PART 2 | Unauthorised access to computer material |
3.—(1) Subject to subsection (2), any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer shall be guilty of an offence and shall be liable on conviction —| (a) | to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both. |
| (2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both. |
(3) For the purposes of this section, it is immaterial that the act in question is not directed at —| (a) | any particular program or data; | | (b) | a program or data of any kind; or | | (c) | a program or data held in any particular computer. |
|
|
| Access with intent to commit or facilitate commission of offence |
4.—(1) Any person who causes a computer to perform any function for the purpose of securing access to any program or data held in any computer with intent to commit an offence to which this section applies shall be guilty of an offence.| (2) This section applies to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years. |
| (3) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both. |
(4) For the purposes of this section, it is immaterial whether —| (a) | the access mentioned in subsection (1) is authorised or unauthorised; | | (b) | the offence to which this section applies is committed at the same time when the access is secured or at any other time. |
|
|
| Unauthorised modification of computer material |
5.—(1) Subject to subsection (2), any person who does any act which the person knows will cause an unauthorised modification of the contents of any computer shall be guilty of an offence and shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
| (2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both. |
(3) For the purposes of this section, it is immaterial that the act in question is not directed at —| (a) | any particular program or data; | | (b) | a program or data of any kind; or | | (c) | a program or data held in any particular computer. |
|
| (4) For the purposes of this section, it is immaterial whether an unauthorised modification is, or is intended to be, permanent or merely temporary. |
|
| Unauthorised use or interception of computer service |
6.—(1) Subject to subsection (2), any person who knowingly —| (a) | secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service; | | (b) | intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electromagnetic, acoustic, mechanical or other device; or | | (c) | uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b), |
| shall be guilty of an offence and shall be liable on conviction — |
| (d) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (e) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
| (2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both. |
(3) For the purposes of this section, it is immaterial that the unauthorised access or interception is not directed at —| (a) | any particular program or data; | | (b) | a program or data of any kind; or | | (c) | a program or data held in any particular computer. |
|
|
| Unauthorised obstruction of use of computer |
7.—(1) Any person who, knowingly and without authority or lawful excuse —| (a) | interferes with, or interrupts or obstructs the lawful use of, a computer; or | | (b) | impedes or prevents access to, or impairs the usefulness or effectiveness of, any program or data stored in a computer, |
| shall be guilty of an offence and shall be liable on conviction — |
| (c) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (d) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
| (2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both. |
|
| Unauthorised disclosure of access code |
8.—(1) Any person who, knowingly and without authority, discloses any password, access code or any other means of gaining access to any program or data held in any computer shall be guilty of an offence if the person did so —| (a) | for any wrongful gain; | | (b) | for any unlawful purpose; or | | (c) | knowing that it is likely to cause wrongful loss to any person. |
(2) Any person guilty of an offence under subsection (1) shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
|
|
| Disclosure of password, access code, etc., in relation to national digital identity service |
8A.—(1) Any user of the national digital identity service —| (a) | who discloses any password or access code of the user in relation to the national digital identity service, or provides any other means of securing access in the identity of the user to any program or data held in any computer by way of the national digital identity service; and | | (b) | who does so knowing, or having reasonable grounds to believe, that the purpose of the disclosure or provision is for any person to commit, or to facilitate the commission by any person of, any offence under any written law, |
| shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both. |
(2) For the purpose of proving an offence under subsection (1), it is not necessary for the prosecution to prove —| (a) | that the purpose of committing, or facilitating the commission of, an offence was carried out; | | (b) | that the user knew, or had reasonable grounds to believe, that the purpose was to commit, or facilitate the commission of, any specific offence; or | | (c) | that the disclosure or provision was made to any specific person, if the disclosure or provision was made by the user in a manner that was intended to be accessible or retrievable by another person, whether or not that other person is known to the user. |
|
