(Dewan Rakyat, Thursday): The Member for Parit Sulong had asked what is the basis for my choosing RM10,000. Of course, there is a basis as we cannot take the figure "from the air". I am proposing RM10,000 as the maximum fine for the offence of unauthorised access in relationship to the sentences for the same offence in the Computer Misuse Act in the United Kingdom and Singapore. Even with RM10,000 as maximum fine, we will be providing for an even higher penalty than Singapore, where the maximum fine for the same offence is S$2,000. In fact, we would already have the world’s highest penalty for the first offender for unauthorised access to computer material. However, we must guard against having a penalty which would work against our objective of encouraging the people to learn to use and master the computer.
It is the government which has failed to give a rationale for choosing a RM50,000 maximum fine for this offence.
One argument which had been advanced for such a heavy penalty for this offence is to encourage the wider use of IT. Does it mean that Singapore, with a lower penalty for this offence, is backward in general IT usage in the country? Of course not. We should admit that IT usage in Singapore is more advanced than in Malaysia, as we are quite backward whether in terms of the number of Internet subscribers or the development of the information superhighway. We must aim to catch up and even excel Singapore in IT in future. But where is the logic in the argument that we need a heavier penalty for the offence of unauthorised access so that we can be more advanced in IT usage - when Singapore is already more advanced than us in this field although it has a lower penalty for this offence?
The argument by the Member for Machang and Parit Sulong that the maximum penalty would not apply in all cases and that it is to be left to the discretion of the court to determine the actual sentence in each case is unacceptable.
When we create a new offence and decide on a maximum penalty, we cannot act in isolation but must take into consideration other laws and co-relate it to other criminal offences and penalties.
I will give an example - the case of the MP for Kota Melaka, Lim Guan Eng with regard to the charges under the Sedition Act and the Printing Presses and Publications Act. In court when arguing on sentencing, the Deputy Public Prosecutor submitted that Parliament intended to make the offence of "publishing false news" under the Printing Presses and Publications Act a more serious offence than that of an offence under the Sedition Act, because the offence of "false news" has a higher maximum penalty of RM20,000 fine or three years’ jail as compared to the offence of sedition, which is RM5,000 fine or three years’ jail.
Is Parliament now intending to make the offence of unauthorised access under the Computer Crimes Act, with a maximum penalty of RM50,000, five years’ jail or both as even more serious than the Sedition Act and the Printing Presses and Publications Act?
Have MPs and the Attorney-General’s Chambers given serious consideration as to why we want to make offences in the Computer Crimes Act even more serious than offences under the Sedition Act and the Printing Presses and Publications Act? I don’t think so.
We should have learnt from the experiences of computer crime legislation in other countries for the past 20 years so that we can have the best computer crime law in the world.
This is our advantage of coming into this sphere later than other countries, so that we can stand on the shoulders of others to have a better computer crime legislation, such as making provisions for different penalties for the same offence according to the economic losses caused, i.e. severity of sentences based on severity of losses and different sentences for first offender and repeat offenders, as is to be found in the computer crime legislation in some countries.
But we do not seem to want to stand on the shoulders of others to have the best computer crime law in the world.
I must reject the fallacious argument that having the most severe penalties for computer crimes is necessary to encourage wider usage of computers, for this would lead to the ridiculous conclusion that the way to be an information superpower is to have the most severe penalties for computer crimes.
This is to propose that the maximum sentence for the offence of unauthorised access with intent to commit or facilitate commission of further offence shall be RM100,000 and not RM150,000 as proposed in the Bill, so that there is a corresponding relationship to the maximum fines for other offences in the Bill.
I am not proposing that the maximum jail sentence of ten years be amended.
There is no dispute that computer crimes are serious. In the 21st century almost all crime against property will be perpetrated within computer systems. Furthermore, many other crimes, even violent ones, will be controlled or directed by computers. The principal reason for this will be the central role played by computer systems in storing and processing the assets of individuals and organizations, and in directing the activities of enterprises.
Furthermore, the computer industry has expanded and prospered by emphasizing speed, efficiency and product versatility. The task of maintaining the confidentiality and integrity of the information processed by computer systems has been a secondary consideration.
As a computer security has explained, any person who can dial into your computer from a telephone; submit a deck of punched cards, a magnetic tape or cassette, a floppy disk, or disk pack at your service counter for processing; send you a message by electronic mail; or write a program that you subsequently run on one of your computers can do any or all of the following:
1. Copy all of your sensitive files.
2. Juggle your accounts to cause you financial loss.
3. Reprogram computers embedded in other equipment to manufacture defective products, wreck production equipment, kill or maim employees, or launch weapons at friends and allies.
