The amendment of the Taiwanese Personal Data Protection Act

The development of new technology is bound to have both positive and negative effects. However, when a new technology is first introduced, it is common for insufficient attention to be paid to its negative aspects, either because there has not been time to accumulate sufficient experience in using it or because users are blinded by the potential benefits. It is only later, when the technology begins to be abused, that people wake up to the potential dangers. The evolution of computers and the Internet is a classic example of this phenomenon. While the rapid development of information technology has helped to stimulate the flow of information in every corner of society, cyberspace has also become the setting for a wide range of criminal activities. In many cases, countries' existing legal and regulatory frameworks have proved inadequate to cope with the threat posed by the various forms of unauthorized access. A variety of forms of cyber-crime have developed, including denial-of-service attacks, unauthorized accessing of databases, phishing, identity theft and online fraud or intimidation. Cyber-crime may involve making unauthorized use of individuals' personal information, stealing companies' confidential business information or selling state secrets; these new types of crime thus affect every level of society. The effects can be catastrophic, hence the growing importance is now being attached to information security, including both the establishment of effective management mechanisms to prevent cyber-crime from occurring in the first place and the development of the capabilities needed to detect such crime when it occurs. Recognizing the need to plug the gaps in the existing legal and regulatory framework in the face of cyber-crime, countries all over the world are working on the formulation of new legislation, and Taiwan is no exception. The following sections will discuss the key developments in the laws and regulations governing information security in Taiwan in recent years. I. The Convention on Cyber-crime and Chapter 36 of Taiwan’s Criminal Code (offences relating to the abuse of computers) Today, governments throughout the world are formulating measures to combat criminal activity that makes use of the Internet (cyber-crime). In many cases these measures are based on the Convention on Cyber-crime announced by the European Commission on November 23, 2001, and which came into effect on July 1, 2004. This convention is the first international agreement to be established specifically to combat cyber-crime. Its contents include discussion of the various types of cyber-crime, regulations governing the obtaining of electronic evidence, provisions for mutual assistance between nations in judicial matters with respect to cyber-crime and measures to encourage multilateral collaboration. The European Commission asked all signatory nations to revise their own national laws so that they conform to the provisions of the Convention, with the aim of establishing a unified international framework for combating cyber-crime. Responding to the international trend towards the enactment of legislation to fight cyber-crime and to eliminate any loopholes in Taiwanese law that might result in Taiwan becoming a haven for cyber-criminals, on June 25, 2003 the Taiwanese government added a new chapter, Chapter 36 (Offences Relating to the abuse of Computers) to Taiwan's Criminal Code. It contains six articles covering four types of crime: unauthorized access (Article 358), the unauthorized acquisition, deletion or titleeration of electromagnetic records (Article 359), unauthorized use of or interference with a computer system (Article 360) and creating computer programs specifically for the perpetration of a crime (Article 362). Article 361 specifies that more severe punishment should be imposed in the case of violations carried out against the computers or other equipment of a public service organization, and Article 363 states that the provisions of Articles 358–360 shall apply only after prosecution is instituted upon complaint. These new articles provide a clear legal basis for the punishment of common types of cyber-crime such as unauthorized access by hackers, the spreading of computer viruses and the use of Trojan horse programs. In formulating these articles, reference was made to the categorization of cyber-crimes used in the Convention on Cyber-crime and to the suggestions for revision of national laws put forward there. Article 36 is thus in broad conformity with current international practice in this regard and can be expected to achieve significant results in terms of combating cyber-crime. II. The authority of law enforcement to get evidence and ISPs liability In its discussion of the securing of electromagnetic records by law enforcement agencies, the Convention on Cyber-crime notes that such securing of records falls into two broad categories: immediate access and non-immediate access. Immediate access includes the monitoring of communications by law enforcement agencies, non-immediate access relates mainly to the data retention obligations imposed on Internet Service Providers (ISPs). As regards the regulatory framework for the monitoring of communications, Communications Protection and Surveillance Act came into effect in Taiwan on July 16, 1999. According to its provisions, monitoring of communications may only be implemented when it is deemed necessary to protect national security or to maintain social order. Warrants for such surveillance may only be issued if the content of the communications is related to a threat to national security or to the maintenance of social order. Furthermore, the crime in question must be a serious one. In principle, the period for which surveillance is implemented should not exceed 30 days. These restrictions reflect the government’s determination to ensure that citizens' right to privacy is protected. While the Internet is an environment conducive to the maintenance of anonymity, electromagnetic records are easy to erase. Effective investigation of cyber-crime requires automatic recording of communications by the equipment used to transmit the messages, that is to say, it requires the retention of historic data. As regards the extent to which companies are required to collaborate with law enforcement agencies and the conditions applying to the making available of electromagnetic records, these issues relate to the public's right to privacy, and the law in this area needs to be very clear and precise. For the most part, data retention obligations are laid down in Taiwan’s Telecommunications Act. In Taiwan ISPs are classed as "Type II Telecommunications Operators". Article 27 of the Administrative Regulations on Type II Telecommunications Businesses stipulates that Type II telecommunications operators may be required to confirm the existence of, and provide the contents of, customers' communications for the purpose of investigation or collection of evidence upon request in accordance with the requirements of the law. ISPs are required to retain, for a period of between 1 and 6 months, data relating to the account number of subscribers, the times and dates of communications, the times at which subscribers logged on and off, free e-mail accounts, the IP addresses used when applying for Web space and the time and date when such applications were made, the IP address used to make postings on message boards and newsgroups, the time and date when such postings were made and subscribers' e-mail communications records. If a Type II telecommunications operator violates these provisions, he may be fined between NT$200,000 and NT$1 million and be required to remedy the situation within a specified time limit in accordance with Paragraph 2 of Article 64 of the Telecommunications Law. If he fails to remedy the situation within the specified time limit, his license may be revoked. III. The Legal Framework for Personal Data Protection titlehough, as outlined above, some revisions have already been made to the legal framework governing information security, there are still many areas which need to be reviewed. One of the most important is the protection of personal information. Following the explosive growth of the Internet, customer-related information is being processed by computers on a large scale in many different industries. With so many companies collaborating with other firms or adopting new marketing methods, the value and importance of personal information is being reassessed. The dramatic increase in the number of online scams in Taiwan in recent years has made the protection of privacy a focus of attention. The existing Computer-processed Personal Data Protection Law, drawn up to target specific industries, does not really provide adequate protection. A new Personal Data Protection Act, drawn up with reference to the European Union’s Directive (95/46/EC) on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data and the personal information protection legislation adopted in the USA and Japan, has already been submitted to the Legislative Yuan for deliberation. The key differences between this new Act and the existing Computer-processed Personal Data Protection Law are as follows. Protection is no longer industry-specific, it now applies to both natural and juristic persons and to both public and private agencies. The scope of protection has been expanded to include hard copies of documents containing personal information, and five new types of "sensitive information" – information relating to criminal records, medical examinations, medical records, sexual history and genetic information – have been added. Special restrictions apply to the collection and processing of these types of data. The Personal Data Protection Act also imposes stricter requirements on public and private agencies with regard to the protection of individuals' personal data. For example, agencies must formulate personal data protection plans and measures for dealing with personal data once those data are no longer needed for business purposes. If an agency discovers that an individual's personal data have been stolen, leaked, titleered or violated in any way, they are required to notify by telephone or letter the agency responsible for notifying the individual concerned as soon as possible. If these provisions are violated, the agency's responsible person will be liable for administrative punishment. The new Act also gives regulatory authorities greater powers to undertaking auditing in this area, makes provision for class action suits and increases the amount of compensation to be paid to victims. It is expected that these mechanisms will help boost awareness of the importance of information security in all sectors, thereby helping to ensure better protection for the public's personal information. IV. Management of Unsolicited Commercial E-Mail The widespread utilization of e-mail has created a brand new marketing channel, so that e-mail can fairly be described as one of the most important "killer applications" to which the Internet has given rise. Today, spamming is causing serious problems for both e-mail users and ISPs. E-mail users are concerned about their privacy being violated and about having their e-mail box stuffed full of junk e-mail. Spamming also ties up bandwidth which could be used for other purposes, and Distributed Denial of Service Attacks (DDOS) can make it difficult for ISPs to provide normal service to their customers. Governments throughout the world have begun to consider whether anti-spamming legislation may be necessary. In Taiwan draft legislation of this type has already been submitted to the Legislative Yuan. Taiwan's Anti-SPAM Act was drawn up with reference to the USA's CAN-SPAM Act of 2003, Japan's Law on Regulation of Transmission of Specified Electronic Mail, Australia's SPAM Act and the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003. The draft SPAM Act contains 13 articles, with an emphasis on self-regulation, technology filtering and provision for seeking compensation through civil action. The Act provides for the use of an "opt-out" mechanism to regulate the behavior of e-mail senders, with the following obligations to be imposed on them. (1) The sender must specify in the "Subject" field of the e-mail whether it is a "business communication" or "advertising" to facilitate filtering by ISPs and to make clear to the recipient what type it is. (2) The sender must provide accurate information, including header, information on the sender's identity and the sender's e-mail address. (3) E-mails may not be sent if the sender knows or could be expected to know that the intended recipient has already expressed a wish not to receive e-mail from this source. E-mails may also not be sent if the sender knows or could be expected to know that the information in the "Subject" field is inaccurate or misleading. If the sender continues to send e-mails after the recipient has expressed a clear wish not to receive any more from the sender or if the sender falsifies the "Subject" or header information, then the sender may be required to pay compensation to the recipient at a rate of NT$500–2,000 per person per e-mail. With regard to the widespread practice whereby companies or advertising agencies commission third parties to send junk e-mail on their behalf, in cases where the commissioning party knows or could be expected to know that e-mail is being sent in violation of the above regulations, the commissioning party shall be held jointly liable with the party sending the e-mail. Through the implementation of this new law, the government hopes to establish a first-class Internet environment in Taiwan, putting an end to the current situation whereby large numbers of businesses are engaged in spamming. V. Conclusions Security is the biggest single factor affecting the implementation of e-government initiatives, e-business application adoption and Internet user confidence. Most people associate information security only with the purchasing of security hardware or software and the setting up of firewalls. While these products can indeed help to make the online environment more secure, Internet users should not allow themselves to be lulled into thinking that buying these products will in and of itself be sufficient to ensure security. "Security" is a fluid concept. Over time, the level of security that even a high-end product can provide will deteriorate; the fact that your system is secure now does not guarantee that it will remain secure in the future. Evidence that this is true is provided by the damage that is constantly being caused by viruses, by the need to constantly update security products and by the shift in emphasis away from virus prevention and firewalls towards preventing "backdoor" attacks and towards proactive intrusion detection. Furthermore, the information security risks that companies and organizations have to deal with are not limited to external threats; poor internal management may result in employees selling or leaking customer data or other company data, which can cause serious damage to the organization. Examination of information security theory and practice in Taiwan and overseas suggests that the establishment of effective information security measures embraces four main areas: the detection of cyber-crime, development of new information security technologies and formulation of standards, education and management of computer users and regulatory and policy issues. The most important of these is the education and management of computer users. Detection of cyber-crime is the next most important, while development of new technologies and standard setting and the regulatory and policy aspects play a supporting role. To create a genuinely secure online environment, attention must be paid to all of these. Today governments throughout the world are formulating new legislation to plug the gaps in the regulatory framework governing the online environment. Given the need to let the market mechanism operate freely and to refrain from measures that might retard industrial development, government interference in the Internet, with the exception of crime prevention activity, has generally been viewed as a last resort. Currently the government in Taiwan is still focusing mainly on self-regulation by Internet service providers and other types of business enterprise, and the government's role is still largely confined to formulating standards and assisting with the development of new security products. The area on which both the government and the private sector will need to concentrate in the future is educating and ensuring effective management of computer users.

Regarding the issue of critical infrastructure protection, the emphasis in the past was put on strategic facilities related to the national economy and social security merely based on the concept of national defense and security1. However, since 911 tragedy in New York, terrorist attacks in Madrid in 2004 and several other martial impacts in London in 2005, critical infrastructure protection has become an important issue in the security policy for every nation. With the broad definition, not only confined to national strategies against immediate dangers or to execution of criminal prevention procedure, the concept of "critical infrastructure" should also include facilities that are able to invalidate or incapacitate the progress of information & communication technology. In other words, it is elevated to strengthen measures of security prevention instead. Accordingly, countries around the world have gradually cultivated a notion that critical infrastructure protection is different from prevention against natural calamities and from disaster relief, and includes critical information infrastructure (CII) maintained so that should be implemented by means of information & communication technology into the norm. In what follows, the International CIIP Handbook 2008/2009 is used as a research basis. The Subjects, including the coverage of CIIP, relevant policies promoted in America, are explored in order to provide our nation with some references to strengthen the security development of digital age. 1. Coverage of Important Critical Information Infrastructures Critical infrastructure is mainly defined in "Uniting and Strengthening our country by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, as known as Patriot Act of the U.S., in section 1016(e)2 . The term ‘critical infrastructure’ refers to "systems and assets, whether physical or virtual, so vital to our country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." In December 2003, the Department of Homeland Security (DHS) promulgated Homeland Security Presidential Directive 7 (HSPD-7)3 to identify 17 Critical Infrastructures and key resources (CI/KR) ,and bleuprinted the responsibility as well as the role for each of CI/KR in the protection task. In this directive, DHS also emphasized that the coverage of CI/KR would depend on the real situations to add or delete sectors to ensure the comprehensiveness of critical infrastructure. In March 2008, DHS added Critical Manufacturing which becomes the 18th critical infrastructure correspondent with 17 other critical infrastructures. The critical infrastructures identified by DHS are: information technology, communications, chemical, commercial facilities, dams, nuclear reactors, materials and waste, government facilities, transportation systems, emergency services, postal and shipping, agriculture and food, healthcare and public health, water, energy (including natural gas, petroleum, and electricity), banking and finance, national monuments and icons, defense industrial Base, and critical manufacturing. 2. Relevant Policies Previously Promoted With Critical Infrastructure Working Group (CIWG) as a basis, the President's Commission on Critical Infrastructure Protection (PCCIP) directly subordinate to the President was established in 1996. It consists of relevant governmental organizations and representatives from private sectors. It is responsible for promoting and drawing up national policies indicating an important critical infrastructure, including natural disasters, negligence and lapses caused by humans, hacker invasion, industrial espionage, criminal organizations, terror campaign, and information & communication war and so on. Although PCCIP no longer exists and its functions were also redefined by HDSP-7, the success of improving cooperation and communication between public and private sectors was viewed as a significant step in the subsequent issues on information security of critical infrastructure of public and private sectors in America. In May 1998, Bill Clinton, the former President of the U.S., amended PCCIP and announced Presidential Decision Directive 62, 63 (PDD-62, PDD-63). Based on these directives, relevant teams were established within the federal government to develop and push the critical infrastructure plans to protect the operations of the government, assist communications between the government and the private sectors, and further develop the plans to secure national critical infrastructure. In addition, concrete policies and plans regarding information security of critical infrastructure would contain the Defence of America's Cyberspace -- National Plan for Information Systems Protection given by President Clinton in January, 2000 based on the issue of critical infrastructure security on the Internet which strengthens the sharing mechanism of internet information security messages between the government and private organizations. After 911, President Bush issued Executive Order 13228 (EO 13228) and Executive Order 13231 to set up organizations to deal with matters regarding critical infrastructure protection. According to EO 13228, the Office of Homeland Security and the Homeland Security Council were established. The duty of the former is mainly assist the U.S. President to integrate all kinds of enforcements related to the protection of the nation and critical infrastructure so as to avoid terrorist attacks, while the latter provides the President with advice on protection of homeland security and assists to solve relevant problems. According to EO 13228, the President's Critical Infrastructure Protection Board directly subordinate to the President was established to be responsible for offering advice on polices regarding information security protection of critical infrastructure and on cooperation plans. In addition, National Infrastructure Advisory Council (NIAC), which consists of owners and managers of national critical infrastructure, was also set up to help promote the cooperation between public and private sectors. Ever since the aforementioned executive order, critical infrastructure protection has been more concrete and specific in definition; for instance, to define critical infrastructure and its coverage through HSPD-7, the National Strategy for Homeland Security issued in 2002, the polices regarding the National Strategy to Secure Cyberspace and the National Strategy for Physical Protection of Critical Infrastructure and Key Assets addressed by the White House in 2003; all of this are based on the National Strategy for Homeland Security. Moreover, the density of critical infrastructure protection which contains virtual internet information security was enhanced for the protection of physical equipment and the protection from destruction caused by humans. Finally, judging from the National Infrastructure Protection Plan (NIPP), Sector-Specific Plans (SPP) supplementing NIPP and offering a detailed list of risk management framework, along with National Strategy for Information-Sharing, the public-private partnership (PPP) and the establishment of information sharing mechanism are highly estimated to ensure that the network of information security protection of critical infrastructure can be delicately interwoven together because plenty of important critical infrastructures in the U.S. still depend on the maintenance and operation of private sectors. 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands：A Quick-scan”. In：Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf （last accessed at 20. 07. 2009） 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands：A Quick-scan”. In：Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf （last accessed at 20. 07. 2009） 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 3.Introduction of Consumer Protection in Taiwan , Republic of China , Consumer Protection Commission (CPC), Executive Yuan.http://www.fas.org/irp/offdocs/nspd/hspd-7.html ( Last visit 2008/6/27 )

In light of the influence on social security of Internet-related crime, in 2007 Taiwan passed the amendment to the Communication Protection and Inspection Act (CPIA) to update the articles relating to the surveillance of Internet-related crimes. Moreover, the notification obligator clause was added to the Child and Adolescent Sex Trade Prevention ACT (CASTPA), and the penalty for copyright infringement over the Internet was prescribed in the Copyright Act in order to stop Internet-related crimes. 1. Amendment to the CPIA On 15 June 2007, the legislature of Taiwan passed the amendment to the CPIA which was promulgated by the President of Republic of China on 11 July 2007. The amendment mainly concerns the update of the power of issuing surveillance warrants, the scope of emergency surveillance, the supervisory agencies of relevant surveillance activities, and the evidence power of illegal surveillance. The amendment will be brought into force in five months. Currently, a surveillance warrant is issued (1) by the district prosecutor following an application made by the police or based on his authority for cases under investigation; and (2) by the judge based on his power for cases on trial. According to Article 5.2 of the amended CPIA, for cases under investigation, the district prosecutor should record the details of surveillance in writing following the applications made by the judiciary police or based on his authority and should state the reasons and submit relevant documents before applying to the jurisdiction court for the issue of the surveillance warrant. The district prosecutor should approve and reply to the applications made by the judiciary police within 2 hours. For cases of greater complexity, the approval and reply time may be extended for another 2 hours with the consent of the chief district prosecutor. After receiving an application for a surveillance warrant from the district prosecutor, the jurisdiction court should approve and reply to the application within 24 hours. For cases on trial, a surveillance warrant should be issued by the judge based on his authority. Also, the judge may give appropriate instructions for the surveillance in the warrant. Moreover, if an application for a surveillance warrant is rejected by the court, the district prosecutor should make no objection in any form. In other words, the power of issuing a surveillance warrant for cases under investigation has been transferred from the district prosecutor to the judge. Furthermore, the law-enforcement authorities are given the right to initiate an “emergency surveillance” before application during the investigation of serious criminal cases according to Article 6 of the CPIA. In an investigation of serious criminal cases involving obstruction of voting, kidnapping, offence of the President and Vice President Election and Recall Act, the judiciary police may request the district prosecutor to orally notify the implemental authorities of an emergency surveillance. However, the district prosecutor should report to the jurisdiction court to apply for a make-up issue of the surveillance warrant within 24 hours. The district prosecutor’s office should appoint a responsible district prosecutor or a head district prosecutor as the emergency contact for cases involving emergency surveillance. The court should also assign a special window to take charge of the applications for surveillance warrants made by the district prosecutor, and should issue a make-up surveillance warrant within 48 hours of the acceptance of the application. Should the make-up surveillance warrant not be issued within 48 hours, the emergency surveillance should be terminated immediately. The district prosecutor, the court of law and agencies taking charge of the country’s intelligence work are responsible for the supervision of surveillance. According on Articles 12 and 16 of the amended CPIA, regulations governing the period and supervision of surveillance are summarized as follows: (1) The period of surveillance should not exceed 30 days for serious and emergency cases involving endangering national security or social order and blackmailing as in Article 5 of the CPIA; or for cases involving obstruction of voting, kidnapping and offence of the President and Vice President Election and Recall Act as in Article 6 of the CPIA. The responsibility of supervision is the district prosecutor's office for cases under investigation and the court of law for cases on a trial. (2) The period of surveillance should not exceed 1 year for collecting information of foreign powers or offshore opposing powers as in Article 7 of the CPIA. Intelligence authorities should send agents to supervise the electronic surveillance equipment or to the supplier of surveillance equipment to supervise the conditions of surveillance. Should continual surveillance be needed, the implemental agency should submit concrete reasons to make a second application for surveillance two days before the end of the first surveillance period. However, the surveillance should be terminated immediately when the chief of the intelligence agency believes that it is no need to continue the surveillance before the end of the surveillance period. Lastly, the exclusivity of the evidence power of information collected from illegal surveillance is added to Articles 5, 6, 7 and 32 of the amended CPIA. According to Articles 5 and 6, should the surveillance involve severe offence of regulations, the information or evidence collected from the surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. Additionally, according to Articles 7 and 32, information or evidence collected from illegal surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. The severity of the offence should be determined by the judge based on individual cases. 