Barrie Gordon
BA (Law) LLB LLM (RAU)
Lecturer, Criminal Law
1. Introduction

In the last few years technological advances in the computer industry have been phenomenal. Just a few years ago, communicating via e-mail was a privilege not enjoyed by many. Now it is an almost indispensable business tool. The world has truly become a connected place.


This connectedness has also created a multitude of problems. Computer criminals now have the opportunity to gain access to sensitive information if they possess the necessary know-how. This can cause huge problems in the economic sphere, and costly steps must now be taken to reduce the risks.
 
This chapter looks into computer crime and the legal principles involved. Problems in the law are highlighted, and where possible a solution is proposed.
2. Computer crime defined
Computer crime covers a very wide field. At one end of the scale, it involves “traditional”, straightforward crimes, as we know them, such as theft of computer systems and hardware. At the other end of the scale, computer crime is committed by using highly technical equipment to manipulate and infiltrate computer systems that may be on the other side of the world. In essence it can be said that computer crime involves any criminal activity where a computer is involved.
 
Although computer crime spans such a wide field, it can be divided into two broad categories: the first deals with criminal activity that can be committed only by using a computer system. These crimes never existed before the advent of the computer, and a computer is absolutely essential for committing such a crime. Examples are hacking, cracking and sniffing. These crimes are exclusively created by statute.1 The second category of computer crime is much wider, and involves crimes that have existed for centuries, but are now committed by using a computer system. Obvious examples are theft of computer systems, Internet fraud and the possession and distribution of child pornography, to name but a few.
3. Computer crime v Internet crime

As this book deals with the law of the Internet, the discussion on criminal law that follows will only deal with crimes that can be committed by using the Internet. Internet crime is merely a species of the wider field of computer crime, and is therefore much narrower in scope. Crimes such as theft of computer systems, which form part of the bigger sphere of computer crime, are therefore not discussed, as normal criminal law principles make provision for punishing these kinds of crimes (in most cases anyway). For example, if a computer system or hardware is stolen, the normal principles of theft are applicable.


The Internet can be used to commit either of the two broad categories of computer crime that we have mentioned above.
4. Internet crime
4.1 “New crimes” using online systems
As already stated, these crimes did not exist before the advent of the computer. All the crimes in this category are brought about by statutory regulation. The crimes that are discussed here are hacking, cracking, the creation of malicious code such as viruses, and packet sniffing. These are crimes in many developed countries, for example the United States of America,2 and Great Britain.3 However, these activities are not regarded as crimes in South Africa, because no legislation currently exists that makes them unlawful. To remedy the situation, the South African Law Commission is currently looking at ways of criminalising certain conduct in cyberspace.4 Until this has been done, it will not be possible to criminally prosecute perpetrators who perform these acts. If a complainant wants to act against a perpetrator of such an act, he/she will have to resort to private law and institute a civil claim.

Because the sphere of computer crime is so wide, the South African Law Commission has divided the investigation of computer crime into six subdivisions:

  • to investigate the criminalising of unauthorised access to computers as well as the unauthorised modification of computer data
  • to investigate the possibility of providing for procedural aspects associated with the investigation and prosecution of these offences
  • to investigate the use of computers in committing offences such as theft and fraud
  • to investigate offences committed by means of the Internet
  • to investigate matters relating to encryption in order to protect information
  • to investigate the continuing education of the investigating and prosecuting authorities as well as the judiciary to understand and correctly apply the legislation which may be forthcoming from the investigation.5


The Law Commission regards this as a long-term project, and in the current issue paper only the first two aspects have been given attention.6
 
4.1.1 Unauthorised access to computers (“hacking” and “cracking”)
Unauthorised access to computers is commonly known as “hacking”. This simply means that the perpetrator logs into a computer network, and gains entry to it without having the necessary authority to do so. An example of this would be where a perpetrator logs into a government network by means of his7 own computer and modem, in order to look at classified documents.
 
In general, hackers gain entry to computer systems simply to find out how they work, and the perpetrator gains personal satisfaction from knowing that he fooled the system. It relatively seldom happens that a hacker damages the system, and often he simply plants a “flag”8 in the computer system to show that he had been there.
 
Crackers, however, are perpetrators who do not simply intend to gain entry to a computer system, but have ulterior motives when accessing the online system. These perpetrators will bring a computer system to a grinding halt, or will make copies of sensitive information for use in an unlawful manner.9

The phenomenon of hacking has gained much publicity in the past. It is every organisation’s nightmare that a young hacker will infiltrate a computer network from the “outside”, and crash it. This perception has created much paranoia with businesses, but if the true facts of hacking are examined, it can be seen that it seldom happens that a hacker targets a computer system and destroys it; much more commonly an employee, or ex-employee, has a grudge and takes steps to avenge himself on his erstwhile employer. The computer system is then infiltrated from the “inside”.


Because unauthorised access to a computer system is still not regarded as a crime in South Africa, the question must be asked whether some other crime could be used to prosecute unlawful access to computer networks. The South African Law Commission has specifically looked at this question, and has looked into the possibility that charges of malicious injury to property and housebreaking could perhaps be used to deal with the phenomenon of hacking.
 