4. Erase all your computer programs and data files.
Furthermore, these things can be done not just to your computers but to any other computers with which they communicate. These adverse events can be arranged to happen at some future time when you will be most vulnerable, and they can continue as long as you use computers.
These rogue programs can disguise or erase themselves, so you may never know you have been attacked. They need leave no evidence to incriminate their perpetrator or even suggest who he or she may be, or why an attack occurred.
Computer crime is difficult to prosecute because offenders sometimes know a great deal more about computer technology than do prosecutors and judges. To cope with computer crime, the authorities must understand how computer criminals work and what legal and technological weapons can be used against them.
This is to propose that the maximum sentence for the offence of unauthorised modification under Section 5 be reduced from the proposed RM100,000 and seven years’ jail or both to RM50,000, five years’ jail, or both.
This is to bring the sentence in line with my other amendments as well to try to focus government attention on the more important aspect of computer security.
This amendment is to delete Section 8 which seeks to create a statutory presumption that any person having custody or control of any program, data or other information when he is not authorised to have it will be deemed to have obtained unauthorised access unless it is proven otherwise.
This statutory presumption will criminalise the majority of computer users in the country which is inappropriate at a time when the country wishes to popularise IT-literacy and IT-fluency among Malaysians.
There will be very few computer users in the country, or even in the world, who do not have some unauthorised programme, whether games or expired "sharewares" downloaded from the Internet. This may be a copyright problem but why should we lead the world in criminalising it under the computer crimes legislation and in the process criminalising the majority of computer users in the country?
Although Section 8 is a statutory presumption and does not create a crime, anyone who has in his custody or control an unauthorised program, data or information would be deemed to have committed an offence - and this could give rise to gross abuse of police powers in various parts of the country, whether town or kampong.
Why should we lead the world in creating such a statutory presumption that criminalises the majority of computer users when it is not to be found in other countries?
I dare say that Ministers who use computers or whose children use computers would also have some unauthorised programmes in their control or custody. Would they allow an examination of the computers in their homes? Do we want to pass a law making Ministers, Deputy Ministers, Parliamentary Secretaries and Members of Parliament who use computers to become computer criminals under this section?
Section 43 of the Copyright Act provides that the maximum penalty for a copyright offence is RM25,000 fine, three years’ jail or both, but Section 41(2) provides a presumption in favour of the consumer, which states:
"41 (2). For the purposes of paragraphs (a) to (f) of subsection (1), any person who has in his possession, custody or control three or more infringing copies of a work shall, unless the contrary is proved, be presumed to be in possession of or to import such copies otherwise than for private or domestic use."
Here we seem to have reversed this presumption in the Copyright Act, by creating a statutory presumption that a person could be guilty of the offence of unauthorised access for having in control or custody one infringing copy of a program.
I propose the introduction of a new section in the Computer Crimes Bill, which reads: "The court may dismiss a prosecution if, having regard to the nature of the conduct alleged and nature of the attendant circumstances, it finds that the defendant’s conduct did not actually cause harm or damage to any computer, computer system, computer network, or any of its data or software."
This amendment seeks to give the court the discretion to dismiss a prosecution where unauthorised access is without malice and has caused no damage, making a distinction between hacking and cracking.
This section is to provide space for hackers who have no criminal intent and who do not cause damage, and not to give shelter for criminal hackers. This section does not automatically exonerate all non-criminal hacking, but gives the court the discretion to take such circumstances into account in view of the national importance of summoning "creativity" among youths in the computer world.
I propose the insertion of new Section 13 as follows:
"13. Order for payment of compensation.
(1) The court before which a person is convicted of any offence under this Act may make an order against him for the payment by him of a sum to be fixed by the court by way of compensation to any person for any damage caused to his computer, program or data by the offence for which the sentence is passed.
(2) Any claim by a person for damages sustained by reason of the offence shall be deemed to have been satisfied to the extent of any amount which has been paid to him under an order for compensation, but the order shall not prejudice any right to a civil remedy for the recovery of damages beyond the amount of compensation paid under the order.
(3) An order of compensation under this section shall be recoverable as a civil debt."
This amendment empowers the court to order a convicted offender to pay compensation to the victim for any damage caused to his computer, program or data.
In his winding-up, Leo Moggie said that this amendment is not necessary as there is already such a provision in Section 426 of the Criminal Procedure Code where the court is empowered in criminal cases to order payment of compensation to the victims.
However, this provision in the Criminal Procedure Code is a dead provision which has never been used to compensate victims of crimes. Singapore must have such a similar provision in its Criminal Procedure Code but this does not prevent it from incorporating a provision empowering the court to order payment of compensation by a computer criminal to the victim so as to highlight the importance of such a provision in computer crime legislation.
Such a provision will give a new lease of life to the concept in crime and punishment that the punishment of the criminal by the State is not adequate and that there should also be compensation to the victim of the crime.