|
Open
Source Law Publications
Submission
of the Legislative Watch SubCommittee
of
The
New South Wales Society for Computers & the Law
To
Senate
Legal and Constitutional Legislation Committee
in
relation to
18
July 2001
This Submission consists of 4 parts
Part A – Specific Drafting Issues, Derek
Neve
Part B – Policy discussion and examples
(Main issues), Brendan Scott
Part C – Policy Discussion and Examples
(Other Issues), Brendan Scott
Appendix 1 – Extracts from Copyright Act
Brendan Scott, Derek Neve, Baker &
McKenzie
Part A
Specific Drafting Issues
Prepared by: Derek Neve, Baker & McKenzie,
9210 2658
The Society recognises
that those of its concerns which are set out in Parts B and C of this
submission result from differences on the fundamental policies which
lie behind the parts of the Model Criminal Code from which the Bill
draws. However, we believe that the problems explained in this first
part of our submissions arise from shortcomings in the drafting of
the Bill (and, indeed, in the Model Criminal Code itself). Those
problems require correction in order for the Bill to accurately
reflect the intentions of the Officers’ Committee which drew up the
Model Criminal Code. Some suggestions as to how those changes might
be made are set out below.
1.Section
308F(1) and 308G(1): Relevance of data
If interpreted
literally, the element of possession of data under section 308F(1)
could be satisfied by possessing any data about anything at all. That
is not what the Committee intended (see Report on the Code,
Chapter 4 at page 179). To clarify that the relevant data are data
which are adapted to committing the intended computer offence,
subsections 308F(1)(a) and 308F(1)(b) might be changed to read "with
the intention of using the data to commit ..." and "with
the intention of using the data to facilitate ...".
Those words would then
mirror the wording of the analogous offence for tangible property:
"... with the intention that the person or another person will
use it to damage ..." (see section 4.1.10 of the Report on the
Model Criminal Code). It would also reflect the wording of the draft
Convention on Cybercrime from which the Committee drew in formulating
this offence.
While we recognise that
it might be possible for courts to read into the present wording the
meaning expressed by our proposed changes, there is no justification
for creating unnecessary uncertainty by leaving a court to do so -
particularly since the drafters of the related provisions in section
4.1.10 of the Report and draft Cybercrime Convention thought it
appropriate to include the clarifying words.
For the same reasons,
subsections 308G(1)(a) and 308G(1)(b) might be changed to read: "with
the intention of using it to commit …" and "with the
intention of using it to facilitate …".
2.Section
308F(2): "possession or control of data"
Even if it is
understood that the relevant data are those adapted for use in
committing another computer offence, it is not clear from the
proposed drafting of subsection 308F(2) that more than mere knowledge
of relevant data is required. The Report of the Officers Committee
on the Model Criminal Code recognises that it would be contrary to
principle to introduce an offence which permits criminal conviction
just on grounds of intent and states that this offence requires some
tangible manifestation of the crime charged.
If a tangible
manifestation is required, the definition of "possession or
control of data" in section 308F(2) should clarify that mere
knowledge of data does not amount to possession of that data for
these purposes. Accordingly, possession or control of data should be
confined to possession of data in some tangible form. That could be
achieved by adding the words "means possession or control of
data in a tangible form and" before "includes" in the
first part of the subsection. A requirement for data to have some
tangible manifestation cannot be read into the definition of "data",
because "data" is used in the Bill in the context of access
and display, where there may be no tangible manifestation at all.
3.Section
308F(1) and 308G(1): Maximum penalty
Section 308F applies to
an intent to commit a "computer offence", which under
section 308 means any offence against Part 6. Offences against
sections 308H and 308I are offences against Part 6, for which the
maximum penalty is only 2 years. It is not appropriate that the
maximum penalty for attempting to offend sections 308H and 308I
exceeds the maximum penalty for actually doing so.