When the requirements for malicious injury to property and housebreaking are considered, it seems, at first, as if the definition of these crimes could be wide enough for the law to deal with unlawful entry to computer systems. Malicious injury to property consists of unlawful and intentional damage to another person’s property,10 and housebreaking of unlawful and intentional entry into another person’s property.11 With both these crimes a very important requirement must be complied with before either malicious injury to property or housebreaking can be committed, namely that the thing damaged must be of a corporeal nature. It is unlikely that our courts will be willing to dispose of this element to include unlawful access to a computer system under the crimes of malicious injury to property or housebreaking. It seems that unlawful access to a computer system will have to be criminalised by means of a statute. The creation of statutory crimes rather than “stretching” the common law seems to be the route taken in other jurisdictions, and South Africa will probably follow suit.12
 
4.1.2 Dangerous code
Dangerous code refers to any computer program that causes destruction or harm to a computer system. This code comes in many different forms, such as viruses, Trojan horses and worms.
 
Dangerous code can, of course, also relate to computer applications that have not been properly debugged. In such an instance the computer will also malfunction, but generally speaking this kind of destructive code does not fall in the sphere of dangerous code that we envisage for purposes of this discussion, because it has not been programmed with malicious intent.
 
4.1.2.1 Virus
A virus is a very well-known form of dangerous code. It is simply a small computer program that attaches itself to a computer application or other file, and copies itself onto the user’s system. It then replicates itself to “infect” many of the host’s computer files to such an extent that it causes the computer to malfunction. If an infected file is copied onto another computer, that computer will also be infected.

4.1.2.2 Trojan horse
As in the myth of the Trojan horse, this piece of code infects from within. A hacker will usually copy a Trojan horse file to a host computer (for example a web server), disguising it in such a way that it looks very similar to a “normal” application. When the authorised user runs the application, thinking it is an ordinary application, the Trojan horse will cause harm to the computer system. A Trojan horse can also be programmed to send sensitive information, such as the change of other legitimate users’ passwords, to the programmer (hacker).
 
4.1.2.3 Worm
A worm is a small, self-contained computer program that hides itself on a computer system. Worms do not attach themselves to application files as viruses do, but simply hide themselves on the system. When a particular event occurs, the worm is triggered. Events that can trigger a worm are, for example, the change to a certain date, e.g. Friday the 13th, or the installation or removal of certain applications.
 
4.1.2.4 Legislation covering dangerous code
The Computer Fraud and Abuse Act13 in the United States of America deals with all forms of dangerous code. A person will be guilty of an offence if he transmits any destructive code or command to a computer or computer system without the authorisation of the persons or entities who own the system or who are responsible for it, or if he causes loss or damage to the amount of $1 00014 to the computer or computer system.15 On conviction of such an offence the perpetrator can be fined, or imprisoned for a maximum period of five years.16
 
Get the Computer Fraud and Abuse Act at
 
Section 3 of the Computer Misuse Act of 1990 in Great Britain states that:
 
“3(1) A Person is guilty of an offence if –

(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.”

Section 3(2) defines “requisite intent” as:
“an intent to cause a modification of the contents of any computer and by so doing –

(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data.”  
Section 3(4) clarifies what is meant by “requisite knowledge” by stating that it is “knowledge that any modification he intends to cause is unauthorised.”
 
It is clear that the Computer Misuse Act is applicable to any form of dangerous code, whether a worm, Trojan horse or virus. However, before any person can be held criminally liable it must be clear that he had the intention to cause the computer to malfunction by the introduction of the destructive code.
 
In South Africa the transmission of any form of dangerous code is not prohibited at all, and can therefore not be regarded as a crime. The only way in which these acts can be criminalised is if common law crimes such as malicious injury to property are extended so as to include the transmission of destructive code, or if a statutory crime prohibiting the said conduct is created. As stated above, in the case of unauthorised access to computers it is unlikely that common law crimes such as malicious damage to property will be extended to cover computer crimes. It seems as if legislation will be the likely route followed.
 
Saying that the transmission of destructive code is not a crime does not mean that the victim is totally without any kind of remedy. The perpetrator merely cannot be held criminally liable, but nothing prohibits the victim from acting against the perpetrator through a civil claim. The transmission of destructive code with the intention to cause damage can easily be the basis of a delictual claim.

4.1.3 Packet sniffing
When information is sent over the Internet, the message is broken up into smaller parts, called data packets. These packets are then sent to the recipient one by one over the Internet, and the recipient’s computer places the packets in the correct order and combines them again into one message for it to be read by the recipient.


When these packets travel across the Internet, they can be easily intercepted, a copy of the original packet can be made, and the original packet can again be sent on its way. This is known as “packet sniffing”. The perpetrator can read the packets to obtain valuable information, such as credit card information, bank statements or other classified information.
 
In the United States of America packet sniffing is regulated by paragraph 2511 of the Electronic Publications and Privacy Act.17 The section simply states that if anyone intercepts an electronic communication, he can be imprisoned for a period not exceeding five years or be fined an amount of up to $500.
 
Get the Electronic Publications and Privacy Act at
 
South Africa does not have any legislation primarily aimed at packet sniffing. Luckily there exists a piece of legislation that is formulated widely enough to possibly be applicable to packet sniffing, and that is the Interception and Monitoring Prohibition Act.18 It has, however, never before been applied to packet sniffing, and it is still an open question whether a court of law will be prepared to apply it to this specific situation.
 
Get the Interception and Monitoring Prohibition Act at
 
Section 2 of the Act states:

“2 Prohibition on interception and monitoring

(1) No person shall –
(a) intentionally and without the knowledge or permission of the dispatcher intercept a communication which has been or is being or is intended to be transmitted by telephone or in any other manner over a telecommunications line; or
(b) intentionally monitor any conversation or communication by means of a monitoring device so as to gather confidential information concerning any person, body or organisation.”

