CLD Criminal Law Basics
Data theft: the effectiveness of the CMCA
We can be certain of one thing (and perhaps only this one in an increasingly uncertain world): there will, from now, always be business in cyber security – in fool-proofing the cloud, in blockchain technology, in coding, and everything else therein.
Data theft is a problem of our time. Truthfully a misnomer, data theft indeed does not only refer to depriving owners of their data, but also refers to making unauthorized copies of private, copyrighted data. Data theft most commonly happens when employees mishandle or purposefully leak information, the latter as most famously committed by whistle-blower Edward Snowden.
This new nature of crime is an extreme threat to corporations all around the world. They debilitate business operations and/or may distract businesses from “real” cyber-attacks such as hacking. However, when we are forced to acknowledge the nature of the internet in a world where most are digitally literate, we realize that “any threat to a computer … can affect the national security, essential services, defence or foreign relations of Singapore”[1]. In 2017, the Singapore Ministry of Defence (MINDEF) was hacked, and “the personal data of 850 national servicemen and employees [were] stolen”[2]. This was an enormous surprise, seeing as the Ministry had “on a daily level, experience[d] hundreds of thousands of cyber intrusion attempts ranging from simple probes to sophisticated cyberespionage efforts”.[3] This successful hack underscores the growing skill of hackers, our failure to keep up with too quickly evolving criminal techniques, and most of all, our own growing vulnerability.
In September of the same year, AXA, one of the most forefront insurance firms, also experienced a far-reaching cyberattack. “[P]ersonal data belonging to about 5,400 of [their] customers, past and present … was compromised”[4]; among that data: email addresses, mobile numbers, insurance policy numbers and dates of birth[5].
Once a rarity, data thefts and breaches are now part of our everyday conversation. “The SPF noted an increase in the proportion of cybercrimes to overall crime cases from 7.9 per cent in 2014 to 13.7 per cent in 2016”.[6] Criminals are realizing that there is new tenure given to them by countries such as ours, who premise most of our development on cyber infrastructure. The growing of ourselves into a “Smart Nation” is truly a double-edged sword.
In an attempt to ward ourselves against even more crushing attacks, the Computer Misuse and Cybersecurity Act (CMCA) was founded in 2013. A progeny of the Computer Misuse Act (CMA) of 1993, the CMCA is:
“An Act to make provision for securing computer material against unauthorised access or modification, to require or authorise the taking of measures to ensure cybersecurity, and for matters related thereto.”[7]
The CMCA is the main backbone of Singapore’s defence against cybercrimes. Its predecessor, the CMA, was enacted to criminalise unauthorized access or modification of data and other computer crimes, and was amended twice between 1994 and 2012 to introduce new offences that helps us keep pace with newer criminal behaviour. In 2013, the CMA was amended to include cybersecurity measures and transnational offences, both lurking dangers for Singapore. This amended CMA was simultaneously renamed the CMCA. This article aims to dissect its usefulness and role in our future.
First, there are still numerous cases that are not caught by the CMCA. The purview of the CMCA only includes nascent, non-traditional cases such as unauthorized access to data or hacking from an overseas computer. “[T]raditional crimes performed online such as online cheating, and cyber extortion” exist in the purview of the Singapore Penal Code[8], the Defamation Act[9], or the Undesirable Publications Act[10]. It is curious that Parliament did not expand the CMCA beyond its current 27 pages to include traditional cybercrimes. This may especially pose a problem when cases involve a large accumulation of offences across different pieces of legislation.
Not only this, ambiguity is littered throughout the CMCA. With this article’s subject matter in mind, we shall first direct our attention to the lack of a definition for “theft” in the CMCA. Despite data theft being omnipresent when discussing cybercrime, it is not mentioned explicitly in the legislation. Only the description of data theft is described in S.2(b) in the CMCA as the:
“cop[ying] or mov[ing] it (data) to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held.”
This definition’s narrow ambit is problematic. The CMCA’s definition of data theft only allows direct perpetrators to be punished, and does not advise on journalists, reporters, netizens, and other such parties using second-hand stolen data in the course of their work. For example, a news reporter who uses stolen private, encrypted data will not be held liable, even if they have clearly promulgated the principle of data theft. This does not mete out justice, nor serve to rectify the mischief the CMCA purportedly aims to rectify, which is that of “ensuring cybersecurity”[11]. Had ‘theft’ been defined similarly to that in the Singapore Penal Code[12], We would think that journalists, reporters, netizens, etc. would be held liable for using information obtained by illegal means, regardless of whether they had committed that illegal act by their own resources. As the law currently stands, such parties cannot be charged – S.8A of the CMCA states clearly that the usage of stolen data is only an offence if the usage facilitates or leads to the commission of any offence under any written law. Unless stolen data used is for the purposes of blameworthy acts (for example, to achieve the ends of defamation or the breaching of the Internal Security Act), parties can use stolen data indiscriminately.
We find this ludicrous. First, this freedom should not be allowed to exist for second-hand data abusers, even if they are legitimate journalists or reporters. Secondly, this allows the public at large to leverage on breached cybersecurity for profitability sake. It is thus not only a question of ethics, but also a question of drafting. Ambiguities like this would render legislation such as the CMCA useless, or ineffective, to eradicate cybercrime. This was exactly the main concern of Mr Murai Pillai in Parliamentary Debates Singapore: Official Report, vol 94 (3 April 2017). Mr Desmond Lee then later tried to assuage Mr Pillai’s worries in the same Debates, stating:
“There is nothing wrong with the journalist reporting on the hacking incident, or the researcher who works with the hacked personal information for research purposes. But it is doubtful if they would ever need to disclose the hacked personal information itself, as part of the report or research findings. For example, there is no need for them to publish details such as hacked credit card numbers, as part of the report on the hacking incident, or the research findings. Depending on the circumstances, indiscriminately making available hacked personal information may amount to an offence.”
