Tuesday, July 1, 2014

3:55 AM

ABSTRACT
Cybercrime is crime that takes place in cyberspace, that is, in the world of computers
(networks or systems) and the Internet. Many people have only a limited
knowledge of cybercrime, yet this kind of crime has the potential for severe impact on
people’s lives and on society, because our society is becoming an information society whose everyday
life is full of information exchange happening in cyberspace. People commit
cybercrime because technology today is cheap, data can be stored in a small space, millions
of people operate systems at the same time through the Internet, evidence is very easy to destroy in
no time, and the slightest negligence by a user creates chaotic conditions.
Corporate officers, governments, the public and business people need cyber
legislation to curb the problem of cybercrime. It is difficult to implement cybercrime laws because of
the difficulty of maintaining jurisdiction, investigation outside those limits, loss of evidence in the form of
computer data, and the need of a cyber army for highly technical people. Damage to computer data
causes computers and computer programs not to function properly, and destroys the data
itself. Data used in cyberspace is like property used in the traditional way. This study
paper discusses "Damage to data."
1.0 INTRODUCTION
This study paper covers the background of cybercrime and its types, followed by
damage to data, modes of access to data, impairment of data, ways to damage data, the victims of
damage to data, hacking, who a hacker is, and types of hackers. It then considers how a computer virus can damage
a computer system, and the question of the tangibility and intangibility of data. Lastly, the paper
concludes with some final thoughts in the form of a conclusion and recommendations.
1.1 Background
The history of computer-related crime begins with the history of computers. The first published
account of computer manipulation, sabotage, espionage, and the illegal use of computer systems dates back to the published press and scientific literature of the 1960s.[1] These early computer
crimes differed from cyber crimes in type and scale: early computers were dedicated mainframes
and users were generally directly wired into the computers. Thus, early computer crime cases
were characterized by authorized users manipulating computer programs to, for example, steal
money from a bank or other employer. Other typical early computer crimes included attacks on
telephone systems and networks or diversion of money through electronic funds transfers.
Because early users of computers were highly centralized and not very interconnected, the
opportunity for computer crime tended to be limited to misuse of systems by authorized users.
The nature of early computer offenses likewise was limited by the talents of the users and the
nature of the non-distributed computer systems.

[1] ULRICK SIEBER, LEGAL ASPECTS OF COMPUTER-RELATED CRIME IN THE INFORMATION SOCIETY, COMCRIME Study prepared for the European Commission 19 (Jan. 1998), http://europa.eu.int/ISPO/legal/en/comcrime/sieber.doc

Prosecutors and judges were forced to deal with computer miscreants by resorting to ordinary
criminal law concepts of theft, destruction of property, trespass and criminal mischief. At that
time, computers tended to be large, dedicated stand-alone machines, and access was generally
restricted by limiting access to the physical terminals which were connected to the mainframe
computer. As a result, virtually all computer crimes were committed by insiders or quasi-
insiders. Legitimate computer users with authorized access to the computers, software
developers, vendors and other authorized users were the primary perpetrators of these computer crimes. . . .[2]
1.2 Cybercrime
“Cybercrime,” “computer crime,” “Information Technology crime,” and “high-tech crime” are
often used interchangeably to refer to two major categories of offenses. In the first, the computer
is the target of the offense; attacks on network confidentiality, integrity and/or availability, i.e.
unauthorized access to and illicit tampering with systems, programs or data, all fall into this category.[3] The other category consists of traditional offenses, such as theft, fraud, and forgery, that
are committed with the assistance of or by means of computers, computer networks and related information and communications technology.[4] Computers can also play an incidental role in the
commission of a traditional offense, as, for example, when a blackmailer uses a computer to
generate blackmail letters (or emails) or a drug dealer uses Quicken to track his drug purchases and sales.[5] Cybercrimes range from economic offenses (fraud, theft, industrial
espionage, sabotage and extortion, and product piracy) to infringements on privacy, propagation
of illegal and harmful content, facilitation of prostitution and other moral offenses, and organized crime.[6] At its most severe, cybercrime borders on terrorism, encompassing attacks against human
life and against national security establishments, critical infrastructure, and other vital veins of
society.

