In Australia, computer-based offences, or "cybercrime", are regulated by a series of Commonwealth laws under the Criminal Code Act 1995 (Cth), supplemented by State and Territory laws that deal with specific issues.
Background
Computer-based offences or "cybercrime" refers to both: crimes directed at computers or other information communications technologies (ICTs) (such as computer intrusions and denial of service attacks), and crimes where computers or ICTs are an integral part of an offence (such as online fraud).
Cybercrime is largely regulated by a set of national offences in the Criminal Code Act 1995 (Cth) (or 'Criminal Code'), many of which were introduced by amendments contained within the Cybercrime Act 2001 (Cth).
States and territories are responsible for regulating cyber-stalking and harassment laws, including, most recently, revenge porn offences.
The threat environment for cybercrime related to cloud computing is constantly evolving due to the connectedness of infrastructure, applications and services. Unique threats apply to cloud computing services and architecture due to the sharing or outsourcing of resources, systems, applications and data security. Other threats include loss of control over resources; misuse of cloud computing resources; changes in delivery and receiving models; insecure interface or application programming interface ('API'); malicious insiders; data scavenging; data loss or leakage; service/account hijacking; risk profiling; and identity theft.
Legal Framework
Criminal Code Act 1995 (Cth)
Parts 10.7 and 10.8 of the Criminal Code Act 1995 (Cth) criminalise the following offences:
Computer intrusions
Unauthorised modification of data, such as the destruction of data
Unauthorised impairment of electronic communications, such as denial of service attacks
Creation and distribution of malicious software (such as malware, viruses and ransomware)
Dishonestly obtaining or dealing in personal financial information.
Under the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Cth), offences applying to hosting service providers include the failure to notify the Australian Federal Police within a reasonable time about material relating to abhorrent violent conduct in Australia; and failure to remove access to the content. These offences create an independent incident reporting regime that applies to the cloud sector. Other frameworks may intersect, such as the power of the eSafety Commissioner to publicly shame a hosting service that is providing access to or hosting abhorrent violent content.
‘Doxxing’
Doxxing is a recent phenomenon where an individual’s personal information, such as names, addresses, contact details, and other identifiers, is maliciously exposed online. This can lead to harassment, stalking, reputational damage, and even physical harm to the victim. The doxxing offences exist alongside a number of existing criminal offences which might already apply in some doxxing scenarios, such as using a carriage service to menace, harass or cause offence.
a more serious offence where the conduct involves protected attributes such as race, religion or sexuality under section 474.17D.
Section 474.17C
The section 474.17C offence criminalises the release of personal data via a carriage service in a manner that a "reasonable person" would regard as menacing or harassing.
The term "carriage service" encompasses a wide range of electronic communications, including data dissemination through internet services and telecommunications.
To secure a conviction under section 474.17C, the prosecution must establish beyond a reasonable doubt that:
The accused used a carriage service to make available, publish, or otherwise distribute personal data;
The personal data relates to one or more individuals; and
The accused engaged in this conduct in a manner that reasonable persons would deem, in all the circumstances, to be menacing or harassing.
The fault element for this offence is recklessness (see section 5.6 of the Criminal Code).
Interestingly, "personal data" under this offence is not the same as "personal information" under the Privacy Act 1988 (Cth) or "personal data" under the GDPR. In this context, "personal data" refers to any information about an individual that enables the individual to be identified, contacted, or located.
The offence carries a maximum penalty of six years’ imprisonment.
Section 474.17D
The section 474.17D offence applies when a person uses a carriage service to disseminate personal data targeting individuals or groups based on their protected attributes, such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or ethnic origin.
To establish the section 474.17D offence, the prosecution must prove the following elements beyond a reasonable doubt:
The accused used a carriage service to distribute personal data;
The data pertains to one or more members of a group distinguished by protected attributes (that is, race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality and national or ethnic origin);
The accused acted, in whole or in part, based on the belief that the targeted group is distinguished by one or more of these attributes; and
The conduct would be regarded by reasonable persons as menacing or harassing in all the circumstances.
It is sufficient if the accused believes that the group or individual possesses the protected attribute. The protected attribute need not be an actual characteristic of the victim.
