Cyber Laws Consulting Center » SINGAPORE

Electronic Commerce Act 1998

admin — Thu, 20 Nov 2008 13:44:59 +0000

ELECTRONIC COMMERCE ACT 1998- SINGAPORE

Overview The rapid development of information and communication technologies over the past decade has revolutionized business practices. Transactions accomplished through electronic means – collectively “electronic commerce” – have created new legal issues. The shift from paper-based to electronic transactions has raised questions concerning the recognition, authenticity and enforceability of electronic documents and signatures. The challenge for lawmakers has been to balance the sometimes conflicting goals of safeguarding electronic commerce and encouraging technological development.

The Electronic Commerce Act of 1998 (the “Act“) aims to facilitate the development of a secure regulatory environment for electronic commerce by providing a legal infrastructure governing electronic contracting, security and integrity of electronic transactions, the use of digital signatures and other issues related to electronic commerce.

The Act is divided into fifteen parts, which can be summarized as follows:

Part I of the Act outlines the general purpose of the Act provides definitions for terminology used within the Act and defines the scope of the application of the Act.

Part II of the Act addresses electronic records and electronic signatures generally. It provides that, with limited exceptions, electronic records and signatures should be accorded the same treatment as paper records and signatures for purposes of complying with statutory writing, signature, evidentiary and record-keeping requirements.

Part III of Act addresses the integrity and authentication of secure electronic records and secure electronic signatures. Secure electronic records and signatures define specific categories of records and signatures that are afforded greater evidentiary presumptions because of their enhanced reliability and trustworthiness. The concept of a secure electronic record or a secure electronic signature will foster the growth of electronic commerce by providing businesses with assurances that records and signatures which meet the statutory definitions of “secure” records or signatures will be accorded the heightened evidentiary presumptions necessary to make business transactions effectively non repudiable.

Part IV of the Act addresses issues of electronic contracting. This Part deals with the form in which an offer and an acceptance may be expressed and legal recognition of contracts formed in an electronic medium. This Part aims to provide increased legal certainty as to the conclusion of contracts by electronic means.

Parts V, VI, VII, VIII and IX of Act address the legal issues related to the use of digital signatures. Digital signature technology, which utilizes asymmetric cryptography technology, has been developed to facilitate secure transactions over the Internet and other computer networks. Although the electronic contracting sections of the Act have been drafted to be technologically neutral, Parts V-IX have been included to establish rules for the use of the most prominent current technology. Thus, a digital signature issued in accordance with Part V will be presumed to be a secure electronic signature.

Part X of the Act addresses the acceptance and use of electronic records and electronic signatures by governmental entities. This section authorizes any department or ministry to accept electronic filing of documents and to issue permits, licenses or approvals electronically. This section also empowers any department or ministry of the Government to specify the conditions and procedures for electronic filing or retention of documents. However, this section does not compel any department or ministry of the Government to accept or issue any document in electronic form if it does not wish to do so.

Part XI of the Act deals with issues relating to the liability of network service providers.

Part XII of the Act provides criminal penalties for intentional damage or destruction of information systems or data, intentional “trespass” into a system and intentional theft of computer services, tampering with data, interrupting network services and intentionally introducing viruses into computers or computer networks.

Part XIII of the Act contains general provisions relating to the use of electronic records.

An Act to establish the law relating to electronic commerce
WHEREAS it is expedient to establish the law relating to electronic commerce;
It is hereby enacted as follows:–

Part I – Preliminary

1. Short Title, Extent and Commencement.

(1) This Act may be called the Electronic Commerce Act, 1998.

(2) This Act extends to the whole of India, except the State of Jammu and Kashmir.

(3) This Act shall come into force on such date as the Central Government may, by notification in the Official Gazette, appoint in this behalf.

2. Definitions. In this Act, unless the context otherwise requires -

(a) “Asymmetric cryptosystem” means a computer-based system capable of generating and using a secure key pair, consisting of a private key for creating a digital signature and a public key to verify the digital signature.

Source: ABA Digital Signature Guidelines �1.3.

Comments: Asymmetric cryptography is the core of the current digital signature technology. An asymmetric cryptosystem is an information system utilizing an algorithm or series of algorithms that provide for a cryptographic key pair consisting of a private key and the corresponding public key. A secure key pair is a key pair that is cryptographically strong and is capable of reliably creating and verifying digital signatures.

(b) “Authentication” means a process used to ascertain the identity of a person or the integrity of specific information. For a message, authentication involves ascertaining its source and confirming that it has not been modified or replaced in transit.

Source: ABA Digital Signature Guidelines �1.4.

Comments: Authentication is necessary to determine the source and integrity of information. Authentication requires the verification that a record was sent by the sender and that the integrity of the record was not compromised. This concept has been added here to recognize the importance of determining the identity of the sender and the integrity of the contents of an electronic record in an electronic commerce transaction. Authentication is distinguishable from verification of a digital signature.

(c) “Authorized officer” means any officer that has been authorized by the Controller to exercise the powers of the Controller under this Act as identified in Section 41 of this Act.

Source: Singapore Electronic Transactions Act �50.

Comments: An Authorized Officer will have the authority, if delegated by the Controller (as defined herein), to perform the duties and obligations of the Controller as specified herein.

(d) “Certificate” means a record, that at a minimum: (i) identifies the certification authority issuing it; (ii) names or otherwise identifies its subscriber, or a device or electronic agent under the control of the subscriber; (iii) contains a public key that corresponds to a private key under the control of the subscriber; (iv) specifies its operational period; and (v) is digitally signed by the certification authority issuing it.

Source: ABA Digital Signature Guidelines �1.5.

Comments: A certificate binds a particular public key to a person that controls the corresponding private key. A certificate is used to identify the subscriber who actually controls the private key. A certificate usually helps the recipient of a digitally signed message attribute the digital signature to the sender by determining whether the public key and corresponding private key are identified with the signer. See Part VII and VIII of this Act for discussion of certificates in connection with the use of digital signatures. A certificate must be signed by the certification authority issuing it so that the certificate may not be forged.

