open source law logo open source law slogan
open source law symbols
Home | Corporate Profile | Links & Resources | Past Projects | OSL Publications | OSL in the Community | Contact Us
 
OSWALD Newsletter title
What is OSWALD?
OSWALD is the name for our Open Source Law Weekly Open Source Digest. This newsletter contains all sorts of current industry news and resources.
How do I join?
Fill out the form below and we will do the rest!
Name:

Email Address:
>> View past newsletters

Open Source Law Publications

Submission of the Legislative Watch SubCommittee

of

The New South Wales Society for Computers & the Law

To

Senate Legal and Constitutional Legislation Committee

in relation to

Inquiry into the Provisions of the Cybercrime Bill 2001

18 July 2001

This Submission consists of 4 parts

Part A – Specific Drafting Issues, Derek Neve

Part B – Policy discussion and examples (Main issues), Brendan Scott

Part C – Policy Discussion and Examples (Other Issues), Brendan Scott

Appendix 1 – Extracts from Copyright Act

Brendan Scott, Derek Neve, Baker & McKenzie

Part A

Specific Drafting Issues

Prepared by: Derek Neve, Baker & McKenzie, 9210 2658
 
The Society recognises that those of its concerns which are set out in Parts B and C of this submission result from differences on the fundamental policies which lie behind the parts of the Model Criminal Code from which the Bill draws. However, we believe that the problems explained in this first part of our submissions arise from shortcomings in the drafting of the Bill (and, indeed, in the Model Criminal Code itself). Those problems require correction in order for the Bill to accurately reflect the intentions of the Officers’ Committee which drew up the Model Criminal Code. Some suggestions as to how those changes might be made are set out below.


1.Section 308F(1) and 308G(1): Relevance of data  

If interpreted literally, the element of possession of data under section 308F(1) could be satisfied by possessing any data about anything at all. That is not what the Committee intended (see Report on the Code, Chapter 4 at page 179). To clarify that the relevant data are data which are adapted to committing the intended computer offence, subsections 308F(1)(a) and 308F(1)(b) might be changed to read "with the intention of using the data to commit ..." and "with the intention of using the data to facilitate ...".

Those words would then mirror the wording of the analogous offence for tangible property: "... with the intention that the person or another person will use it to damage ..." (see section 4.1.10 of the Report on the Model Criminal Code). It would also reflect the wording of the draft Convention on Cybercrime from which the Committee drew in formulating this offence.

While we recognise that it might be possible for courts to read into the present wording the meaning expressed by our proposed changes, there is no justification for creating unnecessary uncertainty by leaving a court to do so - particularly since the drafters of the related provisions in section 4.1.10 of the Report and draft Cybercrime Convention thought it appropriate to include the clarifying words.

For the same reasons, subsections 308G(1)(a) and 308G(1)(b) might be changed to read: "with the intention of using it to commit …" and "with the intention of using it to facilitate …".


2.Section 308F(2): "possession or control of data"

Even if it is understood that the relevant data are those adapted for use in committing another computer offence, it is not clear from the proposed drafting of subsection 308F(2) that more than mere knowledge of relevant data is required. The Report of the Officers Committee on the Model Criminal Code recognises that it would be contrary to principle to introduce an offence which permits criminal conviction just on grounds of intent and states that this offence requires some tangible manifestation of the crime charged.

If a tangible manifestation is required, the definition of "possession or control of data" in section 308F(2) should clarify that mere knowledge of data does not amount to possession of that data for these purposes. Accordingly, possession or control of data should be confined to possession of data in some tangible form. That could be achieved by adding the words "means possession or control of data in a tangible form and" before "includes" in the first part of the subsection. A requirement for data to have some tangible manifestation cannot be read into the definition of "data", because "data" is used in the Bill in the context of access and display, where there may be no tangible manifestation at all.


3.Section 308F(1) and 308G(1): Maximum penalty

Section 308F applies to an intent to commit a "computer offence", which under section 308 means any offence against Part 6. Offences against sections 308H and 308I are offences against Part 6, for which the maximum penalty is only 2 years. It is not appropriate that the maximum penalty for attempting to offend sections 308H and 308I exceeds the maximum penalty for actually doing so.

