“Using computers doesn’t make it any less serious than real-world crime: huge amounts of money can be stolen, big businesses can be brought to a halt and illegal information can be swapped. It does mean, however, that criminals can live far away from their targets, and never leave their bedrooms to commit their crimes.”[1]

INTRODUCTION

Today, cyberspace plays a major role in people’s day-to-day transactions and communication as the fifth space after land, sea, air and outer space[2], a consequence of the digital revolution. Information technology was introduced to fulfil human needs, and it now contributes to e-banking, e-business, communication, education and e-governance. The ultimate fruit of the technology revolution is the advent of the computer and the internet, and its newest dimension extends to smartphones, robots and artificial intelligence. Although the aim of IT is to let people carry out tasks easily and quickly, some people use computers or computer systems to commit crimes; put simply, they misuse the benefits of IT.

There is a slight difference between the terms cyber-crime and computer crime. Computer crime means any criminal act facilitated by computer use, including both internet and non-internet activities[3], whereas cyber-crime is a specific term for any criminal activity committed through the internet[4]. Cyber-crime comes in many different forms and causes great damage to internet users and online businesses. Generally, computer crimes relate to confidentiality, computer-related matters, content-related matters and intellectual property rights; examples include hacking (illegal access), cracking, unlawful modification, illegal interception, computer-related forgery and fraud, identity theft, cyber defamation, cyber pornography, domain name violations and phishing. Furthermore, the rapid growth of the internet threatens international peace and security and calls the sovereignty of states into question, for example through cyber terrorism and cyber-attacks on nuclear control systems.

The misuse of technology has created the need to enact cyber laws to combat computer crimes. However, the specific nature of computer crime called into question the adequacy of the traditional criminal justice system, which was inadequate to cover such crimes.

PECULIAR CHARACTERISTICS OF CYBER OR COMPUTER CRIMES

“Border-less” nature of cyber-crimes: these crimes occur in cyberspace[5]. Once a person enters cyberspace through an internet service provider, there are no geographical borders. This nature conflicts with the sovereignty and territoriality principles of states. Computer crimes thus involve multiple jurisdictions (a transnational nature), and one state cannot fight computer crime alone. Cyber criminals use this deficiency to seek safe havens; for example, Edward Snowden copied and leaked secret information of the US National Security Agency, yet found asylum in Russia.

The information technology world moves fast, the forms of computer crime keep changing, and these crimes occur within seconds; for example, ransomware[6] recently attacked the computer systems of several states within a few minutes.

To investigate computer crime, investigating officers must have adequate knowledge of computer technology, but traditional law enforcement authorities lacked this. Sometimes cyber-criminals have more knowledge than the officers.

Adjudicating computer crime requires proof by digital evidence, and in this regard the traditional evidence system was lacking.

In order to tackle the above challenges, several international and regional bodies have striven to establish international cooperation and harmonization of cyber laws among states.

INTERNATIONAL OR REGIONAL CONVENTIONS FOR INTERNATIONAL COOPERATION AND HARMONIZATION

International cooperation is the key to repressing computer crime, because through it states can assist one another to harmonize cyber laws and share investigation techniques and evidence, which helps to prevent safe havens.

International (Regional) conventions

The Council of Europe: European Convention on Cyber-crime[7] (2001) (Budapest Convention) and its Additional Protocol (2006).

The Shanghai Convention on Combatting Terrorism, Separatism and Extremism (2001).

The League of Arab States: Convention on Combating Information Technology Offences (2010).

Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (2012).

The European Union: Directive on attacks against information systems (2013).

African Union: Convention on Cyber Security and Personal Data Protection (2014).

The Budapest Convention is considered the most relevant international convention for fighting cybercrime to date. As of 2016, 52 states had ratified it. Although the convention was drafted and is regulated by the Council of Europe, non-European countries can also become parties to it[8]. The instrument provides a three-path solution to combat computer crimes: harmonization of cyber laws among the member states, introduction of new investigation techniques and facilitation of international cooperation.

HARMONIZATION OF LAWS

The Budapest Convention strives to remove inconsistencies among the national laws of the member states; for that purpose it requires member states to criminalize the following computer crimes under their domestic laws.

Illegal access to a computer system[9].

Illegal interception of computer data[10].

Illegal interference with computer data[11].

Illegal interference with computer system[12].

Misuse of devices[13].

Computer related forgery[14].