The term “telecommunications line” is defined as “include(ing) any apparatus, instrument, pole, mast, wire, pipe, pneumatic or other tube, thing or means which is or may be used for or in connection with the sending, conveying, transmitting or receiving of signs, signals, sounds, communications or other information”.19


The difference between subsection (a) and (b) seems to be that subsection (a) prohibits the interception of a telecommunication that results in the telecommunication never reaching the intended recipient. In contrast, subsection (b) relates to the monitoring of a conversation or communication, and this section seems to be aimed at prohibiting the recording of the telecommunication.
 
In my opinion subsection (b) will be more applicable to the combating of packet sniffing, because packet sniffing essentially entails unlawful monitoring of a communication in order to obtain confidential information.
 
If the information is not really confidential, it seems as if subsection (a) should rather be used.
 
The contravention of section 2(1) of the Interception and Monitoring Prohibition Act constitutes an offence, and the perpetrator can be fined or be imprisoned for a period not exceeding two years.20
4.2 “Ordinary crime”
4.2.1 Internet fraud
4.2.1.1 Introduction
Of all the crimes online, fraud is the most prevalent. Internet fraud can be committed in myriad ways. As a matter of fact, so many Internet fraud scams are introduced every day online that some web sites have the sole function of reporting on the latest ones.21
 
Example of a web site with the sole function of reporting online scams at
http://www.fraud.org/welcome.htm
 
The common law crime of fraud covers a very wide field, and as a result is also applicable to online fraud. Examples of how fraud is committed online vary dramatically; from cases of goods not meeting the original quality or description being auctioned online, to fraudulent business franchises being offered for sale.

4.2.1.2 Misrepresentation
A perpetrator performs a fraudulent act if he/she makes some or other misrepresentation to the victim in order to move him/her to act to his/her own prejudice. The statement must therefore represent something that is false. The scope of this requirement is, as already mentioned, very wide in that any misrepresentation made with the intention to cause the victim to act to his prejudice, will be sufficient to constitute an act of fraud.


The misrepresentation can be made orally or in writing, and can be expressly stated or even be made tacitly. In the context of the Internet the misrepresentation will almost always be made by means of the written word, but one can easily imagine situations where the misrepresentation can be made in another form.22
 
4.2.1.3 Prejudice
According to current South African law the misrepresentation must cause prejudice to the victim. The meaning of the word prejudice in this context is very wide, as it can include actual or potential prejudice.
 
Actual prejudice occurs when the victim has already acted to his/her prejudice, i.e. has suffered some loss already. Potential prejudice has been caused if there is a possibility that the victim will be prejudiced.

Establishing the exact scope of potential prejudice can be somewhat problematic. As mentioned, potential prejudice is suffered when the perpetrator’s misrepresentation has the possibility that it may cause prejudice. On the other hand, the potential prejudice must not be so “fanciful”23 that no reasonable person would believe the misrepresentation. If that is the case, there will not be potential prejudice in the first instance.


If a perpetrator makes a misrepresentation by means of an impressive looking web page, it can be argued that potential prejudice is present because the possibility exists that a person will act on the misrepresentation that has been made on the web page.
 
4.2.1.4 Intention
Fraud can only be committed intentionally. In addition to that the perpetrator must have had the intention to defraud the victim. The intention to deceive will not be sufficient to constitute fraud. A perpetrator acts with the intention to deceive if he/she makes a misrepresentation without having the intention that the victim should act on the misrepresentation. If, however, the perpetrator makes a misrepresentation and has the intention that the victim should act to his prejudice, the perpetrator will have committed fraud.
 
4.2.1.5 Conclusion
The brief discussion of the requirements of fraud illustrates that the common law is flexible enough to deal with online fraud effectively.
 
4.2.2 Theft of information
4.2.2.1 Introduction
Although theft has been a crime since long before the birth of Christ, it still remains a problematic part of the law, especially when it has to be extended to make provision for new situations. Theft of information is a classic example of this.
 
Project 108 of the South African Law Commission mentions that the issue of theft of information will still be looked at, but only at a later stage.
 
In general the principles of theft require that the thief must appropriate a movable corporeal thing. The thief must have the intention to permanently deprive the owner of the property.24

There are three requirements for theft that will immediately provide problems if applied to theft of information:

  • The thing must be corporeal.
  • The thing must be appropriated.
  • The perpetrator must have the intention to permanently deprive the owner of the thing.


4.2.2.2 Corporeal thing
Generally speaking it is a requirement of theft that the thing must be corporeal. This is, however, not an absolute requirement, and our courts have in some instances broadened the scope of this requirement.25 Theft of money is an example. If someone takes another person’s wallet and appropriates the money, that constitutes a very common and unequivocal form of theft. However, money does not always take the form of bank notes. When a person opens a cheque account and deposits R1 000 in the account, the bank becomes the owner of the R1 000, and the account holder merely has a personal right against the bank. When the account holder writes out a cheque, he/she authorises the bank to lessen his personal right by the amount of the cheque. If C intercepts the cheque and deposits it into his own account so that it does not reach the intended recipient, then C has committed theft, although no physical bank notes have been stolen. If electronic entries are used to convert funds from one account to another, the perpetrator will still be guilty of theft although he did not physically steal any bank notes.
 
In S v Harper26 the court went even further, and held that shares, in contrast to share certificates, can be stolen. It can therefore be seen that the requirement of a thing being of a corporeal nature is not always consistently applied to cases of theft. It is submitted that this exception to the rule also be applied as far as theft of information is concerned.