As compared to the current drafting, the last words of this subsection could be amended to read: "Imprisonment for 3 years or the maximum period of imprisonment for the computer offence which the person intended to commit, whichever is the lesser". However, we suggest this issue be given further consideration. If a 3 year maximum is appropriate for intent to commit offences against sections 308D and 308E (for which the maximum sentence is 10 years), a maximum sentence of less that 2 years may be warranted for intent to offend against sections 308H and 308I.

The same comment applies equally to section 308G(1).


4.Section 308H(3): Definition of restricted data

The Report of the Officers' Committee on the Model Criminal Code recognises that criminal consequences should not generally attach to access to private information and included the definition of "restricted data" to identify a class of information which justifies criminal sanctions for unauthorised access. It is clear from the Report that the Committee had in mind password or other security facilities.

However, the key words in the definition of "restricted data" in section 308H(3) are "restricted by an access control system". These words are too wide, since the inherent function of all computers is to control and restrict access in one way or another and certainly in ways not necessarily involving passwords or other security measures.

The meaning of "restricted data" should be clear from the face of the Bill, without resort to the Report of the Officers' Committee. It would be preferable to replace the words "access control system" by "security system". There may also be other, better solutions to this problem and we suggest the issue be given further consideration.

Part B

Policy discussion and examples

Main Issues

Prepared by: Brendan Scott

5.    Executive Summary

5.1    The key practical side effect of the Bill will be to create a form of property in information or of property in the right of access to information, through exploitation of the definition of “unauthorised” and of “restricted data”.

5.2    It will not be overly difficult for skilled lawyers to bring data within the ambit of these provisions, effectively creating an alternative regime to the laws relating to copyright and confidentiality for the protection of information. This new regime will not reflect the complex balancing of interests found in existing laws such as those relating to copyright and breach of confidence.

5.3    If the ability to grant or withhold a licence is taken as informing the meaning of “authorise” this will have the practical effect of greatly expanding the protection of data beyond that contemplated by the Copyright Act. For example, should a copyright holder distribute books electronically, those electronic books could be quite easily encapsulated in such a way as to criminalise access which would otherwise have been permitted as an exception (such as fair dealing) to a copyright holder’s monopoly, in effect removing the public benefit of the fair dealing exceptions. In the long run, it may provide an avenue for owners of copyright to convert civil enforcement costs into a cost to be borne by the community through criminal offences.

5.4    Specific terms within the Bill are not sufficiently defined to restrict application of the offences to truly criminal behaviour.

5.5    The Bill creates the potential for the restriction of freedom of speech through its references to impairing the “reliability” or “security” of data.

Remedial Action
The breadth of, and background to, the Bill is such that it is not easy to suggest immediate remedies to any of the issues set out above. It is the view of the Subcommittee, that the Bill [ed??]

6.    Section 308F

6.1    Discussion

While this clause has been created by analogy to preparatory offences “in the real world”, it overlooks aspects of the real world which clarify the operation of the preparatory offence in the real world. In the "real world" there will ordinarily be some physical relationship between the possession of the item and the offence in question, for example, being found outside a someone else's window with a crowbar. In the computer version, this is less likely to be the case. In a sense, there is less likely to be a sufficient physical prerequisite to the crime in order to base an intent argument. Rather, if any computer offence is committed, this intent crime will necessarily be an adjunct after the fact.

The key problem with this clause is that, because of the nature of computer offences, the difficulty of showing a physical manifestation of intent in computer offences, and the possible ubiquity of “data” which would found the offence, there is a risk that mere intent will convert harmless possession into criminally liable possession. Further, the point at which a non-criminal possession becomes criminal may be only a split second, compared with, for example, the time involved where someone goes equipped to steal and the relative paucity of things that would qualify as equipment in this context.

