Exploring Canada's computer crime laws: Part 2

Since the exceptions in copyright law for encryption and security research don't apply if you're doing anything criminal, I next looked at the Criminal Code [PDF].

Mischief in relation to data

This is a digital counterpart to the mischief offence against physical property.

Mischief in relation to data
430.

...
Mischief in relation to data

(1.1) Every one commits mischief who wilfully

(a) destroys or alters data;

(b) renders data meaningless, useless or ineffective;

(c) obstructs, interrupts or interferes with the lawful use of data; or

(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.

Punishment

(2) Every one who commits mischief that causes actual danger to life is guilty of an indictable offence and liable to imprisonment for life.

...

(4) Every one who commits mischief in relation to property, other than property described in subsection (3),

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or

(b) is guilty of an offence punishable on summary conviction.

(5) Every one who commits mischief in relation to data

(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or

(b) is guilty of an offence punishable on summary conviction.

A strict reading of s 430(1.1)(a) means that altering data is illegal, but s 429(3) provides that it is not a crime to destroy anything if you own it, so long as you are not attempting fraud. (So, you can't burn down your house in an attempt to defraud your insurance company)

s 430(1.1)(c) and (d) seem to apply fairly straightforwardly to dDOS. Researchers like Molly Sauter are developing an understanding of at least some dDOS as legitimate political activity. Equating what we might understand as a digital sit-in with destructive computer crime is a serious category error. While civil disobedience in the physical realm is a crime, there is a large and widening gulf between the consequences for civil disobedience online and off, which I believe is fundamentally unjust.

s 430(2) provides for life in prison if your mischief causes actual danger to life. So, if you break into the computer systems controlling the power grid and wreak havoc, you might not see the light of day once convicted. It would be interesting to know how courts have judged the "actual danger to life" standard.

I included 430(4) because it doesn't apply to mischief to data because "property" is defined as "real or personal corporeal property." Note the dollar value requirement, which is missing from 430(5). The US CFAA had a $5000 requirement for the felony enhancement, which is already a laughably low bar, but the comparable statute in Canada has no bar at all. (I believe this felony enhancement was amended in 2008, but it isn't clear that the new requirements are much better.)

Given the abuses of the CFAA we've seen, the lack of requiring real damange should be disturbing. There should be a minimum monetary damage here before punishment kicks in -- and it should be real damages. The EFF's legal director Cindy Cohn gave a good explanation of how the CFAA counts up the $5000 of damages at DEF CON 11 -- we shouldn't make that same mistake.