Case Summary and Outcome

The Hong Kong Court of Appeal set aside the conviction of the appellant Chu Ting-Ting by the Deputy Magistrate for criminal damage and obtaining illegal access to the web server of the Hong Kong police. According to data provided by the prosecution, a computer with an IP address matching the appellant’s accessed the Hong Kong police website 7,467 times between 00:53 and 01:17 during a Distributed Denial of Service (DDoS) attack. She was subsequently convicted under Section 60(1) of the Crimes Ordinance for using a computer with criminal intent. On appeal of the conviction, the appellant argued that the prosecution had not proven that the computer she had used was the one responsible for the DDoS Attack. The Appellate Court allowed the appeal and held that the appellant’s admission that she used the computer was insufficient evidence to support the finding by the lower court that she was responsible for committing the offence. 

 

 

 

---

Facts

In the early morning hours of October 4, 2014, between 00:55 and 1:44, the applicant Chu Ting-Ting, a 22 year old sales associate, was home browsing the webpage of the hacker and social justice organization Anonymous.  According to video testimony, the applicant understood that Anonymous supported the pro-democracy student protests which had just taken place, that the website claimed to have the capacity to hack specified websites, and that there was a related button on the site. She claimed she pressed button, but nothing seemed to happen so she continued pressing it.  

On that same morning between 00:53 and 01:17, the Hong Kong police website experienced a Distributed Denial of Service (DDoS) attack which was traced to the IP address of Chu Ting Ting’s computer. 

Pursuant to that event, the appellant was charged under Section 60(1) of the Crimes Ordinance with criminal damage and obtaining access to a computer with criminal intent. The Respondent in the case is the Hong Kong Special Administrative Region (HSKAR). 

The Prosecution alleged that the appellant damaged property belonging to the web server of the Hong Kong police department, without lawful excuse, intending to damage the property or being reckless as to whether or not the property would be damaged. The appellant pleaded not guilty to both charges. The Magistrate held that the circumstances of the case fell within Section 59(1)(A)(a) of the Crimes Ordinance, i.e. ‘to cause a computer to function other than as it has been established to function by or on behalf of its owner’ is ‘misuse of a computer’ that constitutes ‘to destroy or damage any property’ and convicted the appellant.’  The appellant was accordingly convicted of criminal damage by the Deputy Magistrate. 

The appellant moved to overturn the conviction on two grounds: that the prosecution did not prove that the computer was the one which had caused the DDoS attack and that there was insufficient evidence to prove that the appellant had the requisite mens rea of guilty intent. 

On appeal, the Hong Kong Court of Appeal set aside the conviction of the appellant on the grounds that a connection between the computer and the DDoS attack had not been established. Further, the Court held that the admission from the defendant to having used the computer was insufficient evidence to support a finding that she had committed the offence or of dishonest intent. 

---

Decision Overview

J. Hon Wong delivered the ruling of the appellate court.

The Appellate Court observed that, for a successful conviction, the Prosecution must prove beyond a reasonable doubt that: 

1. “The police website had been criminally damaged;
2. The appellant was the person who committed the act that caused the damage;
3. When she committed the act, she was intending to do criminal damage or being reckless.” [para. 15]

The Court affirmed the ruling of the Magistrate that the police website had been criminally damaged within the meaning of section 59(1A)(a): “to cause a computer to function other than as it has been established to function by or on behalf of its owner”. [para. 19]

First ground of appeal

The Court proceeded to consider the first ground of appeal: whether the Prosecution had proven that the appellant had committed the actus reus, or conduct in question, of the offence. The Court identified a two-fold approach to their assessment: 

First, whether the Apple computer was used to cause the police website to be attacked; and

Second, whether the appellant was the person who was operating the computer that resulted in the attacks during the material time. [para. 24]

On the first test, the Magistrate had previously held that the data records produced by the Prosecution, explained by the expert witness, were sufficient to prove that the computer had caused the Police website to be attacked. [para. 26] However, Mr Leung contested evidence provided by the expert witness PW4 and argued that the remaining prosecutorial evidence was insufficient to prove that the computer in question caused the attacks, or that the appellant was the individual to have committed the actus reus of the alleged offence. [para. 35]

After reviewing the legal issues surrounding the role of expert witnesses, the Court stated that expert evidence serves a dual purpose of providing opinions for matters which are supported by evidence and impugning credibility of the adduced evidence. [para. 41]

The Court then considered whether the magistrate erred in relying to such a large extent on PW3’s expert opinions in consideration of the criticisms set out by the appellant.