6.2    Example:

A is a secretary who works for B. In the course of A’s employment A is given B's username and password for the purpose of administering B's email (these things are stored on A's computer). A is dissatisfied with A's payrise and, in a fit of pique, resolves to resign and delete B's email file. Has A committed a 308F offence? The fit is a transient one and A decides that working for B is not so bad. A takes no action.

6.3    Analysis

The clause implies, but does not require, there be a relationship with the data possessed and the crime intended to be committed. There is also no link between the purpose for which the data is possessed or controlled and the intent. See also part A in relation to the breadth of meaning of “data”, “possessed” or “controlled”.

7.    Section 308H

There is no requirement that the restricted access system be subverted, or even that the person committing the act is aware that the data is restricted data. For example, if A leaves themselves logged on and B access the data on their system without authorisation, whether B commits a 308H offence is determined by whether or not the data is restricted data, regardless of B’s awareness that it is restricted data and regardless of B having done nothing to subvert the access control system.

The practical effect of clause 308H is to criminalise actions which previously were only protected by copyright law (or the laws governing confidential information) and, therefore, only been subject only to a civil sanction. The level of criminality involved in copyright infringements has been the subject of much debate and many submissions to the Commonwealth on modifications to the Copyright Act (see sections 116A-116D of the Copyright Act). This provision effectively creates a new information protection regime sufficient in its breadth (and in the hands of a sufficiently skilled copyright lawyer) to supplant copyright for practical purposes, but does so without the same level of policy discussion of the role of balancing the public interest against a legislative monopoly. Read examples (a) and (b) and compare the complex and finely structured application of section 116A of the Copyright Act (with its manifold qualifications and exceptions) against the blunt action of 308H.1

Arguably any data is restricted data because in practice all data will be subject to an “access control system” of some form or another. See example (c) below – is the whole of the web restricted data? In the definition of “access control system” it is not clear whether "to which access is restricted" refers to "data" or "computer". Given the reference in subsection (1)(a) to computer, it probably refers to “data”, but would benefit from clarity. See also Part A, section 4.

7.1Examples

(a)    A is on holiday in the US and, unaware of DVD regional coding, buys a region 1 DVD. On arriving back in Australia A discovers that Australian bought DVDs (Region 4) will not play in A's player and has the DVD regions regime explained by a shop assistant at the time of A's resulting complaint. Following instructions downloaded from the internet, A opens up A's DVD player and modifies the switches in it to convert it into an all regions player. A plays a region 4 DVD on A's modified region 1 player. Has A committed a 308H offence? (A region 4 DVD is licensed only for playing on a DVD player purchased as a region 4 player. When a DVD is played a code is exchanged between the DVD and player to determine whether or not to play the DVD)2.

(b)    ACorp distributes software SW which uses a data set DS (say DS is a mailing list of addresses). When run, SW requires a username and password to be entered before permitting access to the data set DS. B is a university academic. B acquires a copy of SW and DS. Without running SW and being unaware of the username requirement, B reads DS with a word processing package. The first line of DS states "you must not access any part of DS except through the use of SW - by order of ACorp". B reads this and continues to access the balance of DS. Has B committed a 308H offence? Would the result be any different if DS was encrypted and B needs to go to some effort to decrypt DS before inspection? B sends DS to C, suggesting C inspect it with a word processor. B does not send SW to C. C inspects DS with a word processor, reads the first line and continues to access the balance of DS. Has C committed a 308H offence?

If restricted data only refers to that data which is “in fact” restricted, then should an interloper subvert the restriction mechanism, then that subversion will convert the restricted data into unrestricted data. If not, restricted data is too broad. In the example, assume DS may also be accessed by a second set of software SW2 (in fact, in the example, the word processing software is SW2), and when so accessed is not subject to an access control system. In these circumstances will DS be “restricted data” or not?

(c)    In order to access the world wide web A logs onto A’s internet service provider ISP. In so doing A must enter a username and password. A intends to access the world wide web through ISP. Is all of the world wide web “restricted data” within the meaning of this clause (and of the meaning of paragraph (c) of the definition of “data held in a computer” in clause 308)?

