Singapore has extended its laws to allow anyone that uses or transacts with illegally obtained personal information to be prosecuted, even if they are not responsible for causing the security breach.
First mooted earlier this month, the bill to amend the Computer Misuse and Cybersecurity Act was passed in parliament on Tuesday, with some MPs voicing concerns about the changes.
The amended laws now criminalised any act of dealing in personal information obtained via acts considered illegal, such as hacking and identity fraud. This meant that businesses or individuals that provided, obtained, or retained hacked personal details could be charged, even though they were not responsible for the security breach.
The act prohibited unauthorised access to computer data, access with intent to commit or facilitate an offence, as well as unauthorised modification of computer data. It also outlawed illegal interception of computer services, unauthorised obstruction of computer use, and illegal disclosure of access codes.
Under the changes, anyone caught illegally accessing or dealing with hacking tools such as malware and port scanners now could be prosecuted. Amendments to the act also would apply to perpetrators that commit the offences while overseas as well as using a system located overseas. These offenders would be charged if their actions caused or created "significant risk of serious harm" in Singapore, including illness, injury, or disruptions to essential services in the country.
The government said the amendments were necessary to address the "increasing scale and transnational nature of cybercrime".
The laws also now enabled prosecutors to combine repeated acts of hacking into a system, launched over a year or less, under one charge in order to push for a higher penalty.
Senior Minister of State for Home Affairs Desmond Lee said in parliament that the amendments would better arm law enforcers to combat increasingly complex cybercrime acts and evolving methods used by cybercriminals.
Several MPs, though, highlighted the complexity of prosecuting offences that involved cross-border elements as well as the need to raise awareness, in particular, among small and midsize businesses that might unwittingly use illegally obtained personal data.
They noted that investigating offences that involved overseas systems, for instance, would be complex since it likely meant having to deal with foreign laws. Furthermore, data hosted on the cloud might be stored in servers located outside Singapore, making it tough to investigate incidents involving such systems.
In response to a question about researchers and journalists having access to breached personal data, Lee said no crime would have occured as long as the information was not published or made publicly available.
Depending on the circumstances, however, he stressed that "indiscriminately making available hacked personal information" might be deemed an offence.
There also were concerns that prosecutors no longer had the burden of proof in bringing such charges to court.
Dennis Tan, executive council member and vice chair of media for opposition group, The Workers' Party, pointed to an amended clause that stated "it is not necessary for the prosecution to prove the particulars of contravention, such as who carried out the contravention and when it took place".
Tan noted: "This section is doing away with the need for the prosecution to prove the particulars of contravention such as who carried out the contravention and when it took place. I am somewhat uncomfortable with the prosecution being relieved of the burden to prove the particulars of the contravention in question.
"I think these are fundamental issues which the prosecution should prove before another person can be charged and convicted of obtaining or retaining or making use of the information in question," he said.
He added that while it was necessary to bolster Singapore's efforts in combating cybercrimes, the government should limit "easing the burden of proof" through such provisions or establish strong justification for it before doing so.
Tan also asked for updates on the country's standalone cybersecurity act, scheduled to be announced later this year.
The new act was expected to provide the Singapore government powers to audit business sectors and ensure organisations had implemented cyber defense systems. The new bill would detail what these powers would entail, for example, in a large-scale cyberattack.