[2] MARK D. RASCH, THE INTERNET AND BUSINESS: A LAWYER’S GUIDE TO THE EMERGING LEGAL ISSUES, Chapter 11 (Criminal Law and the Internet) § II (1995), available at http://www.swiss.ai.mit.edu/6805/articles/computer-crime/rasch-criminal-law.html.
[3] Marc D. Goodman, Why the Police Don't Care About Computer Crime, 10 HARV. J.L. & TECH., 465, 468-469 (1997), available at http://jolt.law.harvard.edu/articles/10hjolt465.html. See also Criminal Threats to E-Commerce 17, INTERPOL, Jan. 2001
[4] Ibid

2.0 DAMAGE TO DATA
"Data" means a representation of information, knowledge, facts, concepts, computer software,
computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.[7] Data are the quantities,
characters, or symbols on which operations are performed by a computer, being stored and
transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical
recording media.[8]
“Computer data” refers to any representation of facts, information, or concepts in a form
suitable for processing in a computer system including a program suitable to cause a computer
system to perform a function and includes electronic documents and/or electronic data messages, whether stored in local computer systems or online.[9] Also, “damaged data” refers to any compressed file which has been altered in some part.[10]
Damage to data means impairment to the integrity or availability of data or a program, or a system of information.[11] Impairment is caused by deleting data, modifying data,
concealing data, destroying computer data and creating unsolicited data, which cannot be
retrieved. “Damage to Computer Data or Computer Programs” is the erasure, damaging, deterioration or suppression of computer data or computer programs without right.[12]

[5] Goodman, supra note 1
[6] Criminal Threats to E-Commerce, supra note 35, at 17
[7] Larceny [484. - 502.9.], http://codes.lp.findlaw.com/cacode/PEN/3/1/13/5/s502, OK Electronic Crime Statutes (http://www.lsb.state.ok.us)
[8] "Data". Oxford Dictionaries. Retrieved 2012-10-11
[9] Ibid, section 3(e)
[10] Bora P., Antonio S., Paolo G., Jungheum P., Seok H. L. and Sangjin L., Center for Information Security Technologies, Korea University, Seoul, Korea, Pg. 90
[11] United States Code Act, section 3 (l)

Damage is defined as “any impairment to the integrity or availability of data, a program, a system, or information.”[13] Although this definition is broad and inclusive, as the use of the word
“any” suggests, the definition differs in some ways from the idea of damage to physical property.[14] Damage occurs when an act impairs the integrity of data, a program, a system, or
information. This part of the definition would apply, for example, where an act causes data or
information to be deleted or changed, such as where an intruder accesses a computer system and deletes log files or changes entries in a bank database.[15] Similarly, “damage” occurs when an
intruder changes the way a computer is instructed to operate. For example, installing key logger
software on a home computer can constitute damage. Damage also occurs if an intruder alters the security software of a victim computer so that it fails to detect computer trespassers.[16] In United States v. Middleton,[17] for example, part of the damage consisted of a user increasing his
permissions on a computer system without authorization. The definition of damage also includes
acts that simply make information or computers “unavailable.” Intruders have devised ways to
consume all of a computer’s computational resources, effectively making it impossible for
authorized users to make use of the computer even though none of the data or software on the
victim computer has been modified. Similarly, a “denial of service attack” can flood a
computer’s Internet connection with junk data, preventing legitimate users from sending or receiving any communications with that computer. In Netdating v. Mitchell,[18] the court granted a temporary
restraining order where the defendant installed code on the plaintiff’s web server that diverted certain
users trying to access the plaintiff’s website to a pornography website.
Anyone possessing a degree of familiarity with computers and their methods of operation will be
only too aware of how fragile is the hold on its electronic life of any piece of data. The accidental
depression of a key or the placing of a computer disk in undue proximity to a magnetic field as
produced by electrical motors, or even telephones, can speedily consign data to electronic oblivion. To the risks of accidental damage must be added those of deliberate sabotage.[19]

