{1} Imagine that you wake up one morning, turn on your computer, and open an e-mail message with a catchy phrase in the subject line. Immediately after opening the e-mail’s attachment, your personal computer is severely damaged. Obviously having a bad day, you head to your job as an attorney for a multinational corporation. By the time you arrive at work, there has been damage to company computers across the globe. The monetary costs of the damage, coupled with the downtime, are astronomical. The CEO of your company is furious. You hope to diffuse the situation by informing your boss that the person who released the virus has been apprehended. Unfortunately, soon after explaining the good news of the perpetrator’s capture, you learn that the individual, who admits involvement with the e-mail virus, will not be prosecuted in his home state because that state had no laws on the books outlawing his behavior at the time of the incident. In fact, none of the states where damage occurred will be able to prosecute because of lack of jurisdiction. The damage is done and the perpetrator is free.
{2}
Although the situation
may sound far fetched, this is the basic story of the events surrounding
the dissemination of the I LOVE YOU virus. The perpetrator was allowed to go free because
the Philippines did not have appropriate cybercrime laws instituted at the
time the virus was released. [1] This high-profile case is
a superb introduction to the difficult issues arising from the existence
of cyberspace.[2]
{3}
In this "Age
of the Internet,"[3] access to information is unprecedented.
This access can be positively used to contact friends and businesses around
the world or can be negatively used to gain unauthorized access to information
or to steal profitable data. With the threat of sinister uses for access
comes the need for protection – protection from attacks such as the I LOVE
YOU virus[4] and protection from prying
eyes.[5] Even though protection from these threats is hampered because of
the international scope of the threat, this same scope assists the cybercriminal.
No longer must a criminal be located physically in the proximity of his
crime. Instead, through the same
technology that makes the Internet such a popular personal and business
instrument, the criminal is able to cause damage regardless of national
borders. The ability of the cybercriminal
to cross national borders without effort, coupled with the relative ease
of his causing harm, present problems for states that want to crack down
on cybercrime. These states must determine effective ways to investigate
activity that occurs outside of their national boundaries, including investigations
in states that may not outlaw the activity. In addition, the states investigating
these crimes must employ individuals with the appropriate technical training
who can devote long hours to tracing the electronic trails of cybercriminals.
{4} In an effort to address the difficulties of investigating cybercriminals, the Council of Europe put forward a cybercrime treaty to harmonize definitions of cybercrime in states that become parties to the treaty.[6] To assist law enforcement with investigation of these crimes, the treaty provides for procedures to assist law enforcement in the search and seizure of computer data and facilitates cooperative investigations by states affected in specific cybercrime incidents.[7] The increase in police power that would result from the treaty concerns many privacy advocates.[8] The basis for this concern is the limited protection available to support privacy of information pertaining to individuals.[9]
A. Cybercrime and the Cybercriminal
{6}
In this Age of
the Internet, ‘cybercrime’ has become a household word, but its definition
is seldom explained. Books and articles
written on the subject often assume that the reader understands the many
facets of cybercrime. For many,
however, computer hacking[10] and computer viruses[11] are the main images conveyed
by the term. While these crimes
comprise two important categories of cybercrime, many other crimes can be
committed or facilitated utilizing computer networks. A non-exhaustive list of cybercrimes includes:
fraud, forgery, counterfeiting, gambling, transmission of child pornography,
transmission of threats, transmission of harassing communications, interception
of communications, copyright infringement, and theft of trade secrets.[12]
{7}
The motivations
of those who commit cybercrimes may be as varied as the nature of the cybercrime
itself. Juveniles may be drawn by
the prestige of outwitting adults.[13] Insiders may be seeking retribution for a perceived wrong by a business
or a former employer.[14] Hackers may simply want bragging rights associated with compromising
a particular computer system.[15] Virus writers may be motivated by prestige, as well as by malicious
feelings towards others.[16] Criminal groups functioning on the Internet may seek monetary gain.[17] Foreign terrorists may seek foreign intelligence.[18] Even with these various motivators, there is at least one common
characteristic of the people who commit cybercrimes. Yesterday’s street criminal had “street smarts;" today’s cybercriminal
has “computer smarts.” In order
to be successful at their craft, cybercriminals need to possess a knowledge
of computers that is far superior to the average user’s amateur skills.
