Legal and Regulatory Issues in the Information Economy/Cybercrimes

Is crime possible in the Internet?
The Internet has the potential to be one of humankind’s greatest achievements. Telecommunications, banking systems, public utilities, and emergency systems rely on the network. But there are those who use it to inflict harm on others. In the short life of the Internet, we have already seen a wide array of criminal conduct. Although it is often difficult to determine the motives of these digital outlaws, the result of their conduct threatens the promise of the Internet by reducing public confidence and consumer trust in the whole system.

The threat of growing criminal conduct in the Internet is such that the US Federal Bureau of Investigation (FBI) has taken the unprecedented step of making the fight against cybercrime and cyber terrorism the bureau’s No. 3 priority, behind counterterrorism and counterintelligence. In addition, the FBI has changed its hiring practices to focus on recruiting a new type of agent that can bring a bedrock of experience from the world of IT.

What are computer crimes or cybercrimes?
“Computer crime” or cybercrime refers to a misdeed involving the use of a computer. Cybercrimes can be divided into three major categories: cybercrimes against persons, property and government.

Cybercrimes against persons include transmission of child pornography, harassment with the use of a computer such as e-mail, and cyber stalking.

Cybercrimes against property include unauthorized computer trespassing through cyberspace, computer vandalism, transmission of harmful programs, and unauthorized possession of computerized information. Hacking and cracking are among the gravest of this type of cybercrimes known to date. The creation and dissemination of harmful computer programs or viruses to computer systems is another kind of cybercrime against property. Software piracy is also a distinct kind of cybercrime against property.

A distinct example of cybercrimes against government is cyber terrorism, in which cyberspace is used by individuals and groups to threaten governments and to terrorize the citizens of a country. This crime may take the form of individuals “cracking” into a government or military-maintained Web site.

What are examples of common misdemeanors on the Internet?

 * 1) Mail bombing involves the sending of messages to a target recipient repeatedly. The mailboxes of the recipients are then flooded with junk mail.
 * 2) Spamming is often used as a tool for trade or promotion. It targets multiple recipients and floods selected mailboxes with messages.
 * 3) List linking involves enrolling a target in dozens-sometimes hundreds-of e-mail listings.
 * 4) Spoofing is faking the e-mail sender’s identity and tricking the target recipient into believing that the e-mail originated from the supposed mail sender.
 * 5) Linking/Framing involves displaying one’s site content on another’s Web page without permission.
 * 6) Denial of Service (DoS) is an explicit attempt by attackers to prevent legitimate users of a service from using that service.
 * 7) Cracking is the act of gaining unauthorized access to a system and subsequently destroying or causing damage thereto.

In cyber stalking the “victim” is repeatedly flooded with messages of a threatening nature.

What is the reach of cybercrimes?
Crimes in cyberspace do not respect geographical boundaries or national jurisdictions. If left unchecked or unpunished, cybercrimes will adversely affect the growth of e-commerce. In addition, there is the rapid migration of real-world crimes such as child pornography, fraud, forgery, falsification, intellectual property theft, theft of information and money, as well as grave threats, to the virtual world.

What legal policies should be in place for the prevention, apprehension and prosecution of cybercrimes?
Legal provisions on theft or stealing need to be reviewed. In many jurisdictions, or in the real world, stealing or theft refers to taking a thing or depriving the victim of ownership thereof. What happens when a person accesses without authorization another person’s file and then proceeds to copy it? In this case, it may be argued that theft did not occur because the thing was simply copied, not taken. Making things even less clear is a case in the US where it was held that the law pertaining to inter-State transportation of stolen property refers only to corporeal things and does not apply to intangible property.

The US Department of Justice has classified the challenges to international as well as State prosecution of cybercrimes into three categories:


 * 1) Technological challenges - While it is possible to trace an electronic trail, the task has become very difficult because of the skill and technology that allow near-absolute anonymity for the cyber-culprit.
 * 2) Legal challenges - Laws and other legal tools to combat crime lag behind the rapid changes afforded by technology.
 * 3) Resource challenges - These refer to the problem of lack of sufficient experts, or the lack of an adequate budget for new technologies as well as for the training of personnel.

What is being done to prevent and/or prosecute cybercrimes?
The United States Congress passed the Computer Fraud and Abuse Act (18 USC 1030); 18 USC 2701 which punishes unlawful access to stored communications; 18 USC 2702 which prohibits divulging to any person the contents of a communication while in electronic storage; and 18 USC 2703 which allows government disclosure of the contents of electronic communications but only upon valid order of a court pursuant to a warrant.