2. Amendment to the CASTPA Child pornography is easily distributed because of the advancement of Internet communication; and the prepubescent pornography market is expanding as a result. The legislature of Taiwan thus passed on 15 June 2007 the amendment to the CASTPA that was promulgated by the President of Republic of China on 4 July 2007. In the amendment, neighborhood heads, ISPs and telecommunication system providers are the obligator of notification, and “possessors” of child pornography are to be penalized. According to the explanatory statement of the act, child pornography is the permanent record of the abuse of the victims. This will inflict continual damage on the victims. Moreover, child pornography is considered a “serious child exploitation” all over the world. Therefore, there is an international understanding to penalize the possession of child pornography. Before the amendment, Article 28 of the statue simply penalizes people distributing and selling child pornography in the form of disc, videotape and printing. Those deliberately distributing, broadcasting and/or selling child pornography in the form of pictures, videotape, film, disc, electronic signal or other form will be penalized by imprisonment for a term of less than 2 years and with a fine of under NT$2 million. [In the amendment,] those deliberately distributing, broadcasting and/or selling child pornography are penalized and imprisonment for a term of less than 3 years and with a fine of under NT$5 million. While child pornography inflicts continual damage on the victims, Article 28.3 has been added to statute. According to this new Article, those in possession without a proper reason of pictures, films, videotapes, discs, electromagnetic recordings and/or other articles containing sexual intercourses or acts of indecency by people under 18 are to be penalized. In this case, the “possession” of child pornography is penalized. The penalization falls into two stages: competent authorities of municipalities and local counties and cities may order the offender to receive guidance education for 2-10 hours if he/she is detected possessing child pornography without a proper reason for the first time; if offenders are detected for the second time or more, they will be fined NT$20000 to NT$200000. The amendment also refers to the legislation in Canada and the Netherland to reduce the scope of “proper reasons for possession” to scientific study, education and for medical treatment purposes in order to protect prepubescent children from sexual exploitation. Moreover, the amendment has expanded the scope of the notification obligator by including ISPs and telecommunication system providers as the notification obligator. While the Internet and mobile phones are widely used by the public and prepubescent children often receive pornographic information via the chat rooms on the Internet and SMS, this will cause many side effects on prepubescent children in the absence of appropriate management and protection. According to the statistics provided by the Ministry of the Interior, about 300 prepubescent children are sexually assaulted every year from online dating. According to The Garden of Hope Foundation, 40% of sex trade with prepubescent girls found in Taipei County during 2003-5 was conducted over the Internet, and it was 100% for prepubescent boys. It is thus clear that the Internet has become a platform for distributing child pornography. ISPs and telecommunication system providers are included as the notification obligator in Article 9 of the amended statute. Therefore, if they do not notify the authorities in the knowledge of child pornography, they will be fined NT$6000-NT$30000 according to Article 36 of the statue. Therefore, neighborhood heads, ISPs and telecommunication system providers must notify the local competent authorities or authorities specified in Article 6 of any prepubescent children who engage or probably engage in the sex trade in their knowledge. This is designed in order to strengthen the notification and prevention functions and to effectively stop those who deliberately use chat rooms on the Internet and SMS to engage in true sex trade in the disguise of online dating. Though the scope of notification obligation has been expanded in the amendment to the CASTPA to strengthen the notification and prevention mechanisms of prepubescent children sex trade and to define the notification obligations of the supplier and provider of SMS, network chat rooms, BBS, blogs and e-news services, many problems arise as a result. First, when telecommunication system providers have the obligation of notification, they also need to submit relevant evidence. However, this may involve the infringement of privacy of communication. If telecommunication system providers must not commit illegal surveillance, they are unable to acknowledge the contents of communication of consumers. In this case, how can they notify any crime? On the other hand, though information over the Internet is open to the public, it is a tough question for law enforcement officers to provide solid evidence proving that the administrator of online chat rooms and blogs has failed to perform his obligation of notification. 