(e) “Certification authority” means a person who authorizes or causes the issuance of a certificate.

Source: ABA Digital Signature Guidelines �1.6.

Comments: This definition expands on the definitions provided in the Singapore Electronic Transactions Act and others by regulating the process of issuance of certificates. The certification authority is responsible for issuing certificates for digital signatures to subscribers and for creating and digitally signing certificates. Once the certificate is issued by the certification authority, a representation is made as to the identity of the person named in the certificate and the binding of that person to a particular public-private key pair. See Part VII of this Act for discussion of certification authorities in connection with the use of digital signatures.

(f) “Certification practice statement” means a statement issued by a certification authority that specifies the policies or practices that the certification authority employs in issuing, managing, suspending and revoking certificates and providing access to them.

Source: ABA Digital Signature Guidelines �1.8.

Comments: The certification practice statement generally takes the form of a declaration that the systems and procedures that it uses in creating certificates for digital signatures are trustworthy. These statements typically describe the types of procedures that a certification authority uses to verify an applicant’s identity before it issues the certificate, the security measures used to protect cryptographic keys and the process that the certification authority takes to generate keys. See Part VII of this Act for discussion of certification practice statements in connection with the use of digital signatures.

(g) “Computer” means an electronic, magnetic, electromagnetic, digital, optical, or other information processing system or device used for creating, generating, transmitting, receiving, storing, displaying, or otherwise processing information, together with any supporting software, input, output, or data storage devices used therewith.

Source: Malaysia Computer Crimes Act �2(1); Uniform Electronic Transactions Act �102(12)

Comments: This definition is broader than other definitions found in similar acts in order to encompass the broadest range of apparatus used in electronic transactions. For example, facsimile machines, sophisticated telephone systems, telex and telegraph systems all are covered by this definition, in addition to the devices commonly known as computers. The definition also is intended to cover computer software and peripheral devices.

(h) “Computer network” means two or more computers in communication with or connected to each other.

Comment: This definition is intended to encompass the broadest range of computer interconnections that could be used in facilitating electronic transactions.

(i) “Computer program” means a set of instructions or statements, and related data, to be used directly or indirectly in a computer or computer network in order to cause a certain result.

Source: Uniform Electronic Transactions Act �102.

(j) “Computer security system” means the design, procedures or other measures that the person responsible for the operation and use of a computer employs to restrict the use of the computer to particular persons or uses, or that the owner or licensee of data stored or maintained by a computer in which the owner or licensee is entitled to store or maintain the data employs to restrict access to or protect the confidentiality of the data.

Source: Texas Penal Code �33.01.

(k) “Computer virus” means any computer instruction, information, data or program that degrades the performance of a computer; disables, damages or destroys a computer; or attaches itself to another computer and executes when the host computer program, data or instruction is executed or when some other event takes place in the host computer, data or instruction.

Source: Maine Criminal Code �431(9).

(l) “Controller” means the Controller of Certification Authorities appointed under Section 41.

Source: Singapore Electronic Transactions Act �2.

Comments: The Controller of Certification Authorities shall be appointed by the Central Government to regulate and control operation of certification authorities. The duties of the Controller of Certification Authorities include licensing, certifying, monitoring and overseeing the activities of all certification authorities in India.

(m) “Correspond” in relation to private or public keys, means to belong to the same key pair.

Source: ABA Digital Signature Guidelines �1.10; Singapore Electronic Transactions Act �2.

Comments: In an asymmetric cryptosystem, two keys are said to “correspond” if one key can be used to encrypt a message and only the other key can be used to decrypt the message.

(n) “Damage” means any destruction, alteration, disruption, deletion, addition, modification or other impairment to the integrity or availability of a computer, data, electronic record, a program, an information system or information.

Source: United States Code, 18 U.S.C. �1030.

Comment: The definition of “damage” is based on the definition contained in the United States Computer Fraud and Abuse Act, but includes a wider range of categories of impairment of computer resources.

(o) “Data” means a representation of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer.

Source: Malaysia Computer Crimes Act �2.

(p) “Digital signature” means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine: (i) whether the transformation was created using the private key that corresponds to the signer’s public key and (ii) whether the initial electronic record has been altered since the transformation was made.

Source: Singapore Electronic Transactions Act �2.

Comments: A digital signature is a form of an electronic signature.

(q) “Electronic” includes electrical, digital, magnetic, optical, electromagnetic or any other form of technology that entails capabilities similar to these technologies.

Source: Illinois Electronic Commerce Security Act �5-105; Uniform Electronic Transactions Act �102(5)(September 1998 draft).

Comments: This definition clarifies that this Act applies broadly to existing technologies, as well as any future technologies. It also is intended to make clear that the use of the term “electronic” is not to be taken so literally as to exclude certain technologies obviously intended to be covered but not literally “electronic” (i.e., information stored in magnetic form on a computer disk or information contained on a CD-ROM).

(r) “Electronic device” means a computer program or electronic record or other automated means configured or enabled by a person to independently initiate or respond to electronic records or performances on behalf of that person without review by an individual.

Source: Uniform Electronic Transactions Act �102(6)(September 1998 draft); UCC Article 2B �2B-102(19)(August 1998 draft).

Comment: In the electronic marketplace, an increasing number of agreements are executed automatically through the use of electronic devices. Therefore, it is critical to include provisions governing formation of contracts through the use of electronic devices in the proposed legislation. The definition of electronic device contemplates transactions where one or both parties are represented by automated devices configured to respond to specific input and to carry out transactions on behalf of their human counterparts. Given the automated nature of such devices, of course, the law of agency should not apply to such devices.

(s) “Electronic record” means a record generated, sent, received or stored by electronic means for use in an information system or for transmission from one information system to another.

Source: UNCITRAL Model Law, Article 2(a).

Comments: Electronic records include all messages sent by some electronic means. This definition can encompass computer-generated data records created for internal record-keeping purposes as well as communications to a third party.

(t) “Electronic signature” means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record.

Source: Singapore Electronic Transactions Act �2.