As compared to the
current drafting, the last words of this subsection could be amended
to read: "Imprisonment for 3 years or the maximum period of
imprisonment for the computer offence which the person intended to
commit, whichever is the lesser". However, we suggest this
issue be given further consideration. If a 3 year maximum is
appropriate for intent to commit offences against sections 308D and
308E (for which the maximum sentence is 10 years), a maximum sentence
of less that 2 years may be warranted for intent to offend against
sections 308H and 308I.
The same comment
applies equally to section 308G(1).
4.Section
308H(3): Definition of restricted data
The Report of the
Officers' Committee on the Model Criminal Code recognises that
criminal consequences should not generally attach to access to
private information and included the definition of "restricted
data" to identify a class of information which justifies
criminal sanctions for unauthorised access. It is clear from the
Report that the Committee had in mind password or other security
facilities.
However, the key words
in the definition of "restricted data" in section 308H(3)
are "restricted by an access control system". These words
are too wide, since the inherent function of all computers is to
control and restrict access in one way or another and certainly in
ways not necessarily involving passwords or other security measures.
The meaning of
"restricted data" should be clear from the face of the
Bill, without resort to the Report of the Officers' Committee. It
would be preferable to replace the words "access control system"
by "security system". There may also be other, better
solutions to this problem and we suggest the issue be given further
consideration.
Part
B
Policy
discussion and examples
Main
Issues
Prepared by: Brendan Scott
5. Executive Summary
5.1 The key practical side effect of the Bill will
be to create a form of property in information or of property in the
right of access to information, through exploitation of the
definition of “unauthorised” and of “restricted data”.
5.2 It will not be overly difficult for skilled
lawyers to bring data within the ambit of these provisions,
effectively creating an alternative regime to the laws relating to
copyright and confidentiality for the protection of information. This
new regime will not reflect the complex balancing of interests
found in existing laws such as those relating to copyright and breach
of confidence.
5.3 If the ability to grant or withhold a licence
is taken as informing the meaning of “authorise” this will have
the practical effect of greatly expanding the protection of data
beyond that contemplated by the Copyright Act. For example, should a
copyright holder distribute books electronically, those electronic
books could be quite easily encapsulated in such a way as to
criminalise access which would otherwise have been permitted as an
exception (such as fair dealing) to a copyright holder’s monopoly,
in effect removing the public benefit of the fair dealing exceptions.
In the long run, it may provide an avenue for owners of copyright to
convert civil enforcement costs into a cost to be borne by the
community through criminal offences.
5.4 Specific terms within the Bill are not
sufficiently defined to restrict application of the offences to truly
criminal behaviour.
5.5 The Bill creates the potential for the
restriction of freedom of speech through its references to impairing
the “reliability” or “security” of data.
Remedial Action
The breadth of, and
background to, the Bill is such that it is not easy to suggest
immediate remedies to any of the issues set out above. It is the
view of the Subcommittee, that the Bill [ed??]
6. Section
308F
6.1 Discussion
While this clause has been created by analogy to
preparatory offences “in the real world”, it overlooks aspects of
the real world which clarify the operation of the preparatory offence
in the real world. In the "real world" there will
ordinarily be some physical relationship between the possession of
the item and the offence in question, for example, being found
outside a someone else's window with a crowbar. In the computer
version, this is less likely to be the case. In a sense, there is
less likely to be a sufficient physical prerequisite to the crime in
order to base an intent argument. Rather, if any computer offence is
committed, this intent crime will necessarily be an adjunct after the
fact.
The key problem with this clause is that, because
of the nature of computer offences, the difficulty of showing a
physical manifestation of intent in computer offences, and the
possible ubiquity of “data” which would found the offence, there
is a risk that mere intent will convert harmless possession into
criminally liable possession. Further, the point at which a
non-criminal possession becomes criminal may be only a split second,
compared with, for example, the time involved where someone goes
equipped to steal and the relative paucity of things that would
qualify as equipment in this context.
