British and Sri Lankan Computer Crime law in safeguarding IT professionals

Computer crimes[1] are the modern crimes of today’s world[2]. They can be perpetrated through any electronic device[3]. Computer crimes can take the form of hacking[4] or of attacks on networks. Here, we discuss and argue for the necessary actions that can be taken when such offences are committed[5]. The SL CCA[6] commenced in 2007 and the CMA[7] in the UK commenced in 1990. In terms of safeguarding IT professionals, these Acts play a very significant role in the IT industry. The SL CCA states that it is an extraterritorial Act[8], while the British CMA[9] states that it is territorial[10]. This simply means that SL law has addressed globalization in its legal terms.

 

Safeguarding the IT Professionals against Unauthorized Access

At the beginning, the CCA in SL describes computers[11], and it is strange to observe that there is no direct definition of the term “Computer” in the CMA.

“In the UK, the offence of unauthorised access and the computer misuse offences in general are included in the CMA, which has been amended by the Police and Justice Act of 2006 and the Serious Crime Act 2015.”[12]

In both Acts, a separate section is devoted to unauthorised access to computer devices[13]. Both Acts state that a person who intentionally tries to access a computer device is guilty of an offence[14]. Some cases[15] have been heard over unauthorised access to secure networks. The CCA specifically says that “mere turning on a computer is sufficient”[16] to be an offence. How can that alone be an offence? The person should at least get access to the respective data[17]; short of that, turning on a computer cannot be considered a crime[18]. Accordingly, the necessary amendments should be made to the SL Act to safeguard the IT industry. The SL Act states that committing such offences leads to payment of a fine or imprisonment of 5 years[19]. Getting access to unauthorised data is a serious crime. Data is highly confidential. Once a person has got access to such data, the imprisonment should not be limited to just 6 months. Just think of the victims of such hackers. In this respect, the CMA should be amended to safeguard IT professionals.

Modification of the data held on any computer, or malware dissemination, can be an offence in both jurisdictions. The CCA[20] affirms that, for data theft to be considered a crime, the data/information should have been in a protected state. If the owner of the computer has not protected the data by using a password[21], the extraction of that data by a third party may not be considered theft[22]. In the business world, this is particularly important when the client has handed his/her computer over to an IT service provider[23]. According to the aforementioned section[24], the client should have an intention to protect their local data[25]. Otherwise it is legal to get the data[26] for the purpose of repairing the computer. This is a loophole in the SL CCA. Malware, in turn, may cause a computer to operate differently from its usual behaviour[27]. The CCA states that the intention of the attacker is important[28]. But anyone can claim that it was not done intentionally[29]. It is advisable to amend the current Act to state that victims should have proper malware detection of their own[30]. Similarly, there is no such provision in British law[31].

Under the CCA[32], impairing the operation of a computer is considered a crime[33]. This prevents DoS[34] attacks where the attacker has not obtained any data from the victim’s computer[35]. This is also stated in British law. In a case from 2015, a Plymouth boy tried to attack American Airlines and Delta Airlines using DoS[36]. R v Nazariy Markuta is another case, heard over unauthorized modification of data.

 

Safeguarding the IT Professionals against Illegal Device Usage 

Penetration programs are used by computer professionals to verify the level of security of a device or devices. But anyone can use them illegally to crack or obtain the password of particular devices[37]. This is covered under the CCA[38], but it is absent from British law. In that respect, a person has the right to crack the password of a computer, but he/she is not allowed to get into the system[39]. As a result, the necessary alterations should be made.

 

Safeguarding the IT Professionals against Illegal Interception of Data

ISPs[40] track what their clients do. This is a major privacy issue[41]. The CCA[42] states that illegally tracking data generated from a computer is a crime. Are the ISPs taking part in a crime? No, because they have an agreement in place when they issue the connection. In some circumstances, the ISPs may have to hand over the data as the government requires[43]. Thus, it cannot be considered a crime even though it tracks the data emitted from a computer[44]. In this case, users should go through their agreements in order to protect themselves. There is no such provision in the CMA[45].

 

Safeguarding the IT Professionals against Unauthorized Disclosure of Information

IT administrators hold all the sensitive information in a firm[46]. There is a provision regarding that in SL law[47], but it is not stated in the CMA; it is covered under the UK DPA[48]. But there is a loophole in both jurisdictions. If the disclosed data helps investigations carried out by the government[49], the person who discloses such information shall not be convicted. This should be included in both Acts.

