Comments on the CyberCrime Bill 2003

Cyber crimes 

Cyber crime has evolved from hacking and virus writing to a much wider set of problems, including copyright infringement, spamming and child pornography. The main categories are listed below, each with a brief description:

§         Hacking, cracking and viruses

§         Denial of service and Distributed Denial of service attacks

§         Copyright infringements

§         Spamming

§         Child pornography

§         Fraud, Illegal trade and commerce

 

Hacking, cracking and viruses

Cracking denotes the act of breaking into secure computer systems, whereas hacking originally meant gaining deep knowledge of computer systems, mainly for its own sake. Because the mass media of the 1980s never properly distinguished the two, the terms are now used interchangeably to mean breaking into a secure computer system. Hacking can cost companies a great deal of money through loss of data, breach of secrecy and loss of customers, among other harms.

Similarly, computer viruses, Trojan horses and worms can cause severe damage to computer systems connected to the internet, and people who write and wilfully spread such software are committing cyber crimes.

Denial of service attacks (DoS) and Distributed DoS. 

Denial of Service is an attack that renders a computer system incapable of providing normal service to its legitimate users. This is usually done by exhausting the system's resources (bandwidth, connection slots, memory or processor time) by flooding it with a high volume of traffic, so that legitimate users cannot get through.

A Distributed Denial of Service (DDoS) attack is a DoS attack in which the attacker first takes control of many machines and then directs them, from a controlling host, to flood one or more targets at the same time. It is the equivalent of using an army of computers against a single victim, and because each participating machine may send only a modest amount of traffic, the attack is much harder to filter by source than a flood from one host.
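The practical difference between a DoS and a DDoS flood shows up in the traffic itself: in one case a single source dominates the request count, in the other the same volume is spread across many sources. The following Go program is an added example, not code from the original page or from any product it mentions. It parses a constructed, synthetic access log (timestamp and client address per line; the addresses are from the documentation ranges and are not real traffic), groups requests into one-second windows and labels each window. The thresholds (20 requests per second, 50% from one source) are assumptions for the example and would be tuned to a real service's baseline.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Verdict summarises one one-second window of traffic.
type Verdict struct {
	Window   time.Time
	Requests int
	Sources  int     // distinct client addresses seen in the window
	TopShare float64 // fraction of the window's requests sent by its busiest source
	Label    string  // "normal", "dos" (one source dominates) or "ddos" (flood spread over many sources)
}

// Thresholds assumed for this example; a real deployment tunes them to its own baseline.
const (
	floodThreshold    = 20  // requests per second above which a window counts as a flood
	singleSourceShare = 0.5 // if one source sends more than this share of a flood, label it DoS
)

// ClassifyLog reads lines of the form "<RFC3339 timestamp> <client address>",
// groups them into one-second windows and labels each window.
func ClassifyLog(log string) ([]Verdict, error) {
	type window struct {
		bySource map[string]int
		total    int
	}
	windows := map[time.Time]*window{}

	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		key := ts.Truncate(time.Second)
		w := windows[key]
		if w == nil {
			w = &window{bySource: map[string]int{}}
			windows[key] = w
		}
		w.bySource[fields[1]]++
		w.total++
	}

	var out []Verdict
	for key, w := range windows {
		top := 0
		for _, n := range w.bySource {
			if n > top {
				top = n
			}
		}
		v := Verdict{Window: key, Requests: w.total, Sources: len(w.bySource),
			TopShare: float64(top) / float64(w.total), Label: "normal"}
		if w.total > floodThreshold {
			if v.TopShare > singleSourceShare {
				v.Label = "dos"
			} else {
				v.Label = "ddos"
			}
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Window.Before(out[j].Window) })
	return out, nil
}

// SampleLog builds a constructed, synthetic log (not captured traffic) with three
// one-second windows: background noise, a single-source flood and a distributed flood.
func SampleLog() string {
	base := time.Date(2003, 1, 1, 12, 0, 0, 0, time.UTC)
	var b strings.Builder
	line := func(sec int, addr string) {
		fmt.Fprintf(&b, "%s %s\n", base.Add(time.Duration(sec)*time.Second).Format(time.RFC3339), addr)
	}
	for i := 0; i < 5; i++ { // second 0: five clients, one request each
		line(0, fmt.Sprintf("192.0.2.%d", i+1))
	}
	for i := 0; i < 40; i++ { // second 1: forty requests from one client (DoS)
		line(1, "203.0.113.7")
	}
	for i := 0; i < 40; i++ { // second 2: forty requests from forty clients (DDoS)
		line(2, fmt.Sprintf("198.51.100.%d", i+1))
	}
	return b.String()
}

func main() {
	verdicts, err := ClassifyLog(SampleLog())
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%s requests=%d sources=%d top=%.2f -> %s\n",
			v.Window.Format("15:04:05"), v.Requests, v.Sources, v.TopShare, v.Label)
	}
}
```

The request count alone cannot tell the two cases apart; it is the number of distinct sources and the share of the busiest one that separates a flood you can block at one address from one that needs rate limiting or upstream filtering at the ISP.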

Copyright and Intellectual Property Infringements

This covers the unauthorised use, copying and distribution of copyright material (documents, software, media, etc.) over the internet.

Spamming

Spamming is the unsolicited bulk delivery of a message, over the Internet, to recipients who did not ask for it and would not otherwise choose to receive it. Most spam is commercial advertising. Whether it is unlawful depends on the jurisdiction, a point taken up in the comments on the Bill below.

Child pornography and paedophilia

The internet can be a powerful tool for the illegal promotion of child pornography and paedophilia through the display and distribution of illicit pictures of children and teenagers.

Illegal Trade and Commerce

The internet can be used as a medium for trade in illegal goods, such as prescription medicines and drugs. It can also be a medium for fraudulent transactions, such as the use of stolen credit card numbers to purchase items online.

According to the role the computer plays, there are three types of cybercrime: the computer is the object of the crime (unauthorised access, destruction of files and devices, theft of information); the computer is the tool of the crime (electronic theft and the like); or the computer is the intellectual means of the crime (for example, placing pornographic sites on the Internet).

In 2002, the USA accounted for 35.4% of all cybercrimes committed in the world, compared with South Korea (12.8%), China (6.9%), Germany (6.7%), France (4%) and Great Britain (2.2%). The most common were program viruses, self-replicating worms and other forms of malicious code. By number of cyberattacks per 1,000 Internet users, South Korea took first place in the same year (3.7%), ahead of Poland (18.4%), the Czech Republic (14.2%), France (14.1%) and Taiwan (14%).

During 1997-2002, the number of computer-related crimes recorded in Russia rose from 33 to 3,700. Russia and Ukraine are known to be among the five countries with the highest rates of software piracy.

It should be remembered that, according to UN expert recommendations, the term "cybercrime" covers any crime committed by using computer systems or networks, within them, or against them. In theory it embraces any crime that can be committed in an electronic environment. In other words, crimes committed using computers against information processed on, or carried over, the Internet count as cybercrimes.

Cybercrimes have specific causes, and fighting them requires specific means. The world has already accumulated some positive experience. In early 2003 the USA set up a national system based on two documents, "The National Strategy to Secure Cyberspace" and "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets". The latter defines critical infrastructure as the combination of physical and virtual systems and assets whose disabling or destruction would damage national defence, the economy, security or public health, and lists the sectors included in that structure.

After the adoption of the Okinawa Charter on Global Information Society in 2000 and the well-known Council of Europe Convention on Cybercrime in 2001, special forums on this problem were held throughout the world. In December 2002, the first Strategic Congress on fighting e-crime took place in London. In February 2003, the first international summit on fighting cybercrime was held in Atlanta, USA, with the support of the Cybercrime Research Institute. Nevertheless, the problem remains very acute and will take a long time to solve.
 

A report by anti-virus vendor Symantec found network-based attacks spiked 20 per cent in the last six months of 2002, compared with the same period in 2001. It also found power and energy companies attracted 60 per cent of targeted attacks, with telecommunications and financial services companies following close behind. These attacks have made investors wary of organisations that cannot demonstrate business continuity. 

Outside the organisation, CIOs need to inquire about their ISPs' security practices and routing strategies. Internally, "we should be looking at the next generation of secure operating systems", for example Secure Linux, Trusted Solaris and Hewlett-Packard's Virtual Vault.
 

All systems should have a minimum security level of B1. B1 is a level of the US Trusted Computer System Evaluation Criteria (the "Orange Book"); the European ITSEC scheme expresses the same functionality as class F-B1. B1 requires labelled mandatory access control over named subjects and objects, so that access decisions are enforced by the system's security policy rather than left to the discretion of the file owner. "All Internet connected servers should fall into that area."

That should be the minimum due diligence for IT governance.

COMMENTS on Computer Misuse and CyberCrime Bill 2003 

As set out above, spamming is generally considered a cybercrime. However, the Computer Misuse and Cybercrime Bill 2003 does not classify spamming as a cyber crime, and so there is no penalty for it.

The criminal liability of an Internet Service Provider (ISP) which is used to disseminate criminal material (such as child pornography) is to be restricted by law.

In general a provider will only be criminally liable if it knew or could have known of the distribution of the punishable material and failed to take countermeasures.

In addition e-mail is to receive statutory protection. If the mail is stored in a mailbox, privacy of correspondence will apply, while during transport the statutory tapping protection for telecommunications will apply.

In order to provide clarity on the criminal liability of an ISP, and to protect the ISP against frivolous prosecution, the grounds for exclusion from prosecution that apply to publishers and printers have been extended to any "intermediary" whose task is to disseminate utterances in word, picture, sound or writing.

Inspection of protected e-mail without consent is treated as computer trespass (unauthorised access). A further new element is that it becomes a punishable offence for the provider itself to inspect mail without the user's consent. The threshold for e-mail to count as "protected" is low: a password is sufficient.

A legislative proposal that treats all computers as equal, regardless of how they are protected, is fraught with danger, especially as many of the proposed offences do not require an element of damage, physical or monetary, as a prerequisite for criminal liability. Caution therefore needs to be exercised to ensure that the new offence provisions adequately address this changed operating environment and do not criminalise trivial matters or innocent behaviour.

Many of the problems and security breaches that are being experienced with computer systems today are the result of inadequate security protections, faulty or insecure software, or poorly qualified operators. If confidential information were left lying around in a public place, would we charge the finder with a criminal offence? 

The proposals in the Bill are indeed controversial. The matter of Disclosure Orders is aimed squarely at the problems presented by security passwords and, more particularly, encrypted data. To the best of our knowledge, the only other country that has previously tried to address this problem with specific legislation is the U.K., with its highly reviled and controversial Regulation of Investigatory Powers Act 2000, more commonly known as the R.I.P. Act (it was debated as the R.I.P. Bill).

One of the major problems with that legislation was its cursory treatment of the requirement for persons to reveal encryption keys (in Part III, Investigation of Electronic Data Protected by Encryption etc.).

There may sometimes be legitimate reasons why a private key or plain text cannot be handed over to a law enforcement agency, and it would be difficult for the subject of a Disclosure Order to prove that they do not possess or have access to a key or the plain text. The prospect of users of encryption being jailed despite having genuinely lost their private keys is a major and quite legitimate concern. I believe that the proposed legislation should indicate how those served with Disclosure Orders requiring plain text or encryption keys can successfully demonstrate that they cannot comply with the notice.

Furthermore, the 1997 OECD cryptography guidelines, which Australia has adopted, specifically recognize the fundamental right of privacy in relation to encrypted data:

Article 5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.

A further problem is that a single encryption key is often used for two purposes: ensuring confidentiality and authenticating the signatory of a document (through a digital signature). Revealing the key (or the passphrase thereto) can therefore compromise the integrity of the owner's digital signature, since whoever holds the key can sign in the owner's name. Where separate keys are used for decryption and for signing, a Disclosure Order can be satisfied by handing over the decryption key alone, and the signing key, which the order has no legitimate need for, stays with its owner. (It should be noted that the person on whom the Disclosure Order is served is not necessarily assumed to be guilty of an offence.)
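The following Go program is an added example illustrating the point above; it is not code from the page and the Bill names no algorithms, so the choice of RSA-OAEP for confidentiality, Ed25519 for the separate signing key and RSA-PSS for the "dual-use" case are assumptions made here. It walks through a disclosure under both arrangements: the owner hands over only the decryption key, the holder of that key recovers the plaintext (the order's legitimate purpose), and the program then tests whether the same key lets the holder produce a signature that the owner's verifiers would accept. The messages are constructed sample strings.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity keeps the two roles on two unrelated keys. A disclosure order
// aimed at recovering plaintext needs only EncKey; SignKey never leaves the owner.
type Identity struct {
	EncKey  *rsa.PrivateKey    // confidentiality (RSA-OAEP decryption)
	SignKey ed25519.PrivateKey // authentication (Ed25519 signatures)
}

// NewIdentity generates a fresh, independent key for each role.
func NewIdentity() (*Identity, error) {
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sign, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{EncKey: enc, SignKey: sign}, nil
}

// Encrypt seals msg to the holder of pub with RSA-OAEP/SHA-256.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens an RSA-OAEP/SHA-256 ciphertext with the disclosed key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces the owner's Ed25519 signature over doc using the key that was not disclosed.
func (id *Identity) Sign(doc []byte) []byte {
	return ed25519.Sign(id.SignKey, doc)
}

// DualUseSign models the hazard in the text: the same RSA key that decrypts
// is also used to sign (RSA-PSS here), so disclosing it for decryption also
// hands over the ability to sign in the owner's name.
func DualUseSign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
}

// DualUseVerify is what a verifier relying on the dual-use key would run.
func DualUseVerify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records what the holder of a disclosed decryption key can do.
type Outcome struct {
	PlaintextRecovered  bool // the disclosed key satisfies the order's purpose
	OwnerSignatureValid bool // the owner's own Ed25519 signature still verifies
	SeparatedKeyForgery bool // can the holder forge when signing uses its own key? (expect false)
	DualUseKeyForgery   bool // can the holder forge when one key does both jobs? (expect true)
}

// RunScenario walks through one disclosure under both key arrangements.
func RunScenario() (Outcome, error) {
	var out Outcome
	id, err := NewIdentity()
	if err != nil {
		return out, err
	}
	msg := []byte("constructed sample message, not real data")
	doc := []byte("constructed sample contract text, not real data")

	ct, err := Encrypt(&id.EncKey.PublicKey, msg)
	if err != nil {
		return out, err
	}
	disclosed := id.EncKey // the owner complies by handing over the decryption key only
	pt, err := Decrypt(disclosed, ct)
	if err != nil {
		return out, err
	}
	out.PlaintextRecovered = bytes.Equal(pt, msg)

	signPub := id.SignKey.Public().(ed25519.PublicKey)
	out.OwnerSignatureValid = ed25519.Verify(signPub, doc, id.Sign(doc))

	// Separated keys: the best the holder can do is sign with the key it has,
	// and that signature does not verify under the owner's signing public key.
	attempt, err := DualUseSign(disclosed, doc)
	if err != nil {
		return out, err
	}
	out.SeparatedKeyForgery = ed25519.Verify(signPub, doc, attempt)

	// Dual-use key: verifiers accept RSA-PSS signatures from the same key,
	// so the disclosed key yields a signature indistinguishable from the owner's.
	out.DualUseKeyForgery = DualUseVerify(&disclosed.PublicKey, doc, attempt)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The design point is key separation: an order framed as "produce the plain text or the key needed to produce it" can be met without surrendering anything that authenticates the owner, but only if the owner never used one key for both jobs in the first place.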

Clearly there is tension between privacy rights and legitimate law enforcement needs. An approach needs to be found that balances these interests, or at least the law should recognise that a failure to provide assistance is not automatically an offence.

The law enforcement provisions may also have the effect of overriding the common law privilege against self-incrimination. This could arise where a person is compelled to reveal a password or encryption key under a Disclosure Order. The right to silence is a long-standing right in most jurisdictions, and it is unacceptable that the Bill should potentially override it without strong justification, or even acknowledgement.

The legislation should be carefully scrutinised to ensure that innocent behaviour is not criminalised.

I. Search and seizure

1.    The legal distinction between searching computer systems and seizing data stored therein and intercepting data in the course of transmission should be clearly delineated and applied.

2.    Criminal procedural laws should permit Investigatory Authorities to search computer systems and seize data under similar conditions as under traditional powers of search and seizure. The person in charge of the system should be informed that the system has been searched and of the kind of data that has been seized. The legal remedies that are provided for in general against search and seizure should be equally applicable in case of search in computer systems and in case of seizure of data therein.

3.    During the execution of a search, Investigatory Authorities should have the power, subject to appropriate safeguards, to extend the search to other computer systems within their jurisdiction which are connected by means of a network and to seize the data therein, provided that immediate action is required.

4.    Where automatically processed data is functionally equivalent to a traditional document, provisions in the criminal procedural law relating to search and seizure of documents should apply equally to it.

II. Technical surveillance

5.    In view of the convergence of information technology and telecommunications, laws pertaining to technical surveillance for the purposes of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability.

6.    The law should permit Investigatory Authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes.

7.    When collected in the course of a criminal investigation and in particular when obtained by means of intercepting telecommunications, data which is the object of legal protection and processed by a computer system should be secured in an appropriate manner.

8.    Criminal procedural laws should be reviewed with a view to making possible the interception of telecommunications and the collection of traffic data in the investigation of serious offences against the confidentiality, integrity and availability of telecommunication or computer systems.

III. Obligations to co-operate with the Investigatory Authorities

9.    Subject to legal privileges or protection, most legal systems permit Investigatory Authorities to order persons to hand over objects under their control that are required to serve as evidence. In a parallel fashion, provisions should be made for the power to order persons to submit any specified data under their control in a computer system in the form required by the Investigatory Authority.

10.    Subject to legal privileges or protection, Investigatory Authorities should have the power to order persons who have data in a computer system under their control to provide all necessary information to enable access to a computer system and the data therein. Criminal procedural law should ensure that a similar order can be given to other persons who have knowledge about the functioning of the computer system or measures applied to secure the data therein.

11.    Specific obligations should be imposed on operators of public and private networks that offer telecommunication services to the public to avail themselves of all necessary technical measures that enable the interception of telecommunications by the Investigatory Authorities.

12.    Specific obligations should be imposed on service-providers who offer telecommunication services to the public, either through public or private networks, to provide information to identify the user, when so ordered by the competent Investigatory Authority.

IV. Electronic evidence

13.    The common need to collect, preserve and present electronic evidence in ways that best ensure and reflect their integrity and irrefutable authenticity, both for the purposes of domestic prosecution and international co-operation, should be recognised. Therefore, procedures and technical methods for handling electronic evidence should be further developed, and particularly in such a way as to ensure their compatibility between states. Criminal procedural law provisions on evidence relating to traditional documents should similarly apply to data stored in a computer system.

V. Use of encryption

14.    Measures should be considered to minimise the negative effects of the use of cryptography on the investigation of criminal offences, without affecting its legitimate use more than is strictly necessary.

VI. Research, statistics and training

15.    The risks involved in the development and application of information technology with regard to the commission of criminal offences should be assessed continuously. In order to enable the competent Authorities to keep abreast of new phenomena in the field of computer-related offences and to develop appropriate counter-measures, the collection and analysis of data on these offences, including modus operandi and technical aspects, should be furthered.

16.    The establishment of specialised units for the investigation of offences, the combating of which requires special expertise in information technology, should be considered. Training programmes enabling criminal justice personnel to avail themselves of expertise in this field should be furthered.

VII. International co-operation

17.    The power to extend a search to other computer systems should also be applicable when the system is located in a foreign jurisdiction, provided that immediate action is required. In order to avoid possible violations of state sovereignty or international law, an unambiguous legal basis for such extended search and seizure should be established. Therefore, there is an urgent need for negotiating international agreements as to how, when and to what extent such search and seizure should be permitted.

18.    Expedited and adequate procedures, as well as a system of liaison, should be available under which the Investigatory Authorities may request foreign Authorities to collect evidence promptly. For that purpose the requested Authorities should be authorised to search a computer system and seize data with a view to its subsequent transfer. The requested Authorities should also be authorised to provide traffic data related to a specific telecommunication, to intercept a specific telecommunication or to identify its source. For that purpose, the existing mutual legal assistance instruments need to be supplemented.

Under US law, such an obligation is enshrined in statute (the Communications Assistance for Law Enforcement Act, CALEA):

Carriers are required to "facilitate authorized communications interceptions and access to call-identifying information…in a manner that protects…the privacy and security of communications and call-identifying information not authorized to be intercepted;"

In the UK, the Regulation of Investigatory Powers Act 2000 distinguishes the content of a communication from its 'traffic data', which it defines as:

"(a) any data identifying, or purporting to identify, any person, apparatus or location to or from which the communication is or may be transmitted,

(b) any data identifying or selecting, or purporting to identify or select, apparatus through which, or by means of which, the communication is or may be transmitted,

(c) any data comprising signals for the actuation of apparatus used for the purposes of a telecommunication system for effecting (in whole or in part) the transmission of any communication, and

(d) any data identifying the data or other data as data comprised in or attached to a particular communication,

but that expression includes data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication to the extent only that the file or program is identified by reference to the apparatus in which it is stored."

From a law enforcement perspective, the intangible nature of the data generated by communications technologies creates obvious evidential problems during an investigation. As a consequence, there have been calls for a legal obligation on ISPs to retain certain types of data for a minimum period for the purpose of possible later criminal investigations. Such data retention obligations could cover data ISPs record in the normal course of business (e.g. billing data), or could extend to categories of data specifically identified as useful in a subsequent criminal investigation (e.g. Internet log-on session data).