Computer related fraud[15].

Cyber child pornography[16].

Copyright infringements[17].

INVESTIGATION PROCEDURES UNDER THE BUDAPEST CONVENTION

The Budapest Convention provides the following procedures and powers for law enforcement bodies, which the parties are required to adopt under their domestic law.

Expedited preservation of stored computer data: enables the authorities to order or obtain the preservation of specific digital information already stored[18]. It likewise allows them to obtain traffic data[19].

Production order: imposes a duty on a person or service provider to disclose information[20].

Search and seizure: enables authorities to search a computer or other data storage device[21].

Real time collection of traffic data[22] and content data[23].

Article 15 is an important arrangement: it requires the member states to balance the investigation procedures with human rights and liberties on the basis of the proportionality doctrine.

ARRANGEMENT FOR INTERNATIONAL COOPERATION

Jurisdiction: Article 22 requires the member states to establish the application of their domestic law in the following cases: where the offence is committed in its territory, or on board a ship flying the flag of that Party, or on board an aircraft registered under the laws of that Party, or by one of its nationals, if the offence is punishable under criminal law where it was committed or if the offence is committed outside the territorial jurisdiction of any State.

However, this provision is criticized for failing to address positive jurisdiction conflicts (situations where more than one country claims jurisdiction over a crime).

The Budapest Convention makes arrangements for extraditing cyber criminals from one party to another[24].

Several provisions of the Budapest Convention enable mutual legal assistance not only in investigation and prosecution but also in the collection of evidence in digital form[25].

In addition, the following special arrangements are provided to support international cooperation.

Sharing confidential matters between member states[26].

One member state can request another to expeditiously preserve data for investigations[27].

One state can request another state to disclose traffic data of service providers[28].

Article 32 permits a member state to access computer data (open source) of another state without authority.

Another important tool is the establishment of a network of national contact points for assistance and collection of evidence available on a 24/7 basis[29].

THE SRI LANKAN LEGAL FRAMEWORK ON COMPUTER CRIME

Orthodox offences of theft and criminal trespass under the Penal Code of Sri Lanka are inadequate to criminalize computer crime, as was evident from the case of Nagaiya v Jayasekara[30].

To overcome the deficiencies and fill the gaps, Sri Lanka has introduced several statutes, such as the Information and Communication Technology Act No 27 of 2003, the Payment and Settlement Act No 28 of 2005, the Payment Device Frauds Act No 30 of 2006, the Electronic Transaction Act No 19 of 2006 and, significantly, the Computer Crime Act No 24 of 2007, which was enacted to criminalize computer crimes.

Moreover, in 2015 Sri Lanka became a party to the Budapest Convention, the first accession from South Asia and the second from Asia. Although the Computer Crime Act was enacted before the accession, it was modeled on the Budapest Convention and most of its provisions comply with it.

EFFECTIVENESS OF THE SRI LANKAN COMPUTER CRIMES ACT

The effectiveness of an Act depends on whether it has achieved its objectives. The objectives (preamble) of the Computer Crime Act are the identification of computer crimes, the provision of investigation procedures and the prevention of such crimes.

Does the Sri Lankan Computer Crime Act adequately identify computer crimes?

The Computer Crime Act provides for the offences of hacking (illegal access)[31], cracking[32], unlawful modification[33], offences against national security[34], dealing with unlawfully obtained data[35], illegal interception of data[36], using illegal devices[37] and unauthorized disclosure of information[38], which are adequately consistent with the Budapest Convention under the heading of computer-integrity offences[39].

However, the Sri Lankan Act fails to deal with computer-related crimes such as computer-related forgery and fraud.

Moreover, Article 9 of the Budapest Convention requires the parties to criminalize offences related to cyber child pornography. The Computer Crime Act does not touch this offence; however, sec 286A of the Sri Lankan Penal Code and the Obscene Publication Ordinance adequately deal with this issue. Even so, there is no specific provision for cyber child pornography when committed on the internet. In addition, Article 10 of the Budapest Convention requires the parties to criminalize copyright infringements, and the SL Intellectual Property Act adequately deals with this issue.

Furthermore, cyber defamation, identity theft, cyber bullying and cyber stalking are the most prevalent offences in Sri Lanka, but the Computer Crime Act is silent on them.

A further point is that the offences under the Computer Crime Act are based entirely on the principle of unlawful access, so the Act fails to cover situations where information or data is obtained by lawful access but misused for unauthorized purposes (for example, cookie issues).