3. Amendment to the Copyright Act The online music downloading service debate has become a heated issue in recent years for the following reasons: “to select only the songs I like”, “comprehensive repertoires”, and “convenience”. According to the Online Music Downloading Survey by the Secure Online Shopping Association (SOSA), 85% consumers have tried the online music downloading service, thus giving rise to the comprehensive online music downloading software and services. However, to attract consumers with files containing unlicensed music, video or other files and charge users of such services, some ISPs provide computer programs or technologies, e.g. point-to-point (P2P), for users to exchange such outlawed materials and charge users for such services. Such acts of making profit from copyright infringement has inflicted disputes in copyright infringement. For example, the IFPI’s accusation in 2003 of Kuro, a P2P platform provider, is the first convicted case of P2P music downloading service in Taiwan. Though the software supplied by Kuro is a neutral technology which is not illegal, Kuro recruited members and charged them membership fees for allowing them to illegally downloading, exchanging and reproducing a large amount of unlicensed copyrighted materials with such software and the platform services it supplies. Kuro also advertised that consumers can download tens of thousands of the latest popular songs with the Kuro software and even encouraged members to download them. Therefore, the court decided that Kuro and its members who have practically downloaded copyrighted music illegally are guilty of copyright infringement. On the other hand, ezPeer, another P2P downloading platform provider, was not found guilty of copyright infringement because no law was practiced at that time to prohibit or restrict the use of P2P software. Also, as a transfer platform, ezPeer offers comprehensive functions and it is thus not a tool for committing crime. Even some users transfer or download unlicensed copyrighted materials with this tool, there is possibility for the non-liability reasonable use. Moreover, ISPs have no filtering obligations in the Copyright Act of the ROC. Therefore, even consumers may use the services for illegal activities, P2P service providers are not an accomplice. Therefore, to define the liabilities of P2P platform providers, the legislature of Taiwan passed on 14 June 2007 the amendment to the Copyright Act to include P2P software providers in governance of the act. In the future, platform providers will be prohibited by the Copyright Act from charging members for unlicensed activities. New objects of copyright infringement are added to the amendment, and the amendment includes the addition of Article 87.1.7, 87.1.2, and 97.1; and the revision of Article 93.4. According to Article 87.1.7, attempt to allow the public to openly transfer or reproduce works of others without prior consent or licensing from the owner is copyright infringement, and supply of computer programs and/or technologies that can be used for public transfer and/or reproduction of such for the purpose of making profits is deemed as copyright infringement. As the supplier of computer programs and/or technologies is the focus of this article, behaviors categorized based on this article must also meet the following requirements: (1) attempt to allow the public to download and/or transfer over the Internet copyrighted materials without prior consent or licensing of the copyright owner; (2) the act of supply of computer programs and/or technologies; (3) and making profits from such behaviors. In other words, the focus of the amendment is to prohibit providers by written law from supplying computer programs and/or technologies for users to transfer and/or exchange unlicensed music, video and/or other copyrighted materials and from charging users or making profits from such services. However, the amendment has adopted the principle of technology neutrality and specifies that P2P software providers will only be penalized when they have the act of making profit and the intention of copyright infringement in order not to prevent technological development and to save ISPs from breaking the law all the time. As the “intention” of copyright infringement is the criterion of judgment, Article 87.2 is added to the Copyright Act in the present amendment. According to this article, whether or not the doer instigates, guides or incites in advertisements or other active actions the public to use the computer programs and/or other technologies it supplies to commit copyright infringement is the criterion for determining the “intention” of copyright infringement. Also, the court will determine with severity whether or not the advertisements or other active actions are ready for instigating, guiding or inciting the public use the computer programs and/or other technologies the doer supplies to commit copyright infringement. In general, when providers offer services, such as web photo albums, BBS, instant messengers, auctions, web disks and online discussions, it is not their initial intention to supply software and/or technologies for users to illegally download and/or transfer the copyrighted materials of others, nor do they encourage, instigate, guide, incite and/or convince users to commit copyright infringement. Even such software can be used for transferring and/or distributing unlicensed copyrighted materials, providers must not be restricted, and it should be the users who take the liability of copyright infringement. After the enactment of the amendment, providers who make profit from supplying software for others to distribute unlicensed copyrighted materials and encourage users to exchange such materials with the software are to be penalized by imprisonment for a term of less than 2 years, community service, or fined, or penalty together with a find of under NT$500000 according to Article 93. Moreover, by adding Article 97.1, the competent authorities are entitled to order ISPs to shutdown or close the business when they are convicted for the abovementioned offences and refuse to stop such illegal acts after being determined for “severe copyright infringement” and “severely injury of the benefits of the copyright owner”. After this amendment of the Copyright Act, service providers can no longer use the excuse “we simply provide a service platform and have no right to check the behavior of consumers” as an escape of their liabilities. In fact, P2P service providers who charge users monthly fees for the P2P software, such as Kuro and ezPeer, have already signed licensing agreements with music companies before the enactment of this amendment. Therefore, the music they provide for users to download is no more unlicensed copyrighted materials. Therefore, the amendment has certain effect on improving copyright protection.

