By Kiyoshi Berman
The fifth Ethical Hacker’s Forum organised by CICRA Holdings was held recently in Colombo focussing on ‘A Lawful Cyber Sphere – Review of Legal Frameworks in Information Security’.
ICTA Sri Lanka Program Director/Legal Advisor Jayntha Ferndo delivered the keynote speech with a quick snapshot of the legal landscape concerning computer related crimes in Sri Lanka.
Fernando explained that cybercrime is not only about attacks against machines. “Cybercrime talks of any illegal activity where computers are used for the storage of evidence. It’s a threat to the core values of a democratic society – whether data theft, attacks against media, social organisations, or parliaments. Even the phenomenon of radicalisation on the internet and misuse of information are all touching the traditional boundaries of what we call cybercrime offences. Then we have the non-traditional realm of evidence where electronic evidence is stored on computers or servers on the Cloud from crimes such as murder, attempted murder, robbery, rape, attempted rape, counterfeit, piracy and a number of other offences.”
He further explained the major challenges faced when dealing with cybercrime. “We have a major challenge. There is no common standard to define cybercrime so there is a common standard globally with regard to what human behaviour constitutes cybercrime. Then we also have the challenge of identifying the procedures, the police and others involved in the investigation of a cybercrime offence, the judges who give the preliminary order and the prosecutors, are supposed to follow. There is another challenge which is international corporation in investigations.”
From left Dr. Thusitha Abeysekara, Senior Lecturer in Law, General John Kotelawala Defence University, ICTA Sri Lanka Program Director/Legal Advisor Jayntha Ferndo, CICRA Holdings CEO Boshan Dayaratna and Sri Lanka Cert CEO Lal Dias
Jayantha highlighted the privileges Sri Lanka can gain from being a part of the Budapest Convention which is the first and only treaty of cybercrime. He stated that, the Budapest Convention is not a model law, it’s a binding force which applies from the moment a country accedes the convention. It’s a technology neutral legal instrument. Sri Lanka was the first in South Asia to join this Convention and it has been valid from 1 September.
“Experts from a number of developed countries got together and eventually agreed on a global standard as a solution to this problem of setting a global benchmark standard with regards to criminalising conduct, developing procedural provisions and formulating mechanisms for international corporation. That global standard was adopted in the city of Budapest on the 11th of November 2001 and became known as the Budapest Convention.”
“It criminalises most of the offenses such as intellectual property rights, child pornography, unauthorised access etc. More than identifying crimes that involve a digital element, it’s even more difficult to identify the procedural methods that countries should adopt. This is the only international legal instrument that has standardised the procedures with regard to international investigation on cybercrime offenses from a global context. That is why it led to a common standard with regard to international corporation covering extradition, which means the offender will be taken to the country of his origin and charged under their local law.
“Sri Lanka has extradition agreements with a number of countries. Then we have MLA (Mutual Legal Assistance) between countries that help to expedite processes and most importantly, the 24x7 contact points between the countries for police to police corporation. All these have got standardised over the years under the framework of the Budapest Convention of cybercrime,” he added.
It is easier for countries that are part of the Budapest Convention to make international requests. The corporation from Google, Microsoft, Facebook and such organisations are very generous with requests for information for investigations from Budapest member countries, he emphasised.
Fernando further explained a few laws and procedures involved in cybercrime investigations. To illustrate a point, he mentioned the details of a real case where electronic data was requested and received to solve a crime successfully.
“There was a Canadian-American couple hitchhiking in the ecological paradise in Costa Rica when they were kidnapped. Somehow their families knew the various email accounts they used. The relatives shared the relevant email addresses with the law enforcement in Costa Rica. The Costa Rican 24x7 contact point transmitted the documentation to the US department of justice. Costa Rica was not a Budapest member but was invited to accede at the time, but because this was an emergency request Yahoo even sent the content of the emails.