8.    Clause 308I

8.1    Discussion and analysis

The issues in clause 308I relate to the meaning of terms such as “impair”, “reliability” and “security”. On an ordinary English interpretation the “reliability” of data can be impaired by a number of means aimed at undermining confidence in the data, none of which involve any tampering with the data itself or with the operation of the computer one which the data is stored. For example, by arguing that the data is not the product of sound science. It is not clear what "operation" of data means. This clause also raises similar issues to that of clause 308H in relation to the interaction between the criminal law and the policy underlying the legislative monopoly of copyright.

8.2    Examples

(a)    ACorp writes popular operating system software OS which contains many security bugs. These security flaws are unknown to the world in general. B is a computer security expert who, through B's diligent inquiry and experimentation, has identified some of these flaws and posts a "security alert" message on B's website setting out the main characteristics of these flaws. Has B impaired/intended to impair the security of data held on systems using the OS software? Has B committed a 308I offence? What if B, on B's website, explains in detail how to exploit the security flaws?
   
(b)    ACorp posts marketing material and data on the internet relating to its new cold fusion invention. B, a former engineer at ACorp, knows that the methodology used to derive ACorp's data is flawed. B posts a message on the internet aimed at impairing the reliability of that data by arguing that there were flaws in the means by which it was derived. Has B committed a 308I offence?

(c)    ACorp produces movies on DVDs. The movies on the DVDs are encrypted by ACorp. B buys one of ACorp's DVDs and downloads software DS off the internet to decrypt the movie. Has B, by downloading the software, impaired the security of the data comprising the movie on the DVD, and thereby committed a 308I offence? What if B goes ahead and decrypts the movie using the software and B's computer? What if B plays the movie and records its output without using the software? What about: (i) C who analyses and cracks the encryption method used? (ii) D who writes the software which enables the decryption of the movie; (ii) E who places DS on E's website; (iii) F who advertises over the internet the fact that DS is available on E's website and that it will enable the decryption of movies on ACorp's DVDs?

Part C

Policy discussion and examples

Other Issues

Prepared by: Brendan Scott

9.    Clause 308

The Society notes that the definitions in clause 308 have been inherited from provisions in other Commonwealth legislation, such as the Electronic Transactions Act. However, a number of definitions, if read on their face, have a meaning far broader than apparently intended.

Data storage device: libraries bar code their books, the bar codes are intended only to be read by a computer. Does that make the piece of paper on which a bar code is recorded a “data storage device”? Extending the example further, A dictates into a dictaphone. The tape is later entered into a computer for voice recognition software to transcribe the tape. Is the dicatphone tape a “data storage device”? Would a piece of paper on a scanner ready to be scanned into a computer be a data storage device? Is there anything that would not be a data storage device? Is mere intention to use it in relation to a computer the only characteristic which defines it? That is, the definition of data storage device may ultimately be determined not by characteristics inherent to the device, but by reference to subjective intentions.

10.    Clause 308A

Is printing an email "any [other] output of the data from the computer" and therefore an access to that data? Is it a movement of data to a data storage device (see discussion in section 5). If A sends spam to millions of people, has A impaired the electronic communications of (i) those people, or (ii) of others who are using the link over which the spam is sent? In relation to (ii), is the answer the same if A sends out the same volume of commercial traffic?
 
What does it mean for access, modification or impairment to be “caused (directly or indirectly) by the execution of a function of a computer”? For example, if A has a backhoe with a computer controlled operating pad, is anything the backhoe does as a result of A’s interaction with the operating pad “caused by the execution of a function of a computer”? If A is using the backhoe in their back garden and cut the main fibre optic cable between Sydney and Melbourne, has A “impaired” an electronic communication to or from a computer (see 9.2(e) below)?

11.    Clause 308B

Clause 308B(1) effectively defines "unauthorised" as meaning "not entitled to". However “not being entitled to” does not advance the meaning of unauthorised any further.