(3) For the purposes of subsection (1)(b), a user of the national digital identity service who does an act mentioned in subsection (1)(a) is presumed, until the contrary is proved, to have reasonable grounds to believe that the purpose of the disclosure or provision is for a person to commit, or to facilitate the commission by a person of, an offence under any written law, if —| (a) | the user does the act for any gain —| (i) | whether or not the gain is a wrongful gain; | | (ii) | whether or not the gain is realised; and | | (iii) | whether the gain is to the user or to another person; |
| | (b) | the user does the act knowing that it is likely to cause wrongful loss to any person; or | | (c) | at the time the user does the act, the user fails to take reasonable steps to ascertain the identity and physical location of the person to whom the password, access code or means of securing access is disclosed or provided. |
|
| (4) It is not an offence under subsection (1) if the user of the national digital identity service had reasonable grounds to believe that the purpose of the disclosure or provision is to use or access the national digital identity service to carry out a transaction in the identity of the user for a lawful purpose. |
[Act 16 of 2023 wef 08/02/2024] |
| Supplying, etc., credential of another person |
8B.—(1) A person shall be guilty of an offence if the person —| (a) | obtains or retains any credential of another person in relation to the national digital identity service; or | | (b) | supplies, offers to supply, transmits or makes available, by any means, any credential of another person in relation to the national digital identity service. |
(2) It is not an offence under subsection (1)(a) if the person obtained or retained the credential of the other person for a purpose that is not any of the following purposes:| (a) | for use in committing, or in facilitating the commission of, any offence under any written law; | | (b) | for the supply or transmission of, or making available, by any means, the credential to be used in committing, or in facilitating the commission of, any offence under any written law. |
|
(3) It is not an offence under subsection (1)(b) if —| (a) | the person did the act for a purpose other than for the credential of the other person to be used in committing, or in facilitating the commission of, any offence under any written law; and | | (b) | the person did not know or have reason to believe that the credential of the other person will be or is likely to be used to commit, or facilitate the commission of, any offence under any written law. |
|
| (4) For the purposes of subsection (1)(b), a person does not transmit or make available any credential of another person in relation to the national digital identity service merely because the person provides, or operates facilities for network access, or provides services relating to, or provides connections for, the transmission or routing of data. |
(5) A person who is guilty of an offence under subsection (1) shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
|
(6) In this section —| (a) | a reference to a credential of another person in relation to the national digital identity service has the meaning given by paragraph 1(2) of the Schedule; and | | (b) | a reference to an offence under any written law includes an offence under subsection (1). |
|
[Act 16 of 2023 wef 08/02/2024] |
| Supplying, etc., personal information obtained in contravention of certain provisions |
9.—(1) A person shall be guilty of an offence if the person, knowing or having reason to believe that any personal information about another person (being an individual) was obtained by an act done in contravention of section 3, 4, 5 or 6 —| (a) | obtains or retains the personal information; or | | (b) | supplies, offers to supply, transmits or makes available, by any means the personal information. [22/2017] |
(2) It is not an offence under subsection (1)(a) if the person obtained or retained the personal information for a purpose other than —| (a) | for use in committing, or in facilitating the commission of, any offence under any written law; or | | (b) | for supply, transmission or making available by any means for the personal information to be used in committing, or in facilitating the commission of, any offence under any written law. [22/2017] |
|
(3) It is not an offence under subsection (1)(b) if —| (a) | the person did the act for a purpose other than for the personal information to be used in committing, or in facilitating the commission of, any offence under any written law; and | | (b) | the person did not know or have reason to believe that the personal information will be or is likely to be used to commit, or facilitate the commission of, any offence under any written law.| Example 1.— A comes across a list of credit card numbers on the Internet belonging to individuals who are customers of B, which A has reason to believe were obtained by securing access without authority to B’s server. A downloads the list for the purpose of reporting the unauthorised access to B’s server to the police. |
| | A retains the list of credit card numbers and transmits it to B for the purpose of informing B of the unauthorised access to B’s server. |
| | A has downloaded and retained the list of credit card numbers for purposes other than those mentioned in subsection (2)(a) and (b). Therefore A does not commit an offence under subsection (1)(a) by reason of subsection (2). |
