in the current meeting of Parliament, it should be presented in the July meeting of Parliament.

The Cabinet should take serious note of the incident uncovered in San Francisco early this month where a purchaser of a used IBM Personal Computer at an Internet auction found that the hard disk contained 2,000 patient records from a supermarket chain of pharmacies.

When booting up the computer which she bought for US$159, the purchaser found that all the software that the pharmacy had used for record keeping was still on the computer’s hard disk, including patient names, addresses, social security numbers and a chronological list of all the medicine that they had bought at the pharmacy.

The value of the data in the used computer would be many times its cost.

It was later found that the computer was one of the 34 PCs leased by pharmacies in the chain and which had been returned to the leasing company when the old computer system was replaced.

This shocking episode should alert the Cabinet to the urgent need to address the problem of data protection, especially with the promotion of electronic commerce through the Digital Signature Bill and the practice of Telemedicine through the Telemedicine Bill - both of which are in the first batch of cyberbills to be passed by the current meeting of Parliament.

The Data Protection Act which Malaysia should enact should include the following eight principles, which have been adopted by some other countries:

I will submit a draft for a Data Protection Bill to the Government in June, and present a Private Member’s Bill on Data Protection if the government is not prepared to act on it, and I hope the Government would not only give time for its debate but would remove the Whip to allow all MPs the freedom to decide whether to give it support - free from political party considerations.

The lack of a consumer or user perspective can also be seen from the absence of legislative proposals to protect computer users from unfair trading practices whether from retailers, suppliers or manufacturers, whether in unfair pricing, shoddy products or atrocious after-sales service. Even Packard Bell, a prestigious brand-name product, is a disappointment - giving a one-year guarantee when three-year guarantees are now becoming the norm. Some computer companies even charge RM100 for every visit.

The Computer Crimes Bill is one bill which had been drafted without any consumer or user-perspective, which explains why it is proposing to have the most severe penalties for the same offences of computer crimes in the world.

Let me state from the outset that I support a Computer Crimes Act or a Computer Misuse Act, as the losses from computer-related crimes are potentially astronomical and legislative measures are needed to deal with computer-related crime in business and government, whether through the introduction of fraudulent records into a computer system, the alteration or destruction of computerized information or files and the stealing of financial instruments, data and other assets.

Malaysia needs a Computer Crimes Law if we are serious about the country going IT as computer crimes can cause astronomical financial losses and will be used more and more in military and intelligence attacks as national security is increasingly in the hands of computers.

However, Malaysia’s Computer Crimes Law should not criminalize the majority of the computer users in the country or seek to lead the world in having the most severe penalties for similar offences.

The Computer Crimes Bill identifies three specific offences which are modelled after the UK Computer Misuse Act 1990 and the Singapore Computer Misuse Act 1993 almost word for word, except for the penalties.

For instance, section 3(1) of the Computer Crimes Bill, which makes it an offence for any person who causes any computer to perform any function with intent to secure unauthorised access to any computer material, which reads:

However, the penalties proposed for Malaysia for the same offence would be 12 times more severe than in the United Kingdom and two-and-a-half times more severe than in Singapore for the same offence. In the Computer Crimes Bill, the penalty for committing an offence under Section 3 is up to a maximum fine of RM50,000, five years’ jail or both. In the UK Computer Misuse Act 1990, however, the penalty of such a similar offence is a maximum fine of 2,000 pounds sterling or six months’ jail or both while under the Singapore Computer Misuse Act 1993, the penalty for the same offence is a maximum fine of S$2,000 or two years’ jail or both.

Is it appropriate for Malaysia to have a penalty 12 times more severe than that provided in the United Kingdom and two-and-a-half times more severe than in Singapore? Is this the way Malaysia wants to have the "world-first cyberlaw"?

There is lively discussion on the Malaysian newsgroups on the Internet as to whether there should be a "French Spiderman" provision in the Computer Crimes Bill to exempt hackers with no criminal or malicious intent and which result in better computer security systems from prosecution.

There is merit that this proposal be given serious consideration.

An International Computer Crime Conference in New York last month was told of three recent cases in which a computer was the weapon used to commit crimes against a bank, the flying public and a 911 system in the United States.

In one, someone with a laptop computer in St. Petersburg, Russia tried to gain access to millions of dollars in a U.S. bank. In another, a convicted terrorist used a laptop to create plots to blow up a dozen U.S. airliners. In the third case, a young man in Sweden hacked his way into computers in Florida to shut down a 911 emergency call system for an hour, crippling the networks responsible for speedy responses by police, fire and ambulances.

The full resources of the state must be focussed on these cyberspace criminals and not to criminalise the majority of the computer users in the country.

Under the present Computer Crimes Bill, the young hobbyist who commits the minor trespass of unauthorised access to computers with no malice and causing no damage and who could make a contribution to strengthen the information security system in the interests of the general public would be guilty of the offence of unauthorised access under Section 3 of the Bill, which carries a maximum sentence of RM50,000 fine, five years’ jail or both - the most severe sentence for such an offence in the world!

This is most unfortunate, for it would divert attention from the real cyberspace criminals - the real highwaymen on the Information Superhighway - who could steal billions of dollars a year by illegally transferring funds, diverting payments and shaving cents off other people’s earnings.

The US Federal Bureau of Investigation’s National Computer Crimes Squad estimates that between 85 and 97 per cent of computer intrusions are not even detected. In a recent test sponsored by the US Department of Defense, the statistics were startling. Attempts were made to attack a total of 8932 systems participating in the test. 7860 of those systems were successfully penetrated. The management of only 390 of those 7860 systems detected the attacks, and only 19 of the managers reported the attack.