“Then the process was expedited through the Mutual Legal Assistance channel. They found that certain emails have come from the kidnappers. With the location data and IP address data shared by Google, they managed to find from where those emails were sent to the victims. Within eight hours, the law enforcement raided the location and found the victims alive,” he said.
The next presentation was delivered by Dr. Thusitha Abeysekara, Senior Lecturer in Law, General John Kotelawala Defence University on the topic of his PhD research which was digital databases and their protection in Sri Lanka.
“This research examines the existing international protection of digital databases and its relevance to the possible new mechanism for the protection of digital databases in Sri Lanka. This can be divided into two separate parts -legal protection and technological protection. This research did not specifically examine the technological aspects. This research is relevant in time to the current economic climate in Sri Lanka as it has become an important economy in the South Asian region and now, there is more than ever a compelling need for further investment, innovation and the transfer of knowledge and technology.
“It has been stated that the economies of the first world is dominated by the creation and manipulation of electronic data and this trend is now transferring to developing countries around the world. Electronic and digital concepts have become dependent on digital databases; therefore digital databases have become highly valued commercial commodities and in turn created a competitive market place which has attracted investors. The research argues that the abovementioned investment is not been identified in the existing database protection mechanism in Sri Lanka,” he said.
The protection applied depends on different types of databases – public, private, online and offline. The European Database Directive provides protection for public and private databases. The databases that are made publically available are made vulnerable to misuse and misappropriation. Arguably the legal protection of the databases is concerned with this kind of acts.
This research focuses mainly on databases stored on programs and accessed by electronic means. Dr. Abeysekara went on to explain the various uses and advantages of the digital databases and what type of information it can store and how it can be manipulated. Thereafter, he interpreted the definitions of databases, the patent rights and so forth from his research.
He concluded the presentation by emphasising the damage that can be caused when cybercriminals and hackers gain unauthorised access to digital databases and the necessity to protect these databases from a legal standpoint.
The final session was a panel discussion moderated by Boshan Dayaratna, CEO of CICRA Holdings. The panel comprised Lal Dias, CEO, Sri Lanka Cert|CC, Jayntha Ferndo and Dr. Thusitha Abeysekara.
The first question was poses to Lal Dias on how the CERT supports the implementation of laws in the country. “We can have laws in place such as the Computer Crimes Act 2007 and many other legislations in place but how do we make sure that these are enacted? For example, take a police department and they get a complaint but how do they act on it. One of our biggest tasks was to ensure the police officers have the capability to handle computer crime.
“Today we are inundated with complaints, we get around 100 a day but not all of them are reported to the police because people don’t really know where to go. Even if they go to the police station they wouldn’t know what to do. So we run regular training programs but we obviously can’t train every police officer. We do, train the trainer programs in training centres in Katana and Kalutara to train the officers to handle complaints and obtain evidence properly...we also have programs to keep the judges abreast of the digital evidence and crime and the third area is the Budapest Convention that facilitates cross border corporation,” he said.
For a question posed to Jayantha about how many offenders are actually been charged based on digital evidence and how many such cases have been documented so far; he mentioned that it’s not as many as it was expected but the law enforcement is taking measures to improve the processes and reporting mechanisms.
Having said that he also emphasised, “Our police officers are smart; if the case was reported in the way the investigation was done, criminals will find a way out of that process. So the police use other interesting techniques around it. But I do agree that we still have a problem, we don’t have sufficient number of convictions despite the large number of investigations. From about 28 cases investigated in 2006 we jumped to over 1,000 cases after 2010. Over 400 investigations so far have been completed by multiple branches.
“The CID has a very specialised dedicated cybercrime unit where CERT and ICTA and many government organisations link with... after completing the investigation an inditement has to be obtained from the High Court and the real problem is that this inditement can take weeks, months or years depending on the importance of the case,” he explained.
The forum concluded with a Question and Answer session.
Pix by Daminda Harsha Perera