Introduction
In a recent case HKSAR v Chu Tsun Wai [2019] HKCFA 3, the Court of Final Appeal (“CFA”) set out the basis to which a cyber-attacker may be found guilty for damaging the other’s property by misusing the victim’s computer through the victim’s website.
Background
On 12 October 2014, Mr Chu Tsun Wai (“Mr Chu”) took part in a Distributed Denial of Service (“DDoS”) attack on the website of the Shanghai Commercial Bank (the “Bank”). Mr Chu was charged with a criminal offence, contrary to section 60(1) of the Crimes Ordinance (“CO”), namely that he, without lawful excuse, damaged property belonging to another intending to damage such property or being reckless as to whether such property would be damaged.
What is DDoS?
DDoS is one kind of cyber-attack. Generally, when a computer user calls up a website to access it, the user’s computer sends a “request” to the website service, i.e. the computer that supports that website, calling up the website page. If the website service is available, it will respond to the request by transmitting the page. When the page appears on the screen of the user’s computer, the user may click on some services he or she want to access, for example, the user’s bank account, and the user’s computer will send another request, and so on. The capacity of the website service to deal with requests at any given time (i.e. its “bandwidth”) is finite. The method of a DDoS attack is for a number of co-ordinated computers to send a very large number of requests at more or less the same time to exhaust the server’s bandwidth, thereby denying access to persons wishing to transact their ordinary and legitimate business through the website and possibly causing the overloaded system to crash.
In the present case, the server of the Bank received 504,592 requests within the space of an hour, of which 6,652 came within a space of 16 seconds from Mr Chu’s computer (the “Requests”). The attack was a failure because the server of the Bank had enough surplus capacity to prevent the attack from having any effect upon its other operations.
Principal issue before the CFA
Section 59(1A) of the CO provides that “damage to property” in relation to a computer included “misuse of a computer”. The term “misuse of a computer” is defined by the same section to mean:
- to cause a computer to function other than as it has been established to function by or on behalf of its owner, notwithstanding that the misuse may not impair the operation of the computer or a program held in the computer or the reliability of data held in the computer (“paragraph (a)”);
- to alter or erase any program or data held in a computer or in a computer storage medium;
- to add any program or data to the contents of a computer or of a computer storage medium (“paragraph (c)”).
- At the Magistrates’ Court, it was found that Mr Chu was the user of the computer launching the DDoS attack to the Bank’s website and his participation was intentional. The magistrate found that Mr Chu had misused the Bank’s computer and convicted Mr Chu. The conviction was upheld upon appeal to the Court of First Instance and Mr Chu appealed to the CFA. The principal issue before the CFA was whether Mr Chu had caused the computer of the Bank to “function other than as it has been established to function by or on behalf of its owner” within the meaning of paragraph (a).
CFA’s ruling
The CFA unanimously dismissed the appeal and upheld Mr Chu’s conviction.
The CFA reasoned that the definition of “misuse of a computer” does not require access as such to have been unauthorised, and it applies to computers which, through their websites, offer open access to the world. The offence under section 60(1) of the CO is committed when, having obtained access to the computer through the website, one causes it to “function other than as it has been established to function by or on behalf of its owner”. The question therefore is how one describes the way in which the computer has relevantly been established to function by its owner.
Mr Chu argued that the Bank’s computer functioned as it had been established to do because it dealt with the Requests in accordance with what it had been programmed to do. However, the CFA dismissed this argument and was of the view that computers can only do what they have been programmed to do, and that the statue is concerned with what the owner has set it up to do. In other words, the functions for which the computer is established to do are not so much concerned with the way it works (or fails to work) but what it was intended to do. The Bank’s website and its server were established to provide banking services, not to deal with multitude of requests made for no purpose except to inconvenience the Bank and its customers and generate publicity for the attackers. As such, the CFA held that DDoS attack is very appropriately described as a misuse of the Bank’s computer and that Mr Chu has caused the Bank’s computer to function other than how the Bank has established it to function.
On a side note, in convicting Mr Chu, the magistrate mentioned in his judgement that Mr Chu had added information to the Bank’s computer within the meaning of paragraph (c). Mr Chu submitted to the CFA that the prosecution based its case before the magistrate solely upon paragraph (a) and Mr Chu therefore adduced no evidence in relation to paragraph (c). The CFA agreed that reliance upon paragraph (c) would be unjust to Mr Chu, but nevertheless dismissed the appeal because the magistrate’s wrongful reliance on paragraph (c) was immaterial.
Conclusion
In this case, the CFA provided the legal basis to which cyber-attack on one’s website can be regarded as “misuse of a computer” and thus constitutes damage of property under section 60(1) of the CO. In particular, the CFA clarified that the owner’s intention of the computer is a key determinant of whether the computer has been misused.
Need legal advice?
For enquiries, you can obtain legal advice from experienced lawyers in Hong Kong. For a fixed fee, you can consult an experienced lawyer on the phone within two days to get to know your legal issues and provide fast legal advice.
This article was originally published on ONC Lawyers.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.