Chapter 8: Jurisdictional and liability issues

Nadia Abu Hasan

Jurisdictional issue in cyberspace

• Jurisdiction is the practical authority granted to a formally constituted legal body or to a political
leader to deal with and make pronouncements on legal matters and, by implication, to administer
justice within a defined area of responsibility. It involves the authority of a court to hear a case and
resolve a dispute.
• Traditional notions of jurisdiction have no relevance to the activities carried out over the internet, as
the internet has no relevance to the location. It is difficult to apply traditional legal system in
cyberspace because of the borderless characteristic. Under the traditional legal system, the
transactions between 2 parties when both are situated indistinct territorial jurisdiction, are
governed either by the laws of country which the parties agree will govern the transactions, or by
the laws of the country in which the transaction is performed.
• The trans borderless nature of computers in transmitting and receiving data takes no account of
national boundaries as criminal activities committed through computers online will normally involve
people from different countries.
• Who has jurisdiction to hear the case? (Choice of law)

Law in Malaysia
Section 9 of CCA 1997 (Criminal)
• Any person in any nationality or citizenship committed offences at any place outside Malaysia is
within the Malaysian jurisdiction provided that the computer program or data is in Malaysia or
capable of being connected to or sent to or used by or with a computer in Malaysia at material time.
• Given a vast jurisdiction to the enforcement unit.
Section 3 of Penal Code
• Punishment of offences committed beyond, but which by law may be tried within Malaysia
• Any person liable by law to be tried for an offence committed beyond the limits of Malaysia shall be
dealt in the same manner as if such act had been committed within Malaysia.
Section 4 of Penal Code
• Extension of Code to extraterritorial offences
Extradition Act 1992
• Relating to extradition of fugitive criminal.
• “extraditable offence”
• Section 32 provides that an extraditable offence is an offence however described, including fiscal
offences, which is punishable under the laws of Malaysia with imprisonment for not less than one
year or with death.
• In R v. Governor of Braxton Prison and another, ex parte Levin,a Russian hacker has hacked in the US
territory using a Russian computer but because as his activities constituted various crimes under
British law and the conduct had effect within the American territory. He was arrested in England and
extradited to the US.

1
Mutual Assistance in Criminal Matters Act 2002 (MAA)
• Provide provision for mutual assistance in criminal matters between Malaysia and other countries
and for matters connected therewith.
• Section 3
• In the case of Olez Zezev v Bloomberg Company, an individual named Zezev, from Kazakhstan,
hacked into the Bloomberg company website and, using advanced hacking programmes, copied the
company’s account files and other secret documents related to the company’s operations such as
customer data. Zezev then used the nick name “Elias Alex” to send an email, including attachments
of the hacked information, back to the company as an attempt at blackmail. Zezev threatened to
publish the information if $200,000 was not transferred to his bank account. The company’s
dilemma was that public disclosure of the information would be a risk to the company’s reputation
and would potentially destroy the trust of its customers. Bloomberg requested the help of the
American Federal Bureau of Investigation (FBI), which directed the company to send an email to
Zezev saying that to get the money he would have to meet Maikel Bloomberg in the UK. The FBI
arranged with the British General Prosecutor Office to arrest Zezev, so that when he came to Britain
and started explaining how he had hacked the company’s website, the British police arrested him
and surrendered him to the FBI. Eventually, the FBI successfully prosecuted the offender with the
cooperation of British police
UN
• Combating the criminal misuse of information technologies: resolution/ adopted by the General
Assembly
• Provide measures in their efforts to combat the criminal misuse of information technologies
Council of Europe’s Convention on Cyber Crime(Budapest convention)
• Deals primarily with offences related to infringement of copyright, computer related fraud, child
pornography and offences connected with network security.
• It also covers a series of procedural powers such as searches of an interception of material on
computer networks.
• The main aim of the Convention as set forth in the preamble is to pursue, “a common criminal policy
aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation
and fostering international co-operation.”
• Article 23 provides that the Parties shall co-operate with each other, in accordance with the
provisions of this chapter, and through the application of relevant international instruments on
international cooperation in criminal matters, arrangements agreed on the basis of uniform or
reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of
investigations or proceedings concerning criminal offences related to computer systems and data, or
for the collection of evidence in electronic form of a criminal offence.
• Article 24 provides that this article applies to extradition between Parties for the criminal offences
established in accordance with Articles 2 through 11 of this Convention, provided that they are
punishable under the laws of both Parties concerned by deprivation of liberty for a maximum period
of at least one year, or by a more severe penalty.
• Section 25 provides that The Parties shall afford one another mutual assistance to the widest extent
possible for the purpose of investigations or proceedings concerning criminal offences related to

2
 computer systems and data, or for the collection of evidence in electronic form of a criminal
offence.

• Suggested certain guidelines in relation to jurisdiction in respect of cybercrimes:

• A country has jurisdiction if the cybercrime was committed:

• In its territory;
• On board a ship flying the flag of the country;
• On board an aircraft registered under the laws of the country;
• By one of the countries nationals, if the offence is punishable under criminal law where it
was committed or if the offence is committed outside the territorial jurisdiction of any State.
• The Convention has made cybercrimes extraditable offences.
Order 11 rule 1 (C) and (F) of the Rules of Court 2012
• The courts in Malaysia can assume jurisdiction, if:
i. the web-site is located within a server in Malaysia; or
ii. defendant is carrying on business in Malaysia; or
iii. The defendant is a resident in Malaysia.
• A consumer in Malaysia can be dragged to the court of another country in circumstance of a
dispute.
• Contract should contain a choice-of-law provision to indicate the parties’ choice for what rules are
to govern the agreement
• If no provision on the choice-of-law, surrounding facts would be considered to determine if there is
inferred/implied choice of law by the parties.