6.2 Example:
A is a secretary who works for B. In the course
of A’s employment A is given B's username and password for the
purpose of administering B's email (these things are stored on A's
computer). A is dissatisfied with A's payrise and, in a fit of
pique, resolves to resign and delete B's email file. Has A committed
a 308F offence? The fit is a transient one and A decides that working
for B is not so bad. A takes no action.
6.3 Analysis
The clause implies, but does not require, there be
a relationship with the data possessed and the crime intended to be
committed. There is also no link between the purpose for which the
data is possessed or controlled and the intent. See also part A in
relation to the breadth of meaning of “data”, “possessed” or
“controlled”.
7. Section
308H
There is no requirement that the restricted access
system be subverted, or even that the person committing the act is
aware that the data is restricted data. For example, if A leaves
themselves logged on and B access the data on their system without
authorisation, whether B commits a 308H offence is determined by
whether or not the data is restricted data, regardless of B’s
awareness that it is restricted data and regardless of B having done
nothing to subvert the access control system.
The practical effect of clause 308H is to
criminalise actions which previously were only protected by copyright
law (or the laws governing confidential information) and, therefore,
only been subject only to a civil sanction. The level of criminality
involved in copyright infringements has been the subject of much
debate and many submissions to the Commonwealth on modifications to
the Copyright Act (see sections 116A-116D of the Copyright
Act). This provision effectively creates a new information
protection regime sufficient in its breadth (and in the hands of a
sufficiently skilled copyright lawyer) to supplant copyright for
practical purposes, but does so without the same level of policy
discussion of the role of balancing the public interest against a
legislative monopoly. Read examples (a) and (b) and compare the
complex and finely structured application of section 116A of the
Copyright Act (with its manifold qualifications and
exceptions) against the blunt action of 308H.
Arguably any data is restricted data because in
practice all data will be subject to an “access control system”
of some form or another. See example (c) below – is the whole of
the web restricted data? In the definition of “access control
system” it is not clear whether "to which access is
restricted" refers to "data" or "computer". Given the reference in
subsection (1)(a) to computer, it probably
refers to “data”, but would benefit from clarity. See also Part
A, section 4.
7.1Examples
(a) A is on holiday in the US and, unaware of DVD
regional coding, buys a region 1 DVD. On arriving back in Australia
A discovers that Australian bought DVDs (Region 4) will not play in
A's player and has the DVD regions regime explained by a shop
assistant at the time of A's resulting complaint. Following
instructions downloaded from the internet, A opens up A's DVD player
and modifies the switches in it to convert it into an all regions
player. A plays a region 4 DVD on A's modified region 1 player. Has
A committed a 308H offence? (A region 4 DVD is licensed only for
playing on a DVD player purchased as a region 4 player. When a DVD
is played a code is exchanged between the DVD and player to determine
whether or not to play the DVD).
(b) ACorp distributes software SW which uses a
data set DS (say DS is a mailing list of addresses). When run, SW
requires a username and password to be entered before permitting
access to the data set DS. B is a university academic. B acquires a
copy of SW and DS. Without running SW and being unaware of the
username requirement, B reads DS with a word processing package. The
first line of DS states "you must not access any part of DS
except through the use of SW - by order of ACorp". B reads this
and continues to access the balance of DS. Has B committed a 308H
offence? Would the result be any different if DS was encrypted and B
needs to go to some effort to decrypt DS before inspection? B sends
DS to C, suggesting C inspect it with a word processor. B does not
send SW to C. C inspects DS with a word processor, reads the first
line and continues to access the balance of DS. Has C committed a
308H offence?
If restricted data
only refers to that data which is “in fact” restricted, then
should an interloper subvert the restriction mechanism, then that
subversion will convert the restricted data into unrestricted data. If
not, restricted data is too broad. In the example, assume DS may
also be accessed by a second set of software SW2 (in fact, in the
example, the word processing software is SW2), and when so accessed
is not subject to an access control system. In these circumstances
will DS be “restricted data” or not?
