Computer Crime Research Center


Legalweek: Law On Cyber Crime Overdue

Date: February 22, 2005
By: Mathew Ngugi

The penal sanction against trespass or breaking and entry cannot hold against an act of hacking into a computer network and unlawfully acquiring proprietary data, writes lawyer MATHEW NGUGI of the inadequacy of Kenya law in fighting cyber crime.

Perhaps the most sweeping influence on our lives is that of electronic technology.

From sophisticated airline reservation systems and military early warning mechanisms to the ATM and the digital supermarket till, the IT revolution has brought a vast array of aids and conveniences that have indelibly influenced modern communication, travel, security and commerce.

However, the massive gains brought by the information age are not perfect.

With the pervasive correlation of human activity with electronic resources and infrastructure comes a crucial vulnerability Ð the ever-present risk of abuse, insidious manipulation and sabotage of computers and computer networks.

On several occasions the world has witnessed electronic attacks of catastrophic proportions. January 2003, for instance, saw the strike of the infamous Slammer worm.

Slammer worm is a simple but versatile malicious code that, within 15 minutes of its first infection voraciously replicated itself throughout the World Wide Web Internet), disabling over half a million cable modems, disrupting numerous flights, stalling emergency services and interrupting internet and cell phone use for over 100 million people worldwide.

Estimated losses topped Sh80 billion within a week of the ensuing mayhem. Aside from the threat periodic virus attacks of this magnitude, is the ever-present use of computer technology for diverse illegal purposes, chiefly piracy, and commercial espionage and credit card fraud.

These observations bring to the fore questions on the state of Kenyan legislation in addressing the hazards posed to national security and individual welfare by this emerging brand of crime widely known as cyber crime.

Information subjected to various forms of abuse, which may include theft

There are two main aspects to cyber crime. One involves the employment of the computers and their networks for unlawful purposes. Hacking is one such activity. This involves unauthorised electronic intrusion into a computer or a computer network for acquisition of important and confidential information. This information is then subjected to various forms of abuse, which may include theft of proprietary material. Business secrets are also abused and sensitive records manipulated while usernames, passwords and credit card numbers are acquired to facilitate fraud.

A second example of this form of cyber crime entails denial of service (or DOS) attacks. These occur when a saboteur deploys a computer - or a battery of them - to bombard a server hosting an important website with rapid streams of nonsense information. This causes the server in question to stall. The targeted website becomes unresponsive thus denying legitimate users of the service access to useful information or services.

Often DOS attacks are directed against important service providers, such as search engines, news sites and e-mail hosts, common perpetrators being extortionists who hold the service provider at ransom or malicious triflers hungry for fifteen minutes of fame.

The second aspect of the cyber crime relates to utilisation of information technology as incidental aid to the actualisation of more conventional forms of crime. An example is the Nigerian 419 scam, which involves a 'confidential' e-mail, purportedly from a prominent Nigerian who wants assistance to transfer ill-gotten funds offshore. Despite the patent disingenuity of the pitch, the trick continues to net hundreds of victims every year.

In the Kenyan context, perhaps the most evident variance between the law and Internet use centres on publication and consumption of prohibited material - pornography, to be specific. Despite the prohibition of trafficking, publishing and exhibition of obscene publications under section 181 of the Penal Code, the ready availability of sexually explicit material prevailed to the extent of causing public outcry on more than one occasion.

Of even greater concern is the use of the Internet as a conduit for illegal exploitation of intellectual property. A cursory study of any public cyber facility in Nairobi will reveal widespread popularity of what are commonly known as peer-to-peer networks - internet sites via which vast communities of net users freely swap pirated data, software, music and audio-visual material.

Pundits will recall the landmark case of the A&M Records Inc. Vs Napster Inc. AUS Court of Appeal for the Ninth circuit outlawed the operation of such networks, noting the adverse effects of, then a premier peer-to-peer utility, on the fortunes of the motion picture and recording industry in the US.

Though cyber crime in Kenya is yet to manifest itself in the appalling proportions observed in the western world, it is worth noting that incidence of these is likely to go unreported due to lack of confidence in the law enforcers. There is also the tendency of corporate victims to cast a shroud of secrecy over attacks against them to avoid perceptions of ineptitude and diminished credibility.

The current state of our legislation is dismally wanting as far as the protection of our collective and individual interests relating to the electronic domain are concerned.

Save for section 2 of the Evidence Act (after amendment 69 of 2000), which makes a comprehensive definition of the word 'computer' for purposes of the act, our entire body of statute law remains entirely oblivious of the pervasive changes and developments wrought by the digital era.

However, some electronic crimes inherently feature a non-electronic element that, by extension or analogy, places them within the ambits of existing legislation.

For instance, the most of common Internet scams fall under section 313 of the Penal Code, which sanctions obtaining by false pretences. The same applies to the various forms of fraud, extortion and theft commonly perpetrated by electronic means. Similarly, There is also no doubt concerning the proscriptive adequacy of existing laws on illegal distribution of copyrighted material, and publishing of libellous, seditious or obscene material.

The problem, however, is not one of prohibition, but of enforcement. The nature of the World Wide Web and the ever-compounding complexity of electronic systems make the virtual arena difficult to administer, accordingly complicating the investigation and prosecution of cyber crimes, a situation aggravated by the lack of a statutory structure to address these intricacies.

To reconsider the prohibitive aspect of our laws, the inadequacy of our legislation turns out to be even more serious when we consider the lack of analogy between most cyber crimes and their conventional counterparts. For instance, the penal sanction against trespass or breaking and entry cannot hold against an act of hacking into a computer network and unlawfully acquiring proprietary data. Similarly, the act of perpetrating a DOS attack or distributing a destructive virus lacks crucial elements of malicious damage to property and cannot be prosecuted as such.

This situation discloses the need for a comprehensive framework of legislation addressing specific threats to electronic activity and infrastructure. This is important for two reasons, the first being to pre-empt the rise of cyber crime in its most nascent stages.

Second is the need to act in concert with the global community in combating cyber crime. Presently, if a fugitive international cyber criminal were to operate from or flee into Kenya, our legislative vacuum would effectively provide such wrongdoer with safe haven. This is an implication of the principle of dual criminality, under which international law requires that whenever one state requests another for the extradition of a criminal in the latter's territory, the act in question must be criminal in both the requesting and the requested state.

A comprehensive framework of anti cyber crime legislation is needed to safeguard moral standards, proprietary interests, privacy and the integrity of national security and healthy foreign relations, which are increasingly at stake as digital technology continually extends its influence over our day to day activities.

Apart from criminalising certain acts, such a system would further bolster related spheres of legislation to make them relevant to the intricacies and challenges posed by electronic age law and order. For instance, provisions of the Criminal Procedure Code on preventive action by the police including search and entry need to be updated to accommodate the minutiae of investigating electronic crime.

Further, statutes must address certain acts which, though not criminal of themselves, involve deliberate or negligent facility to the perpetration of cyber crimes; distribution of software used for illegal purposes, hosting of websites that provide resources for cyber criminals and dissemination of information that encourages or informs the commission of cyber crime.

Only such a legislative structure, one that adequately captures emerging ethical notions that delineate minimum rights and liabilities of Internet users, can properly lay the juridical foundation for a predisposition to IT-driven national development.

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2010-01-11 10:26:50 - hackers are bad JOHN HENRY
2005-03-17 19:22:24 - what would be the case where a hacker... John Wainaina Mitugo
Total 2 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo