AN EVALUATION OF THE LEGAL FRAMEWORK OF CYBER-CRIMES IN SRI LANKA
DAMITHRI KODITHUWAKKU
Attorney-at-law, LL.B(Hons)(United Kingdom)
Technical infrastructure of today’s world new means of committing traditional crimes highly depends on internet. Social, political, have been discovered. business, education, health, leisure and “The computer is rapidly increasing entertainment, media practices of people are society’s dependence upon it, with the highly influenced with the rapid result that society becomes development of Information technology. progressively more vulnerable to Internet has become the basic tool which computer malfunction, whether facilitates the global communication and all accidental or deliberately induced, and are provided with increased opportunities in to computer manipulation and white- the global cyber arena.1 With the color law-breaking”.2 development of Information technology to cater human needs using virtual dimension, With the emerging use of information ordinary services have converted into technology and computers related crimes electronic forms and the E-Banking, E- have become a global concern. Gradually Business, Communication, Education and E- almost all the electronic devices including Governance fields are highly utilised. smartphones, tablets, watches, health Despite the all advantages of IT related devices would have a distinct developments number of crimes relating to Internet Protocol (IP) address and with the IT have been increasing and more people facility to connected to the internet and as a become vulnerable each day. result of that vulnerability of users get
With the rapid development in technology increased and attacks on these devises could 3 and the internet, new types of crimes and damage the core functions of the society. As a result of storage of confidential information, privacy and data protection has
2 1 KennedyD Gunawardana , 'Current Status of Information C. G. Weeramantry, Justice Without Frontiers: Furthering Human Rights, (First published 1997, Published online by Technology And Its Issues in Sri Lanka ' [September - Cambridge University Press: 27 February 2017) 259 December, 2007] Vol 15(No3 )International Journal of The 3 Computer, the Internet and Jayantha Fernando, ‘THE IMPACT OF THE BUDAPEST CYBERCRIME CONVENTION ON SRI LANKAN LEGAL Management
4 Gade, Nikhita Reddy & Reddy, A Study Of Cyber Security 10 Computer Crime Act No.24 of 2007 Challenges And Its Emerging Trends On Latest 11 Marco Gercke, Understanding cybercrime: phenomena, Technologies. Ugander. (2014). challenges and legal (ITU Telecommunication Development 5 The Evidence(Special Provisions) Act No.14 of 1995 Bureau) < www.itu.int/ITU- 6 Information and Communication Technology Act No.27 of D/cyb/cybersecurity/legislation.html> Accessed on 5th August 2003 12 7 Payment and Settlement Systems Act No.28 of 2005 Computer Crime Act No.24 of 2007 , Section 2, 13 8 Electronic Transactions Act No.19 of 2006 Computer Crime Act No.24 of 2007 Section 2, 14 9 Payment Devices Frauds Act No.30 of 2006 Computer Crime Act No.24 of 2007, Section 27. can’t solely fight against the computer In Sri Lanka, there is a challenge in crimes.15 preventing cyber-crime. The growth of network-based crime has raised difficult In Section 3 to Section 10, the Act describes issue in respect of appropriate balance the key substantive offences under between the needs of those investigating and Computer Crime Act such as Hacking (illegal prosecuting such crime, and the rights of access)16 , Cracking17, unlawful users of such networks, so there is a need to modification18, offences against national empower the coordination process. security19, dealing with unlawfully obtained Prosecutors, investigators, and Judges need data20, illegal interception of data21, using to work in coordinating manner and 22 illegal devices and unauthorized experienced investigators need to be trained 23 disclosure of information which are properly in order to deal with cyber-crime. adequately consistence with the Budapest Awareness in new media literacy and Convention under the heading of computer- information technology is one way of 24 integrity offences . minimizing cyber-crime. Further, Sri Lankan