(c) In order to access the world wide web A logs
onto A’s internet service provider ISP. In so doing A must enter a
username and password. A intends to access the world wide web
through ISP. Is all of the world wide web “restricted data”
within the meaning of this clause (and of the meaning of paragraph
(c) of the definition of “data held in a computer” in clause
308)?
8. Clause
308I
8.1 Discussion and analysis
The issues in clause 308I relate to the meaning of
terms such as “impair”, “reliability” and “security”. On
an ordinary English interpretation the “reliability” of data can
be impaired by a number of means aimed at undermining confidence in
the data, none of which involve any tampering with the data itself or
with the operation of the computer one which the data is stored. For
example, by arguing that the data is not the product of sound
science. It is not clear what "operation" of data means. This clause
also raises similar issues to that of clause 308H in
relation to the interaction between the criminal law and the policy
underlying the legislative monopoly of copyright.
8.2 Examples
(a) ACorp writes popular operating system software
OS which contains many security bugs. These security flaws are
unknown to the world in general. B is a computer security expert
who, through B's diligent inquiry and experimentation, has identified
some of these flaws and posts a "security alert" message on
B's website setting out the main characteristics of these flaws. Has
B impaired/intended to impair the security of data held on systems
using the OS software? Has B committed a 308I offence? What if B,
on B's website, explains in detail how to exploit the security flaws?
(b) ACorp posts marketing material and data on the
internet relating to its new cold fusion invention. B, a former
engineer at ACorp, knows that the methodology used to derive ACorp's
data is flawed. B posts a message on the internet aimed at impairing
the reliability of that data by arguing that there were flaws in the
means by which it was derived. Has B committed a 308I offence?
(c) ACorp produces movies on DVDs. The movies on
the DVDs are encrypted by ACorp. B buys one of ACorp's DVDs and
downloads software DS off the internet to decrypt the movie. Has B,
by downloading the software, impaired the security of the data
comprising the movie on the DVD, and thereby committed a 308I
offence? What if B goes ahead and decrypts the movie using the
software and B's computer? What if B plays the movie and records its
output without using the software? What about: (i) C who analyses
and cracks the encryption method used? (ii) D who writes the software
which enables the decryption of the movie; (ii) E who places DS on
E's website; (iii) F who advertises over the internet the fact that
DS is available on E's website and that it will enable the decryption
of movies on ACorp's DVDs?
Part
C
Policy
discussion and examples
Other
Issues
Prepared by: Brendan Scott
9. Clause
308
The Society notes that the definitions in clause
308 have been inherited from provisions in other Commonwealth
legislation, such as the Electronic Transactions Act. However, a number
of definitions, if read on their face, have a
meaning far broader than apparently intended.
Data storage device: libraries bar code their
books, the bar codes are intended only to be read by a computer. Does
that make the piece of paper on which a bar code is recorded a
“data storage device”? Extending the example further, A dictates
into a dictaphone. The tape is later entered into a computer for
voice recognition software to transcribe the tape. Is the dicatphone
tape a “data storage device”? Would a piece of paper on a
scanner ready to be scanned into a computer be a data storage device?
Is there anything that would not be a data storage device? Is mere
intention to use it in relation to a computer the only characteristic
which defines it? That is, the definition of data storage device may
ultimately be determined not by characteristics inherent to the
device, but by reference to subjective intentions.
10. Clause
308A
Is printing an email "any [other] output of
the data from the computer" and therefore an access to that
data? Is it a movement of data to a data storage device (see
discussion in section 5). If A sends spam to millions of people, has
A impaired the electronic communications of (i) those people, or (ii)
of others who are using the link over which the spam is sent? In
relation to (ii), is the answer the same if A sends out the same
volume of commercial traffic?
What does it mean for access, modification or
impairment to be “caused (directly or indirectly) by the execution
of a function of a computer”? For example, if A has a backhoe with
a computer controlled operating pad, is anything the backhoe does as
a result of A’s interaction with the operating pad “caused by the
execution of a function of a computer”? If A is using the backhoe
in their back garden and cut the main fibre optic cable between
Sydney and Melbourne, has A “impaired” an electronic
communication to or from a computer (see 9.2(e) below)?