[12] CyberWar, RESEARCH-PAPERS.COM, at http://www.research-papers.com/papers/tech2.shtm
[13] 18 United States Code Act § 1030(e)(8).
[14] This definition contains several concepts that allow section 1030(a)(5) to apply to a wide variety of situations.
[15] Ibid
[16] Ibid
[17] 231 F.3d 1207, 1213-14 (9th Cir. 2000)
[18] 88 F. Supp. 2d 870, 871 (N.D. Ill. 2000)

The vulnerability of computer users to such events is not questioned. Once again, our concern
must be with the legal consequences which may follow such behaviour. The basic scenario
involves a party altering or deleting data held on a computer system, such action taking place
without the consent of the system owner. Within this, a wide range of activities can be identified.
At the most basic level, the perpetrator may use a “delete” or “reformat” command or even bring a magnet into close proximity to a computer storage device.[20]
Such actions may be carried out for a variety of motives. In some cases, such as that at issue in R v. Thompson,[21] amendment of data may be a component of a
scheme of fraud. Other actions may be driven by the intent to cause disruption to the computer
owner’s activities. This might involve the manipulation of computer programs through, for
example, the insertion of logic bombs, which cause a computer to function in a manner desired
by the perpetrator rather than its owner, whilst an ever-expanding range of computer viruses
presents a continual threat to the well-being of computer owners.
During the 1980s, a number of cases involving damage to data had been prosecuted as a form of criminal damage under the Criminal Damage Act 1971.[22] The appropriateness of this approach was confirmed by the Court of Appeal in the case of R v. Whiteley.[23] Here, a computer hacker
had accessed a computer network and, inter alia, deleted a number of files. Upon being detected,
he was prosecuted and convicted of the offence of criminal damage. Appealing against
conviction, it was argued that his conduct had not caused any tangible form of damage to the
victim computers. Rejecting this contention, the Lord Justice ruled that:
What the Act requires to be proved is that tangible property has been damaged, not necessarily that the damage itself should be tangible. There can be no doubt that the magnetic particles upon the metal disc and if the appeal was proved to the intent and without lawful excuse altered the particles in such a way as to cause an impairment of the value or usefulness of the disc to the owner, there would be damage within the meaning of section 1. The fact that the alteration could only be perceived by operating the computer did not make the alterations any the less real, or the damage, if the alteration amounted to damage, any the less within the ambit of the Act.[24]

[19] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 232
[20] Ibid
[21] [1990] 2 S.C.R. 1111
[22] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 232
[23] (1991) 93 Crim App Rep 25

By the time the judgment was handed down, the point was of little practical relevance. In its final
report, the Law Commission had indicated that the difficulty had been encountered by:
The police and prosecuting authorities who have informed us that, although convictions have been obtained in serious cases of unauthorised access to data or programs, there is recurrent (and understandable) difficulty in explaining to judges, magistrates and juries how the facts fit in with the present law of criminal damage.25
The Law Commission recommended the establishment of an offence of causing an unauthorised
modification to a program or data held on a computer and this was implemented in section 3 of
the Computer Misuse Act. The section was amended by the Police and Justice Act 2006 to take
account of the provisions of the Cybercrime Convention and the Framework Decision. Article 4
of the Cybercrime Convention provides that:
1. Each party shall adopt such legislative and other measures as may be necessary to
establish as criminal offences under its domestic law, when committed intentionally, the
damaging, deletion, deterioration, alteration, suppression, of computer data without right.
2. A party may reserve the right to require that the conduct described in paragraph 1 result
in serious harm.
Also relevant in this context are the provisions of Article 5, which provides that:
Each party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deletion, deterioration, alteration or suppression, computer data.
There is considerable overlap between the two provisions.[26] The explanatory report
accompanying the convention indicates that the intention of Article 4 is to provide
computer data and computer programs with protection similar to that enjoyed by corporeal
objects against intentional inflictions of damage, and continues: “the input of malicious codes,
such as viruses and Trojan horses is, therefore, covered under this paragraph, as is the resulting modification of the data.”[27] Article 5 is also relevant to the situation where viruses
impair the operation of computers but it will additionally apply to so-called denial of service
attacks.