There are no laws or policies to ensure cyber legal system needs to be reviewed in order security, privacy or data protection in Sri to identify areas which need further Lanka. Although hacking and some other modifications. activities are offences under the Computer Computer Crime Act introduced new Crime Act, a remedy can’t be offered to a procedures in addition to the ordinary citizen if his or her sensitive data is criminal procedures and every offences withheld. This has a direct impact on our under this Act are cognizable offences25. trade because some countries are reluctant Further a significant arrangement is that, to enter into transactions with us due to the government can appoint a panel of experts lack of security in these on-line transactions. to assist police officers.26 A panel of experts If a country wants to actually enter into shall be appointed in order to assist the international trade and commerce, then police officers in the investigation process. there must be directives and policies to In the process of investigating the police protect data. officers and the experts are required to
15 Jonathan Clough, A World Of Difference: The Budapest 20 Computer Crimes Act No. 24 of 2007, Section 7 Convention On Cybercrime And The Challenges Of 21 Computer Crimes Act No. 24 of 2007, Section 8 Harmonisation, Monash University Law Review2011 (Vol 22 Computer Crimes Act No. 24 of 2007, Section 9 40, No 3) 23 Computer Crimes Act No. 24 of 2007, Section 10 16 Computer Crimes Act No. 24 of 2007 Section 3. 24 Convention on Cybercrime, Budapest, 23 November 2001 17 Computer Crimes Act No. 24 of 2007 Section 4 25 Computer Crimes Act No. 24 of 2007 Section 21 18 Computer Crimes Act No. 24 of 2007 Section 5 26 Computer Crimes Act No. 24 of 2007 Section 17 19 Computer Crimes Act No. 24 of 2007 Section 6 consider the protection of information and through that Sri Lanka can combat against rights of the individuals. the computer crime.31
Computer Crime Act complies with the In 2015, as the first country from South Budapest Convention (Art 16-21), and Asian region Sri Lanka acceded to the provides special power to the investigation Budapest Convention. Though the Computer officers including the power of search and crime Act was enacted before the said seizure which includes the laws for accession, the majority of the provisions interception and real time collection of were in compliance with the Budapest traffic data27, and the request to preserve Convention. Some provisions of the information28. However, some procedures Convention were not covered by the have to be strengthened based on Computer Crimes Act such as Child international standards. Compiles with Pornography32. However the Sri Lankan Article 15 of the Budapest convention, Penal code has provisions to address this, Computer Crime Act strives to ensure the however it may not adequate enough to right to privacy of the victims29 however prosecute these crimes when it is committed when it comes to Sri Lankan contest right to using Internet.33 privacy of victims cannot be ensured in the A major challenge in the existing legal investigation and prosecution process. framework is that the Computer Crimes Act Furthermore, for the purpose of effective has failed to identify some of the most enforcement Sri Lanka has established the common cyber-crime offences, such as computer crime division of police Illegal gambling, cyber-squatting, hate department and computer emergence speech and statements promoting racism, response team(CERT). Moreover, the cyber defamation, identity theft, cyber Computer Crime Act enables mutual bullying and cyber stalking making it assistance of states for investigation and difficult take precautions against such prosecution of cybercrime through the offences.34 The term computer was not Criminal matters Act 2002.30 Furthermore, defined adequately in the Act and with the Sri Lanka’s accession to the Budapest limited elements of the offences such as convention which leads to obtain mutual legal assistance from other member states,