Liability issue in cyberspace

Internet service providers
• ISP liability for the activities of its customers is generally based on a knowledge of the customer's
activity.
• If the ISP is unaware of the behaviour of its customer, most courts seem reluctant to hold the ISP
liable for that behaviour.
• However, once the ISP becomes aware of the customer's activity, or should have become aware of
the activity with reasonable diligence, courts are much more likely to hold the ISP liable for its
customer's actions.

Role of judges and PP

• While law enforcement authorities have been able to strengthen their capacities to investigate
cybercrime and secure electronic evidence, it seem to be less the case for judges and prosecutors
who nevertheless play an essential role in the criminal justice process.
• Judges and prosecutors must have at least a basic understanding of technologies and related
problems.
• Experience suggests that in most cases, judges and prosecutors encounter difficulties in coping with
the new realities of the cyber world.
• Efforts are therefore required to enable judges and prosecutors to prosecute and adjudicate
cybercrime and make use of electronic evidence through training, networking and specialisation.

3
 In regards to the basic knowledge, there are several basic knowledge that the judges and
prosecutors should be able to understand:

• Cybercrime legislation :domestic legislation (including case law) and the international standards

The judges and prosecutors must fully understand the operation and the gist of the relevant
legislation or provision. However, it is insufficient at all to know the domestic legislation only, they
are also required to understand the international standards. For instance, under the digital signature
act, a close analysis on the legislation would come to the conclusion that such act is only applicable
domestically when the statute clearly stipulates that the magistrate court shall have the jurisdiction
to hear the case. However, the operation of digital signature act, however, is borderless. In a case
where the operation of digital signature involves different jurisdiction, the judge and the
prosecution must have the knowledge as to whether the digital signature act is applicable to such a
case and whether the court has the jurisdiction or whether the prosecution has a right to brought a
case before the court. For example, under section 9 of CCA, the court has the right to hear the case
as long as there is connection to the Malaysia. However, the judge and prosecution must know how
the section would be functioned and what are the requirements to be proven under such section or
what amount to connection and whether there was any restriction. In fact, the judges and
prosecutor shall look into the international standards in regards to section 9 of the CCA. The
international standards have also a simillar provision ie section 4 of computer misuse act. However,
the operation of the provision is restricted situation where it involves significant link to the country.
Therefore, the judges must know that how should section 9 of CCA be applied having consideration
of the application of international standard. Besides, they shall also have the knowledge as to the
application of extradiction act as well as the procedural of the extradiction.

• Jurisdiction and territorial competencies.

Under section 9 of the CCA, it provides an extremely board assertion of jurisdiction. However, cases
law has proven that such assertion would not be operative as it caused the issue of jurisdiction
competencies. The way of section was structure had indirectly claiming that malaysia court has
jurisdiction to hear the case as long as there is connection. For example, in a case where it involves
the other jurisdictions but the apps was created from Malaysia. By virtue of section 9, it claims that
malaysia court has power to it even the mere fact that the apps was created by Malaysian.
Therefore, it creates a jurisdiction and terrirorial competencies when that the malaysia court has not
significant link with the offence itself.
• Electronic evidence: technical procedures and legal consideration
In regards to this, the judges and the prosecution must have te knowledge on how to store, process
and analysize the electronic evidence. They should also have the knowledge as to whether the
computer generated evidence is applicable before the court or not as well as the credibility of the
evidence. Besides, they shall also have the knowledge as to the procedures for the electronic
evidence to be stored, process, and analysize as well as the procedural in tendering the computer
generated evidence before the court.
• Computers and networks

4
 For example, the judges and the prosecution shall have the knowledge as to how the digital
signature is being performed and how the computer as well as the internet is used to perform
hacking, unauthorised alteration. For example, in the case of toh see wei , the prosecution and the
judge must have the basic knowledge what would amount to hacking in to an email. What may
constitute to hacking and how such hacking can be performed. Without such knowledge, the it is
impossible for the court convict the offender. Besides, they should also have the knowledge as to
the role of services provides. They should have the basic knowledge on what circumstances a service
provide can be held liable for committing an offence.

Admissibility of evidence
• Issues with cross-borders:
• Remote access to computer via the internet may be exposed to illegal interception of
communications;
• The need to execute simultaneous warrants on offenders in different countries
• Retention of seized materials;
• Accessing encrypted data, which in some countries can only be accessed by installing key logging
program onto a computer to detect the password used for decryption;
• High costs for mutual assistance treaties, logistical and practical barriers;
• Difficulty to contact and deal with the right people in other jurisdictions;
• Documents may not be written in english;
• Witness may not speak english; and
• Lack of expertise and proficiency in dealing with and handling digital evidence.
• Investigator to be able to identify, preserve and process computer related evidence effectively and
possess tremendous skills as well as proficiency in dealing with cross border crime.
• Good cooperation between the investigators and the prosecutors since the defence counsel will
challenge the latter if the prosecutor cannot provide sufficient evidence in his case.