308B(1) also points to the effects of the operation of a function of a computer, not the function itself. So if A is entitled to perform a function, but is not entitled to cause an access, modification or impairment (which occurs as an indirect effect of the function A is entitled to perform), has A committed an unauthorised access, modification or impairment? The Society acknowledges that the force of this criticism is mollified when read against the specific offences.

12.    Clause 308C

The Society does not understand why the circumstances set out in this clause are not already covered by the law of attempt to commit the serious offence in question. Is there any evidence that computers are being used for preparatory offences in a manner which does not constitute attempt?

13.    Clause 308D

13.1    Discussion and Analysis

Does "impair reliability of" data extend to rational critiques of the information - for example, by pointing out errors in data gathering methodology?

13.2    Example

A is an S11 protester and hacks a global corporate's web site. A modifies the site by the inclusion of a single, simple link to alternative information sources (without disrupting the balance of the site). The protester intends by that modification to impair the "reliability" of information on the global corporate's web site. Has the protester committed a 308D offence? If A intends to impair the reliability of the information in printed brochures of the corporate, but which are not held in any computer has A committed a 308D offence?

14.    Clause 308E

14.1    Discussion and analysis

Similar issues arise in relation to clause 308E as with other clauses as a result of the unclear meaning of what it is to be unauthorised/what is meant by being entitled to.

14.2    Examples

(a)    A downloads a piece of software over the internet. The licence terms of the software require that A must consent to the collection of data from A's computer in return for a licence to use the software ("spyware" as it is known). A reads the terms in full, but regards them with contempt. A disables the spyware features of the software but continues to use the useful features (ie commits a breach of licence). Has A committed a 308E offence?

(b)    A & B work at the same company CCorp. A believes B intends to use A's computer while A is away from A's desk to send an email. A runs a password protected screen saver when they leave their desk. B tries to send an email, but can’t because of the screen saver. CCorp’s has expressly prohibited the use of password screen savers but is silent about sending emails from other people’s machines. Has A committed an offence? If so, when? Would the answer be different if B did not want to (and did not try to) send an email? – That is, if there is no communication attempted to or from the computer, is there an “impairment”? Therefore, does B’s intention or action criminalise A’s action after the fact?

(c)    A works for BCorp. A uninstalls the email program on A's computer at work. BCorp has specifically prohibited A from making changes to the software on A’s computer. Has A committed a 308E offence where: (i) A is sick of receiving spam emails and intentionally uninstalls the program to achieve that purpose? (ii) A has heard of a new program A wants to use and needs to uninstall the old program first (A installs the new program and everything works dandy apart from a temporary impairment)? (iii) A just couldn't care less about the consequences?

(d)    A gives B A's mobile phone saying - "don't turn it off and don't divert under any circumstances, I need to contact you at any moment". B enters a hospital grounds and turns the phone off for 15 minutes. Is B guilty of an offence? B uses the "divert" function of the phone and programs a voicemail number into it while "going to the bathroom" for 5 minutes. Has B committed an offence? If so, when? Would it make any difference if A says they intend to send an SMS message through the use of their computer? What if B simply turns the ringer volume down or off? Is this an "impairment"?

(e)    A has a backhoe and is digging in A's back garden. The backhoe has a computer controlled operating pad. Through its use A cuts the main fibre optic cable between Sydney and Melbourne. When A hires the backhoe from B, B says “Be careful about cables and wires running under the ground”. A considers the possibility of cables running under A’s yard, but thinks that the chances of there being any are slim. Has A committed a 308E offence? What if A cuts an electricity cable? What if the utility provider transmits electricity usage information over the cable as well as electricity?

15.    Clause 308G

15.1    Example

A is a disaffected student with little or no computing experience. A resolves to hack the website of B corporation and undertakes a course of study (by sources available over the internet) to do so (including an acquisition of descriptions of hacking techniques). After 6 months of study A considers the endeavour all too hard and gives up. Has A committed an 308G offence?

Note
Clauses 308F, 308G, 308H and 308I are discussed in detail in Part A and Part B.