Comments: This definition is included for purposes of clarity and also to expressly state the requirement that the electronic signature be attached to or logically associated with the electronic record. Since electronic records can be communicated separately from any tangible media on which they may exist, this definition requires that the signature must, in some way, be “attached to or logically associated with” the electronic record being signed.

(u) “Hash function” means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that: (i) a record yields the same hash result every time the algorithm is executed using the same record as input; (ii) it is not feasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and (iii) it is computationally infeasible that two records can be found that produce the same hash result using the algorithm.

Source: Singapore Electronic Transactions Act �2.

(v) “Information” includes data, text, images, sound, codes, computer programs, software, databases and the like.

Source: Singapore Electronic Transactions Act �2.

Comments: The term “information” is technologically neutral but intended to include anything that can be transmitted in electronic or digital form.

(w) “Information system” means a system for creating, generating, sending, receiving, storing, displaying or otherwise processing information.

Source: Uniform Electronic Transactions Act �102(12).

(x)”Internet” means a global network of interconnected computer networks, each using the transmission control protocol/internet protocol or any combination thereof or such other standard network interconnection protocols as is used to transmit data that is directly or indirectly delivered to a computer.

(y) “Key pair” in an asymmetric cryptosystem, means a private key and its mathematically related public key, having the property that the public key can verify a digital signature that the private key creates.

Source: Singapore Electronic Transactions Act �2.

Comments: A key pair is normally generated by the person or entity that intends to use the key pair in order to digitally sign electronic records. A key pair includes a private key that is used to create a digital signature and a public key, which is used to verify digital signatures on messages sent by the holder of the corresponding private key.

(z) “Network service provider” means a person that provides the software, hardware, telecommunications facilities or any combination of the above, to facilitate access to the Internet or any other computer network, and includes a value added network service provider.

Source: United States Code, 47 U.S.C. �230(e).

Comments: This Act includes a definition based on the definition of “interactive computer service” contained in the United States Code. The definition is drafted broadly enough to encompass operators of online services, Internet access providers, VANS, and those entities that provide the telecommunications facilities to permit access to the Internet.

(aa) “Operational period of a certificate” begins on the date and time the certificate is issued by a certification authority (or on a later date and time if stated in the certificate), and ends on the date and time it expires as stated in the certificate or is earlier revoked or suspended.

Source: Singapore Electronic Transactions Act �2.

Comments: The operational period of a certificate is the period of its validity.

(bb) “Private key” means the key of a key pair used to create a digital signature.

Source: Singapore Electronic Transactions Act �2.

Comments: A private key is the secret key used to create a digital signature.

(cc)“Prescribed” means prescribed by rules made under this Act.

(dd) “Provide access” means, in relation to material provided by a third party, the provision of the necessary technical means by which such material may be accessed and includes the automatic and temporary storage of such material for the purpose of providing access.

Source: Singapore Electronic Transactions Act �2.

(ee) “Public key” means the key of a key pair used to verify a digital signature.

Source: Singapore Electronic Transactions Act �2; Illinois Electronic Commerce Security Act �5-105.

Comments: The public key is usually provided via a certificate issued by a certification authority and is used to verify the digital signature of a message purportedly sent by the holder of the corresponding private key.

(ff) “Record” means information that is inscribed, stored or otherwise fixed in a tangible medium or that is stored in an electronic or other intangible medium and may be retrieved in perceivable form.

Source: Singapore Electronic Transactions Act �2.

(gg) “Repository” means a system for storing and retrieving certificates or other information relevant to certificates, including information related to the status of a certificate.

Source: Singapore Electronic Transactions Act �2.

Comments: A repository is a collection of information related to issued certificates stored by the certification authority or another person. The repository may contain the certificates accepted by subscribers and any other necessary information.

(hh) “Revoke a certificate” means to permanently end the operational period of a certificate from a specified time forward.

Source: Singapore Electronic Transactions Act �2.

Comments: A certificate may be revoked prior to the end of the operational period. Once a certificate is revoked, its effectiveness is terminated.

(ii) “Rule of law” includes any provision contained in an enactment or any rule derived from any other source of law.

(jj) “Security procedure” means a procedure for the purpose of: (i) verifying that an electronic record is that of a specific person or (ii) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time. A security procedure may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgment procedures, or similar security devices.

Source: Singapore Electronic Transactions Act �2.

Comments: This definition does not attempt to define security procedure in terms of any specific technology, and recognizes that there are a variety of technologies in place today, as well as new technologies that will be developed in the future, that may qualify as appropriate security procedures.

(kk) “Signed” or “signature,” in relation to electronic records, includes any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with the intent to authenticate such record.

Source: Singapore Electronic Transactions Act �2.

Comments: This definition of the terms “signed” and “signature” has the effect of: (1) extending to the electronic medium the traditional paper-based definition of “signed” and (2) recognizing that a signature can be created both through the use of a symbol as well as through the use of a security procedure.

(ll) “Subscriber” means a person who is the subject named or identified in a certificate issued, who holds a private key that corresponds to a public key listed in that certificate and who is the person to whom digitally signed messages verified by reference to such certificate are to be attributed.

Source: Singapore Electronic Transactions Act �2.

Comments: The subscriber is the person named or otherwise identified in a certificate. Note that a person who digitally signs an electronic record, but who has not been issued a certificate, is not a subscriber, even though such person is using a digital signature.

(mm) “Suspend a certificate” means to temporarily suspend the operational period of a certificate from a specified time forward.

Source: Singapore Electronic Transactions Act �2.

Comments: Suspension of a certificate involves a temporary termination of its effectiveness prior to the end of its stated operational period.

(nn) “Third party” means, in relation to a network service provider, a person over whom the provider has no effective control.

Source: Singapore Electronic Transactions Act �10(3).

(oo) “Trustworthy system or manner” means the use of, or adoption of any device involving the use of, computer hardware, software and procedures that, in the context in which they are used: (i) can be shown to be reasonably resistant to penetration, compromise and misuse; (ii) provide a reasonable level of reliability and correct operation; (iii) are reasonably suited to performing their intended functions or serving their intended purposes; (iv) comply with applicable agreements between the parties, if any; and (v) adhere to generally accepted security procedures

Source: Illinois Electronic Commerce Security Act �5-105; See ABA Digital Signature Guidelines �1.35.

Comments: The term “trustworthy system or manner” is intended to define a general yet flexible standard, recognizing that computer security is a matter of degree and depends upon the circumstances. This definition focuses on a variety of different aspects of the trustworthiness of an information system, including (1) security from intrusion and misuse; (2) reliability and correct operation; (3) suitability to performing intended functions or purposes; (4) compliance with applicable agreements of the parties; and (5) adherence to generally accepted security procedures. The manner in which a system is configured to achieve the objectives of trustworthiness will vary depending on the type of technology available.

(pp) “Valid certificate” means a certificate that a certification authority has issued and that the subscriber listed in the certificate has accepted.

Source: Singapore Electronic Transactions Act �2.

(qq) “Verify a digital signature” means to use a public key listed in a valid certificate to determine: (i) that the digital signature was created using the private key corresponding to the public key listed in the certificate and (ii) the electronic record has not been altered since its digital signature was created.

Source: Singapore Electronic Transactions Act �2.

3. Purpose and Construction.

This Act shall be construed consistently with what is commercially reasonable under the circumstances and to effectuate the following purposes:

(a) To facilitate electronic communications by means of reliable electronic records;

(b) To facilitate and promote electronic commerce, to eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;

(c) To facilitate the electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of electronic records;

(d) To minimize the incidence of forged electronic records, intentional and unintentional alterations of records, and fraud in electronic commerce and other electronic transactions;

(e) To promote public confidence in the integrity and reliability of electronic records, electronic signatures and electronic commerce;

(f) To establish uniform rules and standards regarding the authentication and integrity of electronic records; and

(g) To create a legal infrastructure for the use of digital signatures.

Source: Florida Electronic Signature Act of 1996 �2; Singapore Electronic Transactions Act �3, Utah Digital Signature Act �102.

Comments: This Act aims to remove actual and perceived barriers to electronic commerce and to set forth a legal framework to promote and facilitate the development of electronic commerce. It seeks to remove barriers by clarifying existing uncertainty over whether electronic records are “writings” or “signatures” or “records” for legal purposes. To promote electronic commerce, this Act provides for recognition of a class of electronic records known as “secure” electronic records and signatures. Secure electronic records and signatures are afforded higher evidentiary presumptions to provide parties engaged in electronic commerce assurance that their transactions are enforceable. In addition, this Act addresses evidentiary concerns as to the admissibility of electronic records. The Act presents a logical and coherent approach to resolving issues raised by electronic commerce and, where possible, seeks to preserve uniformity among the approaches to electronic commerce legislation taken by various countries.

4. Application.

(a) Parts II or IV of this Act shall not apply to any law requiring writing or signatures in any of the following circumstances:

(1) the creation or execution of a will;

(2) the execution of negotiable instruments;

(3) the creation, performance or enforcement of an indenture, declaration of trust or power of attorney with the exception of constructive and resulting trusts;

(4) any contract for the sale or other disposition of immovable property, or any interest in such property;

(5) the conveyance of immovable property or the transfer of any interest in immovable property;

(6) documents of title for movable or immovable property; or

(7) where such application would involve a construction of a rule of law that is clearly inconsistent with the manifest intent of the lawmaking body or repugnant to the context of the same rule of law, provided that the mere requirement that information be “in writing,” “written” or “printed” shall not by itself be sufficient to establish such intent.

(b) The Central Government may modify in the public interest, by notification published in the Official Gazette, the provisions of section (a) by adding, deleting or amending any class of transactions or matters specified in that section.

(d) Notwithstanding anything contained in the Telegraph Act, 1885, or rules made under this Act, it shall be lawful to transmit and receive records electronically.

Source: Singapore Electronic Transactions Act �4; Illinois Electronic Commerce Security Act �5-115.

Comments: It is not feasible to give broad legal recognition to all documents that are signed with an electronic signature because, under Indian Law, hand written signatures are more appropriate for certain categories of agreements. Therefore, the purpose of limiting application of this Act is to acknowledge the intent of relevant laws that mandate the use of pen and ink for some documents. For example, in the case of negotiable instruments, the current state of technology does not adequately provide a reliable mechanism for the transfer or negotiation of electronic records to holders in due course beyond an originator and an initial recipient of the electronic record. Additionally, this section provides authority to the Central Government to amend, as appropriate, the limitations set forth in this section. Further, the application of the Stamp Act has been limited to recognize the intangible nature of electronic records, based upon precedent set in the Depositories Act, 1996. The applicability of the Telegraph Act also has been limited in recognition of the necessity to encrypt data in relation to the transmission of certain types of secure electronic records.

5. Variation by Agreement. As between parties involved in generating, sending, receiving, storing or otherwise processing electronic records, any provision of Part II or IV of this Act may be varied by agreement of the parties.

Source: UNCITRAL Model Law, Article 4; UCC Article 2B �2B-107(b); ABA Digital Signature Guidelines �2.2.

Comments: This section states the general principle that parties may vary the provisions of Parts II or IV by agreement. Thus, where the signer and the recipient of an electronic record, agree to the terms of a contract, the rules set forth in this Act may be varied by a contract between the parties.

Part II – Electronic Records and Signatures Generally

Electronic Transactions Act 1998

admin — Thu, 20 Nov 2008 13:38:07 +0000

Electronic Transactions Act 1998- SINGAPORE

1. Short title and commencement

This Act may be cited as the Electronic Transactions Act 1998 and shall come into operation on such date as the Minister may, by notification in the Gazette, appoint.
The Minister may appoint different dates for the coming into operation of the different provisions of this Act.