This knowledge allows the criminal to mask his criminal activity
and to divert the efforts of law enforcement officials.[19]
B. The New Tools of the Cybercriminal
{8}
Technology provides
the cybercriminal with a new bag of ‘tools’ that make him more effective
at his craft. In this Internet Age,
the ‘tools’ are not physical implements, but instead are advantages for
those who commit cybercrime. The
first such ‘tool’ is the ability to hide evidence pertaining to the cybercrime. The evidence is virtually hidden because of
the instantaneous transfer of data through computer systems.[20] The cybercriminal has the capacity to act at one site in cyberspace
and then, taking the evidence of the crime with him, to leave instantaneously.
The second ‘tool’ is the cybercriminal’s ability to hide his identity. In effect, a skilled cybercriminal is able to attack computer systems
leaving few, if any, clues as to his identity. His identity is further concealed because he
can easily commit the cybercrime without being physically present in a jurisdiction.[21] The third ‘tool’ is the cybercriminal’s ability to increase his
cybercriminal activity with minimal effort.
The cybercriminal can ignore international boundaries[22] by simultaneously targeting
multiple victims in multiple states.[23] Ultimately, these ‘tools’ provide the cybercriminal with an international
forum for cybercrime in a world where laws criminalizing his behavior are
limited to domestic borders.
{9}
With each of the
cybercriminal’s new ‘tools,’ law enforcement officials face new challenges.[24] The cybercriminal’s first ‘tool,’ his instantaneous ability to hide
data in computer systems, creates a host of problems for law enforcement.[25] In domestic investigations, law enforcement officials may discover
that critical data is stored on a networked computer that is located in
another state. Law enforcement must
then determine if their domestic court order is sufficient to search the
storage facility outside the state’s territory or if mutual assistance must
be sought with law enforcement in the other state.[26] Even in the instance of information stored with ISPs, the procedures
that law enforcement need to follow are not uniform from state to state,
meaning that the task of obtaining the information may be quite time consuming.[27] If the evidence is encrypted, there is a question as to whether
a witness can be compelled to provide a printout of encrypted data when
questioned by law enforcement authorities or interrogated in court. This situation becomes particularly daunting
when an encryption key[28] is held by a second person
who is located outside the state’s territory.[29] All of these inquiries take time and may provide the cybercriminal
the time frame needed to further conceal the incriminating data.
{10}
The second ‘tool’
to which law enforcement must respond is the cybercriminal’s ability to
hide his identity. By skillfully
using a computer system, the cybercriminal has the ability to mask his identity
or remain anonymous.[30] If the law enforcement cannot identify the cybercriminal by the
clues left in cyberspace, it may be extremely difficult to track the criminal.[31] Because the cybercriminal can commit a crime without being present
in a jurisdiction, the cybercrime scene has no physical boundaries[32] and leaves law enforcement
with few, if any, physical leads as to the identity of the cybercriminal.
Unlike the situation where a criminal’s location can be approximated by
the distance that he could possibly have traveled since the crime occurred,
cybercriminals have no effective limitation on their distance from the crime
scene – even a second after the crime was committed.
{11}
The cybercriminal’s
third ‘tool,’ his ability to increase criminal activity by striking multiple
victims in multiple states, creates several problems. Law enforcement must first determine whether
domestic criminal laws are applicable to crimes committed by utilizing international
data networks.[33] If the domestic court system makes a determination that the laws
are not applicable, an investigation may be inappropriate, as no domestic
laws have been violated. Even if
the domestic criminal law applies, jurisdictional issues must still be addressed.[34] If a perpetrator has committed crimes in more than one state, the
home state must make a determination concerning extradition. In a crime involving multiple victim states,
a home state that is willing to extradite the accused must decide on one
state to which to send the accused. Conversely,
a home state may be unable to extradite because the laws regarding cybercrimes
vary substantially in the two states.[35] In the case where extradition is not possible, the home state may
have the option of prosecuting the accused if jurisdiction can be established
by the presence of the accused in the home state. This solution may not satisfy the victim, as the penalties for the
cybercrime may be different in the home state and the victim state. In addition, the victim may not believe that
the same diligence will be used in the prosecution of the accused in the
home state as would be used in the victim state.
The possibility also exists that the accused committed no crime according
to the laws of the home state; thus, he would face no penalty for his activity.[36]
{12}
While the term
‘cybercrime’ did not exist twenty years ago, today the number of attacks
is increasing and the monetary damage from the crimes is staggering.
Cybercriminals are able to benefit from the use of their new ‘tools,’
while law enforcement is plagued with a host of new cyberproblems.
To even the playing field, law enforcement officials need increased
police powers to combat the new ‘tools’ of cybercriminals.
