by Daniel Shap
Co-founder, The Legal Group for the Internet in Canada (LoGIC)
Section 342.1
Section 342.1 of the Criminal Code of Canada is part of a series of new "high tech" crimes that were introduced a few years back. The Criminal Code was also amended in order to expand the definition of "mischief" (see s. 430) to include anyone who wilfully obstructs, interrupts, interferes, alters or destroys data.
The purpose of s.342.1 was, amongst other things, to prohibit anyone from making use of a computer system "fraudulently and without colour of right". In other words, if you use a computer system when you're not suppose to, or in a way that you know you're not suppose to, you may be committing an offence.
In creating a new category crime which prohibits the unauthorized use of a computer system, the Canadian government was presumably trying to pass a law which would allow the police to control computer hackers.
The term "hacker" is generally held to mean one of two different things
(1) anyone who likes to fiddle around (a technical term) with computers and their software; or
(2) a person who breaks into computer systems.
Unfortunately, the s.342.1 of the Criminal Code doesn't draw such a fine distinction. According to the law, if you use a computer system that you weren't suppose to, and you know it, then your guilty of an offence and could be liable for imprisonment "for a term not exceeding ten years". But the law's clear cut distinction between authorized and unauthorized use a computer system may have some very serious implications for Canadians everywhere. That's because many of the service contracts that Canadians enter into nowadays contain language which limits their right to transfer or assign the use of the service to any other person.
For example, if you have an inter-branch banking card, the kind that you use to withdraw money from an automatic teller machine (ATM) then you've probably already signed an agreement with the bank that reads something like this:
"This card belongs to the bank and is not the personal property of the card holder.
The card holder agrees not to give this card or the password to anyone and the card holder will notify the bank as soon as possible if and when it is discovered that someone other than the card holder knows or may know the password..."
So if you give your bank card to a friend so that he or she can pay your bills or make a withdrawal for you, your friend could be charged under s. 342.1 of the Criminal Code.
The same type of restrictions may apply to your telephone answering service (arguably a computer system) and to your Prodigy or Compuserve accounts. In each case, the account and password are intended "for your eyes only".
But would anyone actually prosecute these cases, you might ask. Wouldn't banks and phone companies rather deal with these issues privately, rather than drag them through the courts and risk all the publicity and possible embarrassment associated with a trial? The answer, in most cases, is yes. Banks do, in fact, prefer to deal with these types of cases privately. One Toronto bank manager told me that even though Canadian banks are facing a growing number of cases in which people are caught using their friend's banking cards, the banks prefer to deal with the matter privately.
On the other hand, universities and employers are two groups of computer owners who actually welcome the publicity and exposure associated with criminals trial. Universities administer gigantic computer systems which are used by thousands of staff and students on a daily basis. The people who are hired to run these computers have a tremendous responsibility and, generally speaking, not enough resources to do their job. As a result, the universities prefer to see unauthorized users prosecuted under the criminal law, since it provides a powerful form of deterrence against future abuses. The rationale is that if people know that they're likely to face criminal charges if they're caught misusing a university computer, maybe they'll think twice before they abuse their own, or someone else's, account.
The idea that universities or employers can rely on the criminal law to protect their computer systems (and their telephone systems - see s. 326 of the Criminal Code of Canada which prohibits the theft of a telecommunication service) raises the following important question: to what extent should the criminal law be used to enforce private agreements?
Its an interesting question and one that deserves further looking into. On the one hand, anyone who gives their password to a friend is an accomplice to a crime and could be prosecuted as such under s. 21 of the Criminal Code. On the other hand, giving your password to someone is merely a breach of your contractual agreement with the owner of the computer system. Should you be liable for criminal sanctions for the mere breach of a contract? And if you shouldn't be liable, why should the person who you gave the password to be liable. The easy answer is, of course, that the person you gave the password to hasn't entered into a contractual arrangement with the owner of the computer. But imagine for a moment that the person you gave the password to has entered into an agreement with the computer owner (e.g. another university student). If you give the password to that person, can the computer owner still try to go outside the terms of the private agreement that binds you and seek criminal sanctions?
Another interesting point is whether the password has to be given to anyone at all in order to constitute an offence under s. 342.1. Say, for example, that you are a university student with a computer account. The university has informed you that the account can be used only for the purposes of your course work and e-mail, but not for reading Usenet news. After diligently using your account for the sole purposes of calculating integrals and sending e-mail to your Aunt May in Alberta, you finally submit to the overwhelming temptation to read alt.sex.walter_mathau. After several months, and countless computer cycles later, you are informed by the university's computing staff that they have been "monitoring your activities" and that you have made "unauthorized use of a computer" system. Should the university be restricted to the terms of its contract with you, or can it go outside the contract and request criminal sanctions?
If it seems far fetched that the university would press charges in the circumstances just described, try to imagine this scenario. A private detective needs to get the criminal record of a person she's investigating to see if he can dig up any smut. She calls up her policeman friend, who happens to work in the records department, and asks him to pull the file. He sits down at his computer terminal and calls up the record, then he prints it and gives it to the his detective friend. Section 342.1(c) states the everyone who, fraudulently and without colour of right "uses or causes to be used, directly or indirectly, a computer system..." is guillty of an offence. While its true in this example that the private detective doesn't have a contract with the police department to shield her from criminal prosecution, the police officer who actually used the computer does. Should the police officer be charge with the unauthorized use of a computer system or should his employer be restricted to the terms of the employment contract?
In the final analysis, Canadians have to have to ask themselves if they are satisfied with the existing laws, like s. 342.1, designed to protect society against the unlawful use of computer systems. Ultimately, it will have to be left up to all Canadians to decide if they feel that the existing laws are to broad or too narrow. Some people may argue that the law is fine as it stands and that its only a question of degree and willingness to enforce the law. As one criminal law teacher put it, "its a crime to steal pencils from your office, but its never enforced." Well, hardly ever.