The belated disclosure by Sony last month that hackers had accessed millions of customers' identity and credit card data worldwide has put the security of personal data once again into the spotlight.
Warnings of a growing internet crime wave are becoming commonplace in media reports. And with new crimes come calls for new laws.
Most Australian states now have identity crime laws, and after a delay of almost four years, federal laws have recently been enacted.
But defining what should be a crime in this area is tricky.
Clearly, it should be a crime to use someone else’s identity to commit a fraud. But should it be a crime to be in control of information that others want kept private?
The problem for police is that observing internet crime is very difficult. It can occur extremely fast and the perpetrators are often outside of Australia.
Some argue that the only way to catch these criminals is to stop them before the commit crime – catching them red-handed with the tools of their trade, like a burglar with a jemmy outside a window.
The problem is that the most common tool of internet crime is information – not specially designed burglar’s tools. Because information can be used in many different ways, it’s hard to keep boundaries on the scope of information crime.
The section NSW Crimes Act dealing with identity crime highlights this problem.
“A person who possesses identification information with the intention of committing, or of facilitating the commission of, an indictable offence is guilty of an offence,” it states. The act provides for a maximum penalty seven years imprisonment for this offence.
What constitutes identification information? It’s not just your PIN or secret passwords. It’s anything that can be used to identify you, such as your name, address, marital status, work title, and so on.
So because you are reading this, you know my name and where I work – you are now in possession of personal identification information.
Knowing this, what would be necessary to make you a criminal? To make you a criminal, the police would have to convince a court that you intended to use that information to commit a crime.
They would have to prove is that you merely intended this, not that you did anything about it.
Every time someone in a pub says, “I hate the way that bastard treated me, so I’m going to smash his car window” or “If I see that politician I am going spit at her” they may have technically already committed the offence of identity crime because they know personal information about their victim and appear to intend to commit a crime (criminal damage in the first case here, and criminal assault in the second).
Of course, this is usually mere bravado and such behaviour would never be prosecuted.
A fundamental principle of criminal law is that your wrong thoughts become crimes if you act on them. There is no murder without a dead body, no assault without a bruise or a scared victim.
This gets stretched at times to allow conviction of people who do acts that amount to attempts to do crimes, but liability is still based on an act that shows the person tried to do the crime.
This is why these new offences are objectionable. They do not allow for a defendant to say, “I thought about breaking the law, but I stopped myself and I didn’t do anything”.
Under these laws, in theory, the moment you think of a crime to do with the information, you’re guilty. I say in theory, because the police are never really going to have a viable case unless you actually do something – unless of course there is a major panic going on and police are desperately looking to charge someone.
I suspect the law here doesn’t require an act because there is a fear that it’s too hard to catch such actions online, and law enforcement would always prefer to not have to prove complex things.
From their perspective, it gives defendants more chances for a person to beat the charge.
That’s because they assume they are guilty. After all they wouldn’t have charged them if they didn’t think that.
In the end it comes down to whether you trust the police to always exercise their discretion with a full appreciation of the importance of the presumption of innocence and the basic right in a free society to think evil things – so long as those thoughts are not acted on.
Criminal laws should require proof of an act, not just as a safeguard for the innocent, but also to prevent lazy policing.
Internet crime is a serious problem, but it should never be a crime to merely know and think certain things.