The criticisms based on PW3’s testimony in the original trial were:

1. The prosecution had not proven that the computer was operating normally at the time of the offence.
2. The prosecution had relied on the operating system of the computer to prove that it was the computer involved in this case. However, the computers in question were only seized several days after the occurrence of the incident. Further, there was “no evidence as to whether the computer program has been updated or altered”. As such, it would not be possible to ascertain which version of the operating system the computers were using at the time.
3. The Prosecution had relied solely on the admitted facts that the police had seized two computers. However, there was no evidence to prove that there were only two computers at the relevant address. As such, there may have been another computer in the same establishment or surrounding area using the same Internet Protocol (IP) address.
4. PW3 had testified that it was possible for messages to be sent by an IP address being used without authorisation or to fake an IP address of a different location. The prosecution had not ruled out this possibility. 
5. Expert evidence from PW3 provided that computer users may unknowingly enter suspicious websites that might result in initiating an act without intent. It was also possible that a person who enters a webpage may unknowingly cause the computer to make a high volume of network traffic. 
6. PW3 also admitted that he could not differentiate between log ins that were manual or by robot operation from a program that initiates visits automatically. Nor could PW3 ascertain which entry or address in the browsing records the “attack” was allegedly launched from. 

In summary, Mr Leung submitted that it was unreasonable for the magistrate to exclude the part of PW3’s evidence that was beneficial for the defence case. In response, the prosecution submitted that, while PW3 accepted during questioning that alternative explanations do exist, there was no evidence to support these alternatives. Furthermore, the appellant had not provided any evidence in court during the original trial to support the suggestions raised by the defence. Citing R v Chong Kin Cheong, the prosecution submitted that it was not the responsibility of the court to consider all possible defences of which there was evidence. The Court agreed with this position as a matter of law. [para. 47]

Finally, the Court considered whether there was sufficient evidence that the appellant was the person responsible for the damage. This had been determined by PW3 on the basis of 4 matters: 

1. The IP address of the appellant’s residential address;
2. The operating system of the computer in question;
3. The browser of the computer;
4. The browsing records of the webpage ‘http://pastehtml.com/view/ckok6t524.html’. 

Mr Leung pointed out deficiencies in each of these 4 matters.  

The Court first considered the fourth matter: whether the browsing records of the webpage ‘http://pastehtml.com/view/ckok6t524.html’ were stored in the Apple computer used for the DDoS attack. Mr Leung criticized the testimony of PW3, as he had not explained the source of the time of the attack 00:53 in his witness statement, later relied on by the magistrate. The Court agreed that the magistrate had not analyzed the time of attack. Moreover, there was no nexus between the browsing at 01:39 hours and the attack of the police website because the attack ended at 01:19 hours. On this point, the Court supported Mr Leung’s submission that the Court was handicapped to make a decision without the necessary evidence. 

Considering that adverse findings were made by the magistrate on the basis of inadequate evidence given by PW3, the appellate Court held that it cannot be safely concluded that the Apple computer was used to attack the police website. [para. 59] The Court also held that, as matter 4 was unsafe to rely on, the previous 3 matters were insufficient to be relied upon to come to the same conclusion. 

The Court further acknowledged that, while examination of the records might illuminate these issues, it would be inappropriate to scrutinise the voluminous computer data in this case in order to draw inferences. [para. 61]

Based on this analysis, the Court agreed that there was insufficient evidence that the computer in question was used to attack the police website. Furthermore, even though the appellant had made certain admissions to the police regarding her use of the computer, these admissions were insufficient to support the finding that the appellant was the individual responsible for the offence. [para. 64]

As such, the magistrate’s ruling that the appellant had launched the attacks could also not be upheld. Therefore, the first ground of appeal was upheld. 

Second ground of appeal

The Court was required to consider whether the appellant had the requisite mens rea to commit the offence of intent or recklessness. As it could not be proven that the appellant had committed the relevant actus reus of criminal damage, the Court determined that there was no need to decide whether she had the mens rea. [para. 75]

However, the Court noted that there was an insufficiently thorough analysis conducted by the magistrate before concluding that the appellant was reckless as to the consequence an act was cause. 

The Court referred to Sim Kam Wah v. HKSAR to define the general standard of recklessness. In this case the Court of Final Appeal determined that a person acts recklessly with respect to:

1. a) a circumstance when he is aware of a risk that it exists or will exist;

b) a result when he is aware of a risk that it will occur; and

2. it is, in the circumstances known to him, unreasonable to take the risk.

Addressing the first aspect of the standard, risk, the Court observed that it is dependent on the “nature and circumstances of individual cases”. [para. 83] In this case, the risk was of the relevant property being damaged. For damage to a computer, the statutory definition of damage is broader than it is generally understood. Applying this broad definition of damage, the risk would refer to the impact on a computer to function otherwise than originally designed. [para. 83] Therefore, a finder of fact must conduct a thorough analysis to determine whether the act was reckless. In making this observation the Court relied on Smith and Hogan’s Criminal Law, which stated that not all risk-taking amounts to recklessness. [para. 89]

Even if the appellant’s knowledge of the risk were established, to determine whether she was reckless, considering that her action was “only pressing a button and that there was no particular evidence showing what kind of button it was, the Court should also scrutinise what did the appellant see on the webpage and consider carefully whether she was acting unreasonably before coming to a conclusion”. [para. 91] However, the magistrate had not made any finding on this matter.

Therefore, the Appellate Court determined that the magistrate’s finding was unsafe. The appeal was allowed and the conviction set aside. 

---