Key features of the Computer Crimes Act
The Computer Crimes Bill was recently enacted by Parliament and certified by the Speaker as the Computer Crimes Act No. 24 of 2007. This legislation is the result of numerous contributions from sources such as the CINTEC Law Committee, a Sub-Committee of the Law Commission and the Ministry of Justice. It is being enacted at a time when advancements are being made in the field of Information Communication Technology (ICT) in Sri Lanka, through several development initiatives such as the e-Sri Lanka Project.
Apart from providing a better way of life for society, the rapid growth of ICT raises fundamental questions regarding storage of confidential information, privacy, data protection and crime. Computers are not only targeted for crime but are also important instruments used in the commission of other offences such as theft, fraud, forgery, damage, deletion of business information and sabotage of computer facilities, etc.
The term “Computer Crime” is a generic term used to identify all crimes or frauds that are connected with or related to computers and information technology.
Generally, computer crime consists of three components. They are:
(1) Computer related crimes – computers used as a tool for criminal activity such as theft, fraud, etc.
(2) Hacking offences – which affect the integrity, availability and confidentiality of a computer system or network (also includes the introduction of viruses, worms, etc.).
(3) Content related cyber crime – where computers together with Internet resources are used to distribute illegal data, e.g. Internet based pornography, criminal copyright infringement.
Computer Crimes Act
The Sri Lankan Computer Crimes Act No. 24 of 2007 primarily addresses computer-related crimes and hacking offences. Content related offences are being addressed through a series of changes to the Penal Code and other statutory provisions.
The first class of offences in the Computer Crimes Act criminalizes attempts at unauthorised access to (a) computer or (b) any information held in any computer (Vide Section 3) and doing the same for the commission of any other offence (Vide Section 4). The Act also contains provisions which state that any person who intentionally or without lawful authority carries out a function which has the effect of modification or damage or potential damage to any computer or computer system or computer programme shall be guilty of an offence (Section 5).
The illustrations given in the Act state that for any unauthorised modification or damage or potential damage to take place, any one of the following should occur –
(a) Impairing the operation of any computer, computer system or the reliability of any data or information held in any computer; or
(b) Destroying, deleting or corrupting or adding, moving or altering any information held in any computer;
(c) Making use of a computer service involving computer time and data processing for the storage or retrieval of data;
(d) Introducing a computer program which will have the effect of malfunctioning of a computer or falsifies the data or any information held in any computer or computer system (e.g. viruses, worms, etc.).
Other offences sought to be created include unauthorised obtaining of information from a computer or a storage medium; unauthorised use of computer service and interception of data; selling, importing or distributing any device or computer access code or password for the commission of offences under the Act; providing access information to a service without authority or in breach of a contract.
The new Act introduces a new regime for the investigation of offences. The value of legislating on this subject will be of no effect unless investigations can be done efficiently and effectively.
To achieve this objective, a provision has been included enabling a panel of experts to assist the Police in the investigation of computer crime offences. In terms of the role envisaged for experts, they will assume jurisdiction only when their assistance is called for. The Act gives the experts specific powers, such as visiting the scene of crime for purposes of investigation and accessing and examining computer systems, data or information held in a computer, etc.
The Act also provides for the retention and preservation of information required from computer devices for the purpose of carrying out investigations.
In carrying out investigations, the law prescribes that legitimate business activity using computers should not be hindered and that strict confidentiality should be maintained in respect of data and information.
The introduction of the concept of experts to the Act, together with other provisions, was necessary to ensure that the skilled task of accessing a computer is done only by a person who has the competence to perform an efficient detection while at the same time ensuring that the computer hardware and software are not damaged.
Addressing enforcement needs
The ICT Agency of Sri Lanka (ICTA) has identified and commenced a programme of work to develop capacity in the Police Department so that Police personnel would be well equipped to investigate computer crime. The development of digital forensic labs and the setting up of the Computer Crimes Unit is planned.
For ICT to contribute to economic growth, consumers and other users must have an assurance on the security and trustworthiness of these technologies.
The Computer Crimes Act helps achieve this objective, enabling bona-fide users of technologies to operate in a better environment than before.