After the terrorist attacks of September 11, 2001, the US Congress enacted the USA Patriot Act. This is a comprehensive legislation aimed specifically at countering the threat of terrorism, including cyber terrorism. The new law gives sweeping powers to both domestic law enforcement agencies of the US Government and US international intelligence agencies to help thwart terrorist attacks. The Patriot Act expands all four traditional tools of surveillance-wiretaps, search warrants, pen/ trap orders and subpoenas-to make it easier for US law enforcement and intelligence agencies to combat terrorism. For instance, the US government may now spy on Web surfing of Americans by merely telling a judge that the spying could lead to information that is “relevant” to an ongoing criminal investigation.

The Patriot Act likewise made two changes on how much information the government may obtain about users from their ISPs. First, Section 212 of the law allows ISPs to voluntarily hand over all “non-content” information to law enforcement with no need for any court order or subpoena. Second, Sections 210 and 211 expand the records that the government may seek with a simple subpoena to include records of session times and durations, temporarily assigned network addresses, means and sources of payments, including credit card or bank account numbers.

Are there intergovernmental efforts at combating cybercrimes?
The 41-nation Council of Europe has approved a Convention on Cybercrime. The treaty provides for the coordinated criminalization of the following:


 * 1) Offenses against the confidentiality, integrity, and availability of computer data and systems, such as illegal access, illegal interception, data or system interference, and illegal devices;
 * 2) Computer-related offenses like computer-related forgery and computer-related fraud;
 * 3) Content-related offenses like child pornography; and
 * 4) Copyright-related offenses.

The Treaty also urges its members to enter into cooperative efforts, through mutual assistance, extradition agreements and other measures, in order to combat cybercrime. The call for international cooperation is important given the fact that cybercrimes do not respect State, sovereign or national borders.

Similarly, the Asia Pacific Economic Cooperation (APEC) has endorsed the following action items to combat the growing threat of cybercrime:


 * immediate enactment of substantive, procedural and mutual assistance laws relating to cyber security;
 * making cybercrime laws as comprehensive as those proposed in the Council of Europe Cybercrime Convention;
 * assistance between and among the economies in developing threat and vulnerability assessment capabilities;
 * security and technical guidelines that can be used by governments and corporations in their fight against cybercrime; and
 * outreach programs to economies and consumers regarding cyber security and cyber ethics.

The member-countries of the Association of Southeast Asian Nations (ASEAN) have agreed to create an ASEAN Network Security Coordination Center that will help combat cybercrimes and cyber terrorism. Computer emergency response teams (CERTs) will also be established in each ASEAN country to serve as early warning systems against viruses. The ASEAN nations will likewise focus on strengthening their respective ICT infrastructure to attract more investors.

Are there anti-cybercrime efforts in developing countries?
In the Philippines, the E-commerce Act also penalizes hacking or cracking, as well as the introduction of viruses.

Malaysia’s Computer Crimes Act of 1997 penalizes unauthorized access to computer material, unauthorized access with intent to commit an offense, unauthorized modification of the contents of a computer, and wrongful communication.

The Computer Misuse Act of Singapore criminalizes unauthorized access to computer material, access with intent to commit or facilitate an offense, unauthorized modification of computer material, unauthorized use or interception of computer service, unauthorized obstruction of use of computers, and unauthorized disclosure of access code.

In India, the Information Technology Act of 2000 prohibits tampering with computer source documents and hacking.

What lies ahead in the fight against cybercrimes?
It is thought that the best tool against cyber attacks and cybercrimes is still prevention. Available to many corporate users are a host of technologies that prevent, if not minimize, the occurrence of these attacks. Some of these are firewalls, encryption technologies, and public key infrastructure systems.

Aside from legislation, adequate resources must be provided to law enforcement agencies so that they can acquire the tools, equipment, and know-how necessary for the successful defense of network systems from cyber attacks. Laws to combat cybercrimes are useless if law enforcement agencies do not have the education and training necessary to even operate a computer. Judges, too, must be trained.

In addition, consultation, coordination and cooperation between and among governments and the private sector are important, in order to harmonize as completely as possible measures, practices, and procedures that will be utilized in combating this problem. Harmonization of laws at the international, regional and national levels is necessary to meet the challenges of a worldwide technology and its accompanying problems.

Who should be involved in preventing cybercrimes?
Security and privacy are not the responsibility of governments alone. There is a need for the private sector to implement user-friendly, self-regulatory policies.

Governments will have to work with industry and other cybercrime advocates to develop appropriate solutions to cybercrime concerns that may not be addressed adequately by the private sector.

An overarching task is to increase awareness at every level of society-in government, in the private sector, in civil society, and even among individuals-of the need for, and the goals of, security, privacy and cybercrime prevention and control. Also needed is awareness of the crimes that are committed in cyberspace and the possible measures against them. Finally, and perhaps most important, it is vital that we develop a social consensus about the proper and ethical use of computers and information systems.