Concerted strategies needed to fight cybercrimes

The fight against cybercrimes calls for concerted strategies, asserted Attorney General Mohan Pieris, President’s Counsel.

The Attorney General made this comment when delivering his keynote address as Chief Guest at the international workshop on ‘Cooperation against Cybercrime in South Asia,’ held in Colombo recently.

The event was hosted jointly by Council of Europe and the ICT Agency of Sri Lanka (ICTA) in association with the Ministry of Justice. The participants consisting of Government and law enforcement representatives from South Asian countries – Bangladesh, India, Maldives, Pakistan and Sri Lanka, came together to enhance their capacity for cooperating against cybercrime. The workshop provided an ideal opportunity to assess cybercrime and IT related legislation of the countries concerned.

At the outset the Attorney General commended ICTA for its “contributions towards recent IT related legislation, particularly, the Electronic Transactions Act No. 19 of 2006 and the Computer Crimes Act No. 24 of 2007. Whilst the Electronic Transactions Act provides an excellent framework legalising e-commerce, e-business and e-governance with a unique evidence regime for the admissibility of electronic documents in courts, the Computer Crimes Act provides the safeguards against cybercrime. Both these legislations and consequential policy changes make Sri Lanka e-ready to march towards e-governance.”

The keynote address of President’s Counsel Pieris took the participants through a legal journey traversing many countries, including the Philippines, Russia, USA, UK as well as Hungary, which has now become famous for the Budapest Cybercrime Convention adopted in 2001.

Throwing open before the audience thoughts for consideration during the deliberations at this first-ever international workshop on cybercrime, the Attorney General said: “Given the ubiquitous nature of the internet and its ability to swiftly and effectively transcend national borders and sovereign territories, we today live and transact business in a borderless world.”

Emphasising on the importance of mutual co-operation in fighting against cybercrime, the Attorney General said: “It is axiomatic that criminal activity involving the use of computers has come to stay. As such this is an area where global cooperation and mutual assistance must be fostered and promoted. There is sensitivity internationally that practical efforts must be made to protect us from cybercrime and it in this backdrop that I find it quite opportune that this all important international workshop on cooperation against cybercrime in South Asia should take place in Sri Lanka.”

He then went on to elaborate on a “story told and retold many a time about the brief but destructive career of the infamous ‘Love Bug’ virus, which would illustrate the stupendous challenges cybercrimes pose to us today. The virus, which destroyed files and stole passwords, appeared in Hong Kong some years back and rapidly spread around the world.

“Virus experts traced the ‘Love Bug’ to the Philippines. Using information supplied by an Internet Service Provider, agents from Philippine’s National Bureau of Investigation and from the FBI identified individuals suspected of creating and disseminating the ‘Love Bug,’ but then they ran into problems with their investigations: The Philippines had no cybercrime laws. As such, creating and disseminating a virus was not a crime known to the Philippines law. Consequently, the investigators had a difficult time convincing a magistrate to issue a warrant to search the suspect’s apartment.

“Obtaining the warrant took days, allowing the suspect ample time to destroy essential evidence. Authorities finally executed the warrant and seized evidence, indicating that Onel de Guzman, a former computer science student, was the person responsible for creating and disseminating the ‘Love Bug’. But, because Philippine law did not criminalise hacking or the distribution of viruses, officials struggled to prosecute Guzman. They finally charged him with theft and credit card fraud, the usual penal code offences, but the charges were dismissed as inapplicable and unfounded.

“What made it worse was that Guzman could not be extradited for prosecution in other countries – such as the United States – that have cybercrime laws. This would, in my view, illustrate the need to have legislation to fight cybercrime. In Sri Lanka this problem would not arise because adequate legislation is in place, as manifested in the Computer Crimes Act No. 24 of 2007. What is unique is that our legislation provides adequate checks and balances, consistent with the Budapest Convention,” the AG observed.