This is why hackers who have unauthorised access to computer systems with no malicious or criminal intent but who want to test the security of the systems may be performing a very valuable contribution not only to the targeted companies and systems but also to the computer-using public at large.

This should be a sobering reminder that having computer crimes laws is one thing, but having the capability to enforce them is another - and we are not just talking about the problem of extraterritoriality. Be that as it may, when enacting our first Computer Crimes Act, Malaysians should take vigorous part in a national discussion as to whether we should criminalise all unauthorised access - and whether this is not like "taking a sledgehammer to a nut".

I would seriously suggest that Parliament should study how other countries enact legislation to avoid criminalising young computer hobbyists for the minor trespass of unauthorised access without malice or causing damage.

Members of Parliament should consider whether Malaysia should have the toughest penalties in the world for the same offence in computer crime, where a person who is guilty of unauthorised access to computer material would be punishable by a maximum fine of RM50,000 or five years’ jail or both, or whether we should have a saving clause to exempt hackers who gain access to computers with no criminal or malicious intent and who cause no damage, as in the case of the two TMnet hackings last month - which were to highlight public unhappiness with the poor TMnet services and to point out its poor security system.

Under the Computer Crimes Bill, the two TMnet hackers would be regarded as criminals liable to the more serious charge of unauthorised modification of the contents of any computer under section 5 of the Bill, where the maximum penalties are RM100,000 fine, seven years’ jail or both - when the two hackers should be rewarded for performing a public service in trying to get TMnet to wake up from its most atrocious service and most consumer-unfriendly attitude.

Recently, the "French Spiderman", Alain Robert, was arrested by the police for trying to scale one of the Petronas Twin Towers, the world’s tallest building, on March 20 - after climbing 60 floors of the 88-storey building. However, the Attorney-General’s Chambers decided not to prefer any charges against him for trespassing.

The Computer Crimes Bill should have a "French Spiderman" provision to exempt hackers with no criminal or malicious intent and which result in better computer security systems from prosecution.

The computer crime law should make a distinction between "hacking" and "cracking", the latter connoting malicious computer meddling, while in its original technological sense, the word "hacker", coined at the Massachusetts Institute of Technology (MIT) in the 1960s, simply connoted a computer virtuoso. The 1994 edition of the New Hacker’s Dictionary defined such a person as someone "who enjoys exploring the details of programmable systems and how to stretch their capabilities; one who programs enthusiastically, even obsessively".

The ethics of "responsible hacking" included the following ideals:

The finest software pioneers in the United States were proud to be called hackers. The government should enlist the support of the computer whizz-kids who breach computer security defences for sport and could tell the experts how they do it, so as to improve on the information security systems.

The Computer Crimes Bill has a section which criminalises the majority of computer users in the country. This is Section 8 which creates a statutory presumption where any person having custody or control of any program, data or other information when he is not authorised to have it will be deemed to have obtained unauthorised access unless it is proven otherwise. This section criminalises the majority of the computer users in the country - including, I believe, journalists, government officials, MPs and Ministers who use computers.

I would like to ask the Ministers, Deputy Ministers and MPs who use computers, or whose children use computers, to declare whether they have any program or data in their computers which they are not authorised to have, which might have been downloaded from the Internet or passed to them by a friend, and whether they are prepared to pass laws which will criminalise the majority of computer users in the country, including themselves and their children?

What I cannot understand is why Malaysia should create such a computer crime to criminalise the majority of computer users in the country, when no other country that I know of has such a criminal crime in their laws.

Unless the government can give very strong and persuasive arguments as to why Section 8 is needed in Malaysia, this provision should be withdrawn and removed from the Bill.

There should be a vigorous and robust debate in the country as to whether Malaysia needs to have the most severe penalties in the world for computer crimes and a section which criminalises the majority of the computer users in the country, which will be a major setback to raise IT-consciousness among Malaysians.

Much is written and spoken on the subject of software piracy - the producing and supplying of computer programs which infringe copyright in an original work, which is estimated to have caused world-wide losses of over US$10 billion.

While not condoning software piracy, we must see this problem in its perspective, which is how to reconcile the claims of copyright owner and legitimate user.

It has been suggested for instance that 13 unauthorised copies are made of every computer game. If software piracy could be stopped overnight, it seems unlikely that the sales of computer games would rise thirteen-fold. Indeed, it might be argued that, deprived of the possibility of obtaining cheap software, some potential users would decide not to buy a computer.

The problem of piracy however is not unique to computers. In almost every area of copyright, technological developments are making it easier for copyright infringement to occur. The ubiquitous photocopier makes everyone a potential or actual copyright infringer to an extent undreamed of twenty or even ten years ago.

In fact, the producers of computer programs are more vulnerable to those who wish to copy their works than most other copyright owners. Where devices such as photocopiers or cassette recorders are used to copy a protected work, the copy will be of inferior quality to the original. This is not the case with computer programs, as because of the digital nature, every copy of a program will be identical to the original. The fiftieth or 100th generation copy will be identical to the original.

In fact, the Internet has been described as the world’s biggest copying machine. Copyright laws based on national boundaries are irrelevant in the borderless world of the Internet - a giant copying machine where anything from music to software can be duplicated and distributed at the click of the mouse.

In view of the astronomical losses that could be caused by computer intrusions, Parliament must consider the provisions in computer crime legislation in other jurisdictions, including Singapore, which provides that the court may order a person convicted of a computer crime to make a payment of a sum to be fixed by the court by way of compensation to any person for any damage caused to his computer, program or data.

It is for the above reasons that I have given notice to move six amendments to the Computer Crimes Bill during the committee stage.


*Lim Kit Siang - Malaysian Parliamentary Opposition Leader, Democratic Action Party Secretary-General & Member of Parliament for Tanjong