
CTO-CybersecurityForum-2010-Jayantha Fernando

Date post: 08-May-2015
Sri Lankan Cyber Crime Legislation: A developing country perspective. Jayantha Fernando, Director / Legal Advisor, ICT Agency of Sri Lanka
Transcript
Page 1: CTO-CybersecurityForum-2010-Jayantha Fernando

Sri Lankan Cyber Crime Legislation
A developing country perspective

Jayantha Fernando, Director / Legal Advisor, ICT Agency of Sri Lanka

Page 2: CTO-CybersecurityForum-2010-Jayantha Fernando

Outline

• Country Statistics
• Glimpse of Sri Lanka’s Policy Reform Stack
– Cyber Law Stack
• Sri Lankan Cyber Crime Framework
– Computer Crimes Act No. 24 of 2007
• Unique Enforcement Procedures
• Addressing Challenges & Institutional Arrangements
• Conclusions

Page 3: CTO-CybersecurityForum-2010-Jayantha Fernando

Agenda

Page 4: CTO-CybersecurityForum-2010-Jayantha Fernando

Sri Lanka – Country Facts

Land Area: 65,610 Sq. Km

Population: 21,130,000

GDP: US$ 27 Billion

GDP/cap: US$ 1600

Currency: Sri Lankan Rupee

Time Zone: GMT +5:30

Capital: Colombo (Commercial), Sri Jayawardenepura (Administrative)

Languages: Sinhala, Tamil, English

Exports: Garments, Tea, Gems, Rubber, Tourism, IT/BPO

Administration: 9 Provinces, 25 Districts, 325 Divisional Secretariats

Page 5: CTO-CybersecurityForum-2010-Jayantha Fernando

Sri Lankan ICT-BPO Sector

ICT Sector - 5th Largest Revenue Earner for Sri Lanka

First in South Asia to Liberalise Telecom Sector – 70% mobile penetration. (5 mobile operators, Large No of ISPs, 5 gateways)

A large pool of educated workers – 50,000 new accountants per annum, 30% per annum growth in IT workforce

Colombo Stock Exchange - Fastest Growing in Asia

Colombo Stock Exchange Software replicated in Croatia, Mauritius etc (LSE bought MIT)

Sri Lanka is ranked 16th in the “Top 50 Global Outsourcing Destinations” (A.T. Kearney Global Services Location Index - 2009) and amongst the Top 20 emerging cities.

Page 6: CTO-CybersecurityForum-2010-Jayantha Fernando

ICT Development Strategy in Sri Lanka - towards a knowledge economy

• The e-Sri Lanka Development Project - USD 83 Million
• Prepared from 2002-2005 & started since 2005
• “Taking dividends of ICT to every village, every citizen, every business and Transform the way the Government thinks and works” (www.icta.lk)
• Implemented by ICT Agency of Sri Lanka (ICTA)
• Information & Communication Technology Act No. 27 of 2003 (amended by Act 33 of 2008)
• Two main functions of ICTA
– Catalyst for ICT development – Implements the ICT Development Strategy
– Directs ICT Legal & Policy Reform

Page 7: CTO-CybersecurityForum-2010-Jayantha Fernando

Companies Off-Shoring in Sri Lanka

Page 8: CTO-CybersecurityForum-2010-Jayantha Fernando

Network Readiness Index (NRI)

Page 9: CTO-CybersecurityForum-2010-Jayantha Fernando

Network Readiness Index (NRI)

Year 2002/03 2003/04 2004/05 2005/06 2006/07 2007/08 2008/09

Countries 82 102 104 115 122 127 134

India 45 39 40 44 50 54

Sri Lanka 54 66 71 83 86 79 72

Nepal - - - 108 119 127

Bangladesh 93 100 110 118 124 130

Bhutan - - - - - -

Maldives - - - - - -

Pakistan 76 63 67 86 84 98

Afghanistan - - - - - -

SL – Percentile Ranking 66 % 65 % 68 % 72 % 70 % 62 % 54 %

SAARC Region

Page 10: CTO-CybersecurityForum-2010-Jayantha Fernando

Policy Reforms Agenda
E-Laws Program

• Intellectual Property Act No. 36 of 2003 (based on TRIPS)
– Copyright Protection for IT Products Services & Protection of Integrated chips
• Electronic Transactions Act No. 19 of 2006 (based on UNCITRAL Model on e-Commerce 1996 and UNCITRAL Model Law on e-Signatures 2001)
– Ensures Technology Neutrality
• Includes features of the “UN Convention on the Use of Electronic Communications in International Contracts” (UN e-Contracting Convention of 2005)
• Sri Lanka – one of the first 3 countries in Asia to sign the convention (on 6th July 2006) along with China & Singapore
• Sector specific Certificate Authorities established (for Banking + Govt Network)
• Payment and Settlement Systems Act of 2005
• Monetary Law (Amendment) Act 2002 and Treasury Bills (Amd) 2004
– Establishes Sri Lanka as a destination for Electronic based Financial Transactions

