Executive Summary
Computer access and information storage has drastically evolved with the increase of computer usage and internet access across a wide range of areas including homes, businesses, schools and government departments. These changes make requirements for more specific laws to regulate the use of computers and storage of data as well as new forensic techniques and tools to investigate such offences.
Following this, computer forensic investigators are becoming a necessity for lawyers and barristers as support in both criminal and civil proceedings.
‘
What legislation exists in Ireland to handle computer crime?
Ireland does not have exclusive law that would deal with computer crime as such, but has two laws that can handle computer crimes. Criminal Damage Act 1991 (the ‘1991 Act’) deals with principal offences in section 2 and section 5 while Criminal Justice (Theft and Fraud Offences) Act, 2001 (the ‘2001 Act’) covers computer related offences in section 9 and section 48.
Criminal Damage Act 1991
Section 2 ‘ ‘(1) A person who without lawful excuse damages any property belonging to another intending to damage any such property or being reckless as to whether any such property would be damaged shall be guilty of an offence.’
While section 2 above does not call out specific reference to computer related crime, the definition in the statute regarding property does include offences relating to data.
Section 5 ‘ ‘(1) A person who without lawful excuse operates a computer’
(a) within the State with intent to access any data kept either within or outside the State, or
(b) outside the State with intent to access any data kept within the State,
shall, whether or not he accesses any data, be guilty of an offence and shall be liable on summary conviction to a fine not exceeding ??500 or imprisonment for a term not exceeding 3 months or both.
(2) Subsection (1) applies whether or not the person intended to access any particular data or any particular category of data or data kept by any particular person.’
This is explicit computer offences as regulates unauthorized access of data.
Criminal Justice (Theft and Fraud Offences) Act, 2001
Section 9 ‘ ‘A Person who dishonestly, whether within or outside the State, operates or causes to be operated a computer within the State with intention of making a gain for himself or herself or other, or of causing loss to another, is guilty of an offence.’
This section covers any dishonest use of a computer for personal gain or causing loss to another.
Section 48 ‘ ‘4 (b) where necessary, to seize and, for as long as necessary, retain any computer or other storage medium in which any record is kept.
(5) A member of the Garda S??och??na acting under the authority of a warrant under this section may’
(a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
(b) require any person at that place who appears to the member to have lawful access to the information in any such computer’
(i) to give to the member any password necessary to operate it,
(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.’
Section 48 gives power to Garda to seize and retain computer or storage medium in which any record is kept.
What is considered a computer crime in Ireland and Europe?
There is no clear definition of computer crime, but computer crime is any crime where we use a computer to commit the offence. Examples of crime committed by use of computer are theft of personal data, copyright violation, fraud, child pornography or bullying.
In Ireland, current legislation is not clear about computer crime and categorise computer as criminal damage under the Criminal Damage Act, 1991 or as a form of dishonesty under Criminal Justice (Theft and Fraud Offences) Act, 2001.
Regarding Europe, the Council of Europe has drafted the Convention on Cybercrime, which was open for signature on November 23rd 2001. 53 countries have signed it of which 42 have ratified it. This Convention is important international legislation as it binds countries the same way as a treaty. Convention of Cybercrime deals particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.
Ireland has signed the Convention but has not ratified it yet.
What can a Digital Forensics Investigator do legally as part of their job?
Digital forensics is an application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law.
In order to use this information to prosecute a criminal act and to avoid suppression during trial, investigator must collect evidence carefully and legally.
A digital forensics investigator has to be familiar with all applicable laws and regulatory requirements in order to be sure that evidence is not admissible in the court of law. The investigator needs to ensure that evidence gathered and processed comply with Privacy Data Protection Legislation. Such evidence has to be processed, analysed and presented in an unprejudiced way.
What are the Digital Rights of individuals and organisations under Irish law and EU law?
Under current Irish law, digital rights of individuals and organizations are covered with current Privacy and Data Protection Act and Freedom of Information Act, 1997. ePrivacy Regulations 2011, which deals with data protection for phone, E-mail, SMS and internet, use.
The European Commission has published the Code of EU online rights, which is a compilation of basic set of rights when individuals are using online services to buy goods and in case of conflict with their service provider. This Code states that everyone in the EU must have the possibility to access a minimum set of electronic communications services of good quality at an affordable price as well as ability of everyone in the EU to access and distribute any information and to run any application and service of their choice. The Code states as well that no one should be discriminated when accessing services provided online and individual rights of privacy and data protection should not be violated.