Even though the SL Act fails to address several computer crimes, it adequately complies with the offences under the Budapest Convention.

Does the SL Act provide adequate investigation procedures and safeguard measures?

The Computer Crime Act introduced new procedures in addition to the ordinary criminal procedures, and every offence under the Act is a cognizable offence[40]. A further significant arrangement is that the government can appoint a panel of experts to assist police officers[41].

The SL Act complies with the Budapest Convention (Art 16-21) and provides special powers to investigating officers, such as the power of search and seizure, which includes interception and real-time collection of traffic data[42], and the power to request preservation of information[43].

However, some procedures have to be strengthened based on international standards.

In compliance with Art 15 of the Budapest Convention, the SL Act strives to ensure the right to privacy of victims[44]; however, it has been drafted narrowly.

Furthermore, the government has established the computer crime division of the police department and a computer emergency response team for the purpose of effective enforcement.

Does the SL Act adequately deal with multi-jurisdictional issues and extradition problems?

In compliance with Article 22 of the Budapest Convention, the Computer Crime Act has a wide scope of application regardless of geographical borders and nationality[45].

Sec 27 enables the extradition of cyber criminals among the states.

The above provisions will not function effectively without international cooperation among states; one state cannot fight computer crime alone.

Moreover, the SL Act enables mutual assistance of states for investigation and prosecution of cybercrime through the Criminal matters Act 2002[46].

Furthermore, Sri Lanka’s accession to the Budapest Convention enables it to obtain mutual legal assistance from other member states, through which Sri Lanka can combat computer crime.

Although the SL Computer Crimes Act adequately complies with the Budapest Convention as regards identification of crimes, investigation procedures and jurisdictional issues, its implementation remains at a low level due to the following practical issues.

Lack of reporting of cyber crimes: victims are concerned about their privacy.

Experts are not willing to assist investigation procedures.

Today, most violations happen on social media (Facebook), but organizations are unwilling to provide information (IP addresses).

Lack of trained cyber cops in Sri Lanka.

Lack of a digital forensic lab to investigate and collect digital evidence.

Judges and lawyers are not familiar with this field.

Lack of awareness among the people regarding cyber crimes.

Sri Lanka’s existing legal framework on cyber crime is theoretically effective, but it is lacking in technical (internet security) and intelligence matters. The Computer Crime Act and the Budapest Convention deal only with defining offences and with investigation after an offence has been committed and reported. Thus Sri Lanka needs to enact laws regulating internet usage and security in order to take precautionary action against cyber crime. Examples include the US Communications Decency Act, which attempts to regulate children’s access to obscene material on the internet; the US Child Online Protection Act, which requires commercial websites to verify the age of users before giving access to sexually explicit material; and the US Children’s Internet Protection Act, which requires schools and libraries to install pornography-blocking software. However, some states have enacted very strict laws (China has blocked Facebook, YouTube and Twitter; the Internet Content Filtering Ordinance of South Korea), which are not proportionate action.

CONCLUSION AND RECOMMENDATION

The transnational nature of cyber crime called into question the adequacy of traditional criminal law, because such crime can only be tackled through international cooperation. The Budapest Convention strives to improve European and international cooperation against cyber crime through the harmonization of cyber laws, investigation techniques and mutual assistance. Compared with other regional conventions, it has enabled positive initiatives (harmonization) to combat cyber crimes, and many states, including some non-European countries, have drafted their national cyber laws on its basis[47]. However, the convention is criticized for failing to establish adequate guarantees for due process and human rights[48]. Moreover, its actual implementation is not effective, because the majority of the states with the highest numbers of internet users have not ratified it (India, Russia, UK, Brazil and South Korea)[49]. In future, if more states ratify the convention, that will help to effectively prevent safe havens for cyber criminals. Moreover, an impartial international body (like the UN) may draft a better legal framework on cyber crime for the entire world, not on a regional basis, which should include the following matters:

Ensuring the secure, stable and reliable functioning of the internet.

Dealing with cyberspace regulations.

Developing internet security and making regulations on the usage of the internet and the construction of websites.

Well-strengthened international coordination and cooperation through Interpol in the investigation of cross-border issues, and mutual assistance regarding internet security.

Standards for global partnerships with the private sector for investigation and prosecution.

Establishment of an International Criminal Court or Tribunal for Cyberspace.

