1 Cybercrime

1.1 Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:

Hacking (i.e. unauthorised access)
Wilful interception of private communications is a criminal offence under Section 184 of the Criminal Code of Canada, RSC 1985, c C-46 (the "Code"), with a maximum sentence of five years' imprisonment.

Section 342.1 of the Code prohibits fraudulently obtaining any computer service or intercepting any function of a computer system. Use of a computer system with intent to commit such an offence and use or possession of a computer password to enable such an offence are also prohibited. The maximum sentence is 10 years' imprisonment. The elements of this offence were recently discussed by the Alberta Court of Appeal in R v. McNish.

Hacking has also been prosecuted under:

  • Section 380(1) of the Code, which prohibits defrauding the public or any person of property, money, valuable security or a service, and carries a maximum penalty of 14 years' imprisonment where the subject matter of the offence exceeds $5,000. In R v. Kalonji, the accused was found guilty of fraud and conspiracy to commit fraud in connection with an account take-over scheme involving the hacking of bank accounts.
  • Section 430 of the Code, particularly when the hacking is related to "smurfing" (e.g. overloading computer systems causing chaos). In R v. Geller, an accused was charged with mischief to data after obtaining credit card numbers and other information through hacking, then accessing the internet using fake identification.

Denial-of-service attacks
Denial-of-service attacks could be considered "mischief" under Section 430(1.1) of the Code, which prohibits obstructing, interrupting or interfering with the lawful use of computer data and denying access to computer data to a person who is entitled to such access. The maximum penalty is 10 years' imprisonment.

Phishing
Phishing may constitute fraud pursuant to Section 380(1) of the Code. In R v. Usifoh, the accused was found guilty of receiving funds from various victims of phishing scams.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)
Section 430 of the Code prohibits "mischief", which includes wilfully destroying or damaging property, rendering property useless, inoperative or ineffective, or obstructing, interrupting or interfering with the lawful use, enjoyment or operation of property. Section 430(1.1) of the Code specifically prohibits wilfully destroying or altering computer data, rendering computer data meaningless, useless or ineffective, obstructing, interrupting or interfering with the lawful use of computer data and denying access to computer data to a person who is entitled to such access. The maximum penalty is 10 years' imprisonment.

Section 8(1) of the Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying out Commercial Activities, and to Amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, SC 2010, c 23 ("CASL") prohibits, during the course of a commercial activity, installing or causing to be installed a computer program on any other person's computer system, unless an owner or authorised user of the computer system consents (subject to certain conditions) or the person is acting in accordance with a court order.

Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime
Pursuant to Section 342.2 of the Code, it is illegal to sell or offer for sale a device that is designed or adapted primarily to commit an offence under Section 342.1 (hacking) or Section 430 (mischief).

Possession or use of hardware, software or other tools used to commit cybercrime
Pursuant to Section 342.2 of the Code, it is illegal to make, possess, import, obtain for use, distribute or make available a device that is designed or adapted primarily to commit an offence under Section 342.1 (hacking) or Section 430 (mischief), knowing that the device has been used or is intended to be used to commit such an offence. The maximum penalty is up to two years' imprisonment and/or an order to forfeit the offending device(s).

Identity theft or identity fraud (e.g. in connection with access devices)
Section 402.2 of the Code prohibits obtaining or possessing another person's identity information with the intent to use it to commit an indictable offence such as fraud. The maximum sentence is five years' imprisonment. In R v. Levesque, the accused held multiple forms of identity information, including credit cards and passports. The only reasonable inference the Court could make in the circumstances was that the accused intended to commit fraud or personation.

Fraudulently "personating" another with the intent of gaining an advantage, obtaining property, causing disadvantage to another or to avoid arrest or prosecution is prohibited under Section 403 of the Code. The maximum penalty is 10 years' imprisonment. Personating includes pretending to be the person or using the person's identity information, including their name, signature, username or password. In R v. Mackie, the accused was found guilty of personation after gaining access to young people's Facebook accounts and pretending to be a victim in order to contact other children.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)
Pursuant to Section 342.1 of the Code, it is an offence to fraudulently obtain, without colour of right, any computer service, including data processing, and the storage or retrieval of computer data. See, for instance, R v. St-Martin, where a police officer fraudulently obtained electronic information regarding multiple individuals using a police database.

