Published: 05 July 2023
1. Mr Deputy Speaker, Sir, I beg to move that the Bill be now read a second time.
2. Last year, Parliament amended the Broadcasting Act through the Online Safety Bill, which targets harmful online content such as advocacy of suicide and self-harm. The Online Criminal Harms Bill we are debating today focuses instead on online content or activity which is criminal in nature, or which is used to facilitate or abet crimes.
3. There is growing international consensus that new rules and levers are needed to combat criminal harms online. There is also growing recognition that proactive approaches are needed to prevent such harms, and that government efforts alone will not be enough. The UK, EU, Germany, and Australia have or are introducing new laws in this regard. They have been useful references as we formulated our proposals.
4. In general, we have taken a targeted approach, focussing on areas that are most problematic. We have also taken a pragmatic and collaborative approach. For example, we recognise and encourage initiatives by online services to improve online safety. But we also know that they tend to be designed for a global user base, and do not cater to the unique circumstances in specific locations. Where we have identified a need for additional measures to tackle the risks of criminal activities, it will be better to require them by law than to leave things to chance. The specific interventions should however be designed for ease of implementation, with strong emphasis on effective outcomes.
Key Features of the Bill
5. Sir, with those comments as backdrop, let me outline the broad features of the Bill.
(a) First, the Bill allows Directions to be issued to online service providers, other entities, or individuals, when specified criminal offences take place.
(b) Second, the Bill makes special provisions for scams and malicious cyber activities. Such activities tend to unfold with great speed and scale. They inflict great harms on the victims, not just in terms of financial losses. The threshold to issue Directions should therefore be lower than for the other specified criminal offences. We will also require designated online services to put in place systems and processes to counter scams and malicious cyber activities.
Directions Against Specified Criminal Offences
Scope of Directions
6. Members would be familiar with the use of “Directions” to restrict the exposure of users in Singapore to online criminal content and activity. “Directions” are also a feature of the Protection from Online Falsehoods and Manipulation Act (POFMA), the Foreign Interference (Countermeasures) Act (FICA) and the Broadcasting Act (BA).
7. What criminal offences can Directions be used for? These are criminal offences that affect national security, national harmony, and individual safety, and which have an online nexus. They are specified in the First Schedule of the Bill.
8. Clause 6(1)(a) provides the legal threshold for Directions to be issued against online activity. Directions can be issued only when there is reasonable suspicion that a specified offence under Part 1 of the First Schedule has been committed, and the online activity is in furtherance of that offence.
9. Designated officers will issue Directions for criminal offences under their agency’s purview. For example, designated officers from the Central Narcotics Bureau will be authorised to issue Directions for offences under the Misuse of Drugs Act. While designated officers may be sited in several agencies, a Competent Authority sited under the Singapore Police Force will serve as a single point of contact across the Government, for recipients of Directions, such as online service providers.
10. Clauses 8 to 12 set out the scope of the five types of Direction.
11. For example, where the Police have reasonable suspicion that an account on a social media service is being used for unlicensed moneylending activity, they can issue the social media service provider:
(a) a Disabling Direction, so that the offending post or page is prevented from reaching a person in Singapore; or
(b) an Account Restriction Direction, so that an offending account is prevented from interacting with persons in Singapore.
12. As a second example, a Stop Communication Direction may be issued to someone who posts text or images, inciting violence against people of a certain race.
13. The use of Directions limits the reach of criminals, and prevents more persons from being exposed to the harm.
Special Provisions to Counter Scams and Malicious Cyber Activities
14. For scams and malicious cyber activities, we will however, need a different approach - one which is more proactive and pre-emptive.
15. Many scams and malicious cyber activities are carried out through deception. For example, scammers may create online accounts or websites that seem authentic and legitimate. Such accounts or websites are then used to convince victims to transit to another platform, where they are then targeted for scams. Victims may also inadvertently download malware that have the ability to steal their login credentials or other personal information.
16. Such methods are commonly used for investment and job scams, which together saw close to 10,000 cases in 2022, with victims losing more than $300 million. Unfortunately, the initial contacting and grooming of victims may not yet constitute a criminal offence, even if they are a necessary step. As a result, they may not cross the threshold of reasonable suspicion for Directions to be issued.
17. Malicious actors are also quite “kiasu”, in the sense of preparing much more than the bare minimum. For example, thousands of blank websites are created in advance, with domain names that resemble those of legitimate organisations. When the malicious actor is ready to strike, these blank websites are swiftly activated, populated with scam content, and pushed out to the public, who may fall prey within minutes. But until these blank websites and preparatory locations activated, they may also not cross the threshold of reasonable suspicion for Directions to be issued.
Lower Threshold for Issuance of Directions for Scams and Malicious Cyber Activity Offences
18. Faced with such opponents, members might understand why our response needs to also be “kiasu”, to be extraordinarily careful. That is why Clause 6(1)(b) of the Bill introduces a lower threshold for issuing Directions for scams and malicious cyber activity offences that are specified under Part 2 of the First Schedule. This is when there is suspicion or reason to believe that any online activity is being carried out in preparation for or as part of the commission of a scam or malicious cyber activity offence.