 

4.2.2.3 The thing must be appropriated
According to current South African law the thing that is stolen must be appropriated.27 It is not a requirement that the thing must be physically touched, but once taken by the perpetrator, the owner must no longer have it in his control. This requirement does not pose any problems if, for instance, the perpetrator takes a CD-ROM or magnetic disk and deprives the owner of his possession. Interestingly enough the perpetrator can in such an instance be charged and convicted of the theft of the CD-ROM or magnetic disk, which is not worth much, but not of the valuable information that is stored on the disk. The scenario becomes more problematic if the perpetrator takes the CD-ROM or magnetic disk, makes a copy and returns the original disk to the unsuspecting owner. Can the perpetrator now be charged and convicted of theft even though the owner still has possession of the original?


The current state of the law would suggest that the perpetrator cannot be convicted of theft in the latter scenario sketched above.28 Our law has up to now, as far as theft is concerned, always worked on the premise that a thing is an entity on its own, and if the perpetrator takes control over the thing, it therefore must mean that the owner does not have control over it anymore. If this is not the case it means that the owner has never lost control of the thing.
 
In the “real world” this is largely true. If a perpetrator appropriates a motor vehicle, it means that the owner does not have control over it anymore. This premise is, however, not always true in the sphere of computers. A copy of a disk can, for instance, be just as valuable as the original disk. How can the concept of appropriation be successfully transformed and applied to information stored on computers?
 

The answer to this dilemma can perhaps be found in the historical development of the concept of appropriation. In Roman times the appropriation of a thing was referred to as contrectatio, and that meant that the perpetrator must have physically touched the thing. In later years it was accepted that the thing need not be physically touched, and cases where, for example, a thief appropriated cattle by driving them to his own premises were also regarded as theft. It is submitted that this natural development should be taken to its logical conclusion to include the appropriation of information as theft.

4.2.2.4 The perpetrator must have the intention to permanently deprive the owner of the thing
Theft can only be committed intentionally. In addition to this requirement, the thief must have the intention to permanently deprive the owner of the thing. If this requirement is applied to theft of information, the problems become evident. When, for example, a CD-ROM or magnetic disk is copied and the original disk is returned to the unsuspecting owner, it is clear that the owner still has the full use of the information stored on the disk. The owner’s disk and use of it is in no way affected by the unlawful copying, so it can be argued that the owner did not lose control over the disk and information at all. On the other hand, before the copying took place the owner had the exclusive use of the disk and the information stored on it. By not having exclusive use of the information anymore it can be easily imagined that the information on the disk does not have such a high value as it would have had, had the copying not taken place. It seems as if the requirement that the owner should be permanently deprived will have to be applied in a different manner as far as theft of information is concerned, in that if the owner does not have the exclusive use of the information anymore, it should be regarded as if he has been permanently deprived of the possession.


4.2.2.5 Conclusion
It is clear that some of the requirements to determine theft will have to be looked at in a new light before they can be applied to theft of information. These “adaptations” to the way in which theft can be looked at to include theft of information are, in my opinion, not of major significance, but if the requirements are not looked at anew, the legislature will have to remedy the situation by criminalising theft of information.
 
4.2.3 Copyright infringement
The principles on how copyright is dealt with in the context of computer applications are discussed in chapter 2. In the context of criminal law only the consequences of copyright infringement in computer applications are now considered.
 
Section 27 of the Copyright Act29 deals with the penalties that can be imposed if copyright is infringed:

27 Penalties and proceedings in respect of dealings which infringe copyright

“(1) Any person who at a time when copyright subsists in a work, without the authority of the owner of the copyright –

“(a) makes for sale or hire;
“(b) sells or lets for hire or by way of trade offers or exposes for sale or hire;
“(c) by way of trade exhibits in public;
“(d) imports into the Republic otherwise than for his private or domestic use;
“(e) distributes for purposes of trade; or
“(f) distributes for any other purposes to such an extent that the owner of the copyright is prejudicially affected, articles which he knows to be infringing copies of the work, shall be guilty of an offence.

Section 27 makes it very clear which acts will be regarded as acts that will amount to copyright infringement. It must, however, be noted that the mere act of copyright infringement is not sufficient to constitute an offence. The last part of the section provides explicitly that if the perpetrator is not aware that he is infringing upon someone else’s copyright, he will not be committing the crime. The copyright infringer must have the intention to infringe upon someone else’s copyright before he can commit the crime. For example, if a person downloads a computer application to a computer in South Africa, but he is not aware that it is a copy that infringes on someone else’s copyright, he will not commit the crime. However, as soon as the perpetrator becomes aware of the fact that the application that he has downloaded infringes on someone else’s copyright, but still goes ahead and distributes copies of the computer program in South Africa, he will commit a crime in terms of section 27(1) of the Copyright Act.
 
Section 27(2) of the Act states that “any person who at a time when copyright subsists in a work makes or has in his possession a plate knowing that it is to be used for making infringing copies of the work, shall be guilty of an offence.” The definition of “plate” in section 1 of the Act is very wide,30 and it will also include a computer that is used to make infringing copies.
 
