
Computer Hackers: Catch Me If You Can?

2014-07-01

Introduction
In June 2014, the websites and apps of Apple Daily and popvote.hk experienced massive cyber-attacks from sophisticated hackers, in the form of distributed denial-of-service (“DDoS”) attacks. For the popvote.hk app, it was recorded that the app received over 10 billion visits within the first 30 hours of opening for registration, overwhelming the server and impairing its normal function.


With the advancement of technology, these types of attacks have become more and more common, causing loss to corporations estimated in the billions of dollars. Although it is difficult to pinpoint the actual amount of loss associated with such attacks, the loss generally involves (1) down time in business or other critical systems, (2) emergency repair and remedial costs, (3) legal costs, and (4) loss of confidence and reputation.

This article explores the Hong Kong legal framework (or lack thereof) for tackling such cyber-attacks and the practical difficulties, compounded by jurisdictional issues, of locating cross-border hackers, obtaining evidence against them, and prosecuting them.

What are denial-of-service (“DoS”) and DDoS attacks?
A DoS or DDoS attack is generally an attempt to send a massive amount of data to a host (e.g. a web server) within a short period of time in order to temporarily or indefinitely interrupt and suspend the services of the host and prevent legitimate visitors from gaining access. The difference between DoS and DDoS is that in a DoS attack the traffic is sent by one person or system, whereas in a DDoS attack a multitude of systems (usually infected and compromised) attack a single host.

Offence Committed
Unlike other major jurisdictions, Hong Kong has lagged behind in legislative reform to target DoS and DDoS attacks. For example, in the United Kingdom, the Computer Misuse Act 1990 was amended through the Police and Justice Act 2006 to make it a criminal offence to conduct DoS and DDoS attacks. The United States has also implemented similar legislation to tackle such attacks.

In the absence of clear legislation targeting DoS and DDoS attacks, the Hong Kong courts have resorted to using existing legislation under the Crimes Ordinance (Cap. 200) (“CO”) in order to impose criminal liability for such attacks.

Section 60 of the CO
Section 60(1) of the CO makes it a criminal offence for a person, without lawful excuse, to intentionally or recklessly destroy or damage any property belonging to another. “To destroy or damage any property” is defined under section 59 of the CO to include misuse of a computer, i.e. to cause a computer to function other than as it has been established to function, to alter or erase any program or data, or to add any program or data to the contents of a computer or its storage medium.

Section 161 of the CO
Further, section 161(1)(c) and (d) of the CO provide that any person who obtains access to a computer with a view to dishonest gain for himself or another, or with a dishonest intent to cause loss to another, commits an offence.

Hong Kong Case on DoS attack
In one of the few reported Hong Kong cases involving DoS attacks (HKSAR v Tse Man Lai CACC 455/2012), the Court of Appeal was faced with the defendant’s application for leave to appeal against his convictions on two charges of obtaining access to a computer with a view to a dishonest gain for himself or another, contrary to section 161(1)(c) of the CO.

The defendant directed DoS attacks from his computer to the web server of “HKExnews”, a website set up by the Hong Kong Exchanges and Clearing Limited. As a result of the attacks, the Hong Kong Stock Exchange was forced to suspend trading in the shares of seven listed companies, which prevented the general public from gaining access to the website during the attacks.

The defendant, although admitting that he was the person who caused the attacks, contended that he did not have the dishonest intention required under section 161(1)(c) of the CO. Owing to circumstances unique to that case, the Court of Appeal upheld the lower court’s finding that the defendant had the intention of dishonest gain, i.e. to promote his company’s business. Hence, the defendant’s application was refused.

How do the Apple Daily and popvote.hk cases differ from Tse Man Lai?

DoS versus DDoS
As mentioned above, DoS and DDoS attacks are different in nature.  In Tse Man Lai’s case, it was relatively easy to identify the cyber-attacker as only one person was involved in the DoS attacks. The attacks suffered by Apple Daily and popvote.hk were in the form of DDoS attacks involving a multitude of compromised systems, which makes locating and identifying the cyber-attacker(s) more difficult.

Offence
As discussed above, DoS and DDoS attackers may potentially be charged with an offence under section 60 or section 161 of the CO. In Tse Man Lai’s case, the defendant was charged under section 161 of the CO.  However, in order to secure the conviction under this section, the prosecution was required to show that the defendant had access to a computer with a dishonest intention to (1) gain for himself or another (section 161(1)(c)), or (2) cause loss to another (section 161(1)(d)). Fortunately for the prosecution in that case, the Court found that the evidence showed the defendant’s dishonest intention to gain for his company’s business.   However, the application of section 161 of the CO in the Apple Daily and popvote.hk cases seems less straightforward.

There appears to be no clear evidence that the cyber-attacker(s) in the Apple Daily and popvote.hk cases obtained any benefit or advantage from such attacks. Without such evidence, it would be difficult to prosecute under section 161(1)(c) of the CO.

It may, however, be possible for the prosecution to prosecute under section 161(1)(d) of the CO, i.e. obtaining access to a computer with a dishonest intent to cause loss to another. In both the Apple Daily and popvote.hk cases, the loss suffered may include the down time in business or other critical systems and emergency repair and remedial costs. In addition, Apple Daily may also have suffered loss of business, confidence and reputation. Note that in such cases, the prosecution only needs to establish that there is a potential loss to another and it is unnecessary to prove actual loss (see R v. Tong Ka Kin HCMA 1031/1995).

Given the extra hurdle to show dishonest intent under section 161 of the CO, it may be easier to prosecute under section 60 of the CO instead. Indeed, it seems that the prosecution has already shifted its reliance to section 60 of the CO for prosecuting DoS and DDoS related offences. In the popvote.hk scenario, after the cyber-attacks were reported to the police, two males were arrested and one of them subsequently pleaded guilty to the charge of attempted criminal damage, contrary to sections 60 and 159G of the CO.

Jurisdictional Issues

Adding further complexity to the investigation and prosecution work are the issues of jurisdiction, since many of the attacks originate outside of Hong Kong. As discussed in our newsletter “When Can a Person be Prosecuted in Hong Kong for a Cross-border Crime?” published in May 2013, Hong Kong courts do not generally have extra-territorial jurisdiction over criminal matters unless the offence is covered by the Criminal Jurisdiction Ordinance (Cap. 461) (“CJO”). However, despite the Government’s proposal in 2002 to bring section 60 and section 161 of the CO as well as some other computer related crimes within the coverage of the CJO, the necessary amendments have still not been implemented.

Conclusion
Unlike other major jurisdictions, Hong Kong does not have legislation in place specifically dealing with cybercrimes. Although the CO has frequently been relied on by the prosecution to bring cybercriminals to justice, the dated wording of the CO has often led to uncertainty in prosecuting cybercrimes. In addition, Hong Kong has yet to provide its courts with the much-needed extra-territorial jurisdiction to try trans-border computer related crimes. Legislative reforms are urgently needed in order to tackle rapidly evolving cybercriminal activities.


For enquiries, please contact our Litigation & Dispute Resolution Department:

E: criminal@onc.hk

W: www.onc.hk

T: (852) 2810 1212

F: (852) 2804 6311

IMPORTANT: The law and procedure on this subject are very specialized and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Our People

Sherman Yan
Managing Partner
Ludwig Ng
Senior Partner