Exploring Canada's computer crime laws: Part 3

Since the exceptions in copyright law for encryption and security research don't apply if you're doing anything criminal, I next looked at the Criminal Code [PDF].

Unauthorized use of a computer

s 342.1 more closely resembles the CFAA, in that it seems to draw an analogy with trespass.

Unauthorized use of computer

342.1 (1) Every one who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service,

(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,

(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or

(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)

is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

The "fraudulently and without colour of right" language immediately makes me think of the vagueness of "unauthorized" and "exceeding authorization" in the CFAA -- language which is widely regarded as problematic. Immediately following the quoted text, the Criminal Code lists several definitions. I omitted them for brevity, and because they didn't seem problematic to me. The terms "fraudulently" and "without colour of right" are not defined there, but they are explored in case law. "Essentials of Canadian Law: Computer Law" (2nd ed., by George S. Takach, 2003 [yes, seriously, 2003]) explains:

"Fraudulently" means dishonestly and unscrupulously, and with the intent to cause deprivation to another person.

The intent requirement here might be a useful get-out-of-jail card for security researchers who did not intend to deprive any other person. For example, I have a hard time imagining that prosecutors could successfully argue that weev intended to deprive others of... their blissful ignorance?

"Without colour of right" means without an honest belief that one had the right to carry out the particular action. To establish "colour of right," one would need to have an honest belief in a state of facts that, if they existed, would be a legal justification or excuse.

This escape clause might apply, for example, if someone sat down at a computer in the library thinking it was open for anyone to use, but it was really unlocked by someone who had stepped away. (Fun fact: I once nearly did this with a classified computer system, but was caught before doing more than jiggling the mouse. Oops! I honestly thought I was allowed to access that computer. If that had actually been true, then that would have been a legal excuse. That gives a colour of right, which would get me out of a charge under s 342.1.)

However, "without colour of right" seems to simply postpone the difficult question of what use of computer is "unauthorized." The answer might be different if you ask a computer expert, as compared to a layperson. If "unauthorized" isn't in the eye of the beholder, you get around that problem, but simply replace it with the nonexistent definition provided by statute. The answer will presumably come from case law, but that doesn't help the people who shape the law by putting their liberty (and money - making good legal precedent is expensive!) on the line.

The language "directly or indirectly" in (a) is interesting -- that would seem to include social engineering where you trick someone into accessing a computer system on your behalf. I think that's probably a sensible inclusion.

Subsection (c) is quite broad, as it makes it an offence to use a computer with the intent to commit the offences in (a) or (b), or s 430 (mischief in relation to data). "Essentials of Canadian Law" explains that the rationale here is that the police shouldn't have to wait for actual harm to occur. So, this is like murder vs attempted murder, except the punishment is the same for both. That seems wrong -- we differentiate between murder and attempted murder in the Criminal Code, and sentence those convicted of these offences differently. Another potential issue: this section inherits all the problematic breadth of mischief in relation to data, which I talked about last time.