sign in sign up
<<
Home , Convention on Cybercrime

AN EVALUATION OF THE LEGAL FRAMEWORK OF CYBER-CRIMES IN

DAMITHRI KODITHUWAKKU

Attorney-at-law, LL.B(Hons)(United Kingdom)

Technical infrastructure of today’s world new means of committing traditional crimes highly depends on . Social, political, have been discovered. business, education, health, leisure and “The computer is rapidly increasing entertainment, media practices of people are society’s dependence upon it, with the highly influenced with the rapid result that society becomes development of Information technology. progressively more vulnerable to Internet has become the basic tool which computer malfunction, whether facilitates the global communication and all accidental or deliberately induced, and are provided with increased opportunities in to computer manipulation and white- the global cyber arena.1 With the color law-breaking”.2 development of Information technology to cater human needs using virtual dimension, With the emerging use of information ordinary services have converted into technology and computers related crimes electronic forms and the E-Banking, E- have become a global concern. Gradually Business, Communication, Education and E- almost all the electronic devices including Governance fields are highly utilised. smartphones, tablets, watches, health Despite the all advantages of IT related devices would have a distinct developments number of crimes relating to Internet Protocol (IP) address and with the IT have been increasing and more people facility to connected to the internet and as a become vulnerable each day. result of that vulnerability of users get

With the rapid development in technology increased and attacks on these devises could 3 and the internet, new types of crimes and damage the core functions of the society. As a result of storage of confidential information, privacy and data protection has

2 1 KennedyD Gunawardana , 'Current Status of Information C. G. Weeramantry, Justice Without Frontiers: Furthering Human Rights, (First published 1997, Published online by Technology And Its Issues in Sri Lanka ' [September - Cambridge University Press: 27 February 2017) 259 December, 2007] Vol 15(No3 )International Journal of The 3 Computer, the Internet and Jayantha Fernando, ‘THE IMPACT OF THE BUDAPEST CONVENTION ON SRI LANKAN LEGAL Management accessed 4 August 2019 become a major concern as computers are related offences, content-related offences not only targeted for crime but are also and -related offences.11 important instruments used in the In Sri Lanka, Computer Crimes Act No. 24 of commission of other offences. 2007 primarily addresses computer-related Enhancing cyber security and protecting crimes and hacking offences. In this Act, critical information infrastructures are computer crime is a term used to identify all essential to each nation’s security and crimes that are connected with or economic well-being. Making the Internet related to computer and Information and safer (and protecting Internet users) has Communication Technology Act No.27 of become integral to the development of new 2003information technology. This Act services as well as government policy.4 The covers a broad range of offences which are Evidence(Special Provisions) Act5, the common offences identified and recognized Information and Communication internationally as well. Recognising the Technology6, the Payment and Settlement nature of computer crimes which are Systems Act7, the Electronic Transactions committed disregarding boundaries under Act8, the Payment Devices Frauds Act9 and the Section 2 of the Computer Crime Act the Computer Crime Act10 are the main courts have a wide jurisdiction to attend the pieces of legislations which governs the matters irrespective of whether the person legal regime in the area of Information resides, the crime was committed or the Technology in Sri Lanka. The term “cyber- damage was caused a person or corporation 12 crime” is used to cover a wide variety of within or outside Sri Lanka. In line with criminal conduct and include a broad range Article 22 of the Budapest convention, of different offences. One approach can be Computer Crime Act covers wide range of found in the Convention on Cybercrime, application without considering the 13 which distinguishes between four different geographical boarders and nationality. types of offences: offences against the Section 27 enables the extradition of cyber 14 confidentiality, integrity and availability of criminals among the states. However, computer data and systems, computer- above said provisions will not effectively function without the international cooperation among the states, one state

