Information technology continues to have an ever-growing impact upon society and the way that society conducts its affairs. Information and communications technologies have spread into almost every professional, commercial and industrial activity, and most organizations would find it difficult, if not impossible, to function without relying heavily on these technologies.
On the other hand, information and communications technologies have posed and continue to create novel and complex social and legal problems. Frequently, the law has been found wanting when dealing with the issues raised by these constantly evolving technologies, and legislators and the courts have often struggled to come to terms with the challenges raised by them.
An understanding of the legal issues involved remains of key importance to persons and organizations concerned with information and communications technology, and it is only armed with such understanding that they can satisfactorily address and cater for the problems raised by the development and use of these technologies.
Success in any field of human activity leads to crime that needs mechanisms to control it. Legal provisions should provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. The law is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyber space creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies. Back in 1990, less than 100,000 people were able to log on to the Internet worldwide. Now around 500 million people are hooked up to surf the net around the globe.
In many cases, law enforcement officers have lacked the tools needed to tackle the problem; old laws didn't quite fit the crimes being committed, new laws hadn't quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance.
Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathy or at the least, distrust between the two most important players in any effective fight against cyber crime: law enforcement agencies and computer professionals. Yet close cooperation between the two is crucial if we are to control the cyber crime problem and make the Internet a safe 'place' for its users.
Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cyber criminal.
IT professionals need good definitions of cybercrime in order to know when (and what) to report to police, but law enforcement agencies must have statutory definitions of specific crimes in order to charge a criminal with an offense. The first step in specifically defining individual cybercrimes is to sort all the acts that can be considered cybercrimes into organized categories.
In this assignment I will focus on various aspects of the issues and situations in cyber space, the types of cyber crimes, cyber crimes in various jurisdictions and the criminal justice system in Sri Lanka. For further understanding, I would like to state that I will explain the cyber crimes in cyber space as social issues in cyber space.
SOCIAL ISSUES AND CYBER SOCIAL ISSUES
In Sri Lanka we can identify some special social issues in ordinary circumstances. I will list those out as follows:
• Social disorganization
• Age and the life course
• Education and public schools
• Work and occupations
• Health and medicine
• Alcohol and drugs
• Crime and the justice system
• Environmental issues
Now I would like to list out the cyber crime issues in cyber space as follows:
• Data Theft
• Source Code Theft (Stealing Computer Programs)
• Denial of Service, Spreading Virus & Malicious Codes
• Defamation & Social Networking Abuse (e.g. Facebook etc.)
• Cyber pornography
• Child Pornography
• Email related crimes
• Cyber Stalking
• Cyber terrorism
• Intellectual Property crimes - software piracy, copyright infringement, trademark violations.
According to these two lists we can see that the social issues in ordinary circumstances and in cyber space are quite different. Therefore we have to go into depth here to recognize the major cyber issues in relation to the criminal justice system in Sri Lanka.
Cyber crime is the latest and perhaps the most complicated problem in the cyber world. 'Cyber crime may be said to be those species, of which, genus is the conventional crime, and where either the computer is an object or subject of the conduct constituting crime.' 'Any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes within the ambit of cyber crime.'
The computer may be used as a tool in the following kinds of activity: financial crimes, sale of illegal articles, pornography, online gambling, intellectual property crime, e-mail spoofing, forgery, cyber defamation, cyber stalking.
The computer may, however, be the target of unlawful acts in the following cases: unauthorized access to computer/computer system/computer networks, theft of information contained in electronic form, e-mail bombing, data diddling, salami attacks, logic bombs, Trojan attacks, internet time thefts, web jacking, theft of computer system, physically damaging the computer system.
United Nations' Definition of Cybercrime
Cybercrime spans not only state but national boundaries as well. Perhaps we should look to international organizations to provide a standard definition of the crime. At the Tenth United Nations Congress on the Prevention of Crime and Treatment of Offenders, in a workshop devoted to the issues of crimes related to computer networks, cybercrime was broken into two categories and defined thus:
a. Cybercrime in a narrow sense (computer crime): Any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them.
b. Cybercrime in a broader sense (computer-related crime): Any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession and offering or distributing information by means of a computer system or network.
In the present global situation cyber control mechanisms are important and we need to push cyber laws, but the real issue is how to prevent cyber crime. For this, there is a need to raise the probability of apprehension and conviction, and Sri Lanka needs total international cooperation with the specialized agencies of different countries. The police have to ensure that what they seized is exactly what was there at the scene of the crime, that it is the same material that has been analyzed, and that the report presented in court is based on this evidence. They have to maintain the chain of custody. The threat is not from the intelligence of criminals but from our ignorance and the will to fight it. The law is stricter now on producing evidence, especially where electronic documents are concerned.
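The chain-of-custody requirement described above can be checked mechanically. The following is an added example, not part of the original essay: it assumes the seized item is a disk image hashed with SHA-256 at seizure, and the function names, handlers and sample data are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field of a custody entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def add_entry(log: list, handler: str, action: str,
              evidence: bytes, timestamp: str) -> dict:
    """Append a custody record that is chained to the previous record."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp,
        "handler": handler,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),  # hash of what was handled
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify_custody(log: list, exhibit: bytes) -> list:
    """Return a list of problems; an empty list means the chain holds.

    Checks the three points from the text: the item seized, the item
    analyzed and the item presented in court must all be the same data,
    and no custody record may have been edited afterwards.
    """
    if not log:
        return ["custody log is empty"]
    problems = []
    seized_hash = log[0]["evidence_sha256"]
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number out of order")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record was altered after it was written")
        if entry["evidence_sha256"] != seized_hash:
            problems.append(f"entry {i}: evidence differs from what was seized")
        prev = entry["entry_hash"]
    if sha256_hex(exhibit) != seized_hash:
        problems.append("exhibit presented in court differs from what was seized")
    return problems


def build_demo_log():
    """Constructed sample: one disk image passing through three handlers."""
    disk_image = b"constructed sample bytes standing in for a seized disk image"
    log = []
    add_entry(log, "Officer A", "seized at scene", disk_image,
              "2013-05-01T09:00:00")
    add_entry(log, "Evidence clerk B", "received into storage", disk_image,
              "2013-05-01T14:30:00")
    add_entry(log, "Analyst C", "imaged and analyzed", disk_image,
              "2013-05-03T10:15:00")
    return log, disk_image


if __name__ == "__main__":
    log, image = build_demo_log()
    print("intact chain:", verify_custody(log, image))
    print("modified exhibit:", verify_custody(log, image + b"!"))
    # Note: a hash chain only detects edits to individual records. Someone
    # who can rewrite the whole log can rebuild it, so in practice the
    # latest entry_hash is also signed or recorded somewhere independent.
```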
CLASSIFICATION OF CYBER CRIMES
The subject of cyber crime may be broadly classified under the following four groups.
01. Against Individuals
i. Harassment via e-mails.
iii. Dissemination of obscene material.
v. Unauthorized control/access over computer system.
vi. Indecent exposure
vii. Email spoofing
viii. Cheating & Fraud
02. Against Individual Property: -
i. Computer vandalism.
ii. Transmitting virus.
iii. Unauthorized control/access over computer system.
iv. Intellectual Property crimes
v. Internet time thefts
03. Against Organization: -
i. Unauthorized control/access over computer system
ii. Possession of unauthorized information.
iii. Cyber terrorism against the government organization.
iv. Distribution of pirated software etc.
04. Against Society at large:
i. Pornography (basically child pornography).
ii. Polluting the youth through indecent exposure.
iv. Financial crimes
v. Sale of illegal articles
vi. Online gambling
TYPES OF CYBER CRIMES AND SOCIAL ISSUES IN CYBER SPACE
• Unauthorized access to computer systems or networks / Hacking- This kind of offence is normally referred to as hacking in the generic sense. However, the framers of the Information Technology Act 2000 have nowhere used this term, so to avoid any confusion we will not use the word hacking interchangeably with 'unauthorized access', as the latter has a wide connotation.
• Theft of information contained in electronic form- This includes information stored in computer hard disks, removable storage media etc. Theft may be either by appropriating the data physically or by tampering with them through the virtual medium.
• Email bombing- This kind of activity refers to sending large numbers of mails to the victim, which may be an individual or a company or even mail servers, thereby ultimately resulting in a crash.
• Data diddling- This kind of attack involves altering raw data just before a computer processes it and then changing it back after the processing is completed. The electricity board faced a similar problem of data diddling while the department was being computerized.
• Salami attacks- This kind of crime is normally prevalent in financial institutions or for the purpose of committing financial crimes. An important feature of this type of offence is that the alteration is so small that it would normally go unnoticed.
• Denial of Service attack- The computer of the victim is flooded with more requests than it can handle, which causes it to crash. A Distributed Denial of Service (DDoS) attack is also a type of denial of service attack, in which the offenders are wide in number and widespread. E.g. Amazon, Yahoo.
• Virus / worm attacks- Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly till they eat up all the available space on a computer's memory. E.g. the love bug virus, which affected at least 5% of the computers of the globe. The losses were accounted to be $10 million. The world's most famous worm was the Internet worm let loose on the Internet by Robert Morris sometime in 1988.
• Logic bombs- These are event dependent programs. This implies that these programs are created to do something only when a certain event occurs.
• Trojan attacks- This term has its origin in the word 'Trojan horse'. In the software field this means an unauthorized programme, which passively gains control over another's system by representing itself as an authorized programme. The most common form of installing a Trojan is through e-mail. E.g. a Trojan was installed in the computer of a lady film director in the U.S. while chatting. The cyber criminal, through the web cam installed in the computer, obtained her nude photographs. He further harassed this lady.
• Internet time thefts- Normally in these kinds of thefts the Internet surfing hours of the victim are used up by another person. This is done by gaining access to the login ID and the password.
• Web jacking- This term is derived from the term hijacking. In these kinds of offences the hacker gains access to and control over the web site of another. He may even mutilate or change the information on the site. This may be done for fulfilling political objectives or for money.
• Phishing- It is the process by which someone obtains private information through deceptive or illicit means in order to falsely assume another person's identity. The phisher will use spoofed emails to lead the recipient to counterfeit websites. Once there, the victim is tricked into divulging credit card information, account usernames and passwords, social security numbers, etc. E.g. "Verify your account". Businesses should not ask us to send passwords, login names, or other personal information through e-mail. If we receive an e-mail message from Google asking us to update our credit card information, it is a phishing scam.
• Intellectual Property rights violations
Intellectual property law is important because it is the key to protecting innovation in computer hardware and software in its widest sense. Intellectual property rights include copyright, the law of confidence, design rights, trade marks, patents and regulations to protect integrated circuits etc.
These rights provide a basic framework of protection from piracy and plagiarism for computer programs, databases and works created using a computer and works or other information created, stored, made available online and transmitted digitally.
• Facebook issue
Cyber social networks are popular platforms for interaction, communication and collaboration between friends.
Facebook, as one of these social networks, has become a popular social medium among contemporary Sri Lankan youth. But in today's context Facebook has become a nuisance to society, because in the past there were some suicide issues in relation to Facebook.
On the other hand, a massive attack was carried out through 'Facebook' against Muslims in Sri Lanka.
'There are attempts by some people to interpret suicides committed by four young women during the past two months as deaths that occurred due to 'Facebook'. Certain media had reported these deaths as 'another death due to 'Facebook'. There is a dialogue in the society as well regarding these events. Now the intention of the government in Sri Lanka to ban 'Facebook' using the suicide committed by a married woman at Padukka, the deaths of Inusha Imandi of Kothalawala, Kurunegala, Dinishika Kannangara of Pitigala in Elpitiya and the student at Polpithigama should be recognized.
One of the four deaths was due to an illicit affair. There had been various incidents that have been reported due to illicit affairs. The girl at Kurunegala committed suicide due to frustration as a result of the punishment meted out to her. The death of the young woman at Pitigala was due to the love industry created by the present society. Present day young women have been subjected to an inferiority complex that only beautiful people can have love affairs. It is a result of the love commercial industry created by capitalism. The suicide committed by the student at Polpithigama was due to the absence of a person with whom she could discuss her frustration and mental stress. Therefore, on the one hand, these kinds of useless actions are happening not because of Facebook. People have the responsibility to protect their lives and they have a duty to maintain their privacy on these social networks.
According to reports compiled by psychiatrists and researchers Sri Lanka is placed 11th in the number of suicides committed in the world. Annually about 4000 commit suicide in the country. The number of suicides by young people in Sri Lanka is higher. We are placed 5th in suicides by young people. Our country is placed 2nd in suicides by young women and girls aged between 10 and 29. Latest research reports state that when one person commits suicide 20 others attempt suicide. It is also stated that the number of suicides is low due to emergency health care.
The reasons for many of these suicides are poverty, failure in examinations, breaking down of love affairs, drunkenness, domestic quarrels and violence, abuse, marginalization and mental sickness. But the majority position in society goes against social networks like Facebook and Twitter. However, these kinds of issues become major social issues in cyber space.
• Social and cultural issues relating to gender and ICT
In our society there are many situations of gender discrimination. Especially in relation to ICT there are social issues like the accessibility of ICT to women and harassment using ICT. Women tend to have less access than men to those ICT facilities that do exist. Frequently, rural information centers or cyber cafes are located in places that women may not be comfortable frequenting. Since most communications facilities in rural areas are shared public access, women also have problems of time. Given multiple roles and heavy domestic responsibilities, their leisure hours are few, and the centers may not be open when women can visit them. Or they may be open in the evenings, when it is problematic for women to visit them and return safely to their homes in the dark. Their mobility and access to transport to those areas are also more limited than those of men. Some accommodations that may be needed to ensure gender equality in access to and use of ICTs are adaptation of schedules to suit women's hours and availability of women support staff and trainers.
Another cultural aspect of gender and ICTs is gender bias in attitudes towards women studying or using information technology. Throughout the world, there are problems in attracting young women to science and technology studies. The problem is worse in Africa than in any other region. 'Many (predominantly male) math and science teachers in Africa hold outmoded views that girls cannot think or work scientifically and that science is too mechanical and technical for girls, thus discouraging female students.'
In some Pacific countries (especially those of Melanesia) traditional cultural attitudes discriminate against women having access to education and technology. Girls are encouraged to take any job or get married rather than seek higher education. The alternative of doing two things at the same time is not realistically entertained.
Sometimes collateral cultural factors, other cultural attitudes based in gender bias, and not the immediate gender identification of technology use, prevent young girls and women from accessing and using ICTs. In Uganda, girls did not get access to the limited number of computers installed in school because of the socio-cultural norm that 'girls do not run.' As a result, boys ran and got to the computers first and refused to give them up to girls. 'In India, in the well-known 'hole in the wall' experiment, the aggressiveness of boys pushing away girls prevented the girls from using the computers.'
We can consider the above acts as the major cyber crimes and social issues in cyber space in the world. In the context of the criminal justice system in Sri Lanka we can identify another major issue: cyber terrorism. Now I will explain cyber terrorism from a broader perspective.
DEFINITION OF THE CYBERTERRORISM
Defines cyber terrorism as "The use of computer network tools to shut down critical national infrastructure (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population"
The United States Federal Bureau of Investigation (FBI) defines 'Terrorism as the unlawful use of force or violence, committed by a group(s) of two or more individuals, against persons or property, to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives'.
Since cyber terrorism covers a vast area of technical aspects it is required to know the exact differences between the following:
i. Hacker: A term used by some to mean "a clever programmer" and by others, especially those in popular media, to mean "someone who tries to break into computer systems."
ii. White hat: A hacker who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that will allow the system's owners to fix the breach before it can be taken advantage of by others.
iii. Black hat: A hacker who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers and/or the public without notifying the victim. This gives others the opportunity to exploit the vulnerability before the organization is able to secure it.
iv. Grey hat: A hacker who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners. Unlike a black hat, a grey hat acts without malicious intent. The goal of a grey hat is to improve system and network security. However, by publicizing a vulnerability, the grey hat may give other hackers the opportunity to exploit it. This differs from the white hat, who alerts system owners and vendors to a vulnerability without actually exploiting it in public.
v. Phishing: An e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition, like the fishing expedition it's named for, is a speculative venture. The phisher puts out the lure hoping to fool at least a few of the prey that encounter the bait.
vi. Rootkit: A collection of tools or programs that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.
vii. Spam: The use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social networking spam, social spam, television advertising and file sharing network spam.
viii. Spyware: Any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is a programme that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.
ix. Trojan horse: A program in which malicious or harmful code is contained inside an apparently harmless programme or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. A Trojan horse may be widely redistributed as part of a computer virus.
x. Virus: A program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD. The immediate source of the e-mail note, downloaded file, or diskette you've received is usually unaware that it contains a virus. A virus that replicates itself by resending itself as an e-mail attachment or as part of a network message is known as a worm.
THE MAJOR HACKING EVENTS WORLD EXPERIENCED.
Hacking has been around for decades. During the 1960s, the word "hacker" grew to prominence describing a person with strong computer skills, an extensive understanding of how computer programs worked, and a driving curiosity about computer systems. Hacking, however, soon became nearly synonymous with illegal activity. While the first incidents of hacking dealt with breaking into phone systems, hackers also began diving into computer systems as technology advanced. Today's crimes are often financially-motivated fraud. There are some major hacking incidents that made some of the biggest headlines in history.
In 1994: Russian hackers siphon $10 million from Citibank and transfer the money to bank accounts around the world. Vladimir Levin, the 30-year-old ringleader, uses his work laptop after hours to transfer the funds to accounts in Finland and Israel. Levin stands trial in the United States and is sentenced to three years in prison.
In 1996: i. Hackers alter Web sites of the United States Department of Justice (August), the CIA (October), and the U.S. Air Force (December). ii. Canadian hacker group, Brotherhood, breaks into the Canadian Broadcasting Corporation. iii. The U.S. General Accounting Office reports that hackers attempted to break into Defense Department computer files some 250,000 times in 1995 alone. According to the report about 65 percent of the attempts were successful.
In 1997: i. A 15-year-old Croatian youth penetrates computers at a U.S. Air Force base in Guam. ii. First high-profile attacks on Microsoft's Windows NT operating system.
In 1998: i. January: Yahoo notifies Internet users that anyone visiting its site in recent weeks might have downloaded a logic bomb and worm planted by hackers claiming a "logic bomb" will go off if Kevin Mitnick is not released from prison. ii. Ethnic Tamil guerrillas swamped Sri Lankan embassies with over 800 e-mails a day for more than two weeks. The messages read: 'We are the Internet Black Tigers and we're doing this to disrupt your communications.' Intelligence authorities characterized it as the first known attack by terrorists against a country's IT infrastructure.
In 1999: i. Software security goes mainstream in the wake of Microsoft's Windows 98 release, and 1999 becomes a banner year for security (and hacking). Hundreds of advisories and patches were released in response to newly found (and widely publicized) bugs in Windows and other commercial software products. A host of security software vendors release anti-hacking products for use on home computers. ii. The Melissa worm is released and quickly becomes the most costly malware outbreak to date. iii. 'Level Seven' hacks the U.S. Embassy in China's Web site and places racist, anti-government slogans on the embassy site in regards to the 1998 U.S. embassy bombings.
In 2000: The I LOVE YOU worm, also known as VBS/Love letter and Love Bug worm, is a computer worm written in VBScript. It infected millions of computers worldwide within a few hours of its release. It is considered to be one of the most damaging worms ever. It originated in the Philippines, made by an AMA Computer College student for his thesis.
In 2010: i. UN Department of Safety and Security hacked by Turkish hacker DigitALL (1923Turk). ii. The Stuxnet worm is found by VirusBlokAda. Stuxnet was unusual in that while it spread via Windows computers, its payload targeted just one specific model and type of SCADA system. It slowly became clear that it was a cyber-attack on Iran's nuclear facilities, with most experts believing that Israel was behind it, perhaps with US help.
In one of the first events to really bring 'hacktivism' to the attention of the mainstream press, it was reported that some of the documents stolen by Anonymous revealed HB Gary Federal was working with Bank of America (BOA) to respond to Wikileaks' planned release of BOA's internal documents. The HB Gary documents detailed some planned shady tactics, including launching a 'dirty tricks' campaign against Wikileaks and disrupting a Salon.com reporter who was assumed to be sympathetic to Wikileaks.
SRI LANKAN EXPERIENCES OF CYBER TERRORISM.
Sri Lanka, for the second time in three years, grabbed the attention of cyber security experts when a new computer virus started circulating around the globe last week. In its original form, the virus displays a message box entitled "Mawanella" and copies itself to the hard disk and thereafter replicates itself, copying the virus code to all out-going email messages from the infected computer. The virus code is based on the now infamous "Love Bug" virus, which originated from the Philippines, in 1997.
LTTE cyber attack on Sri Lanka Army website. Sri Lankan Army site 'assassinated' by rebels: 'Horrible' and 'gruesome' [1st May 2009]. "Sri Lanka Army's official news wing (www.army.lk) has been illegally hacked and technically 'assassinated' by suspected Tiger terrorists or their proxies, during the wee hours on Friday (1st May), inserting some horrible and gruesome images." "This new form of information 'terrorism' is a criminal offence that can be subjected to prosecution, according to international legal provisions." The attack on the www.army.lk site sent army technicians scrambling to remove the content. By Friday afternoon California time, the site appeared to be running normally.
Another government website has been hacked by suspected Tiger rebels, the Government Information Department said. The government news portal www.Lankapuvath.lk has come under a cyber attack this morning by suspected LTTE hackers.
SRI LANKAN CRIMINAL JUSTICE SYSTEM
GOVERNMENT'S PERSPECTIVE SRI LANKA'S LEGISLATIONS ON CYBER ISSUES
The law regarding legal security and the copyright laws in Sri Lanka are based on English law. English law and Sri Lankan law have common features with regard to e-media. Furthermore, in Sri Lanka there is no difference between domestic law and international law regarding cyber-terrorism.
Several pieces of legislation have been passed by Parliament recently.
i. Information and Communication Technology Act (No.27 of 2003)
ii. Evidence (Special Provisions) Act (No. 14 of 1995)
iii. Intellectual Property Act (No. 36 of 2003) (Sections related to Copyright)
iv. Electronic Transactions Act (No. 19 of 2006)
v. Computer Crimes Act (No. 24 of 2007)
vi. Payment And Settlement Systems Act, (No. 28 of 2005)
vii. Payment Devices Frauds Act (No.30 of 2006)
Information and Communication Technology Act (No.27 of 2003)
This act was developed to improve ICT and resolve its disputes efficiently. In the UK there are several laws such as the Computer Misuse Act (1990), Trade Marks Act (1994), Defamation Act (1996), Data Protection Act (1998), the Copyright and Related Regulations (1996), Electronic Communication Act (2000), Telecommunications Regulations (1999) and the Consumer Protection (Distance Selling) Regulations (2000).
This act establishes a national committee on Information and Communication Technology in Sri Lanka and provides for the introduction of a national policy on ICT and for the preparation of an action plan.
Intellectual Property Act (No. 36 of 2003) (Sections related to Copyright)
Here we are mainly considering the copyright sections of this act. According to the act, copyright means the rights given by law to creators for their literary and artistic works. The rights take two forms:
i. Economic rights
ii. Moral rights.
Copyright protects the rights of the authors of literary and artistic works and ensures them the economic benefits and recognition, thereby promoting creativity in literary and artistic fields and investment. Such creations enhance economic development, education, culture, and enjoyment of life. When it comes to cyber terrorism, the act deals with software matters or any matter related to computers.
Electronic Transactions Act (No. 19 of 2006)
This act deals with the creation and exchange of data messages, electronic documents, electronic records and other communications in electronic form in Sri Lanka. And it provides for the appointment of a certification authority and accreditation of certification service providers.
Computer Crimes Act (No. 24 of 2007)
This is an act to provide for the identification of computer crime and to provide the procedure for the investigation and prevention of such crimes; and to provide for matters connected therewith and incidental. The Sri Lankan Computer Crimes Act No. 24 of 2007 primarily addresses computer-related crimes and hacking offences. Content-related offences are being addressed through a series of changes to the Penal Code and other statutory provisions.
Societies globally are increasingly reliant on information and communication technologies (ICT) and are thus susceptible to risks such as cyber-crime, which involves the misuse of technology. To deal with this, Sri Lanka introduced the Computer Crimes Act No. 24 of 2007, which came into operation on July 15, 2008.
Apart from offering a better way of life for the community, the fast growth of ICT raises essential questions regarding the storage of personal information, privacy, data protection and crime. Computer systems are not only targets of criminal activity but are also important tools used in the commission of other offences such as fraud, scams, forgery, damage, removal of business details and destruction of computer functions. The phrase 'Computer Crime' is a common phrase used to describe all criminal offences or frauds that are linked with or related to computers and IT.
Generally, computer crime consists of three components:
i. Computer-related crimes: computers used as a tool for criminal activity such as theft, fraud, etc.
ii. Hacking offences: offences which affect the integrity, availability and confidentiality of a computer system or network (this also includes the introduction of viruses, worms, etc.).
iii. Content-related cyber crime: where computers together with Internet resources are used to distribute illegal data, e.g. Internet-based pornography and criminal copyright infringement.
The Sri Lankan Computer Crime Act consists of 38 chapters, and all of these rules and regulations are set out in the Act. Obtaining unauthorized access to a computer or network (computer hacking and cracking), unlawfully modifying a computer or network, offences committed against national security, dealing with data unlawfully obtained, illegal interception of data, using an illegal device, and unauthorized disclosure of information enabling access to a service are the offences defined under sections 3 to 10 of the Act respectively. It states:
The illustrations given in the Act state that for any unauthorized modification or damage or potential damage to take place, any one of the following should occur:
i. Impairing the operation of any computer, computer system or the reliability of any data or information held in any computer; or
ii. Destroying, deleting or corrupting or adding, moving or altering any information held in any computer;
iii. Making use of a computer service involving computer time and data processing for the storage or retrieval of data;
iv. Introducing a computer program which will have the effect of malfunctioning of a computer or falsifies the data or any information held in any computer or computer system (e.g. viruses, worms, etc.).
In addition, the following offences are also included in the Computer Crime Act: unauthorized obtaining of information from a computer or a storage medium; unauthorized use of a computer service and interception of data; selling, importing or distributing any device or computer access code or password for the commission of offences under the Act; and providing access information to a service without authority or in breach of a contract. Sections 15 and 16 of the Act deal with investigations in connection with offences under the Act. To achieve this objective, the Act provides for a panel of experts to assist the police in the investigation of computer crime offences. In terms of the role envisaged for the experts, they will act under the legislation only when their assistance is called for. The Act gives the experts specific powers, such as visiting the scene of a crime for purposes of investigation and accessing and analysing computers, data or information held in a computer.
A panel of experts will be appointed by the Minister in charge of the subject of Science and Technology. The qualifications, experience and remuneration of such experts are set out in section 17 of the Act.
Section 18 of the Act states that experts called upon to assist any police officer shall have power to: enter any premises along with a police officer not below the rank of sub-inspector; access any information system, computer or computer system, or any program, data or information held in such computer, to perform any function or to do any such other thing; require any person to disclose any traffic data; orally examine any person; and do such other things as may be reasonably required for the purposes of the Act. Further, sections 19 and 21 provide that, where preservation of information is reasonably required for the purposes of an investigation, an expert or police officer has powers to arrest, search and seize any information accessible within any premises without a warrant in the course of the investigation.
Sections 23, 24, 28 and 29 relate to the duties of the investigator. Section 28 provides immunity from legal proceedings for experts (who are peace officers under section 29 of the Act) and police officers appointed for investigations under the Act.
Section 33 of the Act provides that, where a request is made to the Government of Sri Lanka by or on behalf of another Government for the extradition of a person accused or convicted of an offence under this Act, the Minister shall forthwith notify the requesting Government of the measures which the Government of Sri Lanka has taken, or proposes to take, to extradite the person for that offence. The rights of non-resident persons arrested under this Act are specified in Section 34 of the Act.
Under section 35 of the Computer Crime Act the provisions of the Mutual Assistance in Criminal Matters Act No. 25 of 2002 are applicable for the investigation and prosecution of the offences under the Computer Crime Act.
The provisions of the Mutual Assistance in Criminal Matters Act set out the procedure to be followed when a Sri Lankan authority makes a request to the authority of a foreign State, and vice versa, for the transfer of evidence, things, witnesses and accused persons, and the procedure to be followed after such a request has been complied with.
Other computer related offences are:
i. Publication of an obscene article electronically may be a criminal offence under amended section 2 of the Obscene Publication Ordinance, No. 22 of 1983.
ii. Section 286B of the Penal Code (Amendment Act No. 16 of 2006) introduced an offence based on the duty of a person providing a service by computer to prevent sexual abuse of a child; a person who contravenes this duty shall be guilty of an offence.
iii. Further, storing or distributing child pornography by e-mail and the Internet may be an offence under section 286(c) of the Penal Code (Amendment) No. 22 of 1995 read with the provisions of the Electronic Transactions Act No. 19 of 2006.
However, it is time to bring new amendments to the same law to avoid certain unnecessary disputes that arise over the interpretation of the creation of pseudo-photographs under this Ordinance.
When compared with other countries' legislative enactments on cyber crimes, the adequacy of Sri Lankan legislation needs to be examined by considering the provisions of the Computer Crimes Act No. 24 of 2007 in the light of Indian legislation.
Sri Lanka's legislative enactment on cyber crimes is the Computer Crimes Act No. 24 of 2007, and the Indian legislation is the Information Technology Act 2000 and its Amendment Act of 2008, which is known as the Cyber law. Securing unauthorized access to a computer is an offence, and Section 2 of the Sri Lankan Computer Crimes Act and Section 1(2) of the Indian IT Act both state that a person can commit an offence while in the country or outside the country, and that the affected media can likewise be in or outside the country. Under Section 75 of the Indian IT Act the offender can be of another nationality if he commits the offence against a computer or network located in India. Therefore both India and Sri Lanka have extended their legislative application to identify offenders even outside their jurisdictions. Section 3 of the Sri Lankan Computer Crimes Act covers unauthorized access, and similarly the Indian IT Act covers it under the cyber security provisions of Section 2 of the Act.
Section 6 of the Sri Lankan Computer Crimes Act provides that a person who commits offences against national security, the national economy or public order shall be guilty of an offence. The Indian IT Act covers this area under Section 70. Illegal interception of data is an offence under Section 8 of the Sri Lankan Computer Crimes Act, and Section 9 states that using illegal devices is an offence; for this offence, using a computer password or access code to access the computer is sufficient. Similarly, using another's password or unique identification code is a punishable offence under Section 66C of the Indian IT Act.
Part II of the Sri Lankan Computer Crimes Act deals with investigation procedures and the appointment of a panel of experts for such investigations. The Code of Criminal Procedure Act, No. 15 of 1979 applies to Section 15, and the appointment of a panel of experts is provided for under Section 17 (Code of Criminal Procedure Act No.15, 1979). Experts in this section are persons who have electronic engineering or software engineering qualifications to assist police officers. By comparison, the Indian IT Act applies the Indian Code of Criminal Procedure 1973 to investigations.
Both the Sri Lankan Computer Crimes Act and the Indian IT Act contain provisions to appoint computer emergency response teams, termed Sri Lanka CERT and Indian CERT respectively. Punishment by way of fines and imprisonment is a key feature of both Sri Lankan and Indian computer crimes legislation, and the minimum and maximum periods of imprisonment have been defined. However, the Indian IT Act provides a separate chapter on offences.
Chapter 38 of the Intellectual Property Act No.36 of 2003 defines the Offences and Penalties against violation of Intellectual Property Rights and these provisions are applicable for Intellectual Property Rights violations in cyber space as well.
Under the Sri Lanka Telecommunications Act No. 25 of 1991, 'intrusion' and 'interception and disclosure of contents of message' by telecommunication officials, other than in the course of their duty, are offences under sections 52-54 of the Act. "Usage information" means information relating to the identity of the calling subscriber, the called subscriber, the date and time of origination of the message and the type of message, for the purposes of sections 52 and 54.
The provisions of the Code of Criminal Procedure Act No. 19 of 1979 are applicable to investigations of these offences. The Payment Devices Frauds Act was introduced to deal with fraudulent transactions taking place in connection with electronic devices, and provisions on procedural matters similar to those of the Computer Crime Act can be found in that Act as well.
Offences under this Act are cognizable offences. Section 12 deals with the confidentiality of information obtained in the course of an investigation. Even though Sri Lanka currently has measures for fighting crime, such as the measure against communication that incites national hatred, the new law is intended to help deal with these concerns better. We still need more training and attention.
Sri Lanka is fully supportive of the approach adopted by the Council of Europe and is actively looking at the options for acceding to the Convention. Initial steps have already been taken by the government in this regard, and it is expected that formal dialogue would be started with the Council of Europe for this purpose during 2009.
ACTIONS TAKEN BY THE SRI LANKAN GOVERNMENT
With the rapid development of the Internet, many economies are now increasingly dependent on public network applications such as online banking, online stock trading, e-business, e-government and e-customs. The protection of the various national information infrastructures that make up this new and emerging e-economy is critical to a country's political and economic stability and security. The need to protect these critical national information infrastructures is also urgent.
Attacks on information infrastructures are increasing in frequency, sophistication and scale. For example, the Code Red II Internet worm integrated characteristics of a computer virus, Trojan, Worm and Hacking activity to propagate quickly across the Internet and infect massive numbers of host computers.
When discussing the Sri Lankan situation it is necessary to understand the background. Sri Lanka's telecommunication regulator is the Telecommunication Regulatory Commission Sri Lanka (TRCSL), and its main objective is to ensure the availability of advanced, high-quality service throughout the country at an affordable price. TRCSL engages directly with the telecommunication service providers to ensure that this aim is being achieved, and also regulates the services provided by drafting policies in the field of telecommunication.
The Information and Communication Technology Agency of Sri Lanka (ICTA), which is fully owned by the Sri Lankan government, works along with TRCSL in implementing the policies, building up ICT-related infrastructure and providing ICT training, with the aim of making Sri Lanka an IT-savvy country.
With funding from the World Bank, ICTA is conducting programmes to develop ICT infrastructure, and it has been a major contributor to achieving the country's development objectives through growth in Connectivity, Accessibility and Content. Sri Lanka's Network Readiness Index has risen significantly in recent years and, compared with Pakistan, a similar South Asian developing country, Sri Lanka is in a comprehensive position.
These development projects have made a significant change to society at large, and this positive transformation has brought some unavoidable drawbacks too. The new IT-educated younger generation is involved in cyber-related crimes more often, and as a result vulnerabilities are growing within the networks. To address this urgent need, countries have established Incident Response Teams, and in Sri Lanka the national CERT is SLCERT (Sri Lanka Computer Emergency Readiness Team), which is a fully owned subsidiary of ICTA (Information and Communication Technology Agency of Sri Lanka).
A national CERT (Computer Emergency Readiness Team) is an organization which acts as the focal point for the cyber security of a nation. It can be regarded as the most trusted source of advice about the latest threats and vulnerabilities affecting computer systems and networks, and as a source of expert assistance in responding to and recovering from cyber attacks.
Since the inception of Sri Lanka CERT in 2006 the rate of incident reporting has increased rapidly: in 2010 there were only 151 reported incidents, whereas in 2011 there were 1469, and all of these incidents have been resolved satisfactorily.
The following table shows the incidents reported in 2011.

| Type of Incident | No. |
| --- | --- |
| Hate/Threat Mail | 3 |
| Unauthorized Access | 3 |
| Intellectual property violation | 5 |
| Social Network Accounts | 1,425 |
Professionals believe that security is in the hands of the users themselves, and SLCERT always focuses on the personal security of the user. To begin with, SLCERT encourages users to use genuine software as much as possible to ensure a high level of security, and also provides guidelines for achieving a high level of privacy within the network.
SLCERT provides its expertise through consultancy services to government organizations, non-government organizations, various institutions and individuals.
It provides technical consultancy through ethical hacking and penetration testing, and issues a security certification for the network's security level. Furthermore, it provides legal consultancy if needed during an incident.
The present Sri Lankan legislation does not specifically cover cyber crimes to the level of global standards, whereas the Indian legislation has mostly addressed the cyber crimes issue.
The conclusion stresses that the existing legislation and litigation are not by themselves sufficient to overcome these ever-increasing crimes; new security measures must also be found, in addition to the existing ones, to defeat hackers and strengthen computer systems against possible cyber attacks.
Traditional crime moved online long ago. This includes crimes like money laundering, child pornography, sexual exploitation of children, sale and trafficking of illegal drugs, prostitution, internet fraud, credit card fraud, illegal gambling, hate propaganda, racism crimes, intellectual property theft, piracy, harassment, stalking, threats, extortion, identity theft and many more.
Cybercrime is a rather novel aspect of criminal activity for Sri Lankan society. With the advancement of information technology and knowledge of computer science among Sri Lankans, some individuals have turned to cybercrime as a means of acquiring wealth in an unlawful and undetected manner, and also of achieving political and social status. Cybercrime is mostly committed by educated youth. There has been an increase in cybercrime complaints within the last year, according to the Sri Lanka Computer Emergency Response Team (SLCERT). In the recent past, an increase in the number of cyber-criminal activities in Sri Lanka has been observed. A representative of SLCERT said that most complaints are related to hacking of passwords, stealing of information and demanding of ransoms, in addition to Facebook and credit card related crimes.
Cyber crime has become a major topic in Sri Lanka for various reasons. The most significant is the lack of implementation of policies and regulations that have already been enacted to regulate illegal activities in cyberspace and to mitigate misconduct; in Sri Lanka most of them are ignored by the law enforcement authorities, and as a result criminals are acting without any restraint.
The responsibility of the Government is to make sure that national systems are protected and have not been compromised. To accomplish this, the country's internet activities need to be harmonized at the institutional level and at the regional and provincial levels, and this has to be led by the top organization for internet protection in Sri Lanka, Sri Lanka CERT.
One of the arguments always advanced to justify this stand of non-enactment is that 'the measures suggested are not adequate to deal with the problem'. It must be appreciated that 'something is better than nothing'. The ultimate solution to any problem is not to enact a plethora of statutes but to enforce them rigorously and with dedication. The courts may apply the existing laws in a progressive, updating and purposive manner. It must be appreciated that it is not the 'enactment' of a law but the desire, will and effort to accept and enforce it in its true letter and spirit that can confer the strongest, most secure and safest protection for any purpose. The enforcement of these rights requires a 'qualitative effort' and not a 'quantitative effort'. Thus, until a law dealing expressly with cyber terrorism is enacted, we must not feel shy or hesitant about using the existing provisions.