If a person is convicted of the offence in section 27(1) of the Act, he will, in the case of a first conviction, be sentenced to a fine not exceeding R5 000 or to imprisonment for a period not exceeding three years, or both, for each article to which the offence relates.31 In any other case, the perpetrator can be sentenced to a fine not exceeding R10 000 or imprisonment for a period not exceeding five years, or both, for each article to which the offence relates.32
 
It is interesting to note that in both the instances of a first and subsequent offender, the fine or period of imprisonment can be applied to each article to which the offence relates. This provision opens up the possibility that a perpetrator can be punished very severely, as some infringing copies can be mass duplicated, such as computer programs and video games.33
 
4.2.4 Online gambling
4.2.4.1 Introduction
Since the World Wide Web developed into a fully graphic environment, it has become very easy to introduce online gambling to the world. Gamblers can place bets over the Internet, and within seconds they can find out whether they have won, and if so, an electronic payment can be made immediately. To set up such a site is relatively easy to do and costs a fraction of the price of a fully-fledged casino.


Gambling in South Africa is regulated by the National Gambling Act.34 In essence the Act creates a National Gambling Board, and the board is responsible for regulating all gambling activities throughout South Africa. Before a casino can operate, it must first be in possession of the necessary gambling licence. The Gambling Act provides that only a certain number of gambling licences may be issued, and even goes so far as to specify how many licences each province may grant to a prospective candidate. When reading the Act, it is evident that the National Gambling Board was created to regulate gambling operations in South Africa to the fullest extent.
 
Section 16 of the Gambling Act states that if a person does not have the necessary licence to conduct gambling activities, or does not comply with any provision of the Act, he will be committing an offence punishable with a fine, or imprisonment for up to 10 years.
 
4.2.4.2 Problems with online gambling
Because online gambling can hold such a great financial advantage, it is not ludicrous to say that many persons or companies would consider such a business venture, especially if a casino operator was not one of the lucky ones to obtain a licence. If an online gambling operator opens up a site on a South African server,35 it will be easy for the National Gambling Board to close it down, but what if the operator opens up the site in another country? In such a case the National Gambling Board has no authority to act against the gambling operator in the other country. Furthermore, it will be impossible to control the gambling operations of that operator, and South Africa will not be able to claim the necessary taxes, as is the case with unlawful casino operators.
 
4.2.4.3 Possible solutions
If Internet users make use of an online gambling site, one might argue that users of such an international online system must be taxed when they use it. An international online gambling system can, however, easily make use of cryptography36 to safeguard the identity of its users, and this will result in the South African Gambling Board’s hands being tied.


The National Gambling Board can request that the international gambling operator be extradited to South Africa. This is, however, a laborious process, and the country from which the online gambling operator conducts business can simply refuse extradition.
 
It can be said that the Internet service provider, or access provider, which provides the user with access to the online gaming site, should be punished for granting such access. To hold a content provider liable for such conduct is not to be considered, as it would place an impossible burden on access providers if they were held accountable for the content which they merely give access to.
 
4.2.5 Child pornography
4.2.5.1 Introduction
Regulating pornography is a very difficult thing to do. On the one hand an adult’s right to privacy, as entrenched in section 14 of our Constitution,37 should be guaranteed. On the other hand it may in certain instances be necessary to infringe on such a right to safeguard the rights of others, for example the protection of children against exploitation from criminals creating child pornography.
 
Get the South African Constitution at
 
Before 1 June 1998, pornography was regulated by the Indecent or Obscene Photographic Matter Act.38 Section 2(1) of this Act had such a wide definition as to what is meant by indecent or obscene photographic matter that it was declared unconstitutional.39 On 1 June 1998 a new dispensation regarding pornography came into existence when the Films and Publications Act40 became law. This Act repealed, inter alia, the Indecent or Obscene Photographic Matter Act.
 
Get the Films and Publications Act at
 
Get the Films and Publications Amendment Act at
 
The Films and Publications Act is a comprehensive piece of legislation that deals with the classification and regulation of films and publications. A “publication” is defined as:

“(i) any message or communication, including a visual presentation, placed on any distributed network including, but not confined to, the Internet.” 
A “visual presentation” means:
“(a) a drawing, picture, illustration, painting, photograph, or image; or
(b) a drawing, picture, illustration, painting, photograph or image or any combination of it, produced through or by means of computer software on a screen or a computer printout.”
The Films and Publications Act also defines new criminal acts to allow law enforcement agencies to prosecute certain unacceptable conduct in relation to the distribution of films and publications. This is now looked at in more detail.
 
4.2.5.2 Child pornography on the Internet
In 1998 the media reported that a Port Elizabeth man allegedly placed child pornography on his web site. This caused a public uproar, and requests to prosecute the man soon followed. The Eastern Cape Attorney General refused to prosecute the man, saying that legislation at that time did not cover the offence, and that the Films and Publications Act was still not in operation.41 This caused the legislature to take note of the lacuna in the law, and the Films and Publications Act was soon brought into force.
 
If a person creates, produces, imports or is in possession of a publication or film which contains scenes of child pornography, he shall be guilty of an offence.42 Child pornography is defined in section 1 of the Act as:  
“any image, real or simulated, however created, depicting a person who is or who is shown as being under the age of 18 years, engaged in sexual conduct or a display of genitals which amounts to sexual exploitation or participating in, or assisting another person to engage in sexual conduct which amounts to sexual exploitation or degradation of children.”

It is interesting to note that the presentation of child pornography can be simulated or real. This means that so-called “pseudo-pornography”43 is also included in the Act, and the production or possession of such material will also be punishable under this section. Even if the visual presentation merely depicts a person engaging in sexual conduct as being under the age of 18 years, while this is not actually the case, the material will still be prohibited.


If a person imports child pornography into the Republic, he will also commit a crime. The term “import” is not defined in the Act, but if the overall nature of the Act is taken into consideration,44 it is submitted that “import” will also involve the downloading of child pornographic material.
 
The crime that has been discussed above only prohibits the creation, production, importation and possession of child pornographic material. What would the law be if a perpetrator places child pornographic matter on a web site without storing it on his own personal computer or producing it himself? Could this be a lacuna in the law? The answer is that the Films and Publications Act also makes it a crime for a person to distribute child pornography to anyone else. Section 25 prohibits the distribution of child pornography contained in publications, whereas section 26 prohibits child pornography in films.
 
A perpetrator convicted of any of the above-mentioned crimes can be sentenced to a fine, or to imprisonment for a period not exceeding five years, or where aggravating circumstances are found, to both the fine and imprisonment.45
5. Jurisdictional problems in cyberspace

The American case of Playboy Enterprises, Inc. v Chuckleberry Publishing, Inc.46 illustrates the jurisdictional problem.


In 1981, Playboy obtained an injunction (interdict) against Chuckleberry Publishing, stating that Chuckleberry Publishing may not continue with its own “Playmen” publication, as it was very similar to the Playboy trademark. In January 1996, the defendant created an Internet web site using its “Playmen” mark. The site was created, and the server located, in Italy. Playboy filed suit in the United States, arguing that the defendant had violated the 1981 injunction by distributing the prohibited publication, albeit on the Internet.
 
The defendant argued that it was:  
“merely posting pictorial images on a computer server in Italy, rather than distributing those images to anyone in the United States. A computer operator wishing to view these images must, in effect, transport himself to Italy to view [the defendant’s] pictorial displays. The use of the Internet is akin to boarding a plane, landing in Italy, and purchasing a copy of Playmen magazine, an activity permitted under Italian law”.47
The court disagreed with this contention, by holding that the defendant “has actively solicited United States customers to its Internet site, and in doing so has distributed its product within the United States”.48 The court further held that the defendant could operate its web site, but was prohibited from accepting any subscriptions from customers in the United States.
 
The interesting part of this case is the question of enforcement. If the defendant fails to comply with the order, how can it be enforced? Unfortunately the court did not shed any light on this question.

Why is jurisdiction such a problem when applying it to cyberspace? The answer lies in the realms of cyberspace itself, where borders are totally different from those in the “real world”, although it would be incorrect to say that cyberspace has no borders at all. Some servers and web sites require passwords to enter, and if one does not have the correct password, entry will be prohibited. These sites are, however, far in the minority. Most of cyberspace is accessible to all Internet users, regardless of where they may find themselves. The concept of jurisdiction as we currently know it relates to a sovereign country with well mapped out boundaries. Cyberspace disregards these boundaries totally. A user can access dozens of web sites in just as many countries within a matter of minutes, without even knowing where he has obtained the information. It is also not uncommon for a single web page to be composed of content that is obtained from different servers located in different countries in the world.49 Sometimes the user has no way of knowing where the information originated.


The problem becomes even worse if a criminal, situated in one country, commits an Internet-related crime in another country. How can such a person be prosecuted if he does not fall within the jurisdiction of the country where the crime was committed? At the moment a criminal can only be brought before the law if he is extradited to the country where the crime was committed.
 
Extradition is, however, a sensitive political issue, and criminals are usually only extradited for extremely serious crimes. The process of extradition is very involved, and it is almost certain that extradition will only be considered for the most serious forms of computer and Internet crime.
6. Extradition
6.1 Introduction
Extradition can be defined as “the delivery of an accused or a convicted individual to the state where he is accused of, or has been convicted of, a crime, by the state on whose territory he happens for the time to be”.50
 
In international law it is recognised that individual countries are sovereign, and as a result a particular country has the exclusive right to govern its nationals as it sees fit.51 If a perpetrator flees one country to seek refuge in another country, the country from where the perpetrator fled cannot simply disregard the territorial jurisdiction of the country to which the perpetrator flees, but will have to request the latter country to hand over the perpetrator. This is known as extradition.
 
According to the principles of international law a country does not have a duty to extradite a fugitive. In order to ensure that criminals do not abuse this system, countries enter into extradition agreements with each other to come to some sort of agreement on how the surrender of criminals should be dealt with.

The principles of extradition in South Africa are regulated by individual international agreements (treaties) entered into with other countries, and the procedures for requesting extradition are statutorily regulated by the Extradition Act.52 As a result of this the body of law on extradition is vast, and only its most important aspects are touched on here. The discussion deals with principles that are common to most extradition agreements, and how these principles affect Internet crime.


6.2 Extradition of nationals
It is each individual country’s prerogative to determine whether it will permit its own nationals to be extradited. In general, South Africa will allow its nationals to be extradited, as the Extradition Act does not provide South African citizens any special treatment. However, this principle is subject to some exceptions, as some extradition agreements between South Africa and some other countries make provision for nationals not to be extradited.53
6.3 Double criminality
The principle of double criminality simply means that the extraditable offence54 of which the perpetrator is accused must be a crime in both the country to which the fugitive is extradited and the country where the fugitive finds himself. This principle of double criminality is found in section 2(2) of the South African Extradition Act, and will therefore limit extradition to cases “which if committed in the Republic would be punishable therein as an offence”.
 
This principle could prove to be a problem in the context of Internet crime. South African law regarding Internet crime is, as the reader will have gathered on a number of occasions by now, still extremely undeveloped, and as a result of this a number of “basic” Internet offences, such as unauthorised access to computers, which are crimes in many other countries, are still not criminalised in South Africa. Obtaining extradition for any of these “crimes” could prove to be very difficult.
6.4 Crimes of a political nature
An entrenched principle of international law world-wide is that a country may refuse to extradite a fugitive for a political crime that has been committed in another country.55 This principle has in the past created many problems, and it is not the purpose of this text to discuss the issues involved. All that needs to be mentioned in this context is that if it can be proved that a perpetrator has committed an Internet offence with a political motive in mind, it may well be impossible to obtain extradition.
6.5 Procedure for extradition

Section 4 of the Extradition Act deals with requests for extradition from South Africa. It stipulates that any request for extradition shall be made to the Minister,56 and if it has not been made to the Minister, it must be handed over to him/her.57 The Minister will then take the matter further.58


This section illustrates a point that is woven through the whole Extradition Act – a fugitive will only be extradited for a serious offence. The fact that high-ranking government officials are involved in this process illustrates the point. This principle is also found in many other countries’ extradition legislation. If a perpetrator therefore commits a “minor” Internet crime, such as gaining entry to a computer system without having the authority to do so, and does not cause any actual harm, he will most likely not be extraditable. Even if the perpetrator can be extradited, the process will be so involved and costly that it will most probably not be worth the trouble.
6.6 Conclusion
Although the surface of the law of extradition has barely been scratched, it can be seen that extradition in the context of Internet crime can, and most likely will be, a major challenge to be overcome in future. At the moment it is not at all practical to use extradition as a tool to punish perpetrators of “minor” Internet offences. How this problem will be solved remains to be seen.
7. Crime scene investigation
7.1 Initial investigation
Computer crime is a very new field in South Africa. Computer crime committed over the Internet is an even more unknown area. It is therefore not improbable that the South African Police Service would be somewhat hesitant to become involved in the investigation of computer crime, and if it did become involved, it would probably not know where to start.

It may be a good idea to make the initial investigation an in-house project. Normally system administrators will possess enough information to investigate the computer network, and find out what really happened. When this information is then later handed over to the police, they will be able to understand better what the extent of the problem is. If the system administrator, however, does not know how to conduct this initial investigation, it will not be wise to allow him/her to perform such a task.


Only when it has been established what really happened can a possible perpetrator be identified. In the majority of cases it is not an external person who attacks the network, but rather an employee who has some grudge against the organisation. It is often a good idea to consult with the human resources department to identify a possible suspect.
 
When the investigation team knows exactly what happened on the computer system, it has to establish whether the unauthorised conduct is indeed an offence. As far as South African criminal law on computer crime is concerned, it is highly likely that the unauthorised conduct will not be a crime. In such an instance the perpetrator cannot be prosecuted in any way. This, however, does not mean that the aggrieved party does not have any remedy. The aggrieved party will most probably be able to institute a civil claim against the perpetrator.
7.2 Deciding whether or not to prosecute
It is often difficult to decide whether it is really going to be worthwhile to take the case any further. Computer crime investigation can take a very long time to complete, and it can be very expensive. For example, if someone gains access to a computer system only once, it may perhaps be the best remedy to simply close up the “hole” by which the perpetrator gained access to make sure that the perpetrator does not gain entry again.
 
The decision on whether or not to prosecute the perpetrator must be taken quite quickly. If the organisation decides to investigate the matter fully, it will probably entail allowing the perpetrator to gain access to the computer system again and again in order to build up a proper case against him. If the perpetrator is booted out of the network, he will immediately realise that his presence has been detected, and that will effectively be the end of the investigation against him.
 
If classified or secret documents are found on the computer system, it is obvious that it would be better to fix the “hole” in the system as a matter of urgency, and to let the perpetrator go. The integrity of the computer system is of more importance than the prosecution of the perpetrator.
8. Conclusion

From the discussion above it can be seen that criminal law often has difficulties in adapting to the online world. Many of the principles that have been relied on for centuries have changed. For example, it has always been difficult to conceive how a crime can be committed in one country if the perpetrator was situated in another country. Now it is a reality.


Although criminal law has difficulties adapting to many of these online crimes, one must be wary not to fall into the trap of thinking that the current law is always incapable of dealing with many of the online crimes that have been discussed. By thinking about fundamental principles in a slightly different way, a solution to problems can often be found. In those cases where the current state of the law cannot provide an answer, statutory measures will have to be introduced. The South African Law Commission has already made progress with this venture, and it is merely a question of time before many of the problems that the current state of the law faces will be solved.
Author biography  
Barrie James Gordon grew up in Randburg and matriculated from Roodepoort High School in 1986. After obtaining BA (Law) and LLB degrees, he was admitted as an Advocate of the High Court of South Africa in 1996. In 1997 he combined his keen interest in computers with his law career by completing a Master's degree in International Law (cum laude). The theme of his dissertation was “The Legal Challenge of Regulating the Internet – Fact or Fallacy?” At the 1998 World Conference on Modern Criminal Investigation, Organised Crime and Human Rights, he delivered a paper dealing with online crime. Since 1995 Barrie has been involved in tertiary education, and is a lecturer in criminal law.