4 Gade, Nikhita Reddy & Reddy, A Study Of Cyber Security 10 Computer Crime Act No.24 of 2007 Challenges And Its Emerging Trends On Latest 11 Marco Gercke, Understanding cybercrime: phenomena, Technologies. Ugander. (2014). challenges and legal (ITU Telecommunication Development 5 The Evidence(Special Provisions) Act No.14 of 1995 Bureau) < www.itu.int/ITU- 6 Information and Communication Technology Act No.27 of D/cyb/cybersecurity/legislation.html> Accessed on 5th August 2003 12 7 Payment and Settlement Systems Act No.28 of 2005 Computer Crime Act No.24 of 2007 , Section 2, 13 8 Electronic Transactions Act No.19 of 2006 Computer Crime Act No.24 of 2007 Section 2, 14 9 Payment Devices Frauds Act No.30 of 2006 Computer Crime Act No.24 of 2007, Section 27. can’t solely fight against the computer In Sri Lanka, there is a challenge in crimes.15 preventing cyber-crime. The growth of network-based crime has raised difficult In Section 3 to Section 10, the Act describes issue in respect of appropriate balance the key substantive offences under between the needs of those investigating and Computer Crime Act such as Hacking (illegal prosecuting such crime, and the rights of access)16 , Cracking17, unlawful users of such networks, so there is a need to modification18, offences against national empower the coordination process. security19, dealing with unlawfully obtained Prosecutors, investigators, and Judges need data20, illegal interception of data21, using to work in coordinating manner and 22 illegal devices and unauthorized experienced investigators need to be trained 23 disclosure of information which are properly in order to deal with cyber-crime. adequately consistence with the Budapest Awareness in new media literacy and Convention under the heading of computer- information technology is one way of 24 integrity offences . minimizing cyber-crime. Further, Sri Lankan

There are no laws or policies to ensure cyber legal system needs to be reviewed in order security, privacy or data protection in Sri to identify areas which need further Lanka. Although hacking and some other modifications. activities are offences under the Computer Computer Crime Act introduced new Crime Act, a remedy can’t be offered to a procedures in addition to the ordinary citizen if his or her sensitive data is criminal procedures and every offences withheld. This has a direct impact on our under this Act are cognizable offences25. trade because some countries are reluctant Further a significant arrangement is that, to enter into transactions with us due to the government can appoint a panel of experts lack of security in these on-line transactions. to assist police officers.26 A panel of experts If a country wants to actually enter into shall be appointed in order to assist the international trade and commerce, then police officers in the investigation process. there must be directives and policies to In the process of investigating the police protect data. officers and the experts are required to

15 Jonathan Clough, A World Of Difference: The Budapest 20 Computer Crimes Act No. 24 of 2007, Section 7 Convention On Cybercrime And The Challenges Of 21 Computer Crimes Act No. 24 of 2007, Section 8 Harmonisation, Monash University Law Review2011 (Vol 22 Computer Crimes Act No. 24 of 2007, Section 9 40, No 3) 23 Computer Crimes Act No. 24 of 2007, Section 10 16 Computer Crimes Act No. 24 of 2007 Section 3. 24 Convention on Cybercrime, Budapest, 23 November 2001 17 Computer Crimes Act No. 24 of 2007 Section 4 25 Computer Crimes Act No. 24 of 2007 Section 21 18 Computer Crimes Act No. 24 of 2007 Section 5 26 Computer Crimes Act No. 24 of 2007 Section 17 19 Computer Crimes Act No. 24 of 2007 Section 6 consider the protection of information and through that Sri Lanka can combat against rights of the individuals. the computer crime.31