11. Clause
308B
Clause 308B(1) effectively defines "unauthorised"
as meaning "not entitled to". However “not being
entitled to” does not advance the meaning of unauthorised any
further.
308B(1) also points to the effects of the
operation of a function of a computer, not the function itself. So if
A is entitled to perform a function, but is not entitled to cause an
access, modification or impairment (which occurs as an indirect
effect of the function A is entitled to perform), has A committed an
unauthorised access, modification or impairment? The Society
acknowledges that the force of this criticism is mollified when read
against the specific offences.
12. Clause
308C
The Society does not understand why the
circumstances set out in this clause are not already covered by the
law of attempt to commit the serious offence in question. Is there
any evidence that computers are being used for preparatory offences
in a manner which does not constitute attempt?
13. Clause
308D
13.1 Discussion
and Analysis
Does "impair reliability of" data extend
to rational critiques of the information - for example, by pointing
out errors in data gathering methodology?
13.2 Example
A is an S11 protester and hacks a global
corporate's web site. A modifies the site by the inclusion of a
single, simple link to alternative information sources (without
disrupting the balance of the site). The protester intends by that
modification to impair the "reliability" of information on
the global corporate's web site. Has the protester committed a 308D
offence? If A intends to impair the reliability of the information
in printed brochures of the corporate, but which are not held in any
computer has A committed a 308D offence?
14. Clause
308E
14.1 Discussion
and analysis
Similar issues arise in relation to clause 308E as
with other clauses as a result of the unclear meaning of what it is
to be unauthorised/what is meant by being entitled to.
14.2 Examples
(a) A downloads a piece of software over the
internet. The licence terms of the software require that A must
consent to the collection of data from A's computer in return for a
licence to use the software ("spyware" as it is known). A
reads the terms in full, but regards them with contempt. A disables
the spyware features of the software but continues to use the useful
features (ie commits a breach of licence). Has A committed a 308E
offence?
(b) A & B work at the same company CCorp. A
believes B intends to use A's computer while A is away from A's desk
to send an email. A runs a password protected screen saver when they
leave their desk. B tries to send an email, but can’t because of
the screen saver. CCorp’s has expressly prohibited the use of
password screen savers but is silent about sending emails from other
people’s machines. Has A committed an offence? If so, when? Would the
answer be different if B did not want to (and did not try
to) send an email? – That is, if there is no communication
attempted to or from the computer, is there an “impairment”? Therefore,
does B’s intention or action criminalise A’s action
after the fact?
(c) A works for BCorp. A uninstalls the email
program on A's computer at work. BCorp has specifically prohibited A
from making changes to the software on A’s computer. Has A
committed a 308E offence where: (i) A is sick of receiving spam
emails and intentionally uninstalls the program to achieve that
purpose? (ii) A has heard of a new program A wants to use and needs
to uninstall the old program first (A installs the new program and
everything works dandy apart from a temporary impairment)? (iii) A
just couldn't care less about the consequences?
(d) A gives B A's mobile phone saying - "don't
turn it off and don't divert under any circumstances, I need to
contact you at any moment". B enters a hospital grounds and
turns the phone off for 15 minutes. Is B guilty of an offence? B
uses the "divert" function of the phone and programs a
voicemail number into it while "going to the bathroom" for
5 minutes. Has B committed an offence? If so, when? Would it make
any difference if A says they intend to send an SMS message through
the use of their computer? What if B simply turns the ringer volume
down or off? Is this an "impairment"?
(e) A has a backhoe and is digging in A's back
garden. The backhoe has a computer controlled operating pad. Through
its use A cuts the main fibre optic cable between Sydney and
Melbourne. When A hires the backhoe from B, B says “Be careful
about cables and wires running under the ground”. A considers the
possibility of cables running under A’s yard, but thinks that the
chances of there being any are slim. Has A committed a 308E offence?
