Part of a comprehensive analysis of the Computer Misuse Act 1993
All Parts in This Series
Key Provisions and Their Purpose under Part 2 of the Computer Misuse Act 1993
Part 2 of the Computer Misuse Act 1993 (CMA) sets out the primary offences related to unauthorized access and misuse of computers and computer data. These provisions are designed to criminalize acts that compromise computer security, integrity, and confidentiality, thereby protecting individuals, organizations, and the public from cybercrime. Below is an analysis of the key sections and the rationale behind their enactment.
"any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence" — Section 3(1), Computer Misuse Act 1993
Verify Section 3 in source document →
Section 3 criminalizes unauthorized access to any program or data in a computer. The provision targets individuals who knowingly cause a computer to perform functions to gain access without permission. The purpose is to deter hacking activities that breach computer security, even if no further harm is caused. This section establishes the fundamental offence of unauthorized access.
"Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence." — Section 4(1), Computer Misuse Act 1993
Verify Section 4 in source document →
Section 4 builds on Section 3 by criminalizing unauthorized access with the additional element of intent to commit a further offence, such as fraud or theft. This provision addresses more serious cybercrimes where unauthorized access is a means to commit other offences punishable by law. It ensures that offenders with malicious intent face enhanced penalties.
"any person who does any act which the person knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence" — Section 5(1), Computer Misuse Act 1993
Verify Section 5 in source document →
Section 5 targets unauthorized modification of computer contents, including data or programs. This provision criminalizes acts such as altering, deleting, or corrupting data without authority, which can disrupt operations or cause loss. The purpose is to protect the integrity and reliability of computer systems and data.
"any person who knowingly secures access without authority to any computer for the purpose of obtaining... any computer service; intercepts... any function of a computer...; or uses... the computer... for the purpose of committing an offence" — Section 6(1), Computer Misuse Act 1993
Verify Section 6 in source document →
Section 6 addresses unauthorized access with the intent to obtain computer services, intercept computer functions, or use the computer to commit an offence. This provision covers a broad range of misuse, including theft of services, eavesdropping on computer operations, and using computers as tools for further criminal acts. It aims to safeguard computer resources and prevent exploitation.
"Any person who, knowingly and without authority or lawful excuse interferes with, or interrupts or obstructs the lawful use of, a computer; or impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer, shall be guilty of an offence" — Section 7(1), Computer Misuse Act 1993
Verify Section 7 in source document →
Section 7 criminalizes interference with the lawful use of computers, including obstruction, interruption, or impairment of programs or data. This provision targets acts such as denial-of-service attacks or other disruptions that prevent legitimate users from accessing or using computer systems. The purpose is to maintain the availability and proper functioning of computer services.
"Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer shall be guilty of an offence if the person did so for any wrongful gain; for any unlawful purpose; or knowing that it is likely to cause wrongful loss to any person." — Section 8(1), Computer Misuse Act 1993
Verify Section 8 in source document →
Section 8 targets unauthorized disclosure of access credentials such as passwords or access codes. The provision aims to prevent the facilitation of unauthorized access by punishing those who share or reveal such information for wrongful gain or unlawful purposes. This protects the confidentiality of access controls and reduces risks of cyber intrusions.
Additional sections such as 8A, 8B, 9, 10, and 11 extend offences to cover misuse related to the national digital identity service, supplying credentials, misuse of personal information, obtaining items for offences, and enhanced penalties for protected computers. Section 12 addresses abetments and attempts, ensuring comprehensive coverage of computer misuse offences.
Definitions Relevant to Part 2 of the Computer Misuse Act 1993
Clear definitions are essential for the effective application of the CMA’s provisions. Several sections provide specific definitions to clarify the scope of offences and ensure that the law captures a wide range of conduct.
"For the purposes of this section, it is immaterial that the act in question is not directed at — (a) any particular program or data; (b) a program or data of any kind; or (c) a program or data held in any particular computer." — Section 3(3), Computer Misuse Act 1993
Verify Section 3 in source document →
This definition clarifies that unauthorized access offences apply regardless of whether the act targets specific data or programs, or any particular computer. This broadens the scope to include indiscriminate or opportunistic hacking attempts, reflecting the reality of cyber threats.
"In this section — (a) a reference to a credential of another person in relation to the national digital identity service has the meaning given by paragraph 1(2) of the First Schedule; and (b) a reference to an offence under any written law includes an offence under subsection (1)." — Section 8B(6), Computer Misuse Act 1993
This provision links the definition of credentials to the national digital identity service, ensuring that offences related to misuse of such credentials are clearly defined and integrated with other laws. It facilitates enforcement in the context of Singapore’s digital identity framework.