A.
Draft 19: The First Publicly-Released Version of the Cybercrime Treaty[37]
{13} Although no treaty is likely to address the full scope of the problems created by cybercriminals’ new ‘tools,’ the treaty drafted by the Council of Europe[38] endeavors to address several of the basic problems. The Council of Europe first examined the problems associated with the international nature of cybercrimes when it drafted a 1995 paper recommending that states adopt laws regarding cybercrime.[39] Realizing the need for a legally binding instrument, the Council of Europe began deliberations on the cybercrime treaty in 1997.[40] The Council invited observers from Canada, Israel, Japan, South Africa, and the United States[41] to take part in the negotiations in the hopes that the resulting treaty would have international impact.[42] The goal of these discussions was to create a cybercrime treaty which would “harmonize laws against hacking, fraud, computer viruses, child pornography and other Internet crimes”[43] as well as “make criminal investigations and proceedings concerning criminal offences related to computer systems and data more effective and to enable the collection of electronic evidence of a criminal offense.”[44]
{14} In April 2000, after nearly three years of negotiations, the Council posted to its website the first publicly-released version of the proposed treaty.[45] The proposed treaty addressed four principal areas: cybercrime, search and seizure, jurisdiction, and international cooperation.[46] In the area of cybercrime, this draft of the treaty criminalized four categories of crime: access crimes, data crimes, systems crimes, and crimes involving “illegal devices.”[47] The first category, access crimes, outlawed unauthorized access to data contained in a computer system and access to the computer system itself.[48] Under this provision of the treaty, it would be possible for a cybercriminal to be convicted of both gaining access to a computer system where desired data was stored and obtaining the desired data.[49] Data crimes, a second category of crime outlined in the treaty, made illegal the interception of data and interference with data.[50] The definitions of the two data crimes provided in the draft make it unclear whether data theft,[51] the outright taking or copying for the cybercriminal’s use, was outlawed. The third category, systems crimes, outlawed actions that intentionally hindered the functionality of a computer system.[52] A clear example of such a violation is a denial of service attack.[53] Less clear is whether the dissemination of a computer virus[54] or computer worm[55] would constitute a violation. The final category of crime, “illegal devices,” made it a crime to produce, sell, or obtain for use any device created or changed to facilitate the commission of any of the crimes enumerated in the treaty.[56] The illegal device provision raised the question as to how an individual who possessed a device could establish innocence. The provision was written with the presumption that an individual who possessed a device had the intent to use the device to engage in a cybercrime. Because the same devices are used by cybercriminals and by those employed to check the security of business systems, the presumed criminal intent was unfounded.[57]
{15} The cybercrime articles included in the draft shared several common characteristics. First, the illegality of each crime was to be executed through the adoption of domestic legislation in each of the signator states.[58] Second, the definition of each cybercrime was to include the requirements of “intentionally” and “without right.”[59] With the foregoing provisions, the treaty provided a framework to outlaw four categories of cybercrimes.
{16} As the preamble of the proposed cybercrime treaty envisioned that one of the purposes of the instrument was as “an international agreement to regulate trans-border search and seizure,”[60] this draft of the treaty also addressed search and seizure issues. The proposed treaty empowered law enforcement officials with the authority to search and seize data stored on computer systems, when such actions were taken as part of an investigation of cybercrime.[61] As part of this search and seizure power, the treaty authorized the officials to retain copies of the data.[62] Another power granted to law enforcement was the authority to order persons in its territory to produce specific computer data.[63] In investigations where a lapse of time could lead to a loss of computer-stored evidence, the proposed treaty authorized law enforcement officials to expedite the preservation of stored data and of traffic data.[64] As to stored data, expediting referred to shortening the time required to obtain a search and seizure warrant or a production order. With traffic data, the draft authorized law enforcement officials to require that ISPs retain traffic related to a suspect. In addition, the service provider was required to reveal enough of the traffic so that law enforcement officials could track the path by which the communication was transmitted.
{17} As was the case with the categories of cybercrime, the search and seizure articles shared several characteristics. First, according to the proposed treaty, the provisions were to be implemented through domestic legislation in each of the signatory states. Second, in an effort to address privacy concerns, each of the articles specifically provided that “the powers and procedures referred to in the present article shall be subject to conditions and safeguards as provided for under national law.”[65] Third, conspicuously absent from the search and seizure provisions was any mention of a requirement for judicial review for particular applications of the new law enforcement authority.[66] Without a judicial check on the power granted to law enforcement officials, individuals would have no guaranteed protection against abuses. As such, the foregoing provisions outlined the search and seizure powers granted under the treaty.
