Bread & Kaya 2023 Pt2: The syariah court tackles crypto, the importance of experts in software disputes and online sexual grooming
By Foong Cheng Leong November 5, 2024
- Parameters by Jawatankuasa Fatwa Negeri Selangor to be followed if dealing with Bitcoin
- Not a defence for an accused to claim that they did not know that the victim is a child
After sharing some standout cases yesterday, today I look at a few more cases that readers will surely find interesting. I end with some thoughts on what to look out for in 2024 among cyber-related cases that could hit the courts.
Ownership of cryptocurrencies in the Syariah Court
In Rosmaliza Binti Mohamad Rosli lwn Mohd Nahar Bin Mohd Nasir (Mahkamah Tinggi Syariah Shah Alam di Negeri Selangor. Kes Mal Bil.: 10100-049-0757-2019), the plaintiff wife sought a declaration that 206.9967889 Bitcoin, equivalent to RM10,095,109.20, is a marriage debt between the plaintiff wife and defendant husband pursuant to s. 61 of the Administration of the Religion of Islam (State of Selangor) Enactment 2003, and that the Bitcoin be returned to the plaintiff wife.
The Syariah High Court directed the issue of whether Bitcoin can be claimed as a marriage debt to be heard as a preliminary issue. In this regard, the Court referred to the decision of the meeting of the Jawatankuasa Fatwa Negeri Selangor (Selangor State Fatwa Committee), which convened on 8 Muharram 1443H, corresponding to 17 August 2021, on "Hukum Matawang Kripto (Cryptocurrency) : Satu Analisa Syarak" (The Ruling on Cryptocurrency: A Syarak Analysis), which states the following:
“It is PERMISSIBLE (HARUS) to carry out transactions using digital currency, whether as a medium of payment, for remittance or as a savings asset, PROVIDED THAT the parameters below are met.
a. Transactions involving digital currency must be carried out only through licensed digital currency exchange platforms that are approved and regulated by the authorities;
b. Users must have sufficient knowledge of:
i. The types, main characteristics and risks associated with digital currency;
ii. Sufficient technical matters on how to obtain digital currency and where it should be stored to ensure its security;
iii. The rules set by licensed digital currency exchange platforms that are approved and regulated by the authorities; and
iv. The laws and regulations relating to digital currency.
c. As with other currencies, digital currency must not be used as payment for goods, services and activities that are not Syariah-compliant, such as the purchase of drugs, prostitution, gambling, the funding of terrorist activities and money laundering.”
The Syariah High Court was of the view that the parameters set in the decision of Jawatankuasa Fatwa Negeri Selangor must be followed if one intends to deal with Bitcoin.
The Syariah High Court held that the plaintiff wife must show that the Bitcoin account she claimed followed the parameters set by the Jawatankuasa Fatwa Negeri Selangor. However, she did not do so during the proceedings or in any of her pleadings. As such, the Syariah High Court dismissed the action.
Loss of cryptocurrencies
A recognised market operator was also found to be liable for negligence over a user's loss of Bitcoins. In Yew See Tak v Luno Malaysia Sdn Bhd (Petaling Jaya Sessions Court Suit No. BB-B52NCvC-43-08/2021), the plaintiff sued the defendant, a registered market operator licensed by the Securities Commission to operate a Digital Asset Exchange (DAX), for negligence in failing to secure and safeguard his cryptocurrencies. The sum of RM566,570.70 in the Luno account was used to purchase 2.730096 Bitcoins, and the said Bitcoins, together with his other Bitcoins (amounting to 0.15106083 Bitcoins) in the said Luno account, were transferred to an unknown account.
[Ed: Para updated for clarity with the amount of money and Bitcoins involved.]
The Bitcoins were transferred to an unknown account in three different transactions but on a single day. The defendant reported that the unauthorised transactions were made by accessing the plaintiff’s Luno account and were authorised through SMS sent to the plaintiff’s mobile number, among others. The plaintiff had activated two-factor authentication (2FA) on his Luno account and as such, any person who wanted to access his account needed to use the 2FA code generated by the 2FA application, i.e. Google Authenticator. The defendant concluded that there was nothing to show that his wallet was compromised, and that the transactions were irreversible due to Blockchain technology.
The plaintiff testified that he opened an account with Luno to be able to use its functions securely and safely, and he had entrusted Luno to keep and care for the monies and cryptocurrencies in the Luno account. As such, there was a fiduciary relationship between the defendant and the plaintiff as its customer.