Referring to a recent development, relevant in the context of social networking sites (Facebook and Twitter), the Attorney General drew the attention of the audience to a case of false identity created on Gacebook, which came under scrutiny in courts in UK.

Although the internet offers some level of anonymity, he explained the effect of a “powerful tool in English courts, which has now come to be known as Norwich Pharmacal orders, by which Facebook was compelled to lift the veil of anonymity and disclose the registration information used for the purpose of creating the false profile”.

The Norwich Pharmacal orders have become powerful weapons even in the case of money laundering offences, which too are committed using the internet. Despite the secrecy obligation of a banker towards his customer, the bank can be compelled by this order to disclose the identity of a money laundering customer, observed the Attorney General.

Pointing out to provisions equivalent to Norwich Pharmacal orders in the Sri Lankan context, the Attorney General explained: “You would find it in Section 18 of the Computer Crimes Act No. 24 of 2007, by which an expert or a police officer engaged in the investigation of cybercrimes in Sri Lanka can compel a service provider to reveal subscriber information and traffic data by virtue of a warrant obtained from a Magistrate. This Sri Lankan provision is consistent with Article 16 of the Budapest International Convention of Cybercrime.”

Drawing the attention of the audience to some of the salient provisions of the Budapest Convention vis-à-vis the Sri Lankan Computer Crimes Act, No. 24 of 2007 the Attorney General said: “The Convention provides new detection procedures of criminality including fraud and child pornography and gives greater powers to law enforcement agencies to patrol the internet. This is partly enabled by the involvement of Internet Service Providers (ISPs), upon whom some burdensome data preservation requirements are applied. Law enforcement agencies will be able to place 90 day preservation orders on ISPs to retain data for inspection during criminal proceedings. Furthermore, confidentiality clauses will prevent the ISP from disclosing the existence of a preservation order as it might impede a criminal investigation.”

“The International Convention on Cybercrime exhorts countries to harmonise national legislation and facilitate investigations and co-operation between law enforcement operations globally.”

The Attorney General said that harmonisation of cybercrime law, just like harmonisation of business law, was indispensable for the success in eliminating computer crimes. “Article 19 of the Convention provides for international cooperation by including that criminal offences covered by the convention shall be deemed to be included as extraditable offences in any extradition treaty existing between the parties. Sri Lankan Computer Crimes Act mirrors this Article in Section 27 which sets out computer crimes as extraditable offences.”

The Attorney General further observed: “Article 22 of the Convention provides that parties shall provide mutual assistance to one another in the investigations or proceedings concerning criminal offences. Interestingly, Section 35 of the Sri Lankan Act unequivocally declares that the Mutual Assistance in Criminal Matters Act No. 25 of 2002 shall be activated wherever it is necessary for the investigation and prosecution of an offence, when it comes to the question of providing mutual legal assistance. These are a handful of provisions among many of the salient Articles of the Convention vis-à-vis the Sri Lankan Act.”

In conclusion, the Attorney General noted: “The Sri Lankan legislation fully comports with the letter and spirit of the Budapest Cybercrime Convention.” He paid a glowing tribute to ICTA and its staff for their untiring efforts and also thanked the Council of Europe for their cooperation and support towards the legislative reforms process in Sri Lanka.

Sri Lankan speakers at the workshop included Suresh Chandra, Judge of the Supreme Court (Special Guest); Suhada Gamlath, Secretary Justice (Guest of Honour); Prof. P.W. Epasinghe (Chairman, ICTA); Deputy Solicitors General J. Jayasuriya and Wasantha N. Bandara, representing the Attorney General’s Dept.; Jayantha Fernando (Legal Advisor, ICTA); Wijaya Amerasinghe, SSP (Director CID); Sharmini Wickramasekera (Chief Risk Officer, Lanka Orix Leasing PLC); Lakshan Soysa (Manager Operations, SLCERT – ICTA); Rohana Palliyaguru (Senior Information Engineer, SLCERT – ICTA); and Wipul Jayawickrama (Managing Director, Infoshield Consulting, Australia).