Computer Crime Act complies with the In 2015, as the first country from South Budapest Convention (Art 16-21), and Asian region Sri Lanka acceded to the provides special power to the investigation Budapest Convention. Though the Computer officers including the power of search and crime Act was enacted before the said seizure which includes the laws for accession, the majority of the provisions interception and real time collection of were in compliance with the Budapest traffic data27, and the request to preserve Convention. Some provisions of the information28. However, some procedures Convention were not covered by the have to be strengthened based on Computer Crimes Act such as Child international standards. Compiles with Pornography32. However the Sri Lankan Article 15 of the Budapest convention, Penal code has provisions to address this, Computer Crime Act strives to ensure the however it may not adequate enough to right to privacy of the victims29 however prosecute these crimes when it is committed when it comes to Sri Lankan contest right to using Internet.33 privacy of victims cannot be ensured in the A major challenge in the existing legal investigation and prosecution process. framework is that the Computer Crimes Act Furthermore, for the purpose of effective has failed to identify some of the most enforcement Sri Lanka has established the common cyber-crime offences, such as computer crime division of police Illegal gambling, cyber-squatting, hate department and computer emergence speech and statements promoting , response team(CERT). Moreover, the cyber defamation, identity theft, cyber Computer Crime Act enables mutual bullying and cyber stalking making it assistance of states for investigation and difficult take precautions against such prosecution of cybercrime through the offences.34 The term computer was not Criminal matters Act 2002.30 Furthermore, defined adequately in the Act and with the Sri Lanka’s accession to the Budapest limited elements of the offences such as convention which leads to obtain mutual legal assistance from other member states,

27 Computer Crimes Act No. 24 of 2007 Section 18 32 Article 9 of the Budapest Convention 28 Computer Crimes Act No. 24 of 2007 Section 19 33 Sri Lankan penal code section 286A 34 29 Computer Crimes Act No. 24 of 2007 Section 24 Selvaras Janaha, 'Has Sri Lanka Worked Out Effective 30 Computer Crimes Act No. 24 of 2007 Section 35. Ways of Fighting Computer Crime?' (Open University of Sri 31 Convention on Cybercrime, NOVEMBER 13, 2018 The Lanka 2013) < Lakshman Kadirgamar Institute (LKI) < http://www.kdu.ac.lk/proceedings/irc2013/2013/l006.pdf https://www.lki.lk/publication/convention-on- >Acsessed on 5th August 2019 cybercrime/> Accsesed on 5th August 2019 unauthorized access can be seen as stalking offenders. The above examples from inadequate areas of the Act.35 other jurisdictions effectively illustrates how those jurisdictions have stepped towards As a developing country Sri Lanka can implementation of an effective legal always take lessons from other developed framework by identification of common jurisdictions such as USA, UK, and cyber-offences as criminal offences. even from as they have taken some different approaches in recognizing new The “Access” is a commonly used term in types of cyber-crimes. Australia has ICT law, especially in relation to cyber- recognised online illegal gambling as a crimes. Yet, the term is not interpreted in the criminal offence by the Interactive statutes. In this case, the Information Gambling Act 2001. Further, USA in order to Technology Act 2008 of India provides an prevent cyber-squatting, abusive interpretation to the term “access”. registration and use of the distinctive Accordingly, “access” means; “gaining entry trademarks of others as internet domain into, instructing or communicating with the names, with the intention of earning profits logical, arithmetical, or memory function through the goodwill associated with those resources of a computer, computer system or trademarks has introduced anti- computer network”38 The element of cybersquatting Consumer Protection Act of “unauthorised access to commit an offence” 1999.36 In the UK, hate speech is recognised is the given term as the actus reus for several as an offence under many statutes and under offences in Sri Lankan Computer Crime Act. the Communications Act 2003, many However, as there are various types of offenders have been convicted for the offences which come under cyber-crimes it publication of statements promoting hatred may be difficult to take each and every in social media.37 Section 66A of the offence under this element as in order to Information Technology Act 2008 of India, identify as a cyber-crime, as there are provides the law governing a wide range of several offences which can be done with common cyber-crimes. It provides the lawful access. The 2008 amendment to the punishment for sending offensive messages Information Technology Act 2000 of India through communication services and the has introduced offences such as sending provision is so drafted to provide for the offensive messages, spam, identity theft, punishment of cyber-bullying, cyber-

