New laws to curb cyber crimes

November 6, 2015

The government is drafting new laws to address emerging crime trends involving cyberspace as they cannot be curtailed under the existing legal framework. The CID Computer Crimes Division is to establish 22 new units under each SSP division to address computer related crimes.
The need for Internet privacy laws is felt when the norms of data protection are violated, said Jayantha Fernando, Programme Director, ICTA, emphasizing that Sri Lanka has no specific laws on Internet privacy.
Fernando said that the government has begun policy level discussions at the initiative of ICTA on Internet privacy laws and data protection. He said the process of formulating the draft is in progress.
Privacy laws depend on how information is collected, processed and transferred to third parties, he said.
The Computer Crimes Division of the CID, set up under the Computer Crimes Act 2007, deals with an increasing number of complaints on email scooping and privacy violations. The division has investigated over 100 complaints on internet-related crimes this year, including 50 complaints of cyber defamation, 21 complaints related to obscene publications and another 22 related to email hacking.
Another 2,000 complaints involving Facebook and Twitter were reported to the Computer Emergency Readiness Team (CERT) in the first seven months of this year. Most incidents had occurred on Facebook, and primarily involved the use of fake profiles, Senior Security Engineer of CERT, Roshan Chandragupta said.

He said that people are affected in different ways through the internet. Some are threatened with information related to the victim, some are harassed sexually, some are blackmailed for money, and some are even bullied to the point of death.
However, CERT limits its assistance to IT-related options. Further legal action would have to be sought externally, he said.
He said, “There were many people who had been affected by impersonators on social media. Some are not aware where to complain and had, therefore, not made a complaint in relation to fake profiles.”
“Current laws make it difficult for us to bring in the culprits,” claims an investigation officer attached to the Computer Crimes Division of the CID.
“For example, there were many incidents that are reported in which an aggrieved party shares the contact details of another party. Usually, the victim is a former girlfriend of the culprit who does that to avenge her. This does not fall under defamation law, as there is no defamation, so it becomes difficult for us to bring the culprit to book,” he said.
The Computer Crimes Division lacks officers to carry out work. The division has no branches. However, the CID is in the process of training more officers, CID Director SSP.R Nagahamulla said.
With new plans to establish branches, the CID is in the process of selecting officers to be trained on computer related investigations.
“We need 120 personnel. Training takes time. We have assigned new officers to be trained on investigations under officers in the Computer Crimes Division,” he said.
Following a proposal made by the Law, Order and Prison Reforms Ministry, a Hi-tech Crime Unit will be established under the purview of the IT division of the Police to look into issues concerning cyber crimes, said Police Information Technology Division ASP Damayantha Hettiarachchi.
“The unit will assist the police to find digital forensic evidence to the complaints received on cyber-crimes whilst general Police officers cannot analyse electronic evidence,” the ASP said.
The Police Department lacks electronic devices. The department is in the process of purchasing standardised equipment to track offences to continue investigations.
Standard operating procedures will be used to gather electronic evidence.
There are 10 IT labs under the Police IT division. Another 12 labs will be opened soon, but there are only a limited number of Police officers certified by the IGP to look into forensic electronic evidence, he said.
Pointing out that the Budapest Convention is an effective tool for law enforcement, ASP Hettiarachchi said, “The Council of Europe will attend the Cyber Crime Meet to be held in Sri Lanka this week. They will provide assistance to train police officers to enhance their IT capacity. IT experts will conduct training programmes at the Kalutara Police Training College for law enforcement officers.”
In 2015, Sri Lanka was invited to join the European Cyber Crime Convention. The Foreign Affairs Ministry, together with the ICT Agency (ICTA), has fast-tracked Sri Lanka’s entry into the Council of Europe (CoE) Cyber Crime Convention, also known as the Budapest Convention.

“The Budapest Convention on Cybercrime seeks to address Internet and computer crimes by harmonising national laws, improving investigative techniques and increasing cooperation among nations,” Fernando said.
Sri Lanka has overtaken the Philippines, Costa Rica, Argentina, Mexico, South Africa and several other countries in the process towards joining the Budapest Cybercrime Convention. Sri Lanka becomes the first country in South Asia to join the Cybercrime Convention, which is the only international treaty on cyber crimes globally, he said.
“This is a significant policy breakthrough for Sri Lanka. It will create whole new possibilities with regard to cyber crimes. The Criminal Justice Authority can investigate and prosecute offences,” he said.
It is an obligation of the Budapest Convention to open 24/7 contact points in Sri Lanka to get mutual assistance from other member countries when dealing with cyber incidents, he said.
Sri Lanka has to think about the strategy on data privacy and data protection to introduce laws compatible with European and other international standards, ICTA Programme Director Fernando said.
The benefit of the convention is that all will be compelled to adhere to the data protection and privacy safeguards. Privacy laws are important where investors from Europe or other countries will look at how information provided is protected in Sri Lanka.
Referring to the maintenance of data privacy, Fernando said there are many internal steps that can be taken to ensure privacy, suggesting that the government and private authorities should adopt common internal privacy policies. Organizations or companies offering services on the Internet should state their privacy policies on their home page. The companies should have policies to safeguard information collected from those organizations.
“Data owners and the companies will have greater comfort when dealing with various organizations,” he said.
Fernando said the government needs to make greater efforts to educate people on the need to ensure privacy and respect the privacy of others.
