The Singapore Parliament recently passed the Online Criminal Harms Act (OCHA), which targets online content or activity that is criminal in nature or used to facilitate or abet crimes.

The Online Criminal Harms Act (OCHA) allows for directions to be issued to online service providers, other entities, or individuals, when specified criminal offences take place.

The OCHA implements special provisions for scams and malicious cyber activities. As such activities tend to unfold with great speed and scale and inflict significant harm on the victims (not just in terms of financial losses), the threshold to issue directions is therefore lower than that for other specified criminal offences.

The OCHA also requires designated online services to put systems and processes in place to counter scams and malicious cyber activities.

BROAD FEATURES OF THE BILL

Directions Against Specified Criminal Offences

Directions can be issued in respect of criminal offences that affect national security, national harmony, and individual safety, and which have an online nexus.

There are five types of directions that can be issued:

1. Disabling Direction: This requires online service providers to disable specified content (e.g., post or page) or their service from the view of people in Singapore.
2. Account Restriction Direction: This requires online service providers to stop an account on their service from communicating in Singapore and/or interacting with people in Singapore (e.g., by terminating, suspending, or restricting functionalities of the service in relation to the account).
3. Stop Communication Direction: This requires the recipient of the direction (persons and entities who communicated the online content) to stop communicating specified online content to people in Singapore.
4. Access Blocking Direction: This requires internet service providers to block access to an online location (e.g., web domain) from the view of people in Singapore.
5. App Removal Direction: This requires app stores to remove an app from its Singapore storefront to stop further downloads of the app by people in Singapore.

The legal threshold for directions to be issued against online activity is when there is reasonable suspicion that a specified offence under Part 1 of the First Schedule has been committed, and the online activity is in furtherance of that offence. The use of directions is intended to limit the reach of criminals and prevent more persons from being exposed to the harm.

Designated officers will issue directions for criminal offences under their agency’s purview. For example, designated officers from the Central Narcotics Bureau will be authorised to issue directions for offences under the Misuse of Drugs Act. A competent authority sited under the Singapore Police Force will, however, serve as a single point of contact across the government for recipients of directions.

Special Provisions to Counter Scams and Malicious Cyber Activities

Under the OCHA, a different, more proactive and preemptive approach is adopted for scams and malicious cyber activities and to counter the scale and speed of such scams and activities.

The OCHA introduces a lower threshold for issuing directions for scams and malicious cyber activity offences that are specified under Part 2 of the First Schedule. This is when there is suspicion or reason to believe that any online activity is being carried out in preparation for or as part of the commission of a scam or malicious cyber activity offence.

The rationale for the lower threshold is because many scams and malicious cyber activities are carried out through deception and the initial contacting and grooming of scam victims or the creation of blank websites populated with scam content (prior to activation) may not yet constitute criminal offences, and as a result, may not cross the threshold of reasonable suspicion for directions to be issued.

With a lower threshold for the issuance of directions for scams and malicious cyber activity offences, law enforcement is then able to issue directions proactively once such activities are detected, and even before an offence is committed. For example, access-blocking directions can be issued to internet service providers to prevent the blank websites from being accessed by Singapore users, even before scammers activate these sites, and app removal directions can be issued to remove scam apps that are used to commit scam offences.

Ex-Ante Framework Through Codes of Practice

Providers of designated online services will further be required to put in place systems and processes to counter possible offences under the Second Schedule, which for the time being, are scam and malicious cyber activity offences. This approach is intended to allow law enforcement to respond more quickly if new classes of offences emerge which also require counteractions by designated online services and to involve online service providers in crime prevention because they have much more knowledge about what is happening on their platforms (as opposed to law enforcement that obtains information only when police reports are filed by victims or through online trawling).

Such collaborations will be promoted through Codes of Practice. Their requirements will be framed in terms of outcomes which designated online services must meet. This gives a provider flexibility to customise its approach, depending on the nature of its service. The authorities will consult and work with the providers of designated online services in developing the Codes of Practice.

Implementation Directives

The authorities are also empowered to issue the provider of a designated online service an Implementation Directive to put in place any system, process, or measure, if it is satisfied that this is necessary or expedient to address a relevant offence under the Second Schedule, which for the time being, are scam and malicious cyber activity offences. Unlike Codes of Practice, an Implementation Directive will be specific and prescriptive (e.g., requiring a designated online service to put in place a specific form of multi-factor authentication to protect against the misuse of accounts to commit crimes). The directives are intended to complement the Codes of Practice. Where there is an urgent need to put in place a specific measure to address the proliferation of a specific scam operation, an Implementation Directive would be more effective in such an instance.

The authorities will designate online services that would be subject to the Codes of Practice and Implementation Directives. In designating online services, the authorities will consider the extent and impact of the harms relating to the specified offence groups, the reach and projected reach in Singapore of the online service, the design and nature of the online service, and any other relevant factors.

Appeal Mechanism

An appellant must first seek reconsideration from the agency that gave the direction. If the reconsideration request is unsuccessful, the appellant can then appeal to a specialised reviewing tribunal. This allows timely and efficient remedies to be delivered via an independent channel, instead of via general appeal to the courts. Appeals against designation of online services, the application and content of Codes of Practice, and Implementation Directives, will be heard by the Minister for Home Affairs. Such appeals involve assessments of the online landscape and policy considerations on how regulatory levers should be applied.

COMMENTARY

It remains to be seen how the OCHA will be enforced and, in particular, how the Codes of Practice will be developed.

In her parliamentary speech, the Minister for Communications and Information and Second Minister for Home Affairs stated that the government will continue to adopt a consultative approach in developing the Codes of Practice to engage the online platforms, adopt an outcome-oriented approach and provide reasonable timeframes for platforms to comply with codes and directives.

It was also mentioned that given the fast-evolving nature of the online space, the authorities may need to adjust provisions in the Codes of Practice every now and then, to keep pace with emerging threats and industry developments, including tailoring the codes to different types of online services. As such, it is expected that the Codes of Practice will be updated from time to time and will therefore need to be closely monitored.

The minister also recognized the need to strike an appropriate balance between preventing online criminal harms and privacy. For example, while the new legislation will not require online companies to “break” end-to-end encryption in private messaging, to combat a crime, directions can be issued to the messaging platform to restrict the accounts which are being used to commit the crime.

[View source.]