Appendix 1

Extracts from COPYRIGHT ACT 1968

(from Austlii www.austlii.edu.au)

47D Reproducing computer programs to make interoperable products

(1) Subject to this Division, the copyright in a literary work that is a computer program is not infringed by the making of a reproduction or adaptation of the work if:

(a) the reproduction or adaptation is made by, or on behalf of, the owner or licensee of the copy of the program (the original program ) used for making the reproduction or adaptation; and

(b) the reproduction or adaptation is made for the purpose of obtaining information necessary to enable the owner or licensee, or a person acting on behalf of the owner or licensee, to make independently another program (the new program ), or an article, to connect to and be used together with, or otherwise to interoperate with, the original program or any other program; and

(c) the reproduction or adaptation is made only to the extent reasonably necessary to obtain the information referred to in paragraph (b); and

(d) to the extent that the new program reproduces or adapts the original program, it does so only to the extent necessary to enable the new program to connect to and be used together with, or otherwise to interoperate with, the original program or the other program; and

(e) the information referred to in paragraph (b) is not readily available to the owner or licensee from another source when the reproduction or adaptation is made.

(2) Subsection (1) does not apply to the making of a reproduction or adaptation of a computer program from an infringing copy of the computer program.

47E Reproducing computer programs to correct errors

(1) Subject to this Division, the copyright in a literary work that is a computer program is not infringed by the making, on or after 23 February 1999, of a reproduction or adaptation of the work if:

(a) the reproduction or adaptation is made by, or on behalf of, the owner or licensee of the copy of the program (the original copy ) used for making the reproduction or adaptation; and

(b) the reproduction or adaptation is made for the purpose of correcting an error in the original copy that prevents it from operating (including in conjunction with other programs or with hardware):

(i) as intended by its author; or

(ii) in accordance with any specifications or other documentation supplied with the original copy; and

(c) the reproduction or adaptation is made only to the extent reasonably necessary to correct the error referred to in paragraph (b); and

(d) when the reproduction or adaptation is made, another copy of the program that does operate as mentioned in paragraph (b) is not available to the owner or licensee within a reasonable time at an ordinary commercial price.

(2) Subsection (1) does not apply to the making of a reproduction or adaptation of a computer program from an infringing copy of the computer program.

47H Agreements excluding operation of certain provisions

An agreement, or a provision of an agreement, that excludes or limits, or has the effect of excluding or limiting, the operation of subsection 47B(3), or section 47C, 47D, 47E or 47F, has no effect.

116A Importation, manufacture etc. of circumvention device and provision etc. of circumvention service

(1) Subject to subsections (2), (3) and (4), this section applies if:

(a) a work or other subject-matter is protected by a technological protection measure; and

(b) a person does any of the following acts without the permission of the owner or exclusive licensee of the copyright in the work or other subject-matter:

(i) makes a circumvention device capable of circumventing, or facilitating the circumvention of, the technological protection measure;

(ii) sells, lets for hire, or by way of trade offers or exposes for sale or hire or otherwise promotes, advertises or markets, such a circumvention device;

(iii) distributes such a circumvention device for the purpose of trade, or for any other purpose that will affect prejudicially the owner of the copyright;

(iv) exhibits such a circumvention device in public by way of trade;

(v) imports such a circumvention device into Australia for the purpose of:

(A) selling, letting for hire, or by way of trade offering or exposing for sale or hire or otherwise promoting, advertising or marketing, the device; or

(B) distributing the device for the purpose of trade, or for any other purpose that will affect prejudicially the owner of the copyright; or

(C) exhibiting the device in public by way of trade;

(vi) makes such a circumvention device available online to an extent that will affect prejudicially the owner of the copyright;

(vii) provides, or by way of trade promotes, advertises or markets, a circumvention service capable of circumventing, or facilitating the circumvention of, the technological protection measure; and

(c) the person knew, or ought reasonably to have known, that the device or service would be used to circumvent, or facilitate the circumvention of, the technological protection measure.