[24] Ibid. at 28
[25] Law Commission No. 186 (1986), Para 2.31
[26] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 233
[27] At paras, 60-61

For the United Kingdom, section 36 of the Police and Justice Act replaces section 3 with a
new and broader provision headed “unauthorized acts with intent to impair operation of
computer”. This provides that:
1. A person is guilty of an offence if-
a) He does any unauthorized act in relation to computer;
b) At the time when he does the act he knew that it is unauthorized; and
A person convicted of the offence may be sentenced to a maximum of 12 months imprisonment
on summary conviction (6 months in Scotland) or ten years on indictment.
The concept of an unauthorized act encompasses the addition of data as well as its alteration or
erasure. A modification will be regarded as unauthorized if the person causing it is not authorized so to act or does not possess the consent of a person who is so entitled.[28] Again the
possibility of different categories of rights and privileges attaching to different users must be
borne in mind. Typically, an employee or a student may be entitled to use the facilities of a computer system but will not be entitled to delete any portions or to add any program.[29]
The effect of the unauthorized act must be:
(a) To impair the operation of any computer
(b) To prevent or hinder access to any program or data held in any computer
(c) To impair the operation of any such program or the reliability of any such data
(d) To enable any of the things which impair the operation of any computer, and impair the
operation of any such program or the reliability of any computer data.[30]
The 1990 Act provides that, as with the unauthorised access offence, the prosecution would have to
demonstrate that an accused person had acted intentionally. The 2006 modifications reduce the
burden somewhat in requiring that conduct may be either intentional or reckless as to whether impairment will be caused.[31]
At the most basic level of activity, this provision would apply in the situation where a user
intentionally causes the deletion of programs or data held on a computer. The manner in which
this is accomplished will be immaterial. At the simplest level, the user may operate delete functions so as to remove the program or data.[32] In the first prosecution brought under this provision
of the Computer Misuse Act 1990, the accused had installed a security package on a computer
belonging to a firm which he claimed owed him some $2,000 in fees. The effect of the installation
was to prevent the computer being used unless a password was entered. As this was not
disclosed, the computer was effectively rendered unusable for several days with resultant losses estimated at some $36,000. The accused was convicted and fined $1,650.[33]

[28] Computer Misuse Act, 1990, s. 17
[29] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 234
[30] Section 3 (2)
[31] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 234

An offence may also be committed when data is added to the computer system. One instance of
this occurs when a computer is infected with a virus. The offence will also be committed
where logic bombs or other programs are added to the computer system with the intent that these
will operate so as to cause inconvenience to the computer user. In one instance, an IT manager
added a program to his employer’s system which had the effect of encrypting incoming data. The
data would automatically be decrypted when it was subsequently accessed. The manager left his
employment following a disagreement and some time later the decryption function ceased to
operate. Once again, the effect was to render the computer unusable. Despite claims that the
encryption function was intended as a security device and that the failure of the decryption
facility was an unforeseen error, the manager was convicted of an offence under the Computer Misuse Act 1990.[34]
A further case brought under the legislation concerned a contract for the supply of bespoke
software. The customer was late in making payment for the software and shortly afterwards it
stopped working. It transpired that the supplier, anticipating possible problems with payment,
had inserted a timelock function. Unless removed by the supplier upon receipt of payment, the
software would stop working from a specified date. This conduct resulted in prosecution and conviction under the unauthorized modification offence.[35]

[32] The use of such commands may well remove details of the programs or data from any directories. The program or data will not be removed at that stage, the effect of the command being to render it liable to being overwritten as further programs or data are added to the computer. Such conduct will constitute the unauthorised modification offence, even though the ‘Damage’ may be recoverable.
[33] R v. Whitaker (1993) Scunthorpe Magistrates Court. Details of this and a range of other prosecutions under the Computer Misuse Act 1990 are reported in R. Battcock, ‘Prosecutions under the Computer Misuse Act’, Computers and Law 6 (1996), pg. 22
[34] Battcock (1996), pg. 22
[35] Ibid