Harmonization of cyber laws among countries.

The Sri Lankan Computer Crimes Act adequately complies with the Budapest Convention regarding offences, investigation procedures, jurisdiction and international cooperation, but due to technological (internet security) matters and certain practical issues, the Act is not implemented effectively. The author of this paper personally believes that only technology and its wide expansion, rather than mere deterrent laws, can put up a strong fight against computer crimes. Examples include using encryption and other technologies; government funding to develop new security technologies; using technological means to easily identify internet users, especially in net cafes; educating people in safe computing; technologically training the police; ensuring the protection of confidentiality through information security measures; and developing a digital forensics lab.

[1] Neil McIntosh, Cyber Crime (Just the Facts), 2002.

[2] J Stein Schjolberg, Road for a Geneva Declaration for Cyberspace, p3, 2016.

[3] Marjie T. Britz, Computer Forensics and Cyber-crime, 3rd edition.

[4] Ibid.

[5] The virtual space made up of the internet’s phone lines and computer connections.

[6] A type of malicious software designed to block access to a computer system until a sum of money is paid.

[7] Council of Europe (2001), ‘Convention on Cybercrime’, 23 November 2001.

[8] Art 37, the Budapest Convention.

[9] Art 2, the Budapest Convention.

[10] Art 3, the Budapest Convention.

[11] Art 4, the Budapest Convention.

[12] Art 5, the Budapest Convention.

[13] Art 6, the Budapest Convention.

[14] Art 7, the Budapest Convention.

[15] Art 8, the Budapest Convention.

[16] Art 9, the Budapest Convention.

[17] Art 10, the Budapest Convention.

[18] Art 16, the Budapest Convention.

[19] Art 17, the Budapest Convention.

[20] Art 18, the Budapest Convention.

[21] Art 19, the Budapest Convention.

[22] Art 20, the Budapest Convention.

[23] Art 21, the Budapest Convention.

[24] Art 24, the Budapest Convention.

[25] Art 25, the Budapest Convention.

[26] Art 28, the Budapest Convention.

[27] Art 29, the Budapest Convention.

[28] Art 30, the Budapest Convention.

[29] Art 35, the Budapest Convention.

[30] 28 NLR 467, in which it was held that theft of electricity (an intangible thing) did not meet the requirements under Sec 366 of the Penal Code.

[31] Sec 3, the Sri Lanka Computer Crime Act.

[32] Sec 4, the Sri Lanka Computer Crime Act.

[33] Sec 5, the Sri Lanka Computer Crime Act.

[34] Sec 6, the Sri Lanka Computer Crime Act.

[35] Sec 7, the Sri Lanka Computer Crime Act.

[36] Sec 8, the Sri Lanka Computer Crime Act.

[37] Sec 9, the Sri Lanka Computer Crime Act.

[38] Sec 10, the Sri Lanka Computer Crime Act.

[39] Art 2-6, the Budapest Convention.

[40] A police officer may arrest cyber criminals without a warrant if there is reasonable suspicion.

[41] Sec 17, the Sri Lanka Computer Crime Act.

[42] Sec 18, the Sri Lanka Computer Crime Act.

[43] Sec 19, the Sri Lanka Computer Crime Act.

[44] Sec 24, the Sri Lanka Computer Crime Act.

[45] Sec 2, the Sri Lanka Computer Crime Act (application of the act) –  (a) a person commits an offence under this Act while being present in Sri Lanka or outside Sri Lanka ;

(b) the computer, computer system or information affected or which was to be affected, by the act which constitutes an offence under this Act, was at the material time in Sri Lanka or outside Sri Lanka ;

(c) the facility or service, including any computer storage, or data or information processing service, used in the commission of an offence under this Act was at the material time situated in Sri Lanka or outside Sri Lanka ; or

(d) the loss or damage is caused within or outside Sri Lanka by the commission of an offence under this Act, to the State or to a person resident in Sri Lanka or outside Sri Lanka.

[46] Sec 35, the Sri Lanka Computer Crime Act.

[47] Non-Council of Europe states which have ratified the Budapest Convention: USA, Sri Lanka, Australia, Canada, Israel, Japan, Panama, Mauritius and Dominican Republic.

[48] IDSA Task Force Report 2012, India’s Cyber security challenges, p48.

[49] Calderoni, Francesco, The European Legal Framework on Cyber-crime, p11, 2010.