(2) This section does not apply in relation to anything lawfully done for the purposes of law enforcement or national security by or on behalf of:

(a) the Commonwealth or a State or Territory; or

(b) an authority of the Commonwealth or of a State or Territory.

(3) This section does not apply in relation to the supply of a circumvention device or a circumvention service to a person for use for a permitted purpose if:

(a) the person is a qualified person; and

(b) the person gives the supplier before, or at the time of, the supply a declaration signed by the person:

(i) stating the name and address of the person; and

(ii) stating the basis on which the person is a qualified person; and

(iii) stating the name and address of the supplier of the circumvention device or circumvention service; and

(iv) stating that the device or service is to be used only for a permitted purpose by a qualified person; and

(v) identifying the permitted purpose by reference to one or more of sections 47D, 47E, 47F, 48A, 49, 50, 51A and 183 and Part VB; and

(vi) stating that a work or other subject-matter in relation to which the person proposes to use the device or service for a permitted purpose is not readily available to the person in a form that is not protected by a technological protection measure.

(4) This section does not apply in relation to the making or importing of a circumvention device:

(a) for use only for a permitted purpose relating to a work or other subject-matter that is not readily available in a form that is not protected by a technological protection measure; or

(b) for the purpose of enabling a person to supply the device, or to supply a circumvention service, for use only for a permitted purpose.

(4A) For the purposes of paragraphs (3)(b) and (4)(a), a work or other subject-matter is taken not to be readily available if it is not available in a form that lets a person do an act relating to it that is not an infringement of copyright in it as a result of section 47D, 47E, 47F, 48A, 49, 50, 51A or 183 or Part VB.

(5) If this section applies, the owner or exclusive licensee of the copyright may bring an action against the person.

(6) In an action under subsection (5), it must be presumed that the defendant knew, or ought reasonably to have known, that the circumvention device or service to which the action relates would be used for a purpose referred to in paragraph (1)(c) unless the defendant proves otherwise.

(7) For the purposes of this section, a circumvention device or a circumvention service is taken to be used for a permitted purpose only if:

(a) the device or service is used for the purpose of doing an act comprised in the copyright in a work or other subject-matter; and

(b) the doing of the act is not an infringement of the copyright in the work or other subject-matter under section 47D, 47E, 47F, 48A, 49, 50, 51A or 183 or Part VB.

(8) In this section:

qualified person means:

(a) a person referred to in paragraph 47D(1)(a), 47E(1)(a) or 47F(1)(a); or

(b) a person who is an authorized officer for the purposes of section 48A, 49, 50 or 51A; or

(c) a person authorised in writing by the Commonwealth or a State for the purposes of section 183; or

(d) a person authorised in writing by a body administering an institution (within the meaning of Part VB) to do on behalf of the body an act that is not an infringement of copyright because of that Part.

supply means:

(a) in relation to a circumvention device—sell the device, let it for hire, distribute it or make it available online; and

(b) in relation to a circumvention service—provide the service.

(9) The defendant bears the burden of establishing the matters referred to in subsections (3), (4) and (4A).

1 A licenses software SW from B. The licence terms specifically exclude the right to reverse engineer the software. B refuses to provide maintenance to A and specifically prohibits A from accessing any data contained within SW. A wishes to rely on the interoperability and error correction exceptions to copyright in the Copyright Act (sections 47D and 47E) in order to correct errors with SW and ensure SW interoperates with A's other systems. In order to do so, A needs to access data held within the SW. Ordinarily this data is only accessible to B's engineers after entering a username and password. If A proceeds to access that data, will A commit a 308H offence? Does 308H practically remove A's interoperability rights under the Copyright Act? (note the operation of section 47H of the Copyright Act, which relates to “agreements” which limit the operation of sections 47D and 47E).


2 While it might be argued that a player is more an “appliance” than a computer, the argument can easily be restructured to make it computer specific by referring to a DVD player component for A’s computer, and to A downloading and installing a software or firmware patch.


 

supporter logos
 
Website developed by Solutions First
Ph: 0414 339 227 Email: inquiries@opensourcelaw.biz