The Court found that the defendant had been negligent and awarded general, aggravated and exemplary damages of RM100,000.
The Court found that the defendant had been lacking in its customer service as it took 36 hours to inform the plaintiff that his account had been locked for safety reasons. This shows that the defendant did not take the complaint seriously. The customer service personnel also did not testify to show the role and responsibilities taken by the defendant in handling complaints submitted by its customers. The defendant should take appropriate action within a reasonable time to address the problem complained about.
The defendant’s system ought to have detected the suspicious transactions and triggered a notification. This is a case involving a large amount in two transactions in a short time. The plaintiff is not a new customer but a customer of 5 years. The transactional pattern of the plaintiff can be read and predicted by the defendant. The defendant cannot escape liability by just implementing a 2FA system.
Furthermore, after the plaintiff’s incident, the defendant introduced a new fraud prevention policy to limit transactions made through the platform. With this policy, the defendant can detect if there are transactions which are not normal or above the limit and if so, the transactions will be suspended or investigated. In addition, the Court recognised that other platforms could block suspicious transactions and the defendant failed to do so.
Not only did the defendant not report the incident to the Securities Commission, but there was also a breach of the Securities Commission’s Guidelines on Prevention of Money Laundering and Terrorism Financing For Capital Market Intermediaries.
The Guidelines provide that a reporting institution must conduct ongoing due diligence and scrutiny of its customers throughout the course of the business relationship. Such measures shall include monitoring and detecting patterns of transactions undertaken throughout the course of the business relationship to ensure that the transactions being conducted are consistent with the reporting institution’s knowledge of the customer. It should also consider reclassifying a customer as higher risk and consider lodging a suspicious transaction report with the Financial Intelligence and Enforcement Department of Bank Negara Malaysia.
In respect of the general, aggravated and exemplary damages, the Court considered:
- the defendant’s position that its security measures are very good and anything more is not its problem, although it nevertheless admitted that there was improvement in the security after the incident,
- the defendant could at least have provided a detailed and urgent investigation, and transactions in such an account should have been postponed or frozen until the investigation was completed,
- the plaintiff had fully entrusted his investment to the defendant, and
- the plaintiff could have continued with his investment into cryptocurrencies but for the loss of the cryptocurrencies.
However, the High Court overturned the Sessions Court decision on appeal. It was reported that the learned High Court Judge was of the view that the Sessions Court judge had imposed a high standard of care and duty on Luno with not enough evidence tendered. The High Court’s grounds are not available as at the time of writing.
Online sexual grooming
The Sexual Offences Against Children Act 2017 also showed its bite on online sexual grooming. In Hendra Bin Mulana v Pendakwa Raya [2023] CLJU 2230, the Court showed its abhorrence towards child sexual abuse materials and child grooming. The accused was convicted by the Sessions Court on four charges under section 8(b) of the Sexual Offences Against Children Act 2017 for requesting child pornography and sentenced to thirteen years imprisonment from the date of conviction and three strokes of rotan (caning) in respect of each charge.
The accused had met the victim through a social media platform by the name of BIGO and, through his conversation with the victim, he had made the victim send him sexual-related pictures and videos and had lewd conversations with her. The accused, however, had never met the victim, but they had communicated via live streaming and WhatsApp calls.
The accused’s defence was that he did not know the true age of the victim because her BIGO profile stated she was 19 years old. He also claimed that the victim had told him that she was still in school, and she was in Form Six (Upper). The accused argued that he had taken all reasonable steps to ascertain the age of the victim and relied on the defence under section 20 of the Sexual Offences Against Children Act 2017. The victim admitted that she did not give her true age but had told the accused that she was 14 years old. The BIGO account was her friend’s account.
The High Court held that there were two ingredients to be fulfilled for an offence under section 8(b) by the prosecution and they were that the victim is a child, and the accused had asked for pornography from the child at the material time. The High Court held that the Sessions Court did not err by ruling that both ingredients were fulfilled. In respect of the first ingredient, it was fulfilled by the provision of the victim’s birth certificate. As for the second ingredient, this was fulfilled through the evidence provided by the prosecution witness, the accused’s own statements and documentary evidence.
The accused’s defence was that he did not know the true age of the victim. The Sessions Court dismissed this argument and held that the accused should have made an effort to go and meet the victim in person to discover her true age. Pursuant to section 20 of the Sexual Offences Against Children Act 2017, it is not a defence for the accused to claim that he did not know that the victim is a child unless the accused took all reasonable steps to ascertain the age of the person.