What if A cuts an electricity cable? What if the utility provider
transmits electricity usage information over the cable as well as
electricity?
15. Clause
308G
15.1 Example
A is a
disaffected student with little or no
computing experience. A resolves to hack the website of B corporation
and undertakes a course of study (by sources available over the
internet) to do so (including an acquisition of descriptions of
hacking techniques). After 6 months of study A considers the
endeavour all too hard and gives up. Has A committed an 308G offence?
Note
Clauses 308F, 308G, 308H and 308I are discussed in
detail in Part A and Part B.
Appendix
1
Extracts
from COPYRIGHT ACT 1968
(from
Austlii www.austlii.edu.au)
47D
Reproducing computer programs to make interoperable products
(1) Subject to this Division, the copyright in a
literary work that is a computer program is not infringed by the
making of a reproduction or adaptation of the work if:
(a) the reproduction or adaptation is made by, or
on behalf of, the owner or licensee of the copy of the program (the
original program ) used for making the reproduction or adaptation;
and
(b) the reproduction or adaptation is made for the
purpose of obtaining information necessary to enable the owner or
licensee, or a person acting on behalf of the owner or licensee, to
make independently another program (the new program ), or an article,
to connect to and be used together with, or otherwise to interoperate
with, the original program or any other program; and
(c) the reproduction or adaptation is made only to
the extent reasonably necessary to obtain the information referred to
in paragraph (b); and
(d) to the extent that the new program reproduces
or adapts the original program, it does so only to the extent
necessary to enable the new program to connect to and be used
together with, or otherwise to interoperate with, the original
program or the other program; and
(e) the information referred to in paragraph (b)
is not readily available to the owner or licensee from another source
when the reproduction or adaptation is made.
(2) Subsection (1) does not apply to the making of
a reproduction or adaptation of a computer program from an infringing
copy of the computer program.
47E
Reproducing computer programs to correct errors
(1) Subject to this Division, the copyright in a
literary work that is a computer program is not infringed by the
making, on or after 23 February 1999, of a reproduction or adaptation
of the work if:
(a) the reproduction or adaptation is made by, or
on behalf of, the owner or licensee of the copy of the program (the
original copy ) used for making the reproduction or adaptation; and
(b) the reproduction or adaptation is made for the
purpose of correcting an error in the original copy that prevents it
from operating (including in conjunction with other programs or with
hardware):
(i)
as intended by its author; or
(ii)
in accordance with any specifications or other documentation
supplied with the original copy; and
(c) the reproduction or adaptation is made only to
the extent reasonably necessary to correct the error referred to in
paragraph (b); and
(d) when the reproduction or adaptation is made,
another copy of the program that does operate as mentioned in
paragraph (b) is not available to the owner or licensee within a
reasonable time at an ordinary commercial price.
(2) Subsection (1) does not apply to the making of
a reproduction or adaptation of a computer program from an infringing
copy of the computer program.
47H
Agreements excluding operation of certain provisions
An agreement, or a provision of an agreement, that
excludes or limits, or has the effect of excluding or limiting, the
operation of subsection 47B(3), or section 47C, 47D, 47E or 47F, has
no effect.
116A
Importation, manufacture etc. of circumvention device and provision
etc. of circumvention service
(1) Subject to subsections (2), (3) and (4), this
section applies if:
(a) a work or other subject-matter is protected by
a technological protection measure; and
(b) a person does any of the following acts
without the permission of the owner or exclusive licensee of the
copyright in the work or other subject-matter:
(i)
makes a circumvention device capable of circumventing, or
facilitating the circumvention of, the technological protection
measure;
(ii)
sells, lets for hire, or by way of trade offers or exposes for sale
or hire or otherwise promotes, advertises or markets, such a
circumvention device;
(iii)
distributes such a circumvention device for the purpose of trade, or
for any other purpose that will affect prejudicially the owner of the
copyright;
(iv)
exhibits such a circumvention device in public by way of trade;
(v)
imports such a circumvention device into Australia for the purpose
of:
(A)
selling, letting for hire, or by way of trade offering or exposing
for sale or hire or otherwise promoting, advertising or marketing,
the device; or
(B)
distributing the device for the purpose of trade, or for any other
purpose that will affect prejudicially the owner of the copyright; or
(C)
exhibiting the device in public by way of trade;
(vi)
makes such a circumvention device available online to an extent that
will affect prejudicially the owner of the copyright;
(vii)
provides, or by way of trade promotes, advertises or markets, a
circumvention service capable of circumventing, or facilitating the
circumvention of, the technological protection measure; and
(c) the person knew, or ought reasonably to have
known, that the device or service would be used to circumvent, or
facilitate the circumvention of, the technological protection
measure.
