Computer Crimes Act
Penalties
Jurisdiction
Enforcement
In this increasingly technological world, more and more crimes are being perpetrated through the use of computers. One prevalent type of crime is 'hacking' (ie, the unauthorized infiltration of computer systems).
Earlier this year, the Malaysian Parliament's web site (www.parlimen.gov.my) was hacked by an individual known only as 'Topeira'. All information on the web site was erased and replaced with Portuguese words and the Brazilian web address for the pop group 'Garbage'.
This is not an isolated incident. It is estimated that around 50 government owned Malaysian web sites have been hacked in the last few years.
The Computer Crimes Act 1997, which came into force on June 1 2000, prohibits the unauthorized use of computers and the modification of computer records. A crime is committed under the act if:
- unauthorized access to computer material is gained;
- unauthorized access is gained with intent to commit or facilitate the commission of a further offence;
- unauthorized modification of the contents of any computer is carried out; or
- the means of access is communicated (whether directly or indirectly) to an unauthorized person.
Attempting to commit these acts, or abetting in their commission, also constitute offences.
Section 2(2) of the act states that a person secures access to a computer if he or she:
- uses, alters or erases a computer program or data;
- copies or moves a program or data to a different storage medium or location in the storage medium where it is held; or
- causes a program or data to be output from the computer in which it is held, by having it displayed or produced in any manner.
Section 2(5) further provides that access to any information held in a computer is regarded as 'unauthorized' if the person accessing the computer is not entitled to access the information and does not have the consent of an authorized person.
A person found guilty of hacking may be sentenced to a fine, imprisonment or both, depending on the crime committed.
A person who merely gains access to unauthorized material without the intention of committing a further offence will be liable to a fine of up to M$50,000, imprisonment for up to five years, or both.
A person who gains unauthorized access with intent to commit or facilitate the commission of a further offence (which involves fraud or dishonesty, or which causes injury as defined in the Penal Code) will be liable for a fine of up to M$150, 000, imprisonment for up to 10 years, or both.
The act of corrupting or removing the entire content of a web site constitutes unauthorized modification, which is prohibited under Section 5 of the act. The penalty for this crime is a fine of up to M$100,000, imprisonment for up to seven years, or both.
Recent investigations indicate that 'Topeira' may be based in another jurisdiction. Traditionally, this means that he is out of reach of Malaysian law. However, the government has recognized that such a jurisdictional limitation hinders efforts to deal with computer crimes which, generally, are borderless by nature. Thus, Section 9 of the act provides that the legislation has extra-territorial effect.
In relation to a particular offence, the nexus requirement is satisfied under Section 9 if the computer, program or data was in Malaysia or was capable of being connected or sent to, or used by or with, a computer in Malaysia at the time of the crime.
Nevertheless, perpetrators residing outside Malaysia must still be extradited if they are to be prosecuted in Malaysia. Currently, Malaysia has extradition arrangements with Indonesia, Thailand, America, Brunei and Singapore. Extradition from other countries may prove to be lengthy and complicated.
Section 10 of the act gives police officers the power to search any premises and to access, inspect and seize any computer equipment or data that will assist in the investigation of a computer crime. Further, police officers are empowered to arrest any person whom they reasonably believe has committed (or is committing) an offence under the act. A warrant is not required.
However, these powers in themselves may not be adequate for the collection of evidence with regard to hacking. Even if a hacker resides in Malaysia, the necessary evidence and data trail to link a crime with an individual may be on a server in a foreign jurisdiction. In such cases, the cooperation of relevant foreign legal systems will be required.
For further information on this topic please contact Sharon Suyin Tan or Pooi Yuee Wong at Zaid Ibrahim & Co by telephone (+603 257 9999) or by fax (+603 254 4888) or by email ([email protected] or [email protected]).
The materials contained on this web site are for general information purposes only and are subject to the disclaimer.