Recent News
Navigating Computer Misuse Act: Offences Beyond Just Hacking
Aug 30, 2023Computer Misuse Act
The Computer Misuse Act (“CMA”) criminalizes a wide range of computer-related activities. This article will briefly discuss certain provisions of the CMA (and its corresponding punishments) with reference to some of the more common offences prosecuted under the CMA. Understanding the legal implications of these provisions is crucial for all parties in the Criminal Justice System, including criminal lawyers.
What are the common offences of the CMA? Of course, most would think (and rightly so) that acts of hacking[1] are covered under the CMA. However, the CMA goes further than that. The following are just some of the common offences under the CMA:
- The unauthorised usage a credit card;
- Unauthorised access to another’s email account;
- The unauthorised registration of pre-paid SIM cards;
- The unauthorised disclosure of access codes (such as SingPass credentials).
Provisions under the CMA
Categories (a) and (b)
The acts as set out in (a) and (b) above are criminalised under Section 3(1) of the Penal Code, which reads as follows:
“Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction —
- to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both; and
- in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.”[2]
It is sufficiently clear that Section 3(1) of the CMA is phrased in a broad manner. It captures, effectively, any unauthorized access to a computer’s data or program. Further, “Computer” is given a very broad definition under Section 2 of the CMA, which reads as follows:
““computer” means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices…”
The broadly worded nature of Sections 2 and 3(1) of the CMA naturally captures all forms of “hacking”. Given the definition of “computer”, one would also be guilty of a Section 3(1) CMA offence if one hacks into another’s handphone.
It is obvious that instances of hacking are captured by Section 3(1) of the CMA. However, as mentioned, Section 3(1) of the CMA also captures the unauthorised usage of a credit card.[3] How does that work in practice? This can be illustrated by the following simple example:
Person A is walking along Orchard Road, and chances upon a credit card that had been left on the sidewalk by Person B. Person A then takes the credit card. Person A decides to use the “Paywave” function of the credit card, given that no signature is required for such a function. Person A proceeds to have a meal at his favourite Korean restaurant located at Plaza Singapura. Person A uses the “Paywave” function to pay for the meal. The “Paywave” function involves the use of the Electronic Payment System (“EPS”) to access the programme “VISA payment network”. Since the EPS is a computer within the meaning of the CMA, Person A has caused the EPS to perform a function for the purpose of securing access without authority to a programme – “VISA payment network”. Person A has thus committed an offence under Section 3(1) of the CMA.
Category (c)
The act of registering pre-paid SIM cards under another person’s name without the said person’s authorisation is criminalised by Section 5 of the CMA, which reads as follows:
“Subject to subsection (2), any person who does any act which the person knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence and shall be liable on conviction —
- to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and
- in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.”[4]
As with Section 3(1) of the CMA, Section 5(1) of the CMA is also worded rather broadly. The phrase “unauthorised modification” is defined in Section 2(7) and Section 2(8) of the CMA. Briefly, an authorised modification can include the addition of data to a computer by a person who does not have authorisation to do so. Further, any act which contributes towards causing such a modification will be taken as causing the said modification.
Thus, a person (A) who registers SIM cards under another person’s name (B) has caused the data of B to be registered into the computer system of a telecommunication company (C) without authorization from C.
Category (d)
On its face, the disclosure of access codes is a seemingly innocuous act. However, syndicates have often made use of personal credentials for criminal activities. This is the mischief that the Section 8(1) of the CMA is designed to prevent.
Section 8(1) of the CMA reads as follows:
“Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer shall be guilty of an offence if the person did so —
- for any wrongful gain;
- for any unlawful purpose; or
- knowing that it is likely to cause wrongful loss to any person.”
An offence within the meaning of Section 8(1) of the CMA is best explained with a simple example:
Person A is asked by Person B to hand over his Singapore Personal Access (“SingPass”) details. Person B informs Person A that his SingPass credentials would be used to “sponsor” visa applications. In exchange for his SingPass details, Person B tells Person A that he will give him $300. Person A agrees, and hands over his SingPass credentials. In so doing, Person A has committed an offence under Section 8(1) of the CMA.
The punishment for an offence under Section 8(1) of the CMA is found under Section 8(2) of the CMA, which reads as follows:
“Any person guilty of an offence under subsection (1) shall be liable on conviction
- to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and
- in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.”
It should also be noted that the Ministry of Home Affairs (“MHA”) have recently proposed amendments to the CMA[5]. The amendments will bolster efforts to curb the emergence of Singpass related scams. The MHA noted as such:
“In addition, there is an emerging trend of Singpass users giving away their Singpass credentials (e.g. Singpass password and one-time password), usually for money. Using these Singpass accounts, criminals can register companies, open bank accounts and sign up for new phone lines, to facilitate the perpetration of scams or other offences. It is often hard to prosecute such Singpass users today, e.g. under the Computer Misuse Act (CMA), as the prosecution has to prove that the Singpass user knowingly disclosed his credentials for wrongful gain or unlawful purposes, or that it would cause wrongful loss, which are difficult to do.”
The MHA thus proposes to implement offences to prevent Singpass abuse. The offences are as follows:
Disclosing a User’s Own Singpass Credentials to Facilitate an Offence
It will be an offence if an individual:
- Discloses his Singpass password or access codes, or provides any other means of access to his Singpass account, and
- The individual did so, knowing or having reasonable grounds to believe that the purpose of the disclosure is to commit or facilitate the commission of an offence.
- The Singpass user will be presumed to have fulfilled condition (b), if he disclosed his Singpass credentials in any of the following situations:1
- Where he received any gain for disclosing his Singpass credentials;
- Where he disclosed his credentials knowing that the disclosure is likely to cause wrongful loss to any person; or
- Where he disclosed his credentials without taking reasonable steps to find out the identity and physical location of the person to whom he disclosed his credentials.
Obtaining or Dealing in Singpass Credentials to Facilitate Criminal Activities
It will be an offence for an individual to obtain, retain, supply, offer to supply, transmit or make available, the Singpass credentials of another person to commit or facilitate the commission of any offence.[6]
[1] In the convention sense, hacking involves gaining unauthorised access to a computer and its data
[2] Note: More severe punishments are applicable if any harm were to be caused as a result of an offence under Section 3(1) of the CMA (see Section 3(2) of the CMA)
[3] Such an offender might also be guilty of committing an offence of cheating.
[4] Note: More severe punishments are applicable if any harm were to be caused as a result of an offence under Section 5(1) of the CMA (see Section 5(2) of the CMA)
[5] https://www.mha.gov.sg/mediaroom/press-releases/amendments-to-the-corruption-drug-trafficking-and-other-serious-crimes-confiscation-of-benefits-act-and-the-computer-misuse-act/#:~:text=For%20successful%20conviction%20under%20the,are%20linked%20to%20criminal%20activity.
[6] The MHA notes that this offence is to deal with criminals who purchase Singpass credentials, and syndicates who engage in trading of Singpass credentials.