Page 11: CTO-CybersecurityForum-2010-Jayantha Fernando

Cyber Crime Framework

Primarily Embodied in 3 Statutes

• Computer Crimes Act No. 24 of 2007
– (Provides for the identification as well as Investigation and prevention of Computer Crime)
• Payment Devices Frauds Act No. 30 of 2006
– (Protects persons lawfully using payment devices; Criminalises & Prevents the possession and use of unauthorised or counterfeit payment devices and provides for investigation of offences)
• Penal Code (Amendment) Act No. 16 of 2006
– (Prevents Computer based services being used for Child exploitation)

Other Relevant Statutes

• Prevention of Money Laundering Act No. 5 of 2006
• Financial Transactions Reporting Act No. 6 of 2006
• Obscene Publications (Amendment) Bill 2010 – (Prevent Child Image Abuse)

Page 12: CTO-CybersecurityForum-2010-Jayantha Fernando

Policy & Regulatory – NRI Rankings

2003 2004 2005 2006 2007 2008

102 104 115 122 127 134

Policy and Regulatory Environment for ICT Development 62 67 72 58 72 71

Laws relating to ICT 69 78 87 71 64 59

Percentile Ranking Laws to ICT 3.18 3.13 2.99 3.31 3.80 3.94

Percentile Ranking Policy & Regulatory 3.79 2.98 2.95 3.95 3.80 4.00

Page 13: CTO-CybersecurityForum-2010-Jayantha Fernando

Computer Crimes Act No. 24 of 2007
Historical Evolution

1995 - Process commenced (CINTEC Law Committee)
1997 – Working paper on Computer Crimes (Public Consultation)
Law Commission & Justice Ministry Review 2000 – 2003
Bill Presented to Parliament – 23rd Aug 2005
Parliamentary Committee Review (2005-07)
Legislation Enacted on 8th May 2007
Date of Operation – 15th July 2008 (Gazette Extraordinary – No 1559/41 of 25th July 2008)

Page 14: CTO-CybersecurityForum-2010-Jayantha Fernando

Computer Crimes Act No. 24 of 2007
Key Features

• Applicability (Section 2)

• A person commits an offence under the Act while being present in Sri Lanka or outside Sri Lanka

• The Computer, computer system or information affected, by the act which constitutes an offence under this Act, was at the material time in Sri Lanka or outside Sri Lanka

• The facility or service, including computer storage or information processing service, used in the commission of an offence under this Act, was situated in Sri Lanka

• The loss or damage is caused within or outside Sri Lanka by the commission of an offence under the Act, to the state or to a person resident in Sri Lanka or outside Sri Lanka.

Page 15: CTO-CybersecurityForum-2010-Jayantha Fernando

Sri Lankan Law - Key Provisions

• Section 3 - Criminalises the securing of unauthorised access to a computer, or any information held in any computer, with knowledge that the offender had no lawful authority to secure such access.

• Section 4 is an enhanced version of Section 3 and criminalises unauthorised access with the intention of committing another offence under the Computer Crimes Act or any other law.

• Section 5 criminalises activities which result in unauthorised modification and damage to a computer, computer system or computer program.

• What constitutes “Modification or damage” clarified
– impairing the operation of any computer, or the reliability of any data or information held therein
– destroying, deleting or corrupting or adding, moving or altering any information held in any computer
– unauthorized use of Computer services etc
– Introduction of a program resulting in malfunction (Viruses, worms etc)

Page 16: CTO-CybersecurityForum-2010-Jayantha Fernando

Sri Lankan Law - Key Provisions

• Causing a computer to perform a function which will result in harm to National Economy, National Security and Public Order, an offence (Section 6)

• Obtaining information from a computer or a storage medium without authority (Section 7)

– Includes buying, selling, uploading, downloading, copying or acquiring the substance or meaning of such information

• Illegal interception of Data (Section 8)
• Use of Illegal devices (Section 9)
• Unauthorised disclosure of Information (Section 10)

Page 17: CTO-CybersecurityForum-2010-Jayantha Fernando

Enforcement

Ensuring Appropriate Balance and creating conducive environment for enforcement

• Criminal investigations interfere with “rights of subjects”

• In a democratic society any such interference must be justifiable and “proportionate” to the needs of the Society sought to be protected

• Growth of Cyber Crime creates challenges in respect of how best an appropriate balance could be reached between the needs of investigators and rights of Data users

• Interests of ISPs / intermediaries likely to be affected

Page 18: CTO-CybersecurityForum-2010-Jayantha Fernando

Investigation & Enforcement Procedure (Unique Features)