2. Interpretation

In this Act, unless the context otherwise requires

“asymmetric cryptosystem” means a system capable of generating a secure key pair, consisting of a private key for creating a digital signature, and a public key to verify the digital signature;

“authorised officer” means a person authorised by the Controller under section 50;

“certificate” means a record issued for the purpose of supporting digital signatures which purports to confirm the identity or other significant characteristics of the person who holds a particular key pair;

“certification authority” means a person who or an organisation that issues a certificate;

“certification practice statement” means a statement issued by a certification authority to specify the practices that the certification authority employs in issuing certificates;

“Controller” means the Controller of Certification Authorities appointed under section 41(1) and includes a Deputy or an Assistant Controller of Certification Authorities appointed under section 41(2);

“correspond” , in relation to a private key or public key, means to belong to the same key pair;

“digital signature” means an electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine -

1. whether the transformation was created using the private key that corresponds to the signer’s public key; and

2. whether the initial electronic record has been altered since the transformation was made;

“electronic record” means a record generated, communicated, received or stored by electronic, magnetic, optical or other means in an information system or for transmission from one information system to another;

“electronic signature” means any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record;

“hash function” means an algorithm mapping or translating one sequence of bits into another, generally smaller, set (the hash result) such that -

1. a record yields the same hash result every time the algorithm is executed using the same record as input;

2. it is computationally infeasible that a record can be derived or reconstituted from the hash result produced by the algorithm; and

3.� it is computationally infeasible that 2 records can be found that produce the same hash result using the algorithm;

“information” includes data, text, images, sound, codes, computer programs, software and databases;

“key pair” , in an asymmetric cryptosystem, means a private key and its mathematically related public key, having the property that the public key can verify a digital signature that the private key creates;

“licensed certification authority” means a certification authority licensed by the Controller pursuant to any regulation made under section 42;

“operational period of a certificate” begins on the date and time the certificate is issued by a certification authority (or on a later date and time if stated in the certificate), and ends on the date and time it expires as stated in the certificate or is earlier revoked or suspended;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature;

“record” means information that is inscribed, stored or otherwise fixed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;

“repository” means a system for storing and retrieving certificates or other information relevant to certificates;

“revoke a certificate” means to permanently end the operational period of a certificate from a specified time;

“rule of law” includes written law;

“security procedure” means a procedure for the purpose of -

1. verifying that an electronic record is that of a specific person; or

2.detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answerback or acknowledgment procedures, or similar security devices;

“signed” or “signature”and its grammatical variations includes any symbol executed or adopted, or any methodology or procedure employed or adopted, by a person with the intention of authenticating a record, including electronic or digital methods;

“subscriber” means a person who is the subject named or identified in a certificate issued to him and who holds a private key that corresponds to a public key listed in that certificate;

“suspend a certificate” means to temporarily suspend the operational period of a certificate from a specified time;

“trustworthy system” means computer hardware, software, and procedures that -

1. are reasonably secure from intrusion and misuse;

2. provide a reasonable level of availability, reliability and correct operation;

3. are reasonably suited to performing their intended functions; and

4. adhere to generally accepted security procedures;

“valid certificate” means a certificate that a certification authority has issued and which the subscriber listed in it has accepted;

“verify a digital signature” , in relation to a given digital signature, record and public key, means to determine accurately that -

1. the digital signature was created using the private key corresponding to the public key listed in the certificate; and

2. the record has not been altered since its digital signature was created.

3. Purposes and construction

This Act shall be construed consistently with what is commercially reasonable under the circumstances and to give effect to the following purposes:

to facilitate electronic communications by means of reliable electronic records;
to facilitate electronic commerce, eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
to facilitate electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of reliable electronic records;
to minimise the incidence of forged electronic records, intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions;
to help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; and
to promote public confidence in the integrity and reliability of electronic records and electronic commerce, and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.

4. Application

Parts II and IV shall not apply to any rule of law requiring writing or signatures in any of the following matters:
1. the creation or execution of a will;
2. negotiable instruments;
3. the creation, performance or enforcement of an indenture, declaration of trust or power of attorney with the exception of constructive and resulting trusts;
4. any contract for the sale or other disposition of immovable property, or any interest in such property;
5. the conveyance of immovable property or the transfer of any interest in immovable property;
6. documents of title.
The Minister may by order modify the provisions of subsection (1) by adding, deleting or amending any class of transactions or matters.

5. Variation by agreement

As between parties involved in generating, sending, receiving, storing or otherwise processing electronic records, any provision of Part II or IV may be varied by agreement.

6. Legal recognition of electronic records

For the avoidance of doubt, it is declared that information shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.

7. Requirement for writing

Where a rule of law requires information to be written, in writing, to be presented in writing or provides for certain consequences if it is not, an electronic record satisfies that rule of law if the information contained therein is accessible so as to be usable for subsequent reference.

8. Electronic signatures

Where a rule of law requires a signature, or provides for certain consequences if a document is not signed, an electronic signature satisfies that rule of law.
An electronic signature may be proved in any manner, including by showing that a procedure existed by which it is necessary for a party, in order to proceed further with a transaction, to have executed a symbol or security procedure for the purpose of verifying that an electronic record is that of such party.

9. Retention of electronic records

Where a rule of law requires that certain documents, records or information be retained, that requirement is satisfied by retaining them in the form of electronic records if the following conditions are satisfied:
1. the information contained therein remains accessible so as to be usable for subsequent reference;
2. the electronic record is retained in the format in which it was originally generated, sent or received, or in a format which can be demonstrated to represent accurately the information originally generated, sent or received;
3. such information, if any, as enables the identification of the origin and destination of an electronic record and the date and time when it was sent or received, is retained; and
4. the consent of the department or ministry of the Government, organ of State or the statutory corporation which has supervision over the requirement for the retention of such records has been obtained.
An obligation to retain documents, records or information in accordance with subsection (1)(c) shall not extend to any information necessarily and automatically generated solely for the purpose of enabling a record to be sent or received.
A person may satisfy the requirement referred to in subsection (1) by using the services of any other person, if the conditions in paragraphs (a) to (d) of that subsection are complied with.
Nothing in this section shall -
1. apply to any rule of law which expressly provides for the retention of documents, records or information in the form of electronic records;
2. preclude any department or ministry of the Government, organ of State or a statutory corporation from specifying additional requirements for the retention of electronic records that are subject to the jurisdiction of such department or ministry of the Government, organ of State or statutory corporation.