(2) This section does not apply in relation to
anything lawfully done for the purposes of law enforcement or
national security by or on behalf of:
(a) the Commonwealth or a State or Territory; or
(b) an authority of the Commonwealth or of a State
or Territory.
(3) This section does not apply in relation to the
supply of a circumvention device or a circumvention service to a
person for use for a permitted purpose if:
(a) the person is a qualified person; and
(b) the person gives the supplier before, or at
the time of, the supply a declaration signed by the person:
(i)
stating the name and address of the person; and
(ii)
stating the basis on which the person is a qualified person; and
(iii)
stating the name and address of the supplier of the circumvention
device or circumvention service; and
(iv)
stating that the device or service is to be used only for a
permitted purpose by a qualified person; and
(v)
identifying the permitted purpose by reference to one or more of
sections 47D, 47E, 47F, 48A, 49, 50, 51A and 183 and Part VB; and
(vi)
stating that a work or other subject-matter in relation to which
the person proposes to use the device or service for a permitted
purpose is not readily available to the person in a form that is not
protected by a technological protection measure.
(4) This section does not apply in relation to the
making or importing of a circumvention device:
(a) for use only for a permitted purpose relating
to a work or other subject-matter that is not readily available in a
form that is not protected by a technological protection measure; or
(b) for the purpose of enabling a person to supply
the device, or to supply a circumvention service, for use only for a
permitted purpose.
(4A) For the purposes of paragraphs (3)(b) and
(4)(a), a work or other subject-matter is taken not to be readily
available if it is not available in a form that lets a person do an
act relating to it that is not an infringement of copyright in it as
a result of section 47D, 47E, 47F, 48A, 49, 50, 51A or 183 or Part
VB.
(5) If this section applies, the owner or
exclusive licensee of the copyright may bring an action against the
person.
(6) In an action under subsection (5), it must be
presumed that the defendant knew, or ought reasonably to have known,
that the circumvention device or service to which the action relates
would be used for a purpose referred to in paragraph (1)(c) unless
the defendant proves otherwise.
(7) For the purposes of this section, a
circumvention device or a circumvention service is taken to be used
for a permitted purpose only if:
(a) the device or service is used for the purpose
of doing an act comprised in the copyright in a work or other
subject-matter; and
(b) the doing of the act is not an infringement of
the copyright in the work or other subject-matter under section 47D,
47E, 47F, 48A, 49, 50, 51A or 183 or Part VB.
(8) In this section:
qualified person means:
(a) a person referred to in paragraph 47D(1)(a),
47E(1)(a) or 47F(1)(a); or
(b) a person who is an authorized officer for the
purposes of section 48A, 49, 50 or 51A; or
(c) a person authorised in writing by the
Commonwealth or a State for the purposes of section 183; or
(d) a person authorised in writing by a body
administering an institution (within the meaning of Part VB) to do on
behalf of the body an act that is not an infringement of copyright
because of that Part.
supply means:
(a) in relation to a circumvention device—sell
the device, let it for hire, distribute it or make it available
online; and
(b) in relation to a circumvention service—provide
the service.
(9) The defendant bears the burden of establishing
the matters referred to in subsections (3), (4) and (4A).
|