Chapter 1 INTRODUCTION

Information and communications technologies (ICT) are now part of everyday life, and their use is growing rapidly along with the internet and other social networks in cyberspace. ICT has become an essential function of commerce and government. With the help of computers and the Internet, businesses are now able to provide immediate services to their customers. ICT also plays a very important role in education and entertainment. But it has its negative side as well. The biggest threat of the internet is the security threat. The rapid evolution of the computer networks that comprise the Internet from a government and research focus to the e-commerce and domestic arena has provided a gateway for offenders.

The topic of cybercrime is discussed much more today than it was five years ago. Computers have become integral parts of the daily lives of citizens around the world. The number of individuals who gain access to the World Wide Web, both for legitimate and for illegitimate reasons, continues to increase every day. Criminal activities involving computers and technology continue to be a problem for the criminal justice system. It is worth noting that while crime numbers have increased over the last five years, the criminal justice response has also increased. Today there are more criminal justice agencies staffing cybercrime-related investigators. Additionally, there are more computer forensics services available for investigators. However, there is still a continuing need to increase awareness and understanding of cybercrime.1

1 Robert Moore, Cybercrime investigating high-technology computer crime. 2nd ed. (New York: Routledge, 2015) p. ix.

1.1 What is Cybercrime?

Cybercrime, returning to a definition provided by Casey, refers to any crime that involves a computer and a network, where a computer may or may not have played an instrumental part in the commission of the crime.
The term cybercrime would be used to refer to a criminal act like that of identity theft, which involves the theft of someone's personal information such as their credit card number or social security number. When an individual commits the crime of identity theft, there are several methods of obtaining the target's personal information. Many of the techniques involve the use of a computer or a network, but many more techniques have nothing to do with computers other than information stored in text files on a computer hard drive.2

1.2 Why call it Cybercrime?

First coined by William Gibson (1982) and then popularized in his 1984 novel Neuromancer, the term "cyberspace" became a popular descriptor of the mentally constructed virtual environment within which networked computer activity takes place. 'Cybercrime' broadly describes the crimes that take place within that space, and the term has come to symbolize insecurity and risk online. By itself 'cybercrime' is fairly meaningless because it tends to be used metaphorically and emotively rather than scientifically or legally, usually to signify the occurrence of harmful behavior that is somehow related to the misuse of a networked computer system. If we could turn the clock back in time then perhaps the term 'cyberspace crime' would have been a more precise and accurate descriptor. However, regardless of its merits and demerits, the term 'cybercrime' has entered the public parlance and we are stuck with it. It is argued here and elsewhere that the term has a greater meaning if we construct it in terms of the transformation of criminal or harmful behavior by networked technology, rather than simply the behavior itself. As stated earlier, cybercrimes are understood here to be criminal or harmful activities that involve the acquisition or manipulation of information for gain.

2 ibid, p.4.
Not only