 

Conclusion

The SL CCA is comprehensive in comparison with British law. The CMA in the UK needs to be more powerful and comprehensive in safeguarding IT professionals[50]. The SL CCA is adequate for the time being. Computer crime is an area that has developed vastly in a short period of time; as a result, all jurisdictions should work together on modifications, justifications and amendments, rather than coming up with isolated Acts, to achieve comprehensive protection against infringements, and to safeguard IT professionals, in the near future.

 

[1] The attacks that are done over computer devices.

[2] And it has escalated throughout the world regardless of the physical barriers

[3] such as a phone, computer, watch etc.

[4] stealing information by accessing the device without authorisation

[5] especially in safeguarding the IT professionals

[6] Computer Crime Act, No 24 of 2007

[7] Computer Misuse Act 1990

[8] sec 2 of Computer Crime act

[9] Computer Misuse Act 1990

[10] sec 4 of Computer Misuse act

[11]  as “An electronic or similar device having information processing capabilities”   –  Sec 38 of Computer Crime Act

[12] Karagiannopoulos, V. (2016) ‘Insider unauthorised use of authorised access: What are the alternatives to the Computer Misuse Act 1990?’, International Journal of Law, Crime and Justice, Vol.47, pp. 85-96. doi: 10.1016/j.ijlcj.2016.08.003.

[13] Section 1 in the Computer Misuse act and Section 3 in the Computer Crime Act

[14] But, comparing both the sections, the CMA seems to be a little ambiguous to the reader.

[15] such as R v Gold and Schifreen, R v Adam Penny (Case Law)

[16] Section 4 Ex.1 – Computer Crime Act

[17] or else he/she should at least get access to the desktop.

[18] Theofel v. Farey-Jones (Case Law)

[19] whereas in the British Act, it leads to an imprisonment not exceeding 6 months.

[20] section 4.Ex2

[21] or a similar mechanism

[22] DPP v Ellis [2001] EWHC Admin 362 (QBD) (Case Law)

[23] when there is a need of repairing the computer

[24] Sec 4.ex2 Computer Crime Act

[25] by using an administrator password or a similar mechanism

[26] This is not ethical in the industrial aspect

[27] George, E. (2004) ‘UK Computer Misuse Act—the Trojan virus defence: Regina v Aaron Caffrey, Southwark Crown Court, 17 October 2003’, Digital Investigation, Vol.1(2), pp.89-89. doi: 10.1016/j.diin.2004.04.005.

[28] sec 5 of Computer Crime act

[29] Thus, according to the current law, anyone can use their USB flash drives to spread a computer virus, claiming that he/she does not know about anything related to the particular case.

[30] either using a commercially available Antivirus software or from their own security practices

[31] in safeguarding the IT industry

[32] section 5.(a) CC Act – this shows a loophole in the British act

[33] R v Feltis [1996] EWCA Crim 776 (Case Law)

[34] Denial of Service – means unlimited traffic in the network that causes the entire network to break down.

[35] Rahman, R. (2012) ‘The legal measure against Denial of Service (DoS) attacks adopted by the United Kingdom legislature: should Malaysia follow suit?’, International Journal of Law and Information Technology, Vol. 20(2), pp.85-101. doi: 10.1093/ijlit/eas003.

[36] The Guardian (2015) Boy, 16, in court charged with cyber-attacks and airline bomb hoaxes. Available at: https://www.theguardian.com/uk-news/2015/dec/18/sixteen-year-old-boy-plymouth-youth-court-charged-with-cyberattacks-bomb-hoaxes (Accessed: 02 April 2017).

[37] Cormack, A. (2015) ‘Internet vulnerability scanning – is it lawful? (United Kingdom)’, Journal of Internet Law, Vol.18(9), p.3(4).

[38] sec 9 of the Computer Crime act

[39] sec 1.(1) of Computer Misuse Act

[40] Internet Service Providers

[41] Grabosky, P., Smith, R. (Year of publication) ‘Telecommunications and Crime: Regulatory Dilemmas’, Law & Policy, Vol.19(3), pp.317-341. doi: 10.1111/1467-9930.00031.

[42] Section 8 – CC Act

[43] it could be for the investigation of a criminal case

[44] sec 8 of the Computer Crime act describes – in order to consider as a crime, he/she must not have a lawful authority to do such.

[45] But it is covered under the Data Protection Act 1998.

[46] If he/she leaks the data/information, the company will have a threat against its security – Nasu, H. (2015) ‘STATE SECRETS LAW AND NATIONAL SECURITY’, International and Comparative Law Quarterly, Vol.64(2), pp.365-404. doi: 10.1017/S0020589315000056.

[47] sec 10 in Computer Crime act

[48] Data Protection Act 1998

[49] such as terrorist attacks

[50] Better consideration to the technological items might increase the effectiveness of the CMA.