Some EU countries have gone a step further, for example France and Finland. In France, the Highest Court declared internet access as a basic Human Right, while in Finland it is the legal right of every citizen to access at least 1Mbps broadband connection.
Does international law apply in Ireland?
International law is the term given to the body of rules that governs relations between states or nations. International law is obligatory to states, and that fact gives those rules status of law.
In Irish Constitution Article 29.6 regulates international agreements, stating that international agreements have the force of the law to the extent determined by Oireachtas. This means that international agreements must be incorporated into domestic law before they are applicable within the State with exception of European Community law, which under terms of the Article 29 of the Constitution has the force of the law in the State.
How different are Irish computer crime laws to those in other countries, e.g. UK and USA?
As we have mentioned Ireland does not have computer crime laws but those offences are covered under the Criminal Damage Act and Criminal Justice (Theft and Fraud Offences) Act, 2001.
However, the UK does have an exclusive law that deals with computer related crimes. Computer Misuse Act 1990 was designed specifically to address computer misuse and defines three computer misuse offences:
‘ Unauthorised access to computer material
‘ Unauthorised access with intent to commit or facilitate commission of further offences
‘ Unauthorised modification of computer material
Comparing to Ireland or even the EU, the USA has a comprehensive number of laws, which regulate computer related offenses, and they can be divided in the following sections:
‘ Internet fraud
‘ Online Child Pornography, Child Luring, and Related Activities
‘ Internet Sale of Prescription Drugs and Controlled Substances
‘ Internet Sale of Firearms
‘ Internet Gambling
‘ Internet Sale of Alcohol
‘ Online Securities Fraud
‘ Software Piracy and Intellectual Property Theft
What are the changes to Irish IT law since 2003?
Since 2003, there have been two additions to Irish legislation regarding computer related crime.
First is District Court (Theft and Fraud Offences) Rules 2003, which was amended under the Criminal Justice (Theft and Fraud Offences) Act, 2001. Form 34.1 is a warrant that gives the following powers to members of Garda S??och??na:
‘ where necessary, to seize and, for as long as necessary, retain any computer or other storage medium in which any record is kept;
‘ to operate, or cause to be operated by a person accompanying him/her for that purpose, any computer;
‘ to require any person at the said place who appears to have lawful access to any such computer:
‘ to give him/her any password necessary to operate it,
‘ otherwise to enable him/her to examine the information accessible on any such computer in a form in which such information is visible and legible or,
‘ to produce any such information in a form in which it can be removed and in which it is or can be made visible and legible) and
The second change in Irish Law was the Criminal Justice Act 2011. This act brought changes regarding offences of dishonesty and "white collar crime". The changes have given new powers to the Garda in relation to the hand over of passwords and decryption of files as well as duty to report certain types of crime.
Other than computer crime law, what other laws would be of interest to a computer forensics investigator, e.g. data protection, etc.?
For a computer forensics investigator to do his/her job in compliance with law, apart from computer related laws he or she must be familiar with the following laws:
‘ Data Protection (Amendment) Act 2003
‘ Copyright and Related Rights Act, 2000
‘ Freedom of Information Act, 1997
‘ Criminal Evidence Act, 1992
‘ Data Protection Act, 1988
What is new with eDiscovery?
eDiscovery is the process used as evidence in a civil or criminal legal case in regard to requesting, searching and reviewing electronic information to be used.
On 22nd of March 2009, Superior Courts Rules Committee amended the Rules of Superior Courts (Discovery) 2009. The amendments were required, as the use of electronic technology in communication between parties has increased. Therefore, for discovery purposes, the word ‘document’ includes all electronically stored information.
The main changes can be summarised in the following:
One party in the process can request electronically stored information in searchable format from the other party
The court may order one party to give electronically stored information in searchable format to other party
In case the computer contains sensitive but not discoverable data the court may order an independent investigator to search for relevant electronic data
A request can be made to the court to narrow the scope of the discovery order in the case where the party giving discovery believes the search for data or documentation may be too costly or time consuming
To make discovery more comprehensible the discovery giving party must follow agreed sequence or categories in which data or documents were originally kept
A sworn affidavit of discovery by the giving parties is necessary for parties to declare they understand their obligations to provide the necessary documents and electronic data regardless if it helps or damages their case.