10. Liability of network service providers

A network service provider shall not be subject to any civil or criminal liability under any rule of law in respect of third-party material in the form of electronic records to which he merely provides access if such liability is founded on -
1. the making, publication, dissemination or distribution of such materials or any statement made in such material; or
2. the infringement of any rights subsisting in or in relation to such material.
Nothing in this section shall affect -
1. any obligation founded on contract;
2. the obligation of a network service provider as such under a licensing or other regulatory regime established under any written law; or
3. any obligation imposed under any written law or by a court to remove, block or deny access to any material.
For the purposes of this section -
“provides access” , in relation to third-party material, means the provision of the necessary technical means by which third-party material may be accessed and includes the automatic and temporary storage of the third-party material for the purpose of providing access; “third-party” , in relation to a network service provider, means a person over whom the provider has no effective control.

11. Formation and validity

For the avoidance of doubt, it is declared that in the context of the formation of contracts, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of electronic records.
Where an electronic record is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that an electronic record was used for that purpose.

12. Effectiveness between parties

As between the originator and the addressee of an electronic record, a declaration of intent or other statement shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record.

13. Attribution

An electronic record is that of the originator if it was sent by the originator himself.
As between the originator and the addressee, an electronic record is deemed to be that of the originator if it was sent -
1. by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
2. by an information system programmed by or on behalf of the originator to operate automatically.
As between the originator and the addressee, an addressee is entitled to regard an electronic record as being that of the originator and to act on that assumption if -
1. in order to ascertain whether the electronic record was that of the originator, the addressee properly applied a procedure previously agreed to by the originator for that purpose; or
2. the data message as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify electronic records as its own.
Subsection (3) shall not apply -
1. from the time when the addressee has both received notice from the originator that the electronic record is not that of the originator, and had reasonable time to act accordingly;
2. in a case within subsection (3)(b), at any time when the addressee knew or ought to have known, had it exercised reasonable care or used any agreed procedure, that the electronic record was not that of the originator; or
3. if, in all the circumstances of the case, it is unconscionable for the addressee to regard the electronic record as that of the originator or to act on that assumption.
Where an electronic record is that of the originator or is deemed to be that of the originator, or the addressee is entitled to act on that assumption, then, as between the originator and the addressee, the addressee is entitled to regard the electronic record received as being what the originator intended to send, and to act on that assumption.
The addressee is not so entitled when the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that the transmission resulted in any error in the electronic record as received.
The addressee is entitled to regard each electronic record received as a separate electronic record and to act on that assumption, except to the extent that the addressee duplicates another electronic record and the addressee knew or should have known, had the addressee exercised reasonable care or used any agreed procedure, that the electronic record was a duplicate.
Nothing in this section shall affect the law of agency or the law on the formation of contracts.

14. Acknowledgment of receipt

Subsections (2), (3) and (4) shall apply where, on or before sending an electronic record, or by means of that electronic record, the originator has requested or has agreed with the addressee that receipt of the electronic record be acknowledged.
Where the originator has not agreed with the addressee that the acknowledgment be given in a particular form or by a particular method, an acknowledgment may be given by -
1. any communication by the addressee, automated or otherwise; or
2. any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.
Where the originator has stated that the electronic record is conditional on receipt of the acknowledgment, the electronic record is treated as though it had never been sent, until the acknowledgment is received.
Where the originator has not stated that the electronic record is conditional on receipt of the acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed within a reasonable time, the originator -
1. may give notice to the addressee stating that no acknowledgment has been received and specifying a reasonable time by which the acknowledgment must be received; and
2. if the acknowledgment is not received within the time specified in paragraph (a), may, upon notice to the addressee, treat the electronic record as though it has never been sent or exercise any other rights it may have.
Where the originator receives the addressee’s acknowledgment of receipt, it is presumed, unless evidence to the contrary is adduced, that the related electronic record was received by the addressee, but that presumption does not imply that the content of the electronic record corresponds to the content of the record received.
Where the received acknowledgment states that the related electronic record met technical requirements, either agreed upon or set forth in applicable standards, it is presumed, unless evidence to the contrary is adduced, that those requirements have been met.
Except in so far as it relates to the sending or receipt of the electronic record, this Part is not intended to deal with the legal consequences that may flow either from that electronic record or from the acknowledgment of its receipt.

15. Time and place of despatch and receipt

Unless otherwise agreed to between the originator and the addressee, the despatch of an electronic record occurs when it enters an information system outside the control of the originator or the person who sent the electronic record on behalf of the originator.
Unless otherwise agreed between the originator and the addressee, the time of receipt of an electronic record is determined as follows:
1. if the addressee has designated an information system for the purpose of receiving electronic records, receipt occurs -
  1. at the time when the electronic record enters the designated information system; or
  2. if the electronic record is sent to an information system of the addressee that is not the designated information system, at the time when the electronic record is retrieved by the addressee; or
2. if the addressee has not designated an information system, receipt occurs when the electronic record enters an information system of the addressee.
Subsection (2) shall apply notwithstanding that the place where the information system is located may be different from the place where the electronic record is deemed to be received under subsection (4).
Unless otherwise agreed between the originator and the addressee, an electronic record is deemed to be despatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business.
For the purposes of this section -
1. if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business;
2. if the originator or the addressee does not have a place of business, reference is to be made to the usual place of residence; and
3. “usual place of residence”, in relation to a body corporate, means the place where it is incorporated or otherwise legally constituted.
This section shall not apply to such circumstances as the Minister may by regulations prescribe.

16. Secure electronic record

If a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved has been properly applied to an electronic record to verify that the electronic record has not been altered since a specified point in time, such record shall be treated as a secure electronic record from such specified point in time to the time of verification.
For the purposes of this section and section 17, whether a security procedure is commercially reasonable shall be determined having regard to the purposes of the procedure and the commercial circumstances at the time the procedure was used, including -
1. the nature of the transaction;
2. the sophistication of the parties;
3. the volume of similar transactions engaged in by either or all parties;
4. the availability of alternatives offered to but rejected by any party;
5. the cost of alternative procedures; and
6. the procedures in general use for similar types of transactions.

