ARE THE SRI LANKAN CYBER-CRIME LAWS SUFFICIENT TO SAFEGUARD IT PROFESSIONALS AND THE VICTIMS OF CYBERATTACKS IN SRI LANKA?
Cyber-crime laws can be defined as the laws relating to information crimes,
technology crimes, internet crimes, computer crimes, and technology and
communication crimes.
Over the past few decades, the drastic improvement of the internet and
computers has influenced the world in both positive and negative ways. The
origin of the internet dates back to the 1960s, with the purpose of designing
networks to share information efficiently. However, with time this advancement
has paved the way for new types of crime, from online identity theft to
viruses.
There are many definitions of “what is a cyber-crime?” One definition is that
“Cyber-crime refers to any illegal activity that occurs in the virtual world of
cyberspace” (Henson, Reyns, & Fisher, 2011). According to Gordon and Ford,
cyber-crime is “any crime that is facilitated or committed using a computer,
network, or hardware device” (Gordon & Ford, 2006). The European Commission
has divided cyber-crime into 3 sections as follows: crimes specific to the
Internet, including attacks against information systems (e.g. fake bank
websites to solicit passwords enabling access to victims' bank accounts);
online fraud and forgery; and illegal online content.
Laws for computers and the internet are necessary because computers and
networks are vulnerable in the modern world. This vulnerability may arise due
to the capacity to store data in a small space, easy access and complexity
1. Sri Lanka enacted the Computer Crime Bill on 8th May 2007. This Bill was
certified in Parliament on 9th July 2007 and brought into operation with
effect from 15th July 2008.
The two major categories of offenses considered in this Act are
computer-related crimes and hacking offenses (https://rm.coe.int/16802f264b).
When considering the European cyber-crime laws, a convention was established
by the European Council on 8th November 2001. About 30 European states agreed
to and signed this convention.
Europe has implemented legislation and supported operational cooperation in
order to prevent cyber-crime. Some of these legislative actions include a
directive on attacks against information systems (2013), a directive on
combating the sexual exploitation of children online and child pornography
(2011), the ePrivacy Directive (2002) and the Framework Decision on combating
fraud and counterfeiting (2001).
A cyber-crime is multi-jurisdictional most of the time, because these criminal
actions can reach many people in different countries and the evidence can be
spread across different countries. Hence the need arises for global
legislative standards and tools for police and judicial collaboration.
The provisions of the Computer Crime Act of Sri Lanka are applicable where:
1. A person commits a crime under the Act while being in Sri Lanka or outside
Sri Lanka.
2. The computer, computer system or information affected was at the material
time in Sri Lanka or outside Sri Lanka.
3. The facility or service (including any computer storage or data/information
processing service) used for an offense in Sri Lanka.
4. Loss or damage caused within or outside Sri Lanka to the State or a person
resident in Sri Lanka or outside.
In Sri Lanka, as a third-world developing country, the use of modern
technology is not the same as in a European country. But Sri Lanka is one of
the most developed countries in Asia, which means that, compared to the other
countries in Asia, Sri Lanka uses modern technology.
People of various occupations and social statuses often become victims of
cyber-crime. The victim may be an individual or a group, and such groups can
be corporate or unincorporated. These individuals or groups can be referred to
as ‘Cyber Victims’. Anyone who uses the internet or receives electronic input
devices whose safety has not been confirmed can become a Cyber Victim within
seconds. This threat increases proportionally with the advancement of
technology.
When considering the EU cyber-crime laws, the following offences are mainly
considered:
1. Cyber-crimes against integrity, confidentiality and access to networks or
computers. This covers all the hacking crimes.
2. Crimes involving computer-related forgery and fraud.
3. Crimes related to eMoney, banking systems and all other electronic payment
methods.
4. Content-related cyber-crimes such as child pornography or its possession.
Nowadays the most common cyber-crimes are:
• Data/information theft.
