Comments on the CyberCrime Bill 2003
Cyber crimes
Cyber crime has evolved from hacking to virus spreading and now there are a lot
of issues related to copyright infringements, spamming and child pornography.
The main cyber crimes are listed below with a brief description:
- Hacking, cracking and viruses
- Denial of service and Distributed Denial of service attacks
- Copyright infringements
- Spamming
- Child pornography
- Fraud, illegal trade and commerce
Hacking, cracking and viruses
Cracking is used to define the act of breaking into secure computer systems,
whereas hacking involves gaining knowledge about computer systems mainly for
fun. Since these terms were not properly distinguished by the mass media in the
1980s, they are commonly used interchangeably to mean breaking into a secure
computer system. Hacking can make companies lose a lot of money in the form of
loss of data, breach of secrecy and loss of customers, amongst others.
Similarly, computer viruses, Trojan horses and worms can cause severe damage to
computer systems connected to the internet, and people writing and wilfully
spreading this software are committing cyber crimes.
Denial of service attacks (DoS) and Distributed DoS
Denial of Service is an attack that hackers use to render a computer system
incapable of providing normal services to its legitimate users. This is usually
done by consuming all the resources of the computer system, flooding it with a
high volume of traffic and preventing legitimate users from getting through.
A Distributed Denial of Service (DDoS) attack is basically a DoS attack that
makes use of client/server technology to multiply the effectiveness of the
DoS attack. It is similar to using an army of computers to attack one or more
computer systems.
Copyright and Intellectual Property Infringements
This involves the illegal use, copying and distribution of copyright material
(documents, software, media, etc) on the internet.
Spamming
Spamming is the illegal attempt to deliver a message, over the Internet, to
someone who would not otherwise choose to receive it. Most spam is of
commercial advertising nature.
Pornography and paedophilia
The internet can be a powerful tool to illegally promote teenage pornography and
paedophilia by displaying illicit child/teenage pictures on the net.
Illegal Trade and Commerce
The internet can be used as a medium for trade in illegal goods such as
prescription medicines and drugs, amongst others. The internet can also be a
medium for fraudulent transactions, such as the use of stolen credit card
numbers to purchase items on the internet.
According to the way computers or computer systems are used, there are
three types of cybercrime: the computer is the object of the crime (unauthorized
access, destruction of files and devices, theft of information); the computer is
the tool of the crime (e-thefts and so on); or the computer serves as an
intellectual means (for example, placing porno sites on the Internet).
In 2002, the USA accounted for 35.4% of all cybercrimes committed in the world
when compared with South Korea (12.8%), China (6.9%), Germany (6.7%), France
(4%) and Great Britain (2.2%). The most popular among them were program viruses,
self-reproducing computer viruses and other forms of program code malfunctions.
As to the number of cyberattacks per 1000 Internet users, South Korea took
first place last year (3.7%), leaving behind Poland (18.4%), Czech Republic
(14.2%), France (14.1%) and Taiwan (14%).
During 1997-2002, the number of crimes committed in Russia using computers
increased from 33 to 3700. Russia and Ukraine are known to be among the five
countries with the highest level of computer piracy.
It should be recalled that, according to UNO expert recommendations, the term
"cybercrime" covers any crime committed by using computer systems or networks,
within their frameworks or against them. Theoretically, it embraces any crime
that can be committed in the electronic environment. In other words, crimes
committed by using computers against information processed and applied on the
Internet can be classed as cybercrimes.
Cybercrimes have specific causes, and fighting them requires specific means. The
world has already accumulated some appropriate positive skills. Thus, in early
2003, the USA created the corresponding national system specified in the
"National strategy of cybersecurity" and "National strategy of physical
protection of critical infrastructure". The latter (critical infrastructure
being regarded as "a combination of physical and virtual systems and means
that can result in ruining the national defence, economic, security and public
health service when disabled or destroyed") has a list of objects included in
the above structure.
After the adoption of the Charter of global information society in 2000 and the
well-known European Council Convention on fighting cybercrimes in 2001, special
forums on this problem were held throughout the world. In December 2002, the
first Strategic congress on fighting e-crimes took place in London. In February
2003, the first international summit on fighting cybercrimes was held in the USA
(Atlanta) with the support of the Cybercrime Research Institute. Nevertheless,
the problem remains very acute and it will take much time to solve it.
A report by anti-virus vendor Symantec
found network-based attacks spiked 20 per cent in the last six months of 2002,
compared with the same period in 2001. It also found power and energy companies
attracted 60 per cent of targeted attacks, with telecommunications and financial
services companies following close behind. These attacks have made investors
wary of organisations that cannot demonstrate business continuity.
Outside the organisation, CIOs need to inquire about their ISPs' security
practices and appropriate routing strategies. Internally, "we should be looking
at the next generation of secure operating systems," for example Secure Linux,
Trusted Solaris and Hewlett-Packard's Virtual Vault.
All systems should have a minimum-security level of B1 by the Information
Technology Security Evaluation and Certification, a body that provides a uniform
standard of security certification. B1 certification requires mandatory access
control over named subjects and objects. “All Internet connected servers should
fall into that area.”
That should be the minimum due diligence for IT governance.
COMMENTS on Computer Misuse and CyberCrime Bill 2003
From the list above, spamming is also considered a cybercrime. However, the
Computer Misuse and Cybercrime Bill 2003 does not classify spamming as a cyber
crime and thus there is no penalty for this act.
The criminal liability of an Internet Service Provider (ISP) which is used to
disseminate criminal material (such as child pornography) is to be restricted by
law.
In general a provider will only be criminally liable if it knew or could have
known of the distribution of the punishable material and failed to take
countermeasures.
In addition e-mail is to receive statutory protection. If the mail is stored in
a mailbox, privacy of correspondence will apply, while during transport the
statutory tapping protection for telecommunications will apply.
In order to furnish clarity on the criminal liability of an ISP and to provide
the ISP with protection against frivolous prosecution, the prosecution-exclusion
grounds applying to publishers and printers have been extended to any
"intermediary" whose task it is to disseminate utterances, in word, picture,
sound or writing.
The inspection without consent of protected e-mail is a computer breach of the
peace. Another new element is the fact that it will become a punishable offence
for the provider to inspect mail without the user's consent. The requirement for
the protection of e-mail is a low-level one: a password is sufficient.
A legislative proposal that treats all computers as equal is therefore fraught
with danger, especially as many of the offences proposed do not require an
element of damage, physical or monetary, as a prerequisite for imposing criminal
liability. Caution therefore needs to be exercised to ensure that the new
offence provisions have adequately addressed this changed operating environment
and that they do not criminalise trivial matters or innocent behaviour.
Many of the problems and security breaches that are being experienced with
computer systems today are the result of inadequate security protections, faulty
or insecure software, or poorly qualified operators. If confidential information
were left lying around in a public place, would we charge the finder with a
criminal offence?
The proposals in the Bill are indeed controversial. The matter of Disclosure
Orders is aimed squarely at the problems presented by security passwords and,
more particularly, encrypted data. To the best of our knowledge, the only other
country that has previously tried to address this problem with specific
legislation is the U.K. with its highly reviled and controversial Regulation of
Investigatory Powers Bill 2000, more commonly known as the R.I.P. Bill.
One of the major problems with this Bill was its cursory treatment of the
requirement for persons to reveal encryption keys (in Part III - Investigation
of Electronic Data Protected by Encryption etc.).
There may sometimes be legitimate reasons why a private key or plain text could
not be handed over to a law enforcement agency, and it would be difficult for
the subject of a Disclosure Order to provide proof that they did not possess or
have access to a key or plain text. The prospect of users of encryption being
jailed despite having genuinely lost their private keys is a major and quite
legitimate concern. I believe that the proposed legislation should provide an
indication as to how those served with Disclosure Orders requiring plain text or
encryption keys can successfully demonstrate that they cannot comply with the
notice.
Furthermore, the 1997 OECD cryptography guidelines, which Australia has adopted,
specifically recognize the fundamental right of privacy in relation to encrypted
data:
Article 5.
The fundamental rights of individuals to privacy, including secrecy of
communications and protection of personal data, should be respected in national
cryptography policies and in the implementation and use of cryptographic
methods.
A further problem is that a single encryption key often serves the dual purpose
of ensuring confidentiality and providing secure authentication of the signatory
to a document (through a digital signature). Revealing the key (or the
passphrase thereto) can therefore compromise the integrity of the owner's
digital signature. (It should be noted that the person on whom the Disclosure
Order is served is not necessarily assumed to be guilty of an offence.)
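The dual-use problem described above, shown in running code. This is an added example and not part of the original commentary or the Bill; the function names (dualUse, splitKeys), the Outcome type and the sample messages are my own constructions, and the program uses only the Go standard library (crypto/rsa with OAEP and PSS, crypto/ed25519). The first function models one RSA key used for both decryption and signing: handing it over to recover plain text also lets the holder sign documents that verify under the owner's public key. The second keeps the signing key separate, so disclosing the decryption key recovers the plain text without touching signature integrity, which is the engineering mitigation to the concern the commentary raises.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Outcome records what a party holding the disclosed key material can do:
// recover the protected plain text, and produce a signature on a document the
// owner never signed that still verifies under the owner's public key.
type Outcome struct {
	PlaintextRecovered bool
	SignatureForgeable bool
}

// forgedDoc is a constructed document used to probe signature integrity.
var forgedDoc = []byte("constructed: document the key owner never signed")

// dualUse models the situation the commentary warns about: one RSA key pair
// serves both for OAEP decryption (confidentiality) and PSS signatures
// (authentication). Disclosing the private key to recover plain text therefore
// also hands over the ability to sign as the owner.
func dualUse(msg []byte) (Outcome, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, msg, nil)
	if err != nil {
		return Outcome{}, err
	}
	disclosed := key // the single key handed over under the order
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, disclosed, ct, nil)
	if err != nil {
		return Outcome{}, err
	}
	digest := sha256.Sum256(forgedDoc)
	sig, err := rsa.SignPSS(rand.Reader, disclosed, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Outcome{}, err
	}
	forgeable := rsa.VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
	return Outcome{PlaintextRecovered: bytes.Equal(pt, msg), SignatureForgeable: forgeable}, nil
}

// splitKeys keeps confidentiality and signing on independent keys. Only the
// RSA decryption key is disclosed; the Ed25519 signing key stays with the owner,
// so the holder of the disclosed material cannot produce a valid signature.
func splitKeys(msg []byte) (Outcome, error) {
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	sigPub, _, err := ed25519.GenerateKey(rand.Reader) // private half never leaves the owner
	if err != nil {
		return Outcome{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &encKey.PublicKey, msg, nil)
	if err != nil {
		return Outcome{}, err
	}
	disclosed := encKey // only the decryption key is handed over
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, disclosed, ct, nil)
	if err != nil {
		return Outcome{}, err
	}
	// Without the owner's signing key, the best available is a signature under
	// some other key; it does not verify against the owner's public key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	forgeable := ed25519.Verify(sigPub, forgedDoc, ed25519.Sign(otherPriv, forgedDoc))
	return Outcome{PlaintextRecovered: bytes.Equal(pt, msg), SignatureForgeable: forgeable}, nil
}

func main() {
	msg := []byte("constructed plain text protected by encryption")
	for name, run := range map[string]func([]byte) (Outcome, error){
		"single dual-use key": dualUse,
		"separate keys":       splitKeys,
	} {
		out, err := run(msg)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-20s plain text recovered=%v signature forgeable=%v\n",
			name, out.PlaintextRecovered, out.SignatureForgeable)
	}
}
```

The point for a legislature or a system designer is the same: a disclosure regime that demands "the key" is far less damaging to the subject when encryption and signing keys are generated and stored separately, because the decryption key alone recovers the plain text the order is after and nothing more.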
Clearly there is tension between privacy rights and legitimate law enforcement
needs. An approach needs to be found that balances these issues, or at least
recognises in the law that a failure to provide assistance is not automatically
a criminal offence.
The law enforcement provisions may also have the effect of over-riding the
common law privilege against self-incrimination. This situation could arise
where a person was compelled to reveal a password or encryption key as a
requirement of a Disclosure Order. The right to silence is a long-standing right
in most jurisdictions and it is unacceptable that it should be potentially
over-ridden in the Bill without strong justification or even acknowledgement.
The legislation should be carefully scrutinised to ensure that innocent
behaviour is not criminalised.
I. Search and seizure
1. The legal distinction between searching computer systems and seizing data
stored therein and intercepting data in the course of transmission should be
clearly delineated and applied.
2. Criminal procedural laws should permit Investigatory Authorities to search
computer systems and seize data under similar conditions as under traditional
powers of search and seizure. The person in charge of the system should be
informed that the system has been searched and of the kind of data that has been
seized. The legal remedies that are provided for in general against search and
seizure should be equally applicable in case of search in computer systems and
in case of seizure of data therein.
3. During the execution of a search, Investigatory Authorities should have
the power, subject to appropriate safeguards, to extend the search to other
computer systems within their jurisdiction which are connected by means of a
network and to seize the data therein, provided that immediate action is
required.
4. Where automatically processed data is functionally equivalent to a
traditional document, provisions in the criminal procedural law relating to
search and seizure of documents should apply equally to it.
II. Technical surveillance
5. In view of the convergence of information technology and
telecommunications, laws pertaining to technical surveillance for the purposes
of criminal investigations, such as interception of telecommunications, should
be reviewed and amended, where necessary, to ensure their applicability.
6. The law should permit Investigatory Authorities to avail themselves of all
necessary technical measures that enable the collection of traffic data in the
investigation of crimes.
7. When collected in the course of a criminal investigation and in particular
when obtained by means of intercepting telecommunications, data which is the
object of legal protection and processed by a computer system should be secured
in an appropriate manner.
8. Criminal procedural laws should be reviewed with a view to making possible
the interception of telecommunications and the collection of traffic data in the
investigation of serious offences against the confidentiality, integrity and
availability of telecommunication or computer systems.
III. Obligations to co-operate with the Investigatory Authorities
9. Subject to legal privileges or protection, most legal systems permit
Investigatory Authorities to order persons to hand over objects under their
control that are required to serve as evidence. In a parallel fashion,
provisions should be made for the power to order persons to submit any specified
data under their control in a computer system in the form required by the
Investigatory Authority.
10. Subject to legal privileges or protection, Investigatory Authorities
should have the power to order persons who have data in a computer system under
their control to provide all necessary information to enable access to a
computer system and the data therein. Criminal procedural law should ensure that
a similar order can be given to other persons who have knowledge about the
functioning of the computer system or measures applied to secure the data
therein.
11. Specific obligations should be imposed on operators of public and private
networks that offer telecommunication services to the public to avail themselves
of all necessary technical measures that enable the interception of
telecommunications by the Investigatory Authorities.
12. Specific obligations should be imposed on service-providers who offer
telecommunication services to the public, either through public or private
networks, to provide information to identify the user, when so ordered by the
competent Investigatory Authority.
IV. Electronic evidence
13. The common need to collect, preserve and present electronic evidence in
ways that best ensure and reflect their integrity and irrefutable authenticity,
both for the purposes of domestic prosecution and international co-operation,
should be recognised. Therefore, procedures and technical methods for handling
electronic evidence should be further developed, and particularly in such a way
as to ensure their compatibility between states. Criminal procedural law
provisions on evidence relating to traditional documents should similarly apply
to data stored in a computer system.
V. Use of encryption
14. Measures should be considered to minimise the negative effects of the use
of cryptography on the investigation of criminal offences, without affecting its
legitimate use more than is strictly necessary.
VI. Research, statistics and training
15. The risks involved in the development and application of information
technology with regard to the commission of criminal offences should be assessed
continuously. In order to enable the competent Authorities to keep abreast of
new phenomena in the field of computer-related offences and to develop
appropriate counter-measures, the collection and analysis of data on these
offences, including modus operandi and technical aspects, should be
furthered.
16. The establishment of specialised units for the investigation of offences,
the combating of which requires special expertise in information technology,
should be considered. Training programmes enabling criminal justice personnel to
avail themselves of expertise in this field should be furthered.
VII. International co-operation
17. The power to extend a search to other computer systems should also be
applicable when the system is located in a foreign jurisdiction, provided that
immediate action is required. In order to avoid possible violations of state
sovereignty or international law, an unambiguous legal basis for such extended
search and seizure should be established. Therefore, there is an urgent need for
negotiating international agreements as to how, when and to what extent such
search and seizure should be permitted.
18. Expedited and adequate procedures as well as a system of liaison should
be available according to which the Investigatory Authorities may request the
foreign Authorities to promptly collect evidence. For that purpose the requested
Authorities should be authorised to search a computer system and seize data with
a view to its subsequent transfer. The requested Authorities should also be
authorised to provide traffic data related to a specific telecommunication,
intercept a specific telecommunication or identify its source. For that purpose,
the existing mutual legal assistance instruments need to be supplemented.
Under US law, such an obligation is enshrined in the law:
Carriers are required to "facilitate authorized communications interceptions and
access to call-identifying information…in a manner that protects…the privacy and
security of communications and call-identifying information not authorized to be
intercepted;"
In the UK, the distinction is made between the communication and 'traffic data':
"(a) any data identifying, or purporting to identify, any person, apparatus or
location to or from which the communication is or may be transmitted,
(b) any data identifying or selecting, or purporting to identify or select,
apparatus through which, or by means of which, the communication is or may be
transmitted,
(c) any data comprising signals for the actuation of apparatus used for the
purposes of a telecommunication system for effecting (in whole or in part) the
transmission of any communication, and
(d) any data identifying the data or other data as data comprised in or attached
to a particular communication,
but that expression includes data identifying a computer file or computer
program access to which is obtained, or which is run, by means of the
communication to the extent only that the file or program is identified by
reference to the apparatus in which it is stored."
From a law enforcement perspective, the intangible nature of data generated by
the use of communications technologies creates obvious evidential problems
during an investigation. As a consequence, there have been some calls for a
legal obligation to be imposed upon ISPs to retain certain types of data for a
minimum period of time for the purpose of potential subsequent criminal
investigations. Such data retention obligations could be in respect of data
recorded by ISPs in the normal course of business (e.g. billing data), or could
encompass categories of data specifically identified as being of assistance in
any subsequent criminal investigation (e.g. Internet log-on session data).