| | A has transmitted the list to B for a purpose other than for it to be used in committing or in facilitating the commission of an offence. If A did not know or have reason to believe that the list so transmitted will be or is likely to be used to commit or facilitate the commission of an offence, then A does not commit an offence under subsection (1)(b) by reason of subsection (3). |
| | Example 2.— C, an employee of B, after receiving the list from A in Example 1, transmits it to D, another employee of B, for the purpose of facilitating B’s investigation of the unauthorised access of B’s server. |
| | C has transmitted the list to D for a purpose other than for it to be used in committing or in facilitating the commission of an offence. If C did not know or have reason to believe that the list so transmitted will be or is likely to be used to commit or facilitate the commission of an offence, then C does not commit an offence under subsection (1)(b) by reason of subsection (3). |
|
|
[22/2017] |
|
| (4) For the purposes of subsection (1)(b), a person does not transmit or make available personal information merely because the person provides, or operates facilities for network access, or provides services relating to, or provides connections for, the transmission or routing of data. [22/2017] |
(5) A person guilty of an offence under subsection (1) shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. [22/2017] |
|
| (6) For the purpose of proving under subsection (1) that a person knows or has reason to believe that any personal information was obtained by an act done in contravention of section 3, 4, 5 or 6, it is not necessary for the prosecution to prove the particulars of the contravention, such as who carried out the contravention and when it took place. [22/2017] |
(7) In this section —| (a) | personal information is any information, whether true or not, about an individual of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, including (but not limited to) biometric data, name, address, date of birth, national registration identity card number, passport number, a written, electronic or digital signature, user authentication code, credit card or debit card number, and password; and | | (b) | a reference to an offence under any written law includes an offence under subsection (1). [8A [22/2017] |
|
|
| Obtaining, etc., items for use in certain offences |
10.—(1) A person shall be guilty of an offence if the person —| (a) | obtains or retains any item to which this section applies —| (i) | intending to use it to commit, or facilitate the commission of, an offence under section 3, 4, 5, 6 or 7; or | | (ii) | with a view to it being supplied or made available, by any means for use in committing, or in facilitating the commission of, any of those offences; or |
| | (b) | makes, supplies, offers to supply or makes available, by any means any item to which this section applies, intending it to be used to commit, or facilitate the commission of, an offence under section 3, 4, 5, 6 or 7. [22/2017] |
(2) This section applies to the following items:| (a) | any device, including a computer program, that is designed or adapted primarily, or is capable of being used, for the purpose of committing an offence under section 3, 4, 5, 6 or 7; | | (b) | a password, an access code, or similar data by which the whole or any part of a computer is capable of being accessed. [22/2017] |
|
(3) A person guilty of an offence under subsection (1) shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. [8B [22/2017] |
|
|
| Enhanced punishment for offences involving protected computers |
11.—(1) Where access to any protected computer is obtained in the course of the commission of an offence under section 3, 5, 6 or 7, a person convicted of the offence shall, in lieu of the punishment prescribed in those sections, be liable to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 20 years or to both.(2) For the purposes of subsection (1), a computer is treated as a “protected computer” if the person committing the offence knew, or ought reasonably to have known, that the computer or program or data is used directly in connection with or necessary for —| (a) | the security, defence or international relations of Singapore; | | (b) | the existence or identity of a confidential source of information relating to the enforcement of a criminal law; | | (c) | the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure; or | | (d) | the protection of public safety including systems related to essential emergency services such as police, civil defence and medical services. |
|
| (3) For the purposes of any prosecution under this section, it is presumed, until the contrary is proved, that the accused has the requisite knowledge referred to in subsection (2) if there is, in respect of the computer, program or data, an electronic or other warning exhibited to the accused stating that unauthorised access to that computer, program or data attracts an enhanced penalty under this section. [9 |
|
| Abetments and attempts punishable as offences |
12.—(1) Any person who abets the commission of or who attempts to commit or does any act preparatory to or in furtherance of the commission of any offence under this Act shall be guilty of that offence and shall be liable on conviction to the punishment provided for the offence.| (2) For an offence to be committed under this section, it is immaterial where the act in question took place. [10 |
|
|
