IT Security & Crimes

IT LAW
Introduction to Information Security, IT Crimes and Cybercrimes

Basics of IT law & jurisdiction

• Meaning of the term "computer"
• There is no hard and fast rule for defining it; that is, there is no universally accepted definition of the term.
• What is regarded as a computer in one industry or sector does not necessarily mean the same in another.
• The Oxford Dictionary: "An electronic device which is capable of receiving information (data) and performing a sequence of logical operations in accordance with a predetermined but variable set of procedural instructions (program) to produce a result in the form of information or signals."

By I. MGETA

• S.3 of the Electronic and Postal Communications Act, 2010 (Act No. 3 of 2010): "Computer" means an electronic device used to input, process, store and output data.
• In short, there are disparities in defining the term "computer". The common elements of the definitions are an electronic device used for:
  ◦ keeping data (input/data storage)
  ◦ processing data
  ◦ producing data (output)

The link: Law & Computer

• The development of computer technology has affected not only the field of science and technology but also other disciplines, e.g. law.
• Areas of interest in law:
  ◦ Privacy and security
  ◦ Freedom of expression and information sharing
  ◦ Business operations and transaction interchange
  ◦ Terms and conditions of use of software programs, etc.

Meaning of Computer/Internet Law

• They are not synonymous but inter-related:
  ◦ IT Law deals with all issues related to the use of IT, including privacy.
  ◦ Computer Law: the law regulating the use and application of computer-related technology and the control of computer-related crimes and abuse of electronic services.
  ◦ Internet Law: the law that regulates internet services and usage, electronic communication, the rights and obligations of ISPs and Internet users, control of online abuse, etc.

Jurisprudential foundation

• An area of the law which has developed because of technical legal issues that arose with the emergence of computer technology.
• Legal issues which gave rise to IT law:
  ◦ Electronic commerce and contract formation
  ◦ Admissibility of electronic evidence and computer print-outs
  ◦ Privacy online and data protection
  ◦ Computer and ICT crimes
  ◦ IPR and computer technology, etc.

Sources of IT law

• International conventions, e.g. the UNCITRAL Model Law on Electronic Commerce
• The Constitution: basic human rights, e.g. the right to privacy and freedom of expression
• Statutes
• Case law
• Legal opinions from prominent lawyers and IT

Introduction

• Development in ICT has paved the way for a new era in communication technology.
• With this development, new challenges have emerged:
  ◦ How to deal with threats to electronic communications
  ◦ How to harmonize traditional laws to cover new, sophisticated offences
  ◦ Redefinition of some of the offences, etc.
• Electronic privacy is another issue, not only for individual data but also for governmental information.
• All these are challenges of the new digital/cyber era.

Computer Crime/ICT Crime

• Scholars have distinguished computer crime/ICT crime from cyber crime.
• Computer crime is defined as any criminal activity that is committed against a computer or similar device, and the data or program therein.
• In computer crimes, the computer is the target of the criminal activity.

• The "computer" in this context refers to the hardware, but the crimes, …, more often than not relate to the software and the data or program contained within it.
• The criminal activities often relate to the functions of the computer; in particular, they are often facilitated by the communications systems that are available and operated through the computer, thereby contributing to a less secure computing environment.

• It is also defined as follows: computer crime encompasses the use of a computer as a tool in the perpetration of a crime, as well as situations in which there has been unauthorised access to the victim's computer or data.
• Computer crime also extends to physical attacks on the computer and/or related equipment, as well as illegal use of credit cards and violations of automated teller machines, including electronic funds transfer theft and the counterfeiting of hardware and software.

• Further: "Computer crime covers all sets of circumstances where electronic data processing forms the means for the commission and/or the object of an offence and represents the basis for the suspicion that an offence has been committed."

• A distinction between computer crime and cyber crime is explained as follows: "Computer crime" encompasses crimes committed against the computer, the materials contained therein such as software and data, and its use as a processing tool. These include hacking, denial of service attacks, unauthorized use of services and cyber vandalism.

• "Cyber crime" describes criminal activities committed through the use of electronic communications media.
• One of the greatest concerns is cyber-fraud and identity theft through methods such as phishing, pharming, spoofing and the abuse of online surveillance technology.
• There are also many other forms of criminal behaviour perpetrated through the use of information technology, such as harassment, defamation, pornography, cyber terrorism, industrial espionage and some regulatory offences.

• So one may gather from all those definitions that:
  ◦ Cyber crime is a computer-enabled crime.
  ◦ Computer crime is a crime whereby the computer is the target.
  ◦ Cyber crime is a criminal activity that involves a computer and a network that links computers.
• These crimes can be categorized into two:
  ◦ Crimes which were not possible before the advent of the computer and can only be committed with it, such as hacking, cracking, sniffing and the production and dissemination of malicious code.
  ◦ A much wider category of crimes which have been in existence for centuries but are now committed in the cyber environment, such as internet fraud and the possession and distribution of child pornography, etc.

• The UK author Ian Walden distinguishes these crimes in the following categories:
  ◦ "computer-related crimes" (such as fraudulent activity involving the use of computers)
  ◦ "content-related offences" (such as the distribution of pornographic material involving children by means of computers and cellphones)
  ◦ "computer integrity offences" (in which the computer itself is the object of an attack)
• Suffice it to say that there is no universally accepted classification of computer crimes/cyber crimes.
• Much will depend on what a particular scholar intended to say, or on local legislation.

Types of Cyber crimes

• According to the Mumbai Police department:
  ◦ Hacking
  ◦ Phishing
  ◦ Denial of service attack
  ◦ Spoofing
  ◦ Cyber-stalking
  ◦ Virus dissemination
  ◦ Software piracy
  ◦ Cyber-defamation
  ◦ Pornography
  ◦ Internet Relay Chat (IRC) crime
  ◦ Credit card fraud
  ◦ Net extortion, threatening and salami attack

• According to the Australian Institute of Criminology:
  ◦ Theft of telecommunication services
  ◦ Communications in furtherance of criminal conspiracies
  ◦ Telecommunication piracy
  ◦ Dissemination of offensive materials
  ◦ Electronic money laundering and tax evasion
  ◦ Electronic vandalism, terrorism and extortion
  ◦ Sales and investment fraud
  ◦ Illegal interception of telecommunications
  ◦ Electronic funds transfer fraud
• Therefore, even in the classification of cyber crimes, scholars differ, and even the authorities responsible for controlling such crimes differ in the way they classify them.
• For the purposes of this lecture, the two terms computer crime and cyber crime will be used interchangeably.

• The discussion will cover the following types of cyber crimes:

◦ Computer fraud
• This simply means any dishonest misrepresentation of fact by using any electronic device, intending to induce another to do or refrain from doing something, which causes loss or psychological suffering.
• Computer fraud includes forms such as:
  ◦ Concealing unauthorised transactions
  ◦ Electronic funds transfer fraud
  ◦ Identity theft
  ◦ Entering unauthorised instructions or processes into a computer, etc.

◦ Hacking
• This simply means unauthorised access to a computer system. In telecommunication services, the equivalent practice is called "phone phreaking".
• It is an illegal intrusion into a computer system without the permission of the computer owner/user.

◦ Unauthorised modification of data
• Data needs to be kept in a systematic form so that the system can function effectively.
• Any unauthorized alteration or modification of such information or data may render the entire system ineffective or produce undesired outcomes.

• A person may gain access to the computer system and, without permission, modify the data kept in the computer, causing the whole or part of the system to stop functioning.
• This can also be done by sending malicious code which renders the computer system ineffective.

◦ Dissemination of malicious code: use of viruses and other harmful computer programs
• A computer virus simply means malicious software which is capable of replicating itself.
• Not every program defect is a virus: an ordinary computer bug is an unintentional programming error, not self-replicating malicious code.
• This crime is committed through the dissemination of malicious code, i.e. the spread of a virus which attaches itself to other software and alters its functioning.

• This kind of dissemination may include:
  ◦ Virus: infects computers or other electronic devices and is passed on by user activity, for example by opening an email attachment or opening a document or device that contains it.
  ◦ Worm: self-propagating malware that uses an internet connection to reach vulnerabilities on other computers and install copies of itself. Worms are often used as a conduit to grant attackers access to the computer.

  ◦ Trojan horse: malware masquerading (impersonating) as something the user may want to download or install, which then performs hidden or unexpected actions, such as allowing external access to the computer.
  ◦ Other forms of malicious software, like time bombs, logic bombs, etc.
• Malicious software can be transmitted from one computer to another through network sharing, the sharing of hard drives, flash disks, etc.

◦ Denial of service attack
• This is an act by a criminal who floods the bandwidth of the victim's network, or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.
• The main purpose is to create such a surge in the volume of traffic (e.g. email) that network performance degrades.

• It is often aimed at businesses engaging in e-commerce, the aim being to generate such a volume of spurious messages that the victim site becomes clogged up and is unable to accept messages from genuine users wishing to place orders for goods or services.
• A denial of service attack may cause both financial loss and loss of goodwill.
• Customers who are unable to access services may lose confidence in the service provider or business.

• For example, in February 2000 denial of service attacks initiated by a single person (a teenager) in Canada dramatically slowed down some of the best-known e-commerce servers, such as amazon.com, eBay and Yahoo.
• These sites could not sell their products for a few days. Together they claimed to have suffered more than $1 billion in damages.

◦ Unauthorised interception
• Developments in telecommunications provide new opportunities for electronic eavesdropping.
• Interception of communications has been used not only for surveillance of an unfaithful spouse, but has developed to be used against politicians and for industrial espionage.
• The electromagnetic signals emitted by a computer may also be intercepted.
• Cyber criminals often obtain valuable information by intercepting and monitoring communications sent via the internet or other information networks.

• Electronic mail messages can easily be intercepted by third parties, enabling them to obtain bank account numbers, passwords, access codes and various other forms of data.
• While interception of communications may be legal if permitted by law, unlawful interception is illegal and is one of the cyber crimes.
• The challenge in regulating the interception of electronic communications is the need to balance the prohibition of unauthorised interception against the question of freedom of expression.

◦ Extortion
• Extortion here is a process by which criminal intruders disrupt an information system in order to carry out whatever bad motive lies behind the disruption.
• Such intrusion into a computer system may cause damage to the storage system and the loss of important data.
• The act can also be used to disrupt the security system so as to facilitate the commission of other crimes.

◦ Pornography, cyber-obscenity and cyber-stalking
• Pornography was the first consistently successful e-commerce product.
• By using deceptive marketing tactics and mouse-trapping technologies, pornography has been a tool for luring customers to certain websites.
• Access to this kind of material is open to both children and adults who use the Internet.

• One of the impacts of pornography is the crime known as paedophilia. Paedophilia is criminal activity involving sexual offences against children by adults, including the production and distribution of child pornography.
• A paedophile is a person who is sexually attracted to children.
• Most countries have now criminalized child pornography.

◦ Cyber stalking is a technologically-based "attack" on one person who has been targeted specifically for that attack for reasons of anger, revenge or control. Using this technique, a criminal follows a victim by harassing or persecuting him/her with unwanted and obsessive attention through emails, forum chat, etc.

• Cyber stalking may take the forms of:
  ◦ harassment, embarrassment and humiliation of the victim,
  ◦ emptying bank accounts or other economic control, such as ruining the victim's credit score,
  ◦ harassing family, friends and employers to isolate the victim,
  ◦ scare tactics to instill fear, etc.

◦ Cyber obscenity is closely associated with cyber stalking. In this technique, a criminal causes the transmission of distasteful, obscene or offensive material through the Internet to another person.
• Distribution of indecent/obscene material is criminalized in most countries, and such prohibition extends to the Internet.

• Publication of offensive material is an offence and may also be defamatory.
• However, what is offensive in one country may not be so in another. This causes great disparity in the laws regulating offensive material on the Internet.

◦ Software piracy
• This encompasses a range of forms of conduct, such as:
  ◦ Unlawful multiple installation
  ◦ End-user piracy
  ◦ Client/server piracy
  ◦ Online piracy
• Software piracy infringes IPR and mostly gives rise to civil rather than criminal liability.
• However, IPR law also carries criminal sanctions which may apply to software piracy.

◦ Use of unlawful devices and unlawful programs
• Because of the various threats posed by electronic technology, companies and governments have developed security measures to help prevent unauthorised access to, or use of, certain information.
• Criminals frequently use sophisticated technology to intrude into these protected systems in order to commit crimes.

• More often than not, criminals use devices or programs which can defeat the security system or any protected material.
• E.g., criminals may use skimming devices to capture all the data contained on a card's magnetic stripe and thereafter, with the assistance of a computer terminal, download that data and use it for unlawful activity, including credit card fraud.
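What a skimmer captures is the magnetic stripe's Track 2 record, and a fraud analyst or incident responder triaging a recovered dump needs to recognise those records without exposing full card numbers. The following is an added example written for this page, not code from the lecture: it finds records in the ISO/IEC 7813 Track 2 layout (";PAN=YYMM<service code><discretionary data>?") in a constructed dump, validates each PAN with the Luhn check digit from ISO/IEC 7812, and masks the PAN for reporting. The PANs used are the well-known 4111…/5555… test numbers, not real cards, the dump text is constructed, and the "20YY" century prefix applied to the expiry is an assumption of this example.

```python
# Added example (not from the lecture): parse and triage Track 2 records from a
# constructed skimmer dump. PANs are standard test numbers, not real cards.
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix and last four digits, as PCI-style reports do."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(record: str):
    """Return the fields of one Track 2 record, or None if it is not one."""
    m = TRACK2.fullmatch(record.strip())
    if not m:
        return None
    pan = m["pan"]
    return {
        "pan_masked": mask_pan(pan),
        # YYMM -> 20YY-MM; the century prefix is an assumption of this example.
        "expiry": "20" + m["exp"][:2] + "-" + m["exp"][2:],
        "service_code": m["svc"],
        "luhn_valid": luhn_ok(pan),
    }


def scan_dump(text: str) -> list:
    """Find every Track 2 record in a blob and return the parsed, masked fields."""
    return [parse_track2(m.group(0)) for m in TRACK2.finditer(text)]


# Constructed dump: two Luhn-valid test PANs, one with a wrong check digit, plus noise.
SAMPLE_DUMP = """log start
;4111111111111111=25122011234567890?
;5555555555554444=26013011000000000?
;4111111111111112=2412201?
log end
"""

if __name__ == "__main__":
    for rec in scan_dump(SAMPLE_DUMP):
        print(rec)
```

The Luhn check only catches transcription errors and obviously forged numbers; a record that passes it is still only a candidate until the issuer confirms it, and the masked form is what should go into any report or ticket.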

◦ Spoofing and phishing
• Phishing is the extraction of confidential information from bank/financial institution account holders by deceptive means.
• Phishing is a general term for e-mails, text messages and websites fabricated and sent by criminals and designed to look like they come from well-known and trusted businesses, financial institutions and government agencies, in an attempt to collect personal, financial and sensitive information. It is also known as brand spoofing.

• E.g., a criminal may send a scam, perhaps in the form of an email, to a victim informing him that his email address has won a certain sum of money and that the address was randomly selected from several addresses in a draw conducted on a certain date.
• Characteristics:
  ◦ The content of a phishing e-mail or text message is intended to trigger a quick reaction from you. It can use upsetting or exciting information, demand an urgent response, or employ a false pretense or statement.

  ◦ Typically, phishing messages will ask you to "update", "validate" or "confirm" your account information or face dire consequences. They might even ask you to make a phone call.
  ◦ Often, the message or website includes official-looking logos and other identifying information taken directly from legitimate websites.

• The criminal may ask the victim to verify his email details (pretending that it is for security purposes) and send back his full details, including bank account details, saying that the money will be deposited into that account as soon as all the correct details are received.
• Sometimes the criminal may link the victim to a certain website, pretending that it is for security reasons.
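The characteristics listed above (urgent wording, the "update/validate/confirm" demand, and a link that claims to be the institution's site but leads elsewhere) are exactly what a mail gateway scores on. The following is an added example written for this page, not code from the lecture or any product: it parses a raw e-mail, extracts the urgency wording, and checks every HTML link for a visible URL whose host differs from the real target and for targets that are bare IP addresses. The two messages, and every name, domain and IP address in them, are constructed for the example.

```python
# Added example (not from the lecture): scoring a raw e-mail for the phishing
# traits described in the slides. All addresses, domains and IPs are made up.
import re
from email import message_from_string
from urllib.parse import urlparse

# Wording typical of phishing: urgency, threats, and the "update/validate/confirm" ask.
URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|within \d+ (?:hours|days)|suspended|update|validate|confirm)\b",
    re.I,
)
# Minimal HTML anchor matcher: adequate for the sample, not a full HTML parser.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def hostname(text: str) -> str:
    """Host part of a URL-like string ('' if it has none)."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def phishing_indicators(raw_message: str) -> dict:
    """Return {indicator: evidence} for each phishing trait found in the message."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    visible = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    found = {}

    words = sorted({m.group(0).lower() for m in URGENCY.finditer(visible)})
    if words:
        found["urgency_wording"] = words

    deceptive, raw_ip = [], []
    for href, anchor_text in ANCHOR.findall(body):
        shown, real = hostname(anchor_text), hostname(href)
        # Link text that looks like the brand's site while the href goes elsewhere.
        if shown and real and shown != real:
            deceptive.append((shown, real))
        # A bare IP address where a brand's domain name would be expected.
        if IPV4.match(real):
            raw_ip.append(real)
    if deceptive:
        found["deceptive_links"] = deceptive
    if raw_ip:
        found["ip_address_links"] = raw_ip
    return found


def is_likely_phish(raw_message: str, min_indicators: int = 2) -> bool:
    """Flag a message when at least min_indicators distinct traits are present."""
    return len(phishing_indicators(raw_message)) >= min_indicators


# Constructed sample: a fake "bank" alert of the kind the slides describe.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@example-bank-verify.invalid>
To: customer@example.org
Subject: URGENT: validate your account within 24 hours
Content-Type: text/html

<p>Your account will be suspended. Please visit
<a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a>
to confirm your details immediately.</p>
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """From: "Alice" <alice@example.org>
To: bob@example.org
Subject: lunch tomorrow?
Content-Type: text/html

<p>Menu is at <a href="https://www.example.org/menu">https://www.example.org/menu</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_likely_phish(sample), phishing_indicators(sample))
```

Requiring two independent indicators keeps a genuine "please confirm your booking" message from being flagged on wording alone; the link-host mismatch is the strongest single signal because a legitimate sender has no reason to show one site and link to another.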

• Spoofing, in the network sense, is a technique of getting one computer on a network to pretend to have the identity of another computer, usually one which has special access privileges, so as to obtain access to other computers on the network. (Brand spoofing is the phishing sense of the term: impersonating a trusted organisation rather than a machine.)
• Government, financial institutions and online payment services are common targets of brand spoofing.

Legislative Measures

• Before 2010 there was no specific law enacted to regulate cyber crimes.
• The Law Reform Commission prepared a Bill, the Computer and Computer-related Crimes Bill, which was aimed at regulating:
  ◦ Illegal access to, and interference with, computer systems
  ◦ Use of illegal devices
  ◦ Interference with data and computer systems

  ◦ Publication of immoral materials (e.g. obscenity, inciting hatred, material harmful to children, etc.)
  ◦ Production of computer viruses, worms, logic bombs, etc.
  ◦ Powers of authorised officers to search and seize computer systems/e-devices and access data
  ◦ Powers of authorised officers to prosecute cyber-crimes

• The response of the Government was the enactment and passing by Parliament of the Electronic and Postal Communications Act, 2010 (Act No. 3 of 2010).
• Part VI of the Act establishes offences and penalties in relation to:
  ◦ Electronic communications: ss 116-124
  ◦ SIM cards: ss 125-137
  ◦ Postal communications: ss 138-150
  ◦ Additional offences and penalties: ss 151-160
• The new law has made a number of amendments to the TCRA Act and the Fair Competition Act.

• It is significant to note that some commonly known cyber-crimes have been criminalized under the new law. These include:
  ◦ Offences relating to interception of electronic communication: s.120
  ◦ Offences relating to interference with electronic communication: s.123
  ◦ Fraudulent use of electronic services: s.122
  ◦ Unauthorised access to or use of a computer system: s.124
  ◦ Transmission of obscene materials: s.118

• S.124(1) of the Act establishes a National Computer Emergency Response Team (CERT) whose role is:
  ◦ To coordinate responses to cyber security incidents at the national level
  ◦ To cooperate with regional and international entities involved in the management of cyber security incidents
• The enactment of this law has not effectively succeeded in addressing the challenges related to ICT/cyber crimes. There is an initiative to bring in a Cyber-crimes Act.

Other Jurisdictions

• The Council of Europe's Convention on Cybercrime
  ◦ In the absence of a more international instrument to regulate and criminalize cyber crimes, this regional instrument has proved to be the leading international instrument in this field.

  ◦ The Convention criminalizes cyber crimes in four categories:
• Offences against the confidentiality, integrity and availability of computer data and systems:
  ◦ Illegal access
  ◦ Illegal interception
  ◦ Data and system interference
• Computer-related offences:
  ◦ Computer-related forgery
  ◦ Computer-related fraud

• Content-related offences:
  ◦ Computer pornography and other obscene materials
• Offences related to infringements of copyright and related rights:
  ◦ Software piracy, etc.
• Other countries' laws cover largely the same ground as this Convention, e.g.:
  ◦ The Computer Misuse Act (UK) (note that this Act dates from 1990 and so predates the Convention, which was opened for signature in 2001)
  ◦ The Electronic Communications and Transactions Act (SA)

Case law analysis

• Unauthorised access to computer systems (hacking)
• McKinnon v Government of the USA and another [2008] UKHL 59
  ◦ Accessed 97 US Navy, Army, NASA and Pentagon computers. Read paras 11-16 of the case for the facts.
  ◦ The order for his extradition from the UK to the US was granted and the appellant challenged that order.
  ◦ The House of Lords dismissed his appeal against extradition.

• Unauthorised access/use by an authorized user
• S v Douvenga (2003)
  ◦ A secretary tried to e-mail certain information obtained from a database to a competitor.
  ◦ The secretary had authorisation (a password) to access the data.
  ◦ The issue was whether a person who is authorized to access certain information can be liable for unauthorised access if he accesses the information for an unlawful purpose.
  ◦ The Court found that this was unauthorised access.

• DPP v Bignell [1998] 1 Cr App R 1
  ◦ Police officers obtained access to data held on the Police National Computer for private purposes.
  ◦ No crime: they were entitled, as authorised users, to gain access to the data.
• R v Bow Street Magistrates' Court, ex p Allison [1999] 4 All ER 1
  ◦ Authorised access to certain data, but this enabled access to other data.
  ◦ The Court held that authorisation relates not only to the type of data but also to the type of access (i.e. the purpose of the access); hence a crime.

◦ Denial of service (DoS) attacks
• Flood servers with multiple requests or congest communication links.
• DPP v Lennon [2006] EWHC 1201 (Admin)
  ◦ The accused downloaded a mail-bombing program and used it to bombard his former employer with e-mails.
  ◦ The Court held that a person does not consent to receive e-mails which are sent to disrupt the proper operation and use of the system.
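The mail-bombing in DPP v Lennon, and the traffic floods described under denial of service attacks earlier, leave the same trace in a mail or web server log: one source producing far more events in a short window than any genuine correspondent does. The following is an added example written for this page, not code from the lecture or from any case: it parses a constructed mail log, computes for each sender the largest number of messages falling inside any sliding one-minute window, and reports the senders that cross a threshold. The log line format, the timestamps and every address are constructed for the example; the same sliding-window count applies unchanged to web requests keyed by client IP.

```python
# Added example (not from the lecture): detecting a mail-bombing / flood source
# in server logs with a per-sender sliding-window count. Log format and
# addresses are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line shape: "<ISO timestamp> from=<sender> to=<recipient> size=<bytes>"
LINE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")


def parse_line(line: str):
    """Return (timestamp, sender, recipient), or None for a line that does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["sender"].lower(), m["rcpt"].lower()


def peak_rate(events, window: timedelta) -> dict:
    """For (timestamp, key) pairs, the largest number of events from each key
    that fall inside any single window of the given length."""
    by_key = defaultdict(list)
    for ts, key in events:
        by_key[key].append(ts)
    peaks = {}
    for key, times in by_key.items():
        times.sort()
        j, best = 0, 0
        for i in range(len(times)):
            # Slide the right edge forward while it stays within `window` of times[i].
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        peaks[key] = best
    return peaks


def flood_sources(lines, window=timedelta(minutes=1), threshold=20) -> dict:
    """Senders that reached `threshold` or more messages within one `window`."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, sender, _rcpt = parsed
            events.append((ts, sender))
    return {s: n for s, n in peak_rate(events, window).items() if n >= threshold}


# Constructed sample: one sender fires 50 messages in 50 seconds at one mailbox;
# two normal correspondents send a few messages spread across the day.
SAMPLE_LOG = (
    [f"2006-01-05T10:00:{s:02d} from=<bomber@example.net> to=<boss@victim.example> size=2048"
     for s in range(50)]
    + [f"2006-01-05T{h:02d}:15:00 from=<alice@example.org> to=<boss@victim.example> size=900"
       for h in (8, 11, 14)]
    + [f"2006-01-05T{h:02d}:40:30 from=<bob@example.com> to=<boss@victim.example> size=700"
       for h in (9, 12, 16)]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    print(flood_sources(SAMPLE_LOG))
```

The threshold and window are the only tuning knobs; pick them from a baseline of the busiest legitimate sender over a normal week, otherwise a mailing-list relay or a monitoring system will be the first thing flagged.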

◦ Extortion and malicious damage to property
• S v Howard (unreported, case no. 41/258/02), Johannesburg regional magistrates' court
  ◦ One of the issues in this case was whether the erasure of digital data in a computer system amounts to malicious damage to property.
  ◦ The court answered this issue in the affirmative, because the hard drive of a network server was damaged after it had attempted to reboot 256 times and the file loadtrm.exe had been altered, both as a result of the hacker's interference with the system.
  ◦ The court found that because the point-of-sale systems were rendered unusable for some time, temporary damage had been done to corporeal property.

Conclusion

• The main challenge facing states in regulating ICT-related crimes is the lack of universal guidelines on legislative measures which can be used to combat such crimes.
• It remains for domestic and regional initiatives to deal with these modern threats.
• Thus, until there are uniform standards, these threats will live with us.