 

  1. For example, in the United States of America the Electronic Communications Privacy Act 18 USCS §2510 (1988), the Computer Fraud and Abuse Act 18 USCS §1030 (1991) and in Great Britain the Computer Misuse Act of 1990
  2. Ibid
  3. Ibid
  4. SA Law Commission Project 108 Issue Paper 14 (1998) (Computer Related Crime: Options for Reform in respect of Unauthorised Access to Computers, Unauthorised Modification of Computer Data and Software Applications and Related Procedural Aspects)
  5. Ibid p. 1-2
  6. Ibid
  7. The majority of hackers are male, and because of this the masculine form of personal pronouns is used throughout the text
  8. A “flag” is usually a small text file that mentions that the specific hacker had been there, for example “Phreak was here”
  9. For example, the cracker might copy a file with all the company’s customers’ credit card information, planning to use it to buy goods on credit
  10. The comprehensive definition of malicious injury to property is:
    A person commits malicious injury to property if he unlawfully and intentionally damages
    (a) movable or immovable property belonging to another; or
    (b) his own insured property, intending to claim the value of the property from the insurer
    Snyman Criminal Law 3 ed (1995) 502
  11. The comprehensive definition of housebreaking is:
    Housebreaking with intent to commit a crime consists in unlawfully and intentionally breaking into and entering a building or structure, with the intention of committing some crime in it
    Snyman Criminal Law 3 ed (1995) 507
  12. The United States of America and Great Britain use statutory measures to criminalise certain unacceptable computer-related conduct
  13. 18 USCS §1030 (1991)
  14. More specifically, the $1000 amount relates to any 1-year period
  15. 18 USCS §1030(a)(5)
  16. 18 USCS §1030(a)(6)(c)(3)(A)
  17. 18 USCS §2510 (1988)
  18. 127 of 1992
  19. Section 1
  20. Section 8
  21. For example The National Consumer’s League National Fraud Information Center (http://www.fraud.org)
  22. With digital telephony advancing to a stage where it is entering the mainstream market, it can be easily envisaged that a person can speak to another person over the Internet and thus make the misrepresentation
  23. R v Seabe 1927 AD 28
  24. The technically correct definition of theft goes further in that it will also constitute theft if a perpetrator removes his own property from the control of another person who has a legal right to have possession over the thing. An example of this is where an owner of a thing removes it from the premises of a person who has a lien over the thing
  25. S v Harper 1981 2 SA 638 (D)
  26. Ibid
  27. S v Tau 1996 2 SACR 97 (T) at 102a-b
  28. Theft of information has never formally been accepted in our law
  29. 98 of 1978
  30. Section 1 defines “plate” as “includ(ing) any stereotype, stone, block, mould, matrix, transfer, negative, record, disk, storage medium or any version of a work of whatsoever nature used to make copies”
  31. Section 27(6)
  32. Ibid
  33. This principle is, however, subject to the Adjustment of Fines Act 101 of 1991 which makes provision for absolute maximum fines
  34. 33 of 1996
  35. A server is a powerful computer that is linked to the Internet. Internet sites are placed on these computer servers
  36. Cryptography is a process whereby the message in the text is matched to a powerful algorithm that scrambles the original message in such a way that it no longer looks like the original. Only by means of a decrypting program with the correct “key” can the original message be retrieved
  37. 108 of 1996
  38. 37 of 1967
  39. Case and Another v Minister of Safety and Security and others CCT 20/95; Curtis and Another v Minister of Safety and Security and Others CCT 21/95
  40. 65 of 1996
  41. Sawyer New Law on Net child Porn in July (www2.inc.co.za/Archives/1998/9806/2/pornfoll.html 14/06/1999)
  42. Section 27(1) and section 28. Section 27 defines the crime of child pornography in publications, while section 28 defines the same offence in films
  43. Pseudo pornography can be produced in a number of ways. The most obvious example is where a scanned image of a naked slenderly built adult woman is taken and digitally altered in such a way as to transpose a girl’s head on the body of the adult woman. The transformed image will then be perceived to be that of a naked girl. Although the child has not been exposed to the creation of the pornography, it is nonetheless covered by the Act
  44. It is obvious that the drafters of the Act wanted to include the electronic media in that many of the terms defined also include electronic devices capable of showing pictures and visual presentations
  45. Section 30
  46. 939 F Supp 1032 (S.D.N.Y. 1996)
  47. Donohue Litigation in Cyberspace: Jurisdiction and Choice of Law, a United States Perspective (1997) (www.abanet.org/buslaw/cyber/jiusjuris.html 17/12/1997)
  48. Playboy case 1039
  49. An example of this would be where web site A produces its own text, but graphics are imported from web site B, located at another server in another country. The actual graphic that will be displayed on web site A (together with the text), is never saved on the server of web site A. It merely tells the user’s browser where to collect the graphic file
  50. Jennings & Watts (eds) Oppenheim’s International Law 9 ed (1992) 948-9
  51. This rule is, of course, not absolute in that the international community will involve itself with the domestic affairs of a sovereign country if an extreme situation arises, for example, if a sovereign country commits genocide of its own nationals, the international community will intervene
  52. 67 of 1962
  53. For example, the 1972 Extradition Agreement between South Africa and Malawi grants each country the right to refuse extradition of its nationals
  54. An extraditable offence is defined in section 1 of the Extradition Act as “any offence which in terms of the law of the Republic and of the foreign state concerned is punishable with a sentence of imprisonment or other form of deprivation of liberty for a period of six months or more, but excluding any offence under military law which is not also an offence under the ordinary criminal law of the Republic and of such foreign State”
  55. The South African Extradition Act expressly recognises this principle in section 15 of the Act
  56. Section 4(1). The word “Minister” is defined in section 1 as the Minister of Justice
  57. Section 4(2)
  58. For example, section 5 of the Extradition Act authorises a magistrate to issue a warrant for the arrest of a suspect if requested to do so by the Minister