However, we are unconvinced. Legislation should be able to stand on its own legs, and not crumble under any ambiguity. The failure to codify what the “circumstances” that constitute an offence are, courts will be forced to enforce arbitrary, uncertain standards. This does not bode well for the future of the CMCA.
Next, the usage of “Minister” in 12A(2), 15A(1), and 15A(4) of the CMCA also gives rise to much uncertainty. The CMCA accords an individual Minister supreme authority to oversee investigative bodies, much more than the courts or any another government body, such as the Singapore Police Force. This is much unlike the United States, where the Attorney-General governs investigators such as the Federal Bureau of Investigation and Court Judges may review such powers as they wish[13]. There exists an airtight check-and-balance in the United States system of investigation into such crimes. However, there seems to be a lack of safeguards to ensure utmost fairness and certainty in protecting cyber privacy in Singapore. We argue that an advisory or supervisory committee should be set up to review the decisions of the Minister, given the “sensitive, private or corporate”[14] nature of information breached through data theft.
Next, the CMCA defines cybercrimes that cause “serious harm in Singapore” worthy of criminality in 11(4) as that which causes:
- illness, injury or death of individuals in Singapore;
- a disruption of, or a serious diminution of public confidence in, the provision of any essential service within the meaning of section 15A(12) in Singapore;
- a disruption of, or a serious diminution of public confidence in, the performance of any duty or function of, or the exercise of any power by, the Government, an Organ of State, a statutory board, or a part of the Government, an Organ of State or a statutory board; or
- damage to the national security, defence or foreign relations of Singapore.
This does not assuage worries for companies that are: not only as equally vulnerable as any other Singapore government service, but also equally important to either the cyber health of Singapore or public confidence in the barriers Singapore has erected for cyber attacks. This limits the effectiveness of the CMCA, and goes against Parliament intention to eradicate cybercrimes. We are of the view that the CMCA should expand its reach to protect corporations, especially large ones such as AXA, from debilitating data thefts. A criminal who hacks into a Singapore government service should be held to the same standards of liability as one who hacks for the sake of injuring vulnerable Singaporeans.
Last but not least, there is no mention of intent in the CMCA. No allowances are made for uninformed offenders. On one hand, this will prove to be a difficult obstacle for potential defendants who operate under a bona fide mistake. On the other, this might be in line with parliamentary interest to effectively eradicate cybercrime in Singapore, regardless of whether it was done with malignance. It might also serve as a powerful incentive for employees and companies to educate themselves on these codified offences.
All in all, however, the CMCA is definitely a step in the right direction for Singapore, who will only become more reliant on cyber infrastructures in the next 50 years of our nationhood. Together with the Cyber Security Agency at the frontline, we believe that the CMCA will definitely deter cybercrime and bring us closer to the envisioned future of a country immune to crippling cyberattacks despite all its current flaws.
Written by Chow Ee Ning, class of 2021
*The views and opinions expressed in this article do not constitute legal advice and solely belong to the author and do not reflect the opinions and beliefs of the NUS Criminal Justice Club or its affiliates.
[1] Assoc. Prof. Ho Peng Kee in Parliamentary Debates Singapore: Official Report, Vol 76 at Col 3321 (10 November 2003)
[2] Loke Kok Fai, Channel NewsAsia (28 February 2017). “MINDEF Internet system breached; data stolen from national servicemen, employees”, accessed: http://www.channelnewsasia.com/news/singapore/mindef-internet-system-breached-data-stolen-from-national-servic-7617146.
[3] Mr Ong Ye Kung (for the Minister of Defence) in Parliamentary Debates Singapore: Official Report, Vol 94 (3 April 2017)
[4] Claire Huang, The Business Times (7 September 2017). “AXA policyholders’ data breached after cyber attack”, accessed: http://www.businesstimes.com.sg/companies-markets/axa-policyholders-data-breached-after-cyber-attack.
[5] Ibid.
[6] Security Agency of Singapore (2017). “Singapore Cyber Landscape 2016”, accessed: https://www.csa.gov.sg/~/media/csa/documents/publications/singaporecyberlandscape.ashx?la=en.
[7] Computer Misuse and Cybersecurity Act (Cap. 50A, 2007 Rev. Ed. Sing.)
[8] Penal Code (Cap 224, 2008 Rev. Ed. Sing.) at sections 415
[9] Defamation Act (Cap.75, 2014 Rev. Ed. Sing.) at sections 5 and 6
[10] Undesirable Publications Act (Cap. 338, 1998 Rev. Ed. Sing.) at sections 11 and 12
[11] Computer Misuse and Cybersecurity Act (Cap. 50A, 2007 Rev. Ed. Sing.)
[13] United State Code. “The Attorney General’s Guidelines for Domestic FBI Operations”, accessed: https://www.justice.gov/archive/opa/docs/guidelines.pdf.
[14] Mr Ravindran in Parliamentary Debates Singapore: Official Report, Vol 76 at Col 3321 (10 November 2003)