• Provision to designate “experts” to assist Investigators with defined powers (Section 17 – 22)
• Experts – “Public Officers” qualified in Electronic engineering or Information Technology – Sec 17 (1)
• Broad powers for Experts – Section 17(4)
• Powers of search and seizure with warrant – Section 18
– Obtain information including subscriber information and traffic data
– Interception of Communication at any stage of communication
• Expert or Police Officer can issue notice for preservation of Information for 7 days - extension of time with Magistrate’s warrant (Sec 19)
• Normal use of Computers not to be hampered (Sec 20)
• Competency of Police Officers to be certified by IGP (Sec 21)
• Ensure Strict confidentiality by Police & Experts in connection with all information collected during an investigation (Sec 24)

Page 19: CTO-CybersecurityForum-2010-Jayantha Fernando

Enforcement Challenges

• Problems of identification
– Lack of understanding by “victims” of what constitutes cyber crime
– Lack of understanding by enforcement as to what is cyber crime – investigation and prosecution under wrong provisions
– Lack of understanding by the legal community – inability to map offences to Computer Crimes Act (e.g. phishing, DNS Fast fluxing etc)

• Lack of Reporting
– Lack of safe and secure locations and systems to report cyber crime
– Lack of infrastructure to safeguard confidentiality of the victim
– Requirement to give oral evidence in Courts (reluctance of victims and “experts” to come forward)

• Investigation and Co-ordination
– Lack of proper Digital Forensic Lab for e-Forensics with controls
– Challenges in training and retaining good enforcement officials

Page 20: CTO-CybersecurityForum-2010-Jayantha Fernando

Addressing Challenges

Awareness, Infrastructure and Creating Institutions

– Awareness and Skills Development
• For Law enforcement, Stakeholders (banking etc) and even public
– Establishing “Digital Forensic Lab” for Computer Crimes Unit of Police (CID) - ICTA Leadership
– Creating a hotline for reporting offences
– Implementing IT Usage and Information Security Policies (Both Govt and Pvt Sector)
• E-Government Policy adopted by Cabinet of Ministers on 16th December 2009 – See www.icta.lk
– Admissibility of Electronic Evidence enhanced by Evidence (Special Provisions) Act No. 14 of 1995 & Electronic Transactions Act 19 of 2006 (Dual Regime)

Page 21: CTO-CybersecurityForum-2010-Jayantha Fernando

Addressing Challenges – Creating Institutional Arrangements (CERTs)

• Governments cannot rely on traditional Govt expertise to combat cyber threats and address Cyber Forensic issues

• ICTA Established Sri Lanka CERT as a subsidiary (Nov 2006)
• See www.SLCERT.gov.lk
• Private sector driven Company model with Government Stakeholders (handles threats, forensics and develops IS policies)
• Handled over 350 incidents since inception (Approx 10 incidents a month)
• Reported Incidents of Cyber Crime increased from 48 (in 2008) to 69 in 2009
• Creating sector specific CSIRTs (Banking sector, ISPs etc)
• Admitted as full member of APCERT and FIRST
– Centre of Excellence to deal with Cyber security issues

Page 22: CTO-CybersecurityForum-2010-Jayantha Fernando

Addressing Challenges – International Cooperation

• Cross border nature of cyber crimes requires foreign bilateral co-operation between enforcement and judicial officials

• Consider signing Council of Europe (CoE) Convention on Cyber Crime (Budapest Convention)

• Review of Part V “Harare Scheme on Mutual Legal Assistance in Criminal Matters”- drawing on CoE

• Advantages of Budapest Convention
– Legal and Contractual basis for International cooperation in Cyber Crime enforcement (Ranging from Police to Judicial cooperation)
– Facilitates the gathering of Electronic Evidence, investigation of cyber-laundering, Cyber-terrorism and other serious crimes
– Provides for Cyber Crime legislation harmonisation and allows participation in Cybercrime Convention Committee (T-CY)

Page 23: CTO-CybersecurityForum-2010-Jayantha Fernando

Conclusions

• Sri Lankan Computer Crime Legislation – Substantially compliant with the Budapest Convention

• Technology and cyber crime techniques several steps ahead – Laws are always behind Technology

• Cannot get the ideal framework to address all enforcement challenges (despite consistency in the Procedures in Computer Crimes Act & Payment Devices Frauds Act)

• Need for Multiple stakeholders to cooperate in enforcement (Private Sector and Civil Society inputs) – SL CERT Model
– Governments alone cannot enforce Cyber Crime
• Draw on International Best Practices
• Need for International Co-operation
– Council of Europe Convention as a tool for global cooperation
– International Dialog – ICANN, CTO, IGF etc

Page 24: CTO-CybersecurityForum-2010-Jayantha Fernando

THANK YOU