19. Law enforcement would then be able to issue Directions proactively, once such activities are detected, and even before an offence is committed. For instance, we could issue Access Blocking Directions to internet service providers to prevent the blank websites I mentioned earlier from being accessed by Singapore users, even before scammers activate these sites.
20. We would also be able to issue App Removal Directions to remove scam apps that are used to commit scam offences, from Singapore app storefronts and third-party app stores.
Ex-ante Framework Through Codes of Practice and Implementation Directives
21. In addition, we will require providers of designated online services to put in place systems and processes to counter possible offences under the Second Schedule. For now, the only group specified within the Second Schedule will be scam and malicious cyber activity offences. But this approach allows us to respond more quickly if new classes of offences emerge which also require counter actions by designated online services.
22. Sir, we have decided to involve online service providers in crime prevention because they have much more knowledge about what is happening on their platforms. Law enforcement agencies obtain information only when Police reports are filed by victims, or through online trawling, which is not exhaustive, and is like finding a needle in a haystack. On the other hand, online services have direct and full access to relevant data about activities on their platform, and can also perform analytics to detect and respond to crime on their platform.
23. Through successful partnerships with Police, online service providers have also found that it helps them plug information gaps and take more effective actions. For example, a scammer may first approach a victim through an online service but carry out the scam on a different online service. The first online service may not be aware of the scam, and will act to identify and remove the source only when alerted by the Police.
24. Such collaborations will be promoted through Codes of Practice. Their requirements will be framed in terms of outcomes which designated online services must meet. This gives a provider flexibility to customise its approach, depending on the nature of its service.
25. The Competent Authority will consult and work with the providers of designated online services in developing the Codes of Practice. The Codes will be updated periodically in response to new and evolving threats, and technological developments.
26. If designated online services are found to be non-compliant with the Codes of Practice, Clause 23 allows that the Competent Authority be able to serve the providers of these services with a Rectification Notice to correct the non-compliance by a specified time, before escalation to prosecution.
Implementation Directives
27. Clause 24 provides that the Competent Authority may issue the provider of a designated online service an Implementation Directive to put in place any system, process, or measure, if it is satisfied that this is necessary or expedient to address a relevant offence under the Second Schedule. Unlike Codes of Practice, an Implementation Directive will be specific and prescriptive.
28. For example, the Competent Authority may issue an Implementation Directive for a designated online service to put in place a specific form of multi-factor authentication to protect against the misuse of accounts to commit crimes.
29. We are providing for such Directives as a complement to the Codes of Practice. For example, where there is an urgent need to put in place a specific measure to address the proliferation of a specific scam operation. An Implementation Directive would be more effective in such an instance.
Designation of Online Services
30. Clause 20 provides for the Competent Authority to designate online services that would be subject to the Codes of Practice and Implementation Directives to be applied against offences in the Second Schedule of the Bill. In designating online services, we will consider the extent and impact of the harms relating to the specified offence groups, the reach and projected reach in Singapore of the online service, the design and nature of the online service, and any other relevant factors.
Other Provisions
Orders Against Non-compliance
31. Clauses 28 to 31 provide the Competent Authority with powers to issue Access Blocking Orders, App Removal Orders, or Service Restriction Orders, where there has been non-compliance with a Direction, a Rectification Notice, an Implementation Directive, or another Order.
32. In other words, Orders are intended to be an escalatory enforcement measure, taken only where necessary, if there has been non-compliance. Their purpose is to limit the further exposure of persons in Singapore to the criminal activity.
33. Orders operate alongside, and do not replace, other possible measures that we can take for the non-compliance, such as prosecution.
Appeal Mechanisms
34. Sir, the Bill provides for appeal mechanisms against Directions, Orders against non-compliance, designation of online services, the application and content of Codes of Practice, and Implementation Directives.
35. For Directions and Orders, an appellant must first seek reconsideration from the agency that gave the Direction or Order. If the reconsideration request is unsuccessful, the appellant can then appeal to a specialised Reviewing Tribunal under clause 18 or 37. This allows timely and efficient remedies to be delivered via an independent channel, instead of via general appeal to the courts.
36. Appeals against designation of online services, the application and content of Codes of Practice, and Implementation Directives, will be heard by the Minister for Home Affairs. Such appeals involve assessments of the online landscape and policy considerations on how regulatory levers should be applied.
37. For example, an appeal by a designated online service against a provision in a Code of Practice may be resolved through varying that provision. This will, however, impact other designated providers that are similarly subject to that Code, and thus should be decided by the Minister for Home Affairs.
38. This appeal mechanism is similar to that provided for appeals against Codes of Practice in other legislation such as the Broadcasting Act, which are also appealed to the relevant Minister.
Information Powers
39. Clause 48 provides that police officers and enforcement officers may request information from online service providers or owners of online locations where there is reasonable suspicion that a specified offence has been committed, and there is online activity on that online service or location which is in aid of the specified offence. This is to facilitate investigations and criminal proceedings.
40. These powers also apply to entities that are based overseas and information which is stored overseas. For example, the Police may require account information relating to persons who are distributing child sex abuse material, from an online service provider that is not based in Singapore.
Conclusion
41. Sir, to conclude, there is no silver bullet to resolving the complexities of the online world. This Bill is calibrated to allow us to respond more effectively to online criminal harms, while enabling us to continue to enjoy the many benefits which the internet has brought us.
42. Sir, I beg to move.