Section 41.1(1) of the Copyright Act, RSC 1985, c C-42 prohibits circumvention of a "technological protection measure", including any technology, device or component that controls access to a work or sound recording or restricts violations of certain copyright provisions. Circumventing a technological protection measure includes descrambling a scrambled work, decrypting an encrypted work or otherwise avoiding, bypassing, removing, deactivating or impairing the technological protection measure without consent. Some violations of Section 41 can lead to fines of up to $1 million, imprisonment for up to five years or both. In Nintendo of America Inc. v. King, the respondent was found to have trafficked in circumvention devices for Nintendo's technological protection measures.

Some Data Protection Statutes (as defined in question 2.1) also allow for the imposition of administrative penalties or fines for improperly collecting, using, disclosing, gaining or attempting to gain access to personal information ("PI"). For example, pursuant to Section 107 of the Health Information Act, RSA 2000, c H-5 (Alberta), a person who knowingly gains or attempts to gain access to health information in contravention of the Act is guilty of an offence and can be fined up to $50,000. Alberta's private sector privacy legislation, the Personal Information Protection Act, SA 2003, c P-6.5, also makes it an offence to collect, use, disclose, gain or attempt to gain access to PI in contravention of the Act, subject to a fine of up to $10,000 for an individual and up to $100,000 for a person other than an individual.

Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)
It is possible that unsolicited penetration testing could be prosecuted under Section 430(1.1) (mischief) and/or Section 342.1 (hacking) of the Code.

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data
Pursuant to Section 83.2 of the Code, an individual who commits an indictable offence for the benefit of, at the direction of, or in association with an organisation that commits a terrorist activity is liable to imprisonment for life. Section 83.01 of the Code defines a "terrorist activity" to include an act or omission that intentionally causes serious interference with or disruption of an essential service, facility or system, whether public or private, other than in non-violent protests.

Section 19 of the Security of Information Act, RSC 1985, c O-5, makes it an offence to communicate a trade secret with another person, group or organisation, or to obtain, retain, alter or destroy a trade secret, for the benefit of or in association with a foreign economic entity that undermines Canada's economic interests, international relations, or national defence and security. Defences include independent development or reverse engineering, among others. A guilty party may be ordered to serve up to 10 years in prison.

1.2 Do any of the above-mentioned offences have extraterritorial application?

Section 6(2) of the Code provides that "no person shall be convicted of an offence that takes place outside of Canada" (see also Section 478(1) of the Code). However, pursuant to Sections 7(3.74) and 7(3.75) of the Code, certain terrorism offences and indictable offences that are considered terrorist activities may be deemed to have been committed in Canada, including when the offence is committed by or against a Canadian citizen.

The Supreme Court of Canada has held that, where a "significant portion" of the activities constituting an offence took place in Canada, a Canadian court may assume jurisdiction. A court will consider whether there is a "real and substantial link" between the alleged crime and the jurisdiction seeking to enforce the law (see R v. Libman).

Pursuant to Section 26(1) of the Security of Information Act, a person is deemed to have committed an offence in Canada, despite the fact the act or omission took place elsewhere, if the person: is a Canadian citizen; is someone who owes allegiance to Her Majesty in right of Canada; performs functions for a Canadian mission; or returns to Canada after the offence was committed.

Certain provisions of CASL may have extraterritorial application. For example, Section 8 (installation of computer program) applies if the computer system is located in Canada at the relevant time, or if the person is either in Canada at the relevant time or is acting under the direction of a person who is in Canada at the time when they give the directions.

1.3 Are there any factors that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences (e.g. where the offence involves "ethical hacking", with no intent to cause damage or make a financial gain)?

Sentencing in Canada is determined on a case-by-case basis, relying on statutory guidance under Section 718 of the Code. The basic principle is that the sentence must "be proportionate to the gravity of the offence and the degree of responsibility of the offender" (Section 718.1 of the Code). Additionally, "the degree of planning involved in carrying out the offence and the duration and complexity of the offence" are also considerations (Section 718.21(b) of the Code).

Certain criminal offences require proof of criminal intent (e.g. mens rea). Also, some offences may not apply where the action was undertaken with consent. For a recent discussion of intent as it related to Section 430(1.1) (mischief), Section 342.1 (hacking), and Section 24 (attempts) of the Code, see R v. Livingston.

The penalties for some offences depend upon the financial repercussions of the offence. For example, Section 380(1) of the Code (see Section 1.1) carries a maximum sentence of 14 years' imprisonment for fraud involving $5,000 or more, whereas the maximum sentence is reduced to two years' imprisonment if the value of the subject-matter of the offence is less than $5,000. There are also other aggravating factors, such as the number of victims or the complexity of the fraud, that may increase the severity of the punishment (see Section 380.1(1)).

This article was first published in the ICLG – Cybersecurity

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2020