• eMoney related crimes.
When comparing these EU Cyber-Crime Laws with the Sri
Lankan Laws, some of the EU laws are covered by the Sri Lankan Laws while some
are not.
The cyber-crimes against integrity, confidentiality and access to one’s
computer or network are covered by the Computer Act No.27 of 2007. The
computer-related fraud and forgery crimes are also covered by the Computer Act
No.27 of 2007.
The content-related cyber-crimes fall under intellectual property, hence the
Intellectual Property Act No.36 of 2003 covers them.
Electronic payment device fraud comes under Act No.30 of 2006. But sometimes
in these situations the criminal is able to get away with it because he has
deleted every trace that could lead back to him. So on many occasions it is
very difficult to catch the criminal or the hacker, because that person
outsmarts the authorities. For reasons like these, the cyber victim sometimes
will not receive any payment or any other form of damage control for his/her
damage. This situation has a bad impact on the ICT industry within the
country.
Among all cyber-crimes, hacking is the most common and major cyber-crime
globally. To hack someone’s computer or network, the hacker must be well
educated in computers and all sorts of ICT techniques and algorithms. IT
professionals are often the targets of these hackers, and on many occasions
websites get hacked worldwide. This kind of situation can give rise to many
problems, such as loss of profit for certain organizations, deletion or
banning of the website and, sometimes, national security issues.
Most of these hackers try to steal sensitive data, such as banking and
financial details, from large companies, which can lead to bankruptcy.
The next most common cyber-crimes are related to computer viruses, computer
worms, computer Trojans and other kinds of malware. Such malware has the
ability to change files, copy or move files to another location on the
computer, replicate files, corrupt files, delete or modify data and replicate
itself inside another computer or network. Some malware, such as computer
worms, can replicate itself without having a host. On many occasions this
malware enters our computers or networks through means such as:
• Playing online games
• Installing insecure programs on the computer
• Downloading from insecure websites
• Spam emails
In the modern world the majority of the population use email and other
electronic devices to communicate with each other. Hence thousands of crimes
are committed through email daily around the world.
Some of the major email related crimes are:
1. Email spoofing.
2. Sending malicious code through email.
3. Email bombing.
4. Sending threatening emails.
5. Defamatory emails.
6. Email fraud.
Sometimes these cyber-crimes happen due to the carelessness of an individual
or group. If someone receives a spam email or an email from an unknown sender,
ignoring it without opening it can reduce the risk of becoming a cyber victim.
Some cyber-crimes, such as cyber stalking and data diddling, are rising day by
day. Cyber stalking basically means that the attacker follows and studies
every online move a person or group makes. It happens through the internet,
without physical presence. The attacker may do this for their own purposes or
for someone else. Data diddling simply means that someone changes data before
it is entered into a computer or other electronic device. Data diddling is
very hard to identify, hence on many occasions attackers slip through the
internet unnoticed.
Cyber stalking and data diddling are punishable by law under both the EU and
Sri Lankan computer crime laws. These crimes come under computer integrity,
accessibility and confidentiality of data.
The cyber-crimes mentioned above are covered by Articles 2-8 in EU legislation
and by Sections 3-10 of the Sri Lankan Computer Crime Act.
Because of the cyber-crimes that have occurred since the Computer Crime Act
was established by the European Council, many modifications have been made to
it over the years.
The European Commission again proposed a new framework in 2002, the Framework
Decision on Attacks Against Information Systems. This contains the definitions
of cyber-crimes, rules and penalties on the crimes and cyber-crime fighting
within the general procedural assistance. The purpose of
the Framework Decision is to approximate (i.e. harmonize) the Member States’
legislation concerning attacks against information systems and to improve
cooperation between judicial authorities. The Framework Decision covers areas
also covered by the Council of Europe Convention, but is not as extensive in
scope. (Erik Wennerström: EU-legislation and Cybercrime)
The major challenge faced by the EU is to introduce better rules on data
protection while carrying out measures to prevent cyber-crime. A “Directive on
the treatment of personal data and the protection of privacy in the field of
telecommunications” was published in July 2000 by the Commission to address
this matter. The new directive concerns the protection of privacy in the
electronic communication sector, including satellite, ground-carried and
digital TV systems. It also concerns the processing of personal data.
The basic challenges in cyber-crime security in Sri Lanka are problems of
identification and capacity-building needs, lack of reporting and
investigation, and international cooperation. The identification problems
concern the lack of understanding among victims and law enforcement as to what
constitutes cyber-crime. They also include the lack of awareness among judges
and prosecutors and the retention of trained officials. The absence of secure
locations and systems to report cyber-crimes, failure to protect the
confidentiality of the victim and the need for oral evidence in court are some
of the problems with regard to reporting cyber-crime. Apart from these
problems, the lack of a proper framework and labs also causes cyber-related
problems in Sri Lanka.
The basic ways to address these problems in Sri Lanka are awareness,
infrastructure and creating institutions. These include ensuring safe and
secure reporting through separate hotlines, establishing digital forensic
labs, developing capacity and awareness, and implementing IT usage and
information security policies. The Government has established arrangements
with private-sector-driven companies and has established international best
practices which ensure compatibility of legislation.
Apart from the above-discussed cyber-crimes, data interference, system
interference, misuse of computer-based devices, computer-related forgery and
fraud, illegal interception of traffic data and child pornography are some
other network-related crimes. Data interference due to alteration, suppression
and deletion of data is criminalized in Article 4 of the EU convention. System
interference results from data manipulation, spam and emails. It is
criminalized under Article 5.
Cyber-crime can be carried out using only a computer and the internet.
Computer-related fraud is one of the most common types of crime in the world.
These frauds include online auction fraud and advance fee fraud. Article 6
concerns the misuse of computer-based devices, whereas Articles 7 and 8
criminalize computer-related forgery and fraud.
Articles 9 and 10 of the EU convention look into content-related crimes. Laws
similar to EU legislation can also be seen in the Sri Lankan cyber-crime Act.
EU legislation specifically contains laws regarding child pornography, while
Sri Lankan legislation contains laws regarding child abuse. The child abuse
law is due to an amendment made in 2006 which implies that cyber café services
should not perform activities leading to sexual abuse of children.
Comparatively, the EU has better laws against child abuse than Sri Lanka.
Some groups use social media and network media to spread hatred among
countries and races. This trend has increased recently due to lower
distribution costs, non-specialized equipment and a global audience.
Racism-related crimes and xenophobia are covered by EU laws but not by Sri
Lankan laws. Religious offences are another example of misuse of the internet.
The internet gives the freedom to debate, criticize and leave comments on a
subject. This can be done without revealing one’s identity, which gives an
advantage to the offender.
Illegal gambling and online games can also give rise to offences. The internet
allows people to take part in online gambling easily. Some countries have no
specific rules and regulations to prevent this. The US Gambling Prohibition
Enforcement Act of 2006 tries to limit illegal gambling. This Act works by
prosecuting financial service providers if they carry out transaction
settlements involving illegal gambling.
Another major sector discussed in connection with cyber-crime is the banking
sector. In earlier times, the banking industry was simply a place for money
transactions or deposits, run with manual labour. But with the development of
technology, the banking industry evolved too. Banking services are now
available 24 hours a day, and many more services are offered thanks to the
advancement of technology. At present, banking services include transactional
services, such as verification of accounts, details of account balances and
fund transfers, and advisory services about loans, investments et cetera that
help individuals and groups plan and manage their finances and property.