Hacking
Section 478.1(1) of the Criminal Code provides for the offence of ‘unauthorised access to, or modification of, restricted data’. There are three elements:
An individual who causes unauthorised access to, or modification of, restricted data; and
This individual intends to cause the access or modification; and
The person knows that the access or modification is unauthorised.
Denial-of-Service Attacks
Section 477.3(1) of the Criminal Code provides for the offence of 'unauthorised impairment of electronic communication'. There are 2 elements:
An individual commits an offence if they cause any unauthorised impairment from a computer; and
That individual knows that the impairment is unauthorised.
Under s 477.2 there is a related or alternative offence of 'unauthorised modification of data causing impairment'.
Phishing
"Phishing" refers to online fraud whereby an individual seeks access to personal information such as credit card or bank details, usernames and passwords by pretending to be someone trustworthy.
Under sections 134.2 and 135.1 of the Criminal Code, where the victim is a Commonwealth entity, the following acts are offences:
obtaining a financial advantage via deception
dishonestly obtaining a gain from a person
doing something with the intention of causing a loss to a person
causing a loss or a risk of loss to a person
Infecting IT systems with malware
Section 478.2 of the Criminal Code provides for the offence of unauthorised impairment of data held on a computer disk. There are three elements:
A person causes any unauthorised impairment of the reliability, security or operation of data placed on a computer disk, credit card or another device that stores data electronically;
The person intends to cause the impairment; and
The person knows that the impairment is unauthorised.
Possession of hacking tools used to commit cybercrime
Section 478.3 of the Criminal Code provides for the offence of possession or control of data with intent to commit a computer offence. There are 2 elements:
A person has possession/control of data; and
The person has possession or control of the data with the intention that it be used by the person or another person in committing an offence against Division 477 of the Criminal Code (referring to Serious Computer Offences) or facilitating the commission of such an offence.
Identity theft and identity fraud
Division 372 of the Criminal Code criminalises dealing in identification information, dealing in identification information using a carriage service, possessing identification information and possessing equipment used to make identification information.
A computer-based or "cyber" offence will fall within the scope of 'dealing in identification information using a carriage service' if the following elements are satisfied:
A person deals in identification information; and
Does so using a carriage service; and
Intends that any person will use the identification information to pretend to be (or come across as) another person (either living, dead, real or fictitious) for the purpose of committing an offence or facilitating the commission of an offence; and
The offence is an indictable offence against the law of the Commonwealth or a state or territory or is a foreign indictable offence.
A person who produces ‘deep fakes’ that cause financial loss may fall under the fraud provisions in the Crimes Act 1900 (Cth) whereby someone ‘by any deception, dishonestly obtains property belonging to another, or obtains any financial advantage or causes any financial disadvantage’.
Electronic theft
Electronic theft may involve matters such as the breach of confidence by a current or former employee or criminal copyright infringement.
Section 478.1 of the Criminal Code criminalises such conduct. The elements are:
A person causes any unauthorised access to, or modification of, restricted data (which is data held in a computer and an access control system restricts access to it in accordance with the function of the computer); and
They intend to cause the access or modification; and
They know that the access or modification is unauthorised.
Telecommunications Service Offences
Part 10.6 of the Criminal Code contains offences relevant to telecommunication services, including:
Exercising dishonesty using carriage services to obtain a gain or cause a loss
Interfering with telecommunications, such as:
Acting for a carriage or carriage service provider
Interfering with facilities or modifying a telecommunications device identifier
Possessing or controlling data or a device with intent to modify a telecommunications device identifier
Producing, supplying or obtaining data or a device with intent to modify a telecommunications device identifier
Copying subscription-specific secure data
Possessing or controlling data or a device with intent to copy an account identifier
Producing, supplying or obtaining data or a device with intent to copy an account identifier
More general offences, such as:
Using a telecommunications network to commit a serious offence
Using a carriage service to make a threat (only intention to cause fear and not actual fear is necessary)
Using a carriage device for a hoax threat (inducing a belief that a dangerous or harmful substance or thing is left in any place)
Using a carriage service to menace, harass or cause offence
Aggravated offences, such as:
Those involving private sexual material by using a carriage service to menace, harass or cause offence
Special aggravated offence involving the aforementioned aggravated offence but where 3 or more civil penalty orders were also issued
Telecommunications service providers and carriers provide access to the cloud. Under the Telecommunications (Interception and Access) Act 1979 (Cth) law enforcement and security agencies can request reasonable assistance, including decryption and technical assistance, to access data within the cloud, or the metadata associated with access to the cloud. These obligations may be incompatible with service provider efforts to secure the cloud with strong encryption systems that are specifically designed to protect against interception and access.