The security facet of cyberspace along with a world filled with CPU-controlled household and everyday items can be examined from various angles. The concept of security also varies in accordance with different stages of national conditions and industrial development in different nations. As far as our nation is concerned, the definition of security industry is "an industry offering protection for human bodies, important infrastructure, information, financial system, as well as offering equipment to defend the security of national lands and the service"1 as initially defined by "Security Industry Program Office." Judging from the illustration of the definition, the security industry should be inter-disciplinary and integrative, which covers almost all walks of life and fields, such as high-tech industrial security management, traffic & transportation security management, fire control and prevention against natural calamities, disaster relief, information security management, security management in defense of national borders, and prevention of epidemics. After the staged mission, "e-Taiwan program", was accomplished in 2007, our government hoped to construct a good surrounding by creating a comfortable life from a user’s point-of-view. This was hoped to be achieved by using "the development of a high-quality internet society" as a main source by using innovative services, internet convergence, perceptive environment, security, trust, and human machine linkage. At the Economic Development Vision for 2015: First-Stage Three-Year Sprint Program (2007~2009) formulated by the Executive Yuan, wireless broadband, CPU computer-controlled items all have become part of our every day lives, and healthcare, along with the green industry are listed as the next emerging industries; whereby the development of relevant critical technologies is hoped to be promoted to create higher industrial values and commercial opportunities. However, from a digitally-controlled-life viewpoint, the issue concerned by all walks of life is no longer confined to the convenience and security of personal life but gradually turns to protection of security of a critical infrastructure (CI) run by using information technology. For instance, finance management, stock market, communication network, harbors and airports, high speed rail, R&D of important technology, science parks, water purification facilities, water supply facilities, power, and energy facilities. 2Because security involves resources related with people's most fundamental living needs and is the most elementary economic activity of the society, it is regarded as an important core objective to promote the modern social security system. Therefore, critical infrastructure protection requires more dependence on information and communication technology to maintain the stability of finance and communication, as well as the security of facilities related with supply and economy of all sorts of livelihoods in order to ensure regular operation. With the influence of information and communication technology on the application of critical infrastructure on the increase, the society has increasingly deepened its dependence on the security of our cyber world. The concept and connotation of information security also keep extending with it toward the aforementioned critical infrastructure protection planning, making critical information infrastructure protection (CIIP) and critical infrastructure protection (CIP) more inseparable in concept3 , and becomes an important goal of policy implementation to achieve the vision of a digital lifestyle which is secure for every nation. In recent years, considerable resources have been invested to complete an environment whereby a legal system of “smart lifestyle” is developed. However, what has been done for infrastructure protection continues to appear as not being comprehensive enough. This includes vague definitions, scattered regulations and policies, different protection measures taken by different authorities in charge, obvious differences in relevant risk management measures and in the magnitude of management planning of information security and so on. These problems all influence the formation of national policies and are the obstacles to the promotion of relevant industrial development. In view of this, the 2008/2009 International CIIP Handbook will be used as the cornerstone of research in this project. After the discussion on how critical infrastructure protection is done in America, Germany and Japan, the contents of norms of regulations and policies regarding critical infrastructure protection in our nation will be explored to make an in-depth analysis on the advantages and disadvantages of relevant norms. It is hoped to find out what is missing or omitted in the regulations and policies of our nation and to make relevant amendments. Suggestions will also be proposed so that the construction of a safe environment whereby the digital age of our nation can be expanded to assist the “smart lifestyle” to be developed further. 1.See http://tsii.org.tw/modules/tinyd0/index.php?id=14 (last visited May 24, 2009) 2.For "2008 International Conference on Homeland Security and Application of Technology in Taiwan ~ Critical Infrastructure Protection~", please visit http://www.tier.org.tw/cooperation/20081210.asp (last visit date: 05/17/2009). 3.For critical infrastructure protection, every nation has not only proceeded planning for physical facilities but put even more emphasis on protection jobs of critical information & communication infrastructure maintained via the information & communication technology. In the usage of relevant technical terms, the term "critical infrastructure" has also gradually been used to include the term "critical information & communication infrastructure". Elgin M. Brunner, Manuel Suter, Andreas Wenger, Victor Mauer, Myriam Dunn Cavelty, International CIIP Handbook 2008/2009, Center for Security Studies, ETH Zurich, 2008. 09, p. 37.