Due to the computerization of the banking industry, many cyber attackers
target these new banking systems. Currently, people can pay for almost
anything using electronic currency systems. It may be a small amount or a
million rupees; either way, any kind of transaction can be done through the
internet without involving real money. Banks and other financial institutions
encourage people to use this eMoney system because it is very safe to carry
out transactions without carrying any real money. In every country ATMs are
very popular for transactions because they are easy to use and convenient. But
there are a few crimes related to ATMs, and ATM fraud is the major problem
among them. Both the European and Sri Lankan computer crime laws have taken
action against cyber-crimes related to the banking industry and other
financial institutions. As stated in the deliberations on European computer
crime law, framework decisions on fraud of non-cash means of payment and on
combating fraud were taken by the European Commission.
Many cyber attackers steal people’s bank account information by creating a
website that looks the same as a bank’s official website and asks people to
enter account details such as the account number and PIN. Once the details are
entered, the attacker can use the victim’s account for anything, such as
buying illegal material. These types of cyber-attack are known as phishing
attacks, and they are very common not only in the banking sector but also in
many other fields, such as:
• Cyber Terrorism
• Cyber Extortion
• Cyber Warfare
Cyber terrorism can be simply defined as an act to spread terrorism through
any electronic media by an individual or a group. It can be directed at an
individual, group, company or family for various reasons, such as:
• To collect information
• To take control over them
• To blackmail them
Another common and concerning cyber-crime is identity theft. The basic
definition of identity theft is using someone else’s identity and pretending
to be that person. Cyber attackers mainly use this type of crime to gain
financial benefits. But cyber attackers also pretend to be someone else in
order to commit crimes such as illegal weapons and arms deals, illegal drug
deals and child pornography. It is punishable by law to use someone else’s
name, social security number, driver’s licence, bank or credit card numbers,
passwords and PINs, fingerprints and many other personal details to commit a
crime or in any offensive way. But according to unpublished research by
Carnegie Mellon University, “In many instances, the reason for the identity
theft is unknown”.
According to European law, identity theft comes under the Data Protection Act
1998. This Act covers all the personal data mentioned above. There are many
indications that you might be a victim of identity theft. Some of the basic
indications are:
• Debit or credit card charges to your account for goods or services that you
did not know of.
• Receiving calls from your bank’s debit or credit card fraud department about
unusual activity on your debit or credit card.
• Receiving details that a credit scoring investigation is ongoing or has been
done by your bank.
People need to be more careful and better educated about identity theft and
online banking systems.
With the development of technology, many new cyber-crime threats and trends
are being introduced to the modern world. On many occasions cyber victims have
stated that they were not aware of what a cyber attacker could do. So people
need to be educated about the new technology, how to prevent a cyber-attack,
what should be done if a cyber-attack takes place, and the related laws on
cyber-crime. People in Asian countries like Sri Lanka, which is not as
developed as European countries, are not very accustomed to new technological
advancements. Because of this, the majority of the population do not know
about cyber-crimes and the related laws when an attack happens. People have
some knowledge about cyber-crimes in the banking industry but not in other
areas. So, to prevent this kind of situation, people need to be educated about
cyber-crimes and the related laws.
In EU legislation:
• Attacks against information systems are covered by Articles 2 – 6 in The
Council of Cyber-Crime Convention.
• Fraud and counterfeiting of non-cash means of payment are covered by
Articles 7 – 8 in The Council of Cyber-Crime Convention.
• Sexual exploitation of children and child pornography are covered by
Article 9 in The Council of Cyber-Crime Convention.
• Crimes against intellectual property rights are covered by Article 10 in The
Council of Cyber-Crime Convention.
When considering European and Sri Lankan computer crime laws, the two legal
frameworks are similar in many respects. But when it comes to areas like child
pornography, ATM fraud and data theft, Sri Lankan laws are not at a
satisfactory level. Therefore, Sri Lankan cyber-crime laws must be modified to
cover all these areas as the European computer crime laws do.
References
1. Computer Crime Act, No. 24 of 2007 Sri Lanka
7. Erik Wennerström: EU-legislation and Cybercrime