This article explores the concept of what is 'effective' or 'adequate' legislation to deal with computer insecurity and concludes that this will vary amongst sectors — government, military, banking, commercial, etc.
The Internet brings with it unprecedented potential for the positive development of our society.
The ability to disseminate information and to communicate almost instantaneously has already revolutionised numerous facets of our lives and will continue to do so.
Simultaneously, the computer and related activities or use enormously provide effective tools and mechanisms for individuals and groups who seek to conduct unlawful activity.
People have often argued that each advance in technology has brought new means which traditional crimes could be committed. So it is with the computer.
Recent developments at the Electoral Commission (EC) of Ghana regarding the issue of the bloated voters register in certain parts of the country raises the fundamental questions of computer and Internet crimes and how it can properly be dealt with by law.
The EC and the NDC argument on the issue of the doctored disk is the best case scenario for this exercise and probably sets the tone for the various arms of government especially the legislature and stakeholders to consider either a specific legislation that prosecutes individuals for Computer Misuse and Data Protection violations or consider amendment of the already existing Acts to effectively deal with computer and Internet-related crimes, which often contain wording to the effect that those responsible for data processing operations, such as company directors, data controllers, data processors etc. are under a statutory duty to take adequate, appropriate or effective technical security measures to protect data against accidental or unlawful destruction or alteration, and unauthorised access or disclosure. Examples of such legislation include:
• The Data Protection Act
• The Companies Act
• The Financial Service Act
So what is meant exactly by the term “effective”, “appropriate” or “adequate” computer security and how can one quantify this metric? And with the new means of facilitating mass communication comes the ability to commit crimes inexpensively, quickly, and across enormous geographical space.
The question then is:
The domestic criminal law in any civilised legal system is as important as, if not more important than, any computer specific legislation in the battle against cyber crime. But such a system does not necessarily hold all of the answers.
Critical analysis of what crime is, how crime is committed and how criminals are punished can best determine the above question.
Crime, in any well-organised, civilised legal system or society is defined as any unlawful activity or default that is an offence against the public and renders the person guilty of the act liable to legal punishment.
Criminal law suit are normally initiated by the state through the recommendation of the Attorney-General's Department or the office of the Director of the Public Prosecutions (DPP) or the police in most countries.
There are two main sources of law that can be used to prosecute computer-related crimes.
These are common laws and the statutory laws. To establish any form of criminal act against any accused person three elements come into play i.e. the actus reus and the mens rea and in some countries no defence.
Cyber crime — what is it?
Just as any other normal crime it is any unlawful conduct that involves the use of a computer or computer device for unlawful purposes. Domestic or traditional crimes such as fraud, data and privacy, computer hacking, crimes of dishonesty, child pornography and sexual crimes, offences against property, deformation, drug trafficking, road traffic offences, etc. are increasingly evident that crimes of this nature are now highly sophisticated, much more easily to commit with the aid of the Internet, computers and its related components than before and difficult to define when one commits it, hence the need for specific computer legislation to combat these crimes.
Case analysis in relation to computer crimes:
Crimes of dishonesty
In most cases when one commits a crime by using a computer or the Internet, the objective will be to simply break into a computer in order to get a thrill out of being able to do so, and do not wish to gain any tangible benefit from the act.
Such crimes can best be dealt with under a specific Computer Misuse Legislation. However, computer crime is often aimed at securing some positive gain, other than simply breaking into a system.
On occasions, the aim is to benefit financially, and in such cases a crime of dishonesty may be committed.
There are two main types of such crime that may affect computer activities: Theft and Fraud.
Theft: or stealing is defined according to the laws of Ghana as: The … taking or appropriation of the property of another without the consent of the owner and with the intention to deprive him of that property.
This definition is recognised in any or all jurisdictions. However, going by this definition, according to the law of Ghana, this will not be enough a law to deal with theft committed with the use or aid of a computer.
For example, it will be very difficult to hold one responsible for copying a document from the computer, since he will not permanently deny the owner of his/her property even though he might be taking it without his knowledge, because, there must be an intention to deprive the owner of the computer work under the definition of the law of theft.
Intention here is again relevant in establishing a criminal act, the person downloading or copying must have an intention not to return the document.
For instance, where a hacker gains access to a computer or computer network and removes some files from it simply to look at them as long as he intends to return them will not be committing the act of theft. Even though he took or committed the act without the knowledge or permission of the owner.
Fraud, data and privacy
Some of the topics that provide the main examples of conduct that may generally attract criminal sanctions in non-computer content are fraud and of damage to data.
Debatable areas are whether the act of obtaining unauthorised access to information held on a computer (commonly referred to as hacking) should be criminalised in the situation where the act of obtaining access does not serve as the precursor to further aggravating conduct such as the deletion and amendment of data or the evasion of access charges.
Deception and false pretence
The fact that the only contact may be with a computer was not constituted to pose any significant problems.
The offence of obtaining service by means of a 'false pretence' would be committed; if the intention is to deceive, the offence will be committed and the fact off whether the conduct operates upon a human or a machine is irrelevant.
The scope of the unauthorised access offence
Although in terms of its penalties, the unauthorised access offence is the last least significant of the new provisions, its linkage with other provisions makes it the most critical element of the UK's Computer Misuse legislation. The offence is defined in section one of the act, which provides that:
A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any programme or data held in any; the access he intends to secure is unauthorised; and that he knows at the time that it is unauthorised. In common with other statutory interventions no attempt is made to define any of the more technical terms referred to in the legislation.
It is clear from existing cases that the question of whether such access is authorised or not is determined by reference to the state of mind of the computer owner and/or of the person entitled to control access.
Next comes the question of whether access is authorised, in view of recent developments at the Electoral Commission of Ghana.
In the degree of intent that must be ascribed in any legislation for a person to be charged with this kind of offence.
Unauthorised use by authorised user
Distinction should be made clear in any specific computer legislation to prohibit unauthorised access because a lot of legislation does not strike at the situation where access is authorised but the use to which it is put is unauthorised.
For example, the use of an office machine for private activities will not impose an employee to criminal sanctions and it will be most inequitable to alter that situation merely because the machine was used.
There may, however, be situations where such approach may limit the effectiveness of any computer legislation.
Therefore, many computer hackers who are often quiet young and possibly in school attempt to gain access to other people's computers simply because of the intellectual and technical challenges that activity present.
Although I am not sympathetic to the view that unauthorised hacking should be encouraged, so long as it is only for intellectual exercise I recognise that as a matter of public policy it is probably preferable that any act that would be considered an offence should have a semblance of mischief.
By Abed Bandim
SSNIT must be managed without gov’t interference – Austin Gamey
Ejisu by-election could go either way between NPP and independent candidate — Gl...
We never asked ministers, DCEs to bring NPP apparatchiks for returning officer r...
No one denigrated the commission when you appointed NDC sympathizers during your...
Used cloth dealers protests over delayed Kumasi Central Market project
A/R: Kwadaso onion market traders refuse to relocate to new site
Dumsor: Corn mill operators at Kaneshie market face financial crisis
Jamestown fishermen seek support over destruction of canoes by Tuesday's heavy d...
Election 2024: EC to commence voter registration exercise on May 7
Public schools rebranding: We’re switching to blue and white, we’re painting all...