"personal information is any information, whether true or not, about an individual of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, including (but not limited to) biometric data, name, address, date of birth, national registration identity card number, passport number, a written, electronic or digital signature, user authentication code, credit card or debit card number, and password;" — Section 9(7)(a), Computer Misuse Act 1993
Verify Section 9 in source document →
This comprehensive definition of personal information ensures that offences involving the misuse or unauthorized disclosure of such data are clearly captured. It reflects the importance of protecting individuals’ privacy and sensitive data in the digital age.
Penalties for Non-Compliance under the Computer Misuse Act 1993
The CMA prescribes a range of penalties to deter and punish computer misuse offences. These penalties vary depending on the severity of the offence, the offender’s intent, and whether it is a repeat offence. The penalties include fines, imprisonment, and in certain cases, caning.
"liable on conviction — (a) to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both." — Section 3(1), Computer Misuse Act 1993
Section 3 offences carry moderate penalties reflecting the seriousness of unauthorized access. Repeat offenders face increased fines and longer imprisonment terms, emphasizing the law’s deterrent effect.
"If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both." — Section 3(2), Computer Misuse Act 1993
Verify Section 3 in source document →
Where unauthorized access causes damage, the penalties escalate significantly. This reflects the greater harm caused by such conduct and the need for stronger sanctions to protect computer systems and data.
"liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both." — Section 4(3), Computer Misuse Act 1993
Verify Section 4 in source document →
Section 4 offences, involving intent to commit further crimes, attract heavier penalties. The maximum 10-year imprisonment term underscores the gravity of such offences and their potential impact on victims and society.
"liable on conviction — (a) to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and (b) in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both." — Sections 5(1), 6(1), 7(1), 8(2), 9(5), 10(3), Computer Misuse Act 1993
Sections 5, 6, 7, 8, 9, and 10 offences generally carry similar penalty ranges, reflecting their related nature in terms of unauthorized modification, use, interference, disclosure, and obtaining items for offences. The graduated penalties for repeat convictions reinforce the law’s deterrent purpose.
"liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both." and caning "not more than 12 strokes" — Sections 8A(1) and (5), 8B(5), Computer Misuse Act 1993
Verify source in source document →
Sections 8A and 8B, which relate to offences involving the national digital identity service and supplying credentials, include caning as an additional penalty in certain cases. This reflects the heightened seriousness of offences that threaten Singapore’s digital identity infrastructure.
"liable to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 20 years or to both." — Section 11(1), Computer Misuse Act 1993
Verify Section 11 in source document →
Section 11 offences, which involve enhanced punishment for protected computers, carry the most severe penalties. The high maximum fine and long imprisonment term demonstrate the critical importance of safeguarding protected computer systems, such as those used by government or critical infrastructure.
Cross-References to Other Legislation
The CMA frequently references other written laws to ensure comprehensive coverage of offences that intersect with computer misuse. For example, Section 4(2) states:
"This section applies to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years." — Section 4(2), Computer Misuse Act 1993
Verify Section 4 in source document →
This cross-reference ensures that offences involving unauthorized access with intent to commit crimes such as fraud or causing bodily harm are linked to the relevant substantive offences under other laws. It facilitates coordinated enforcement and prosecution.
Additionally, references to the national digital identity service and its credentials are linked to definitions in the First Schedule, integrating the CMA with Singapore’s broader digital governance framework. This ensures that offences involving digital identity misuse are clearly defined and effectively prosecuted.
Conclusion
Part 2 of the Computer Misuse Act 1993 establishes a robust legal framework to combat unauthorized access and misuse of computer systems and data in Singapore. The key provisions criminalize a wide range of conduct from unauthorized access and modification to interference and disclosure of access credentials. The detailed definitions ensure clarity and broad coverage, while the graduated penalties provide strong deterrence and punishment for offenders. Cross-references to other laws and the national digital identity framework ensure that the CMA operates cohesively within Singapore’s legal system to protect digital security and trust.
Sections Covered in This Analysis
- Section 3: Unauthorized access to computer programs or data
- Section 4: Unauthorized access with intent to commit further offences
- Section 5: Unauthorized modification of computer contents
- Section 6: Unauthorized access for obtaining services or committing offences
- Section 7: Interference with lawful use of computers
- Section 8: Unauthorized disclosure of access credentials
- Section 8A: Offences related to national digital identity service
- Section 8B: Supplying credentials offences
- Section 9: Offences involving personal information
- Section 10: Obtaining items for offences
- Section 11: Enhanced punishment for protected computers
- Section 12: Abetments and attempts
- Definitions in Sections 3(3), 5(3), 6(3), 8B(6), 9(7)(a)
Source Documents
For the authoritative text, consult SSO.