Review of Paper on Changes to Book III of Criminal Code (Incorporation of Provisions on Cybercrime)

12 July 2015 by S. Moonesamy

Changes to Book III of Criminal Code (Incorporation of Provisions on Cybercrime)

The "Changes to Book III of Criminal Code (Incorporation of Provisions on Cybercrime)" paper recommends "the incorporation in our Criminal Code of provisions, inspired by French Penal Code, relating, inter alia, to Fraudulent access to a computer system, Violations of the operation of a computer system, Import, possession, supply, sale or provision of a breach equipment to a computer system, Identity theft or use of data to identify any third party, and Pornographic exploitation of the image of a minor".

Review

The paper defines "cybercriminalite" (cybercrime) as all criminal infractions which are committed via information networks, e.g. the internet. According to the paper, criminal infractions were up to now covered by special laws, namely the Information and Communication Technologies Act and the Computer Misuse and Cybercrime Act. Mauritius only acceded to the Budapest Convention in November 2013. The paper states that those two acts were inspired by the Budapest Convention 2001. The paper notes that some types of criminal behavior in which technology is used are similar to scams and are covered by Section 330 of the Mauritius Criminal Code.

As the paper notes, writing a law about cybercrime is a delicate exercise as the definition of the offence should account for changes in technology so that the law does not become obsolete. The paper builds upon Article 322-1 and Article 323-7 of the French Penal Code to add a Chapter III to Title II (new sections 369A to 369I of the Mauritius Criminal Code).

Fraudulent access to a computer system

The proposed Section 369A is as follows:
Fraudulently accessing or remaining within all or part of an automated data processing system is punished by imprisonment not exceeding two years and by a fine not exceeding 100,000 rupees. Where this behaviour causes the suppression or modification of data contained in that system, or any alteration of the functioning of that system, the sentence cannot exceed three years' imprisonment and a fine of 150,000 rupees.
When the offenses in the first two paragraphs have been committed against an automated processing system of personal data implemented by the State, the penalty is increased to imprisonment not exceeding five years and a fine of 200,000 rupees.

Is fraudulent access similar to wrongful or criminal deception intended to result in financial or personal gain? The explanation in the paper is that any unauthorized access is considered as fraudulent access. Visitors sometimes stumble upon a mistake affecting the security of, for example, a web site. A visitor without any knowledge of security would not know that it is a mistake. A visitor with some basic knowledge of security might notice that there is something unusual. The practice is to document the issue and ask for advice about whether it is a mistake. The impact of the proposed change is that it will discourage a visitor from asking for advice about mistakes, which has a negative impact on the security of a system. This benefits the visitor with wrongful or criminal intentions at the expense of usual visitors or the owner of the system. The former will attempt to derive material gain from the usual visitors or the owner of the system by exploiting that mistake.

Violations of the operation of a computer system

The proposed Section 369B is as follows:
Obstructing or interfering with the functioning of an automated data processing system is punished by imprisonment not exceeding five years and a fine not exceeding 200,000 rupees.
When this offense has been committed against an automated processing system of personal data implemented by the State, the penalty is increased to imprisonment not exceeding seven years and a fine not exceeding 500,000 rupees.

The term "automated data processing system" is undefined. Nowadays, a phone would fit the description of an "automated data processing system" as it is similar to a computer. The proposed change for this section is far-reaching. A visitor could unintentionally cause a web site to "crash" through the usage of a web browser. The onus is on the visitor to prove that there wasn't malicious intent.

Interference with data in a computer system

The proposed Section 369C is as follows:
The fraudulent introduction of data into an automated data processing system or the fraudulent deletion or modification of the data that it contains is punished by imprisonment not exceeding five years and a fine not exceeding 200,000 rupees.
When this offense has been committed against an automated processing system of personal data implemented by the State, the penalty is increased to imprisonment not exceeding seven years and a fine not exceeding 500,000 rupees.

It is common for visitors to enter incorrect information in web forms, e.g. an incorrect date of birth. Would it be considered as an offense under this proposed section?

Import, possession, supply, sale or provision of a breach equipment to computer systems

The proposed Section 369D is as follows:
A person who, without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer programme or information created or specially adapted to commit one or more of the offences prohibited by sections 369A to 369C, is punished by the penalties prescribed for the offence itself, or the one that carries the heaviest penalty.

Some software is classified as a dual-use item. For example, Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. The proposed change makes it illegal to store a copy of the software. The explanation for this section states that the intent is to make possession of a virus illegal. It will no longer be possible for researchers to analyze malware once this section is part of the law.

Participation in a group formed or association established with a view to committing computer fraud

The proposed Section 369E is as follows:
Participating in a group or conspiracy established with a view to the preparation of one or more offences set out under sections 369A to 369D, and demonstrated by one or more material actions, is punished by the penalties prescribed for offence in preparation, or the one that carries the heaviest penalty.

This section makes it illegal to participate in, for example, an open source software project building dual-use software. Given the ambiguities in the previous sections, the impact of this section is unclear.

Additional penalties

The proposed Section 369G is as follows:
Natural persons convicted of any of the offences provided for under the present Chapter also incur the following additional penalties: forfeiture, for a period not exceeding five years, of civic, civil and family rights.

Is a person entitled to vote if the above offences are not connected with elections?

Identity theft or use of data to identify any third party

The proposed Section 369I is as follows:
The act of impersonating a third party or make use of one or more data of any kind which allows to identify him in view of disturbing his tranquility or that of others, or harm his honor or his reputation or consideration, is punishable by imprisonment not exceeding one year and a fine not exceeding 150 000 rupees. This offense is punishable by the same penalties when committed on a public online communication network.

The explanation in the paper for this section is that identity theft in, for example, the United Kingdom has caused substantial economic loss. The explanation refers to a comment by APACS, a United Kingdom trade organisation, that fraud affecting online banking doubled in the first semester of 2006 in comparison with the previous year. The objective of this proposed section is to address identity theft and the usage of any data which could be used to identify another person and affect that person's honor or reputation. It seems that the intent of that section in the French Penal Code is misunderstood within the context of technology as it translates into impersonation instead of identity theft.

Conclusion

The proposed changes to Book III of Criminal Code (Incorporation of Provisions on Cybercrime) would supplement the existing special laws. The paper is scanty with respect to information about cybercrime cases in Mauritius. The repressive measures are not counterbalanced by measures to discourage negligence by the owner of a "data processing system". In a judgement, the Supreme Court of Mauritius pointed out that what is "alarming is the relatively low threshold prescribed for obtaining access to personal data". It could be argued that the existing provisions in the law would allow the police to gain access to information which can be used to identify a person in Mauritius suspected of "cybercrime". In 2012 the number of reported offences under the Information and Communication Technology Act was 1,186 and 198 for the Computer Misuse and Cybercrime Act. Would the proposed changes deter people from committing such offences or would they broaden the range of offences to an unknown extent?

1. "Paper Changes to Book III of Criminal Code (Incorporation of Provisions on Cybercrime)", Law Review Commission, June 2015
2. Speech for Honorable Tassarajen Pillay Chedumbrum, Minister of ICT, Ministry of Technology, Communication and Innovation
3. "Convention on Cybercrime, Budapest", Council of Europe
4. Nmap
5. 2015 SCJ 177 Record No. 108696, Supreme Court of Mauritius, 29 May 2015
6. Digest of Crime, Justice and Security Statistics, Statistics Mauritius