The High Court agreed with the Sessions Court and commented that the victim’s photograph shows that she is just a child. The accused should have also tendered evidence to show that he had taken reasonable steps to ascertain the age of the victim. As such, the High Court upheld the conviction of the Sessions Court but reduced the sentence from 13 years for each charge to 10 years each. The Court of Appeal upheld the conviction and sentence by the High Court.
Software Dispute
The High Court case of Liberty Technology Resources Sdn Bhd v. Suruhanjaya Syarikat Malaysia (SSM) [2023] 1 LNS 1294 highlights the importance of terms on refund and liquidated damages, and the role of experts in software disputes.
The dispute centered around a contractual agreement by the name of ERP Agreement where Liberty Technology Resources (the plaintiff) was tasked with developing an ERP system for Suruhanjaya Syarikat Malaysia (the defendant). The agreement was terminated by the defendant due to delays in the project's completion, leading to legal proceedings initiated by both parties.
The plaintiff alleged wrongful termination and sought significant contractual payments, primarily for third-party software licenses and subscription fees purchased on behalf of the defendant. However, the court found that the ERP Agreement did not explicitly impose on the plaintiff the obligation to acquire third-party software at its own expense unless specifically provided for in the contract. Therefore, the plaintiff's claim for reimbursement of these costs was dismissed.
Regarding the delays in project completion, the plaintiff argued that these were caused by actions of the defendant. However, the court noted a lack of substantive evidence, such as expert reports or detailed delay analyses, supporting this assertion. Consequently, the plaintiff failed to prove that the defendant was responsible for the delays, which was crucial in the context of their claim for wrongful termination.
On the defendant's counterclaim, seeking a refund of payments made under the ERP Agreement upon termination, the court ruled in favor of the defendant. This decision was based on clear contractual provisions allowing for such refunds in the event of termination. Additionally, the court upheld the defendant's entitlement to liquidated damages, distinct from the refund, which were deemed necessary to compensate for losses resulting from the project delays.
Throughout the case, expert opinions played a significant role. The defendant presented expert analysis regarding the causes of project delays, which went uncontested by the plaintiff. This further supported the court's decision in favor of the defendant on issues related to termination, refunds, and damages.
Closing
In 2024, we can expect more interesting developments in the cyberlaw and IT sphere.
- The Cyber Security Bill 2024 came into force on 26 June 2024. This new law aims to enhance national cyber security by providing for, among others, the functions and duties of the national critical information infrastructure (NCII) sector leads and national critical information infrastructure entities, the management of cyber security threats and cyber security incidents affecting national critical information infrastructures, the regulation of cyber security service providers through licensing, and related matters. Details can be found in my June article “Bread & Kaya: Impact of the Cyber Security Bill 2024 on the Cybersecurity Industry in Malaysia”.
- Our government introduced amendments to the Personal Data Protection Act 2010 during the July 2024 Parliament sitting. The new provisions will now impose on data controllers (a new name replacing data users) requirements for a data protection officer and data breach notification, and provide a right to transmit a person’s personal data to another data controller, i.e. data portability, among others.
- Singapore may require online platforms Carousell and Facebook to verify the identity of all their sellers if the number of scams reported on the respective platforms does not drop significantly. This is a welcome effort by the Singapore Government to curb scams which should be emulated by our government as well.
- On the topic of scams, new laws are being introduced to combat scams by coming down hard on those involved in the operation of mule accounts. Currently, mule account holders are charged under s. 414 (assisting in the concealment of stolen property) and s. 424 (dishonest or fraudulent removal or concealment of consideration) of the Penal Code, among others. The new proposed provisions will now criminalise any person who unlawfully has in his possession or control a payment instrument or account of another person (s. 424A), gives possession of the same (s. 424B) or engages in a transaction of the same (s. 424C).
- Social media service and instant messaging service providers with 8 million or more users in Malaysia are required to obtain an applications service provider class licence with the Communications and Multimedia Commission by 1 January 2025 pursuant to the Communications and Multimedia (Licensing) (Exemption) (Amendment) Regulations 2024 and the Communications and Multimedia (Licensing) (Exemption) (Amendment) (No 2) Regulations 2024. This requirement was introduced to combat the rise in cybercrime offences including online scams and gambling, cyberbullying, and sexual crimes against children.