Financial information offences
Sections 480.4 and 480.5 of the Criminal Code provide for offences of 'dishonestly obtaining or dealing in personal information' and 'possessing or controlling a thing with an intent to obtain or deal in personal financial information'.
Serious computer offences
Division 477 of the Criminal Code provides for an offence where:
A person gains unauthorised access, modification or impairment of data with intent to commit a serious offence. This offence must actually be committed, and not merely attempted.
A person gains unauthorised modification of data to cause impairment.
A person, without authorisation, impairs electronic communication.
Human trafficking
Divisions 270 and 271 of the Criminal Code criminalise slavery and similar actions such as servitude, forced labour and the deceptive engagement of people in labour.
Child abuse material
Section 474.22 of the Criminal Code makes it an offence to use a carriage service to access, transmit, make available, publish or distribute child abuse material. Intention is the fault element for each of those acts, while recklessness is the fault element as to the material being child abuse material.
Child abuse material is regulated by sections 474.22 to 474.24 of the Criminal Code.
Harassment and use of private sexual material
Under Commonwealth law, Section 474.17 of the Criminal Code provides for an offence where a person uses a carriage service in a manner that reasonable persons would regard as being, in all the circumstances, menacing, harassing or offensive. Section 474.17A creates an aggravated offence where private sexual material is transmitted, made available, published, distributed, advertised or promoted.
Several States and Territories have enacted legislation dealing with intimate images. See, for example:
Criminal Code Act 1983 (NT) s 208AB - Distribution of intimate image without consent
Other laws
Online Safety
The Online Safety Act 2021 (Cth) commenced 23 January 2022. The Act sets out the powers of the eSafety Commissioner (for example, to regulate illegal and abhorrent content) as well as expectations for online service providers.
Cyber-stalking and harassment
Section 13 of the Crimes (Domestic and Personal Violence) Act 2007 (NSW) makes it an offence to stalk or intimidate another person with the intention of causing the other person to fear physical or mental harm.
Section 8 defines stalking as the following of a person about, the watching or frequenting of the vicinity of, or an approach to, a person’s place.
Section 7 defines intimidation as conduct (including cyberbullying) amounting to harassment or molestation of the person.
Case law indicates that offenders tend to stalk their victim through electronic means:
The Federal Circuit Court of Australia has recognised that uploading information on to social media sites may constitute family violence: Moyne and Ashby [2014] FCCA 2309.
Australian Federal Police - investigates cybercrime offences, concentrating on cybercrime against Federal departments and agencies, critical infrastructure, and systems of national significance.
Australian Institute of Criminology (AIC) - the AIC is Australia’s national research and knowledge centre on crime and justice, compiling trend data and disseminating research and policy advice.
Australian Transaction Reports and Analysis Centre (AUSTRAC) - Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system to protect the community from serious and organised crime.
Australian Criminal Intelligence Commission (ACIC) (see 'Cybercrime', Australian Criminal Intelligence Commission (Web Page, 2024)). The ACIC is Australia's national criminal intelligence agency. One of its functions is to collect and analyse information and intelligence to identify, investigate, disrupt, or prevent cyber-related criminal activity.
Department of Home Affairs (DHA) (see 'Cyber security', Department of Home Affairs (Web Page, 2024)). The DHA is responsible for cyber policy coordination, setting the strategic direction of cyber policy, operationalising cyber policy, and regulating relevant critical infrastructure industries and cyber security.
Department of Foreign Affairs and Trade (DFAT) – DFAT coordinates Australia’s international engagement on digital trade, cybercrime, cyber security, human rights, democracy, international security, internet governance and technology for development.