27 Computer Crimes Act No. 24 of 2007 Section 18 32 Article 9 of the Budapest Convention 28 Computer Crimes Act No. 24 of 2007 Section 19 33 Sri Lankan penal code section 286A 34 29 Computer Crimes Act No. 24 of 2007 Section 24 Selvaras Janaha, 'Has Sri Lanka Worked Out Effective 30 Computer Crimes Act No. 24 of 2007 Section 35. Ways of Fighting Computer Crime?' (Open University of Sri 31 Convention on Cybercrime, NOVEMBER 13, 2018 The Lanka 2013) < Lakshman Kadirgamar Institute (LKI) < http://www.kdu.ac.lk/proceedings/irc2013/2013/l006.pdf https://www.lki.lk/publication/convention-on- >Acsessed on 5th August 2019 cybercrime/> Accsesed on 5th August 2019 unauthorized access can be seen as stalking offenders. The above examples from inadequate areas of the Act.35 other jurisdictions effectively illustrates how those jurisdictions have stepped towards As a developing country Sri Lanka can implementation of an effective legal always take lessons from other developed framework by identification of common jurisdictions such as USA, UK, Australia and cyber-offences as criminal offences. even from India as they have taken some different approaches in recognizing new The “Access” is a commonly used term in types of cyber-crimes. Australia has ICT law, especially in relation to cyber- recognised online illegal gambling as a crimes. Yet, the term is not interpreted in the criminal offence by the Interactive statutes. In this case, the Information Gambling Act 2001. Further, USA in order to Technology Act 2008 of India provides an prevent cyber-squatting, abusive interpretation to the term “access”. registration and use of the distinctive Accordingly, “access” means; “gaining entry trademarks of others as internet domain into, instructing or communicating with the names, with the intention of earning profits logical, arithmetical, or memory function through the goodwill associated with those resources of a computer, computer system or trademarks has introduced anti- computer network”38 The element of cybersquatting Consumer Protection Act of “unauthorised access to commit an offence” 1999.36 In the UK, hate speech is recognised is the given term as the actus reus for several as an offence under many statutes and under offences in Sri Lankan Computer Crime Act. the Communications Act 2003, many However, as there are various types of offenders have been convicted for the offences which come under cyber-crimes it publication of statements promoting hatred may be difficult to take each and every in social media.37 Section 66A of the offence under this element as in order to Information Technology Act 2008 of India, identify as a cyber-crime, as there are provides the law governing a wide range of several offences which can be done with common cyber-crimes. It provides the lawful access. The 2008 amendment to the punishment for sending offensive messages Information Technology Act 2000 of India through communication services and the has introduced offences such as sending provision is so drafted to provide for the offensive messages, spam, identity theft, punishment of cyber-bullying, cyber-
35 Dr Thusitha ABEYSEKARA and Samindika ELKADUWE, ‘A
39 Lionel Faleiro, IT Act 2000 – Penalties, Offences With D/cyb/cybersecurity/legislation.html> Accessed on 5th Case Studies, June 24, 2014 August < https://niiconsulting.com/checkmate/2014/06/it-act- 41Vishni Lakna Ganepola, Effectiveness Of The Existing 2000-penalties-offences-with-case-studies/> Accessed on Legal Framework Governing Cyber-Crimes In Sri Lanka 10th August 2019 40 Marco Gercke, Understanding cybercrime: phenomena, challenges and legal (ITU Telecommunication Development Bureau) < www.itu.int/ITU- Although the Computer Crimes Act seems to Sri Lanka needs to enact laws to streamline be adequate in comparison to the Budapest the existing legal framework on cyber- convention, as it provides for identification crimes with the international standards such of crimes, identifies a wide jurisdiction and as identifying new types of offences, provides an investigation procedure, the introduce Data Protection Act and Reform extent of implementation of the provisions defamation laws and introduce cyber of Computer Crime Act cannot be seen as a defamation laws. In achieving these result of various reasons such as lack of developments Sri Lanka can use reporting, lack of investigation officers who International Conventions such as Budapest has adequate knowledge to deal with highly Convention, developments of other skilled cyber criminals and lack of jurisdictions as guidelines and can seek investigation equipment. Further, social assistant from them. Awareness about media flat forms such as Facebook are existing legal framework is much important unwilling to provide information such as IP since victims of cyber-crimes need to be addresses of users and therefore it is encouraged to report such crimes which will necessary to take steps coordinating with eventually contribute towards the those international corporations. development of legal framework relating to cyber-crimes. .