17. Secure electronic signature

If, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, it can be verified that an electronic signature was, at the time it was made -

unique to the person using it;
capable of identifying such person;
created in a manner or using a means under the sole control of the person using it; and
linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated, such signature shall be treated as a secure electronic signature.

18. Presumptions relating to secure electronic records and signatures

In any proceedings involving a secure electronic record, it shall be presumed, unless evidence to the contrary is adduced, that the secure electronic record has not been altered since the specific point in time to which the secure status relates.
In any proceedings involving a secure electronic signature, it shall be presumed, unless evidence to the contrary is adduced, that -
1. the secure electronic signature is the signature of the person to whom it correlates; and
2. the secure electronic signature was affixed by that person with the intention of signing or approving the electronic record.
In the absence of a secure electronic record or a secure electronic signature, nothing in this Part shall create any presumption relating to the authenticity and integrity of the electronic record or an electronic signature.
For the purposes of this section -

- “secure electronic record” means an electronic record treated as a secure electronic record by virtue of section 16 or 19;
- “secure electronic signature” means an electronic signature treated as a secure electronic signature by virtue of section 17 or 20.

19. Secure electronic record with digital signature

The portion of an electronic record that is signed with a digital signature shall be treated as a secure electronic record if the digital signature is a secure electronic signature by virtue of section 20.

20. Secure digital signature

When any portion of an electronic record is signed with a digital signature, the digital signature shall be treated as a secure electronic signature with respect to such portion of the record, if -

the digital signature was created during the operational period of a valid certificate and is verified by reference to the public key listed in such certificate; and
the certificate is considered trustworthy, in that it is an accurate binding of a public key to a person’s identity because -
1. the certificate was issued by a licensed certification authority operating in compliance with the regulations made under section 42 ;
2. the certificate was issued by a certification authority outside Singapore recognised for this purpose by the Controller pursuant to regulations made under section 43;
3. the certificate was issued by a department or ministry of the Government, an organ of State or a statutory corporation approved by the Minister to act as a certification authority on such conditions as he may by regulations impose or specify; or
4. the parties have expressly agreed between themselves (sender and recipient) to use digital signatures as a security procedure, and the digital signature was properly verified by reference to the sender’s public key.

Computer Misuse Act

admin — Thu, 20 Nov 2008 13:34:38 +0000

COMPUTER MISUSE ACT (OF SINGAPORE)

PART I

PRELIMINARY

Short title

1. This Act may be cited as the Computer Misuse Act.

Interpretation

2. (1) In this Act, unless the context otherwise requires

“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices, but does not include

(a) an automated typewriter or typesetter;

(b) a portable hand held calculator;

(d) such other device as the Minister may, by notification in the Gazette, prescribe;

“computer output” or “output”means a statement or representation (whether in written,

printed, pictorial, graphical or other form) purporting to be a statement or

representation of fact

(a) produced by a computer; or

(b) accurately translated from a statement or representation so produced;

“computer service” includes computer time, data processing and the storage or retrieval of data;

“damage” means, except for the purposes of section 13, any impairment to a computer or the integrity or availability of data, a program or system, or information, that

(a) causes loss aggregating at least $10,000 in value, or such other amount as the Minister may, by notification in the Gazette, prescribe except that any loss incurred or accrued more than one year after the date of the offence in question shall not be taken into account;

(b) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment or care of one or more persons;

(d) threatens public health or public safety;

“data” means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer;

“electronic, acoustic, mechanical or other device” means any device or apparatus that is used or is capable of being used to intercept any function of a computer;

“function” includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer;

“intercept” , in relation to a function of a computer, includes listening to or recording a function of a computer, or acquiring the substance, meaning or purport thereof;

“program or computer program” means data representing instructions or statements that, when executed in a computer, causes the computer to perform a function.

(2) For the purposes of this Act, a person secures access to any program or data held in a computer if by causing a computer to perform any function he

(a) alters or erases the program or data;

(b) copies or moves it to any storage medium other than that in which it is held or to a different location in the storage medium in which it is held;

(d) causes it to be output from the computer in which it is held (whether by having it displayed or in any other manner), and references to access to a program or data (and to an intent to secure such access) shall be read accordingly.

(3) For the purposes of subsection (2) (c), a person uses a program if the function he causes the computer to perform

(a) causes the program to be executed; or

(b) is itself a function of the program.

(4) For the purposes of subsection (2) (d), the form in which any program or data is output (and in particular whether or not it represents a form in which, in the case of a program, it is capable of being executed or, in the case of data, it is capable of being processed by a computer) is immaterial.

(5) For the purposes of this Act, access of any kind by any person to any program or data held in a computer is unauthorised or done without authority if

(a) he is not himself entitled to control access of the kind in question to the program or data; and

(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled.

(6) A reference in this Act to any program or data held in a computer includes a reference to any program or data held in any removable storage medium which is for the time being in the computer; and a computer is to be regarded as containing any program or data held in any such medium.

(7) For the purposes of this Act, a modification of the contents of any computer takes place if, by the operation of any function of the computer concerned or any other computer

(a) any program or data held in the computer concerned is altered or erased;

(b) any program or data is added to its contents; or

(c) any act occurs which impairs the normal operation of any computer, and any act which contributes towards causing such a modification shall be regarded as causing it.

(8) Any modification referred to in subsection (7) is unauthorised if

(a) the person whose act causes it is not himself entitled to determine whether the modification should be made; and

(b) he does not have consent to the modification from any person who is so entitled.

(9) A reference in this Act to a program includes a reference to part of a program.

PART II

OFFENCES

Unauthorised access to computer material

3. (1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both.

(3) For the purposes of this section, it is immaterial that the act in question is not

directed at

(a) any particular program or data;

(b) a program or data of any kind; or

Access with intent to commit or facilitate commission of offence

4. (1) Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence.

(2) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.

(3) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both.

(4) For the purposes of this section, it is immaterial whether

(a) the access referred to in subsection (1) is authorised or unauthorised;

(b) the offence to which this section applies is committed at the same time when the access is secured or at any other time.