The issues raised in this case are undoubtedly less clear-cut than a number of other prosecutions
brought under the Computer Misuse Act. It was argued that the use of such timelocks was a
legitimate response to the failure of the customer to meet the contractual obligation to pay for the
software. A further point which does not appear to have been raised was whether the supplier
would retain sufficient intellectual property rights in the software to be entitled to control its
continued use. It could also be argued that the action would have been lawful had notice been
given to the customer of the fact that the software would stop working if payment was not made timeously.[36]
It may be that the drafting of the offence is sufficiently broad to make the mere act of
unauthorized use illegal. An example might concern an employee who types a private letter
using their employer’s computer. As section 3 (5) of the Computer Misuse Act states that the fact
whether a modification is permanent or temporary is immaterial, it would not even appear that
there is a necessity for the text of the letter to be stored on a computer. In the event that a portion
of text is stored on a computer’s hard disk, utilizing only a minuscule fraction of the disk’s
storage capacity, any degree of impairment of the computer’s capabilities will be similarly
minute. The Act, however, does not require that the degree of impairment be substantial or
significant. Such conditions would add further levels of complexity and uncertainty to the task of
defining the scope of the legislation. It is to be recognized, however, that the doing of an
unauthorized act constitutes only one element of the offence and that the prosecution is required,
additionally, to establish that the party responsible intended to impair the operation of the computer or was reckless as to whether an impairment was caused.[37] In addition to proscribing
acts impairing the operation of a computer, the unauthorized act offence may be committed where the act impairs the reliability of data. A
possible scenario might involve an individual giving false information with a view to causing the
modification of an unfavourable entry on a credit reference agency’s files. This might render
unreliable the data held on the computer and, as such, may constitute an offence under section 3.
Taking the concept of an unauthorised modification as a whole, it would seem clear that the
offence might be committed by a person who creates a computer virus and sends it out into the
world with the intention that it will infect other computers. The Computer Misuse Act provides
in this respect that:
1. The intent need not be directed at:-
(a) Any particular computer
(b) Any particular program or data or a program or data of any particular kind or
(c) Any particular modification or a modification of any particular kind.

[36] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 235
[37] Section 2 (2)

The virus creator will therefore cause the modification of any computer which is infected, even
though they may not be directly responsible for the infection of any particular machines, this
being brought about by an unsuspecting (or even reckless) authorised user. To this extent, the
phrase ‘to cause’ must be interpreted in two senses: in respect of the act which causes the effect and also of the act which is proximately responsible for its occurrence.[38]
One of the most publicized cases brought under the Computer Misuse Act involved the
prosecution of Christopher Pile. Using the pseudonym ‘Black Baron’, the accused was reported
as having told detectives that ‘he had wanted to create a British virus which would match the
worst of those from overseas’. A number of viruses were created by Pile and concealed in
seemingly innocuous programs which he published on the internet; from there they would infect
any computer onto which they were downloaded. It was estimated that the effects of the virus
cost companies in the region of $500,000 and Pile secured the dubious distinction of being the
first virus writer convicted under the Act, being sentenced to a term of eighteen months’ imprisonment.[39]
Whilst there was no doubt that the original section 3 offence was an effective tool against those
disseminating viruses, conduct involving denial of service attacks was widely perceived as more problematic. The All Party Internet Group, in its report on the Computer Misuse Act,[40] reported
that:
Almost every respondent from the industry told us that the CMA is not adequate for dealing with
DoS and DDoS attacks, though very few gave any detailed analysis of why they believed this to
be so. We understand that this widespread opinion is based on some 2002 advice by the Crown Prosecution Service (CPS) that section 3 might not stretch to including all DoS activity.[41]
In contrast to the government, many academic lawyers and also, we understand, the NHTCU
(National High Technology Crime Unit), believe that s3 is sufficiently broad to cover DoS

[38] Ian J. Lloyd, INFORMATION TECHNOLOGY LAW, Oxford University Press, 6th Edition, 2011. Pg. 236
[39] M2 Presswire, 24 March 1997
[40] Available from http://www.apcomms.org.uk/apig/archive/activities-2004/computer-misuse-inquiry/CMA ReportFinalVersion1.
[41] Ibid