35 Dr Thusitha ABEYSEKARA and Samindika ELKADUWE, ‘A accessed 28 August 2019 the Computer Crimes Legislation in Sri Lanka, Second 37 'Everything You Need To Know About Cyberbullying And International Conference on Interdisciplinary Legal Studies How To Stop It' 2015( ISBN-978-0-9939889-3-6)page28 accessed 28 August 2019 36 Martin Samson, 'The Anti-cybersquatting Consumer 38 Information Technology Act 2008, section 2(1)(a) Protection Act: Key Information - Internet Library Of Law And Court Decisions' (Internetlibrary.com, 2019) cheating by personation, and violation of numbers of cases are taken before the courts privacy rather than placing them under the which make impossible to develop the legal unauthorized access.39 A further challenge framework relating to cyber-crimes. which is faced by the law enforcement Further, most of the individuals are not authorities is that the offences under the aware that they are victims of cyber-crimes Computer Crime Act are entirely based on and victims are not aware that there are the principle of unlawful access. legal remedies which they can seek out to Accordingly, the Act fails to cover situations mitigate the harm. Therefore, only a few where information/data is obtained by numbers of cases are reported to the courts lawful access, but are consequently misused and the judges don’t get an opportunity to for unauthorized purposes; for example, administer law against the offenders.41 Cookies issues. Sri Lanka is actually a pioneer in terms of Cyber defamation is one of most common ratifying international and regional type of cyber-crime globally as well as in Sri conventions related to ICT Law. However, Lanka. Since, defamation is not a criminal ironically, when it comes to adopting them offence, the Police or any other law and implementing them, we are lagging enforcement officials are unable to prevent behind. There are special and simplified such crimes. It is evidential that in social procedures provided by the law in relation media platforms people are daily subject to to computer crimes where the police can cyber defamation. even obtain the help of experts who hold One of the major challenges faced by the Sri proper qualifications. They can perform Lankan legal system is the lack of reporting several tasks without even receiving a court of cyber-crimes. A main cause behind lack of order. However, none of this is reporting is that the victims fear that their implemented. It is necessary to research on data might get destroyed or they might lose how other countries have enforced their the confidentiality of their private data.40 laws and integrated the culture of Another one of the main drawbacks in the responsibly using the internet and digital existing legal framework on cyber-crimes is devices and educate our society. that lack of case law. There are no reported case law on cyber-crimes and very limited

39 Lionel Faleiro, IT Act 2000 – Penalties, Offences With D/cyb/cybersecurity/legislation.html> Accessed on 5th Case Studies, June 24, 2014 August < https://niiconsulting.com/checkmate/2014/06/it-act- 41Vishni Lakna Ganepola, Effectiveness Of The Existing 2000-penalties-offences-with-case-studies/> Accessed on Legal Framework Governing Cyber-Crimes In Sri Lanka 10th August 2019 40 Marco Gercke, Understanding cybercrime: phenomena, challenges and legal (ITU Telecommunication Development Bureau) < www.itu.int/ITU- Although the Computer Crimes Act seems to Sri Lanka needs to enact laws to streamline be adequate in comparison to the Budapest the existing legal framework on cyber- convention, as it provides for identification crimes with the international standards such of crimes, identifies a wide jurisdiction and as identifying new types of offences, provides an investigation procedure, the introduce Data Protection Act and Reform extent of implementation of the provisions defamation laws and introduce cyber of Computer Crime Act cannot be seen as a defamation laws. In achieving these result of various reasons such as lack of developments Sri Lanka can use reporting, lack of investigation officers who International Conventions such as Budapest has adequate knowledge to deal with highly Convention, developments of other skilled cyber criminals and lack of jurisdictions as guidelines and can seek investigation equipment. Further, social assistant from them. Awareness about media flat forms such as are existing legal framework is much important unwilling to provide information such as IP since victims of cyber-crimes need to be addresses of users and therefore it is encouraged to report such crimes which will necessary to take steps coordinating with eventually contribute towards the those international corporations. development of legal framework relating to cyber-crimes. .