Unauthorised modification of computer material

5. (1) Subject to subsection (2), any person who does any act which he knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

(3) For the purposes of this section, it is immaterial that the act in question is not directed at

(a) any particular program or data;

(b) a program or data of any kind; or

(4) For the purposes of this section, it is immaterial whether an unauthorized modification is, or is intended to be, permanent or merely temporary.

Unauthorised use or interception of computer service

6. (1) Subject to subsection (2), any person who knowingly

(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;

(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electro-magnetic, acoustic, mechanical or other device; or

(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

(3) For the purposes of this section, it is immaterial that the unauthorised access or interception is not directed at

(a) any particular program or data;

(b) a program or data of any kind; or

Unauthorised obstruction of use of computer

7. (1) Any person who, knowingly and without authority or lawful excuse

(a) interferes with, or interrupts or obstructs the lawful use of, a computer; or

(b) impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer,

shall be guilty of an offence and shall be liable on conviction to a fine not �exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

Unauthorised disclosure of access code

8. (1) Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer shall be guilty of an offence if he did so

(a) for any wrongful gain;

(b) for any unlawful purpose; or

(2) Any person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both.

Enhanced punishment for offences involving protected computers

9. (1) Where access to any protected computer is obtained in the course of the commission of an offence under section 3, 5, 6 or 7, the person convicted of such an offence shall, in lieu of the punishment prescribed in those sections, be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 20 years or to both.

(2) For the purposes of subsection (1), a computer shall be treated as a “protected computer” if the person committing the offence knew, or ought reasonably to have known, that the computer or program or data is used directly in connection with or necessary for

(a) the security, defence or international relations of Singapore;

(b) the existence or identity of a confidential source of information relating to the enforcement of a criminal law;

(c) the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure; or

(d) the protection of public safety including systems related to essential emergency services such as police, civil defence and medical services.

(3) For the purposes of any prosecution under this section, it shall be presumed, until the contrary is proved, that the accused has the requisite knowledge referred to in subsection (2) if there is, in respect of the computer, program or data, an electronic or other warning exhibited to the accused stating that unauthorised access to that computer, program or data attracts an enhanced penalty under this section.

Abetments and attempts punishable as offences

10. (1) Any person who abets the commission of or who attempts to commit or does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall be liable on conviction to the punishment provided for the offence.

(2) For an offence to be committed under this section, it is immaterial where the act in question took place.

PART III

MISCELLANEOUS AND GENERAL

Territorial scope of offences under this Act

11. (1) Subject to subsection (2), the provisions of this Act shall have effect, in relation to any person, whatever his nationality or citizenship, outside as well as within Singapore.

(2) Where an offence under this Act is committed by any person in any place outside Singapore, he may be dealt with as if the offence had been committed within Singapore.

(3) For the purposes of this section, this Act shall apply if, for the offence in question

(a) the accused was in Singapore at the material time; or

(b) the computer, program or data was in Singapore at the material time.

Jurisdiction of Courts

12. A District Court or a Magistrate’s Court shall have jurisdiction to hear and determine all offences under this Act and, notwithstanding anything to the contrary in the Criminal Procedure Code (Cap. 68), shall have power to impose the full penalty or punishment in respect of any offence under this Act.

Order for payment of compensation

13. (1) The court before which a person is convicted of any offence under this Act may make an order against him for the payment by him of a sum to be fixed by the court by way of compensation to any person for any damage caused to his computer, program or data by the offence for which the sentence is passed.

(2) Any claim by a person for damages sustained by reason of the offence shall be deemed to have been satisfied to the extent of any amount which has been paid to him under an order for compensation, but the order shall not prejudice any right to a civil remedy for the recovery of damages beyond the amount of compensation paid under the order.

(3) An order of compensation under this section shall be recoverable as a civil debt.

Saving for investigations by police and law enforcement officers

14. Nothing in this Act shall prohibit a police officer, a person authorised in writing by the Commissioner of Police under section 15 (1) or any other duly authorised law enforcement officer from lawfully conducting investigations pursuant to his powers conferred under any written law.

Power of police officer to access computer and data

15. (1) A police officer or a person authorised in writing by the Commissioner of Police shall

(a) be entitled at any time to

(i) have access to and inspect and check the operation of any computer to which this section applies;

(ii) use or cause to be used any such computer to search any data contained in or available to such computer; or

(iii) have access to any information, code or technology which has the capability of retransforming or unscrambling encrypted data contained or available to such computer into readable and comprehensible format or text for the purpose of investigating any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section;

(b)� be entitled to require

(i) the person by whom or on whose behalf, the police officer or investigation officer has reasonable cause to suspect, any computer to which this section applies is or has been used; or

(ii) any person having charge of, or otherwise concerned with the operation of, such computer,

to provide him with such reasonable technical and other assistance as he �may require for the purposes of paragraph (a); or

(c) be entitled to require any person in possession of decryption information to grant him access to such decryption information necessary to decrypt data required for the purpose of investigating any such offence.

(2) This section shall apply to a computer which a police officer or a person authorised in writing by the Commissioner of Police has reasonable cause to suspect is or has been in use in connection with any offence under this Act or any other offence which has been disclosed in the course of the lawful exercise of the powers under this section.

(3) The powers referred to in paragraphs (a) (ii) and (iii) and (c) of subsection (1) shall not be exercised except with the consent of the Public Prosecutor.

(4) Any person who obstructs the lawful exercise of the powers under subsection (1) (a) or who fails to comply with a request under subsection (1) (b) or (c) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both.

(5) For the purposes of this section

“decryption information” means information or technology that enables a person to readily retransform or unscramble encrypted data from its unreadable and incomprehensible format to its plain text version;

“encrypted data” means data which has been transformed or scrambled from its plain text version to an unreadable or incomprehensible format, regardless of the technique utilised for such transformation or scrambling and irrespective of the medium in which such data occurs or can be found for the purposes of protecting the content of such data;

“plain text version” means original data before it has been transformed or scrambled to an unreadable or incomprehensible format.

Arrest by police without warrant

16. Any police officer may arrest without warrant any person reasonably suspected of committing an offence under this Act.