{18} Jurisdiction was the third area addressed by the treaty.[67] According to the proposed treaty, jurisdiction was based either on territory or on the nationality of the accused. The draft skirted the issue of whether the term “territory” applied to the state where the harm occurred or to the state where the perpetrator was located at the time that the cybercrime was committed. Instead of settling this issue, the treaty provided that disputes over jurisdiction should be decided between the states involved. With the foregoing provisions, the drafters espoused a structure for jurisdictional concerns.
{19} The fourth and final area addressed by the proposed treaty was international cooperation.[68] Mutual cooperation for investigation of crimes was expected of states that became parties to the treaty. The mutual cooperation article was vague as to the procedures that would be necessary to carry out the assisted investigation. As to extradition, the draft ensured that either an existing instrument or this treaty could be used as the basis for extradition of a cybercriminal. The foregoing provisions thus provided a skeletal plan for international cooperation. As outlined in this section, the proposed treaty attempted to address the new 'tools' of cybercriminals by providing law enforcement with new powers to investigate the international nature of cybercrime. The inadequacies of the proposed treaty, which have been suggested in this section, did not pass unnoticed for long.
{20}
Until the public
release of the proposed treaty in April 2000, member delegations had worked
in virtual secrecy on the negotiations.[69] The Internet release of the treaty triggered angered outcries from
more than 400 e-mailers[70] and garnered the condemnation
of a coalition of 29 international cyber-rights organizations, which represented
the views of privacy experts, data protection officials, and technical experts.[71] In a letter to the Council of Europe, the Global Internet Liberty
Campaign ("GILC")[72] outlined its concerns with
the proposed treaty.[73] Technical experts complained that the treaty’s broad provision concerning
illegal devices[74] would criminalize possession
of devises used by security practitioners, educators, and researchers to
increase the security of computer systems.[75] The concern centered on the fact that the devices used to ensure
security within a system are the same ones utilized by hackers to gain unauthorized
access to computer systems.[76] Those involved in securing systems worried that the provision of
the treaty outlawed possession of such devices without regard to their intended
use.[77] The coalition asserted that procedures for international investigations[78] had been omitted from the
proposed treaty, and that such procedures should be agreed upon in order
to ensure that a consistently high level of individual rights was maintained.[79] As to search and seizure,[80] the coalition stated that
the treaty lacked any assurance of an independent judicial review in particular
instances were the search and seizure powers would be utilized.[81] The treaty’s provisions pertaining to the preservation of Internet
traffic and the review of the content of communications relating to an individual
under investigation[82] raised a host of concerns.
For the ISPs, the requirement to preserve communications meant an
increase in operating costs. Additional costs incurred by the ISPs would
include the personnel hours and the storage space necessary to execute the
requests of law enforcement.[83] For the cyber-rights organizations involved in the coalition, the
requirement that traffic and content information be made available to law
enforcement raised substantial privacy concerns. The coalition asserted that the treaty would encourage “inappropriate
monitoring of private communications,”[84] which would violate accepted
privacy norms.[85] One of the specific worries was that inappropriate monitoring would
lead to persecution of dissidents and minorities.[86] In summing up their position, the coalition stated that the treaty
improperly extended police power while failing to protect privacy of communication,
freedom of expression, or criminal procedure protections, all of which are
considered rights under the Universal Declaration of Human Rights.[87]
C.
Draft 27: The Final Revision to the Treaty[88]
{21}
The criticism stunned
the Council of Europe.[89] Peter Csonka, deputy head of the Council of Europe’s economic crime
division,[90] said, “We were surprised by
the violence of these comments, . . . . We have learned we have to explain
what we mean in plain language because legal terms are sometimes not clear.”[91] Through a series of drafts, the Council worked to address the issues
raised concerning illegal devices, procedural safeguards, and ISP retention
of traffic[92] and content data.[93] The drafters responded to the concern expressed by security personnel
that the treaty criminalized the mere use of certain devises by adding a
provision, which provided that those who possessed the devises without the
intent of committing cybercrimes had not acted illegally.[94] In an effort to avoid the increased criminalization feared by GILC,
the drafters required that two types of intent be established for an individual
to be convicted of the crime of misuse of devises. The first type of intent was a general intent
to engage in illegal activity. Second,
the specific intent to use the devise to commit one of four crimes outlined
in the treaty – illegal access, illegal interception, data interference,
or system interference – had to be established.[95]
{22}
With regards to
criminal procedure issues, the drafters inserted an article requiring minimum
safeguards to adequately protect human rights and liberties.[96] The treaty required each state to ensure, through domestic legislation,
independent supervision of the treaty power in question, justification of
the use of the power, and a limitation on the scope and duration of the
power.[97] The decision as to which treaty powers are sufficiently intrusive
to require the safeguards set out in the article was left to the respective
states.[98]
{23}
To address the
concerns pertaining to ISP retention of Internet traffic and content data,
the drafters clarified the requirements by stipulating that the ISPs would
only be asked to store specific data related to suspected crimes.[99] In these provisions, however, the drafters did not limit the time
period for which the ISPs would be required to retain traffic and content
data concerning alleged crimes. Although
the drafters restricted the scope of the data to be maintained,[100] without a limitation concerning
the time period for retention of data, ISPs could still incur significant
business costs in adhering to the provisions of the treaty.[101] In addition, when law enforcement officials engaged service providers
to collect data, the requirement that the providers keep confidential the
fact that data was being collected[102] put the ISPs at odds with
the privacy interests of their customers.[103]
{24}
While three of
the revisions made by the drafters addressed specific concerns regarding
illegal devices, procedural safeguards, and ISPs’ retention of data, additional
modifications to the treaty raised new issues. The treaty itself unnecessarily created four
sets of problems concerning sovereignty, jurisdiction, search and seizure
of computer data, and international investigation. In the arena of sovereignty, both the article concerning search
and seizure and the article pertaining to trans-border access to data without
consent[104] permit law enforcement officials
to cross state boundaries without notifying or gaining permission from the
intruded state.[105] Although some experts argue, “[i]t may be legitimate and important
for law enforcement to be allowed to conduct a remote search of computers
in a foreign country,”[106] it is unclear why the drafters
have allowed these intrusions of sovereignty when the treaty provides for
mutual assistance between states and provides for expedited mutual assistance
when necessary.
{25}
In the area of
jurisdiction, the drafters failed to address the problems raised by the
existence of cyberspace.[107] No state has jurisdiction over cyberspace.[108] Thus, jurisdiction cannot simply be based on the place where the
cybercrime took place. According
to the treaty, jurisdiction was based primarily on territory and secondarily
on nationality.[109] In an instance where more than one state claimed jurisdiction over
an alleged offense, the treaty provided for the states involved to decide
the “most appropriate jurisdiction for prosecution.”[110] The “most appropriate jurisdiction” clause will likely be much invoked
because of the ambiguity in the meaning of territory-based jurisdiction. The provision could be interpreted to provide
jurisdiction to the state in which the perpetrator was located, as happened
in the case of the I LOVE YOU virus where the Philippine government investigated
the individual who released the virus from that state.[111] Unfortunately, this provision could just as easily be interpreted
to give jurisdiction to the state in which the damage from the attack occurred.
Alternatively, the provision could be construed to grant jurisdiction
in either the host state or the victim state, with place of jurisdiction
depending on the particular cybercrime at issue.[112] The drafters made no attempt to solve this predicament.[113] It is unclear why the drafters simply did not choose one of the
above-mentioned meanings of the term ‘territory.’
{26}
In search and seizure
of computer data, the drafters clarified those who are subject to orders
that require production of specified computer data for use in law enforcement
investigations.[114] Under the newly crafted provision, any person physically located
in the state or any service provider offering services within the state
would be required to submit data requested by means of a production order.[115] According to this language, production could be required from a
computer outside the state so long as it belonged to an individual who was
physically present in the state or to a service provider that provided services
within the state. A complimentary
provision provided for search and seizure of stored computer data.[116] The draft empowered competent authorities to search and seize computer
data within the state. Reading the
two provisions together would allow for data produced from outside the state,
pursuant to a production order, to be seized once in the state.
{27}
Generally speaking,
the problems created by the treaty are unnecessary. The treaty is intended to encourage uniform
definitions of cybercrime and through such uniformity to enhance the ability
of law enforcement to investigate these cybercrimes. A carefully written treaty with well-defined provisions could have
avoided much unnecessary confusion. The
question remains as to whether overall privacy concerns have been adequately
addressed by the revisions to the treaty. In international investigations, the drafters omitted any clear
procedures that could have ensured high levels of protection for individual
rights.[117] In an effort to address broad privacy concerns, the “powers and
procedures” provision of the articles on expedited preservation of stored
computer data, expedited preservation and partial disclosure of traffic
data, production orders, search and seizure of stored computer data, real-time
collection of traffic data, and interception of content data are all “subject
to Article 14 and 15.”[118] These two articles provide that the powers and procedures are subject
to the safeguards provided under domestic law and under applicable international
human rights treaties.[119] Thus, critical to an understanding of the privacy protections afforded
by the treaty is knowledge of the safeguards provided by domestic law and
by pertinent international human rights treaties.
IV.
EXAMPLES OF PRIVACY PROTECTIONS PROVIDED UNDER DOMESTIC LAWS
A.
Treaty Expected to Become International Standard
{28}
While the focus
of the treaty is to increase police power to allow law enforcement officials
to effectively battle the new ‘tools’ of cybercriminals, there is a concern
that the increase in police power will not be properly rebalanced with the
privacy rights of individuals.[120] In an attempt to rebalance the scales between police power and privacy,
the treaty protects privacy through safeguards provided under domestic laws
and under applicable human rights treaties. Because the first set of safeguards provided under the treaty are
those found in domestic laws,[121] the first part of the answer
to the question of whether the treaty adequately addresses Internet-Age
privacy concerns must be found by examining domestic protections of privacy.
{29}
The key to understanding
the privacy protections afforded by current domestic laws is two-fold, meaning
that a recognition of the policies enacted in the states is needed as well
as a grasp of the impact of each state’s policies when two or more states
interact. The policies adopted by
states will first be examined to determine the goals that the state desires
to further with its Internet crime control policy in addition to exploring
the ability of the government to prosecute the crime and the capacity of
the victim to recover for his losses. The
outcomes of interactions between states with differing levels of privacy
protection will then be explored.
B.
Three Examples of Southeast Asian States with Differing Levels of Privacy
Protection
{30} As it is not possible to examine every state, several states in Southeast Asia have been chosen to illustrate the overall approach to privacy protection afforded by the treaty.[122] Three Southeast Asian states were selected to illustrate the first prong of the approach, privacy protection afforded by domestic laws. Southeast Asian states were selected because their history of colonialism, which they subsequently replaced with emerging capitalist economies, represents the experience of many of the states that exist outside of Europe.[123] Singapore, Thailand, and the Special Administrative Region of Hong Kong have been specifically chosen because each provides an example of a differing level of privacy protection. For each of these three, Internet crime control policies will be examined. The second prong of the approach, which examines the outcomes of the interactions between states with differing levels of privacy protection, will be illustrated with two hypothetical interactions between a European state and the three Southeast Asian states.
1.
Singapore: An Example of a Low Level of Privacy Protection
{31}
The kind of society
that a state supports determines the goals concerning privacy protection
that underlie the Internet crime control policy of that state.[124] Totalitarian states oppose privacy rights while liberal democratic
systems support individual privacy rights and freedoms.[125] These two abstract kinds of societies lie on opposite poles of the
political spectrum.[126] Singapore is known for its near totalitarian regime. In support of the doctrine that the kind of
society determines the level of privacy protection, Singapore has a reputation
for aggressively using surveillance for social control.[127] In its approach to Internet crime control, the goal of the government
is to shield its citizens from any undesirable influences.[128] In an effort to ensure government supervision of Internet usage,
all ISPs are government-owned or government-controlled companies.[129] The Telecommunications Authority of Singapore has extensive authority
to monitor any activity considered to be a threat to national security.[130] The Authority routinely monitors phone conversations and Internet
use.[131]
{32}
Singapore has no
constitutionally protected right to privacy against government acts.[132] Although government officials are normally required to obtain court-issued
search warrants, exceptions exist to this general warrant rule.
Law enforcement may search without a warrant if they believe the
intrusion is necessary to preserve evidence and warrantless searches are
permitted in drug-related and organized-crime-related incidents.[133] Specific to Internet-related crime, the police do not need a warrant
to search computers under the Electronic Transactions Act ("ETA").[134]
{33}
Singapore has passed
criminal laws that enable the prosecution of perpetrators of Internet crime.
The Computer Misuse Act ("CMA")[135] prohibits unauthorized access
to computer data, unauthorized modification of computer data, unauthorized
obstruction of the use of computers, and unauthorized disclosure of access
codes.[136] The ETA imposes a duty of confidentiality on individuals who possess
data obtained under the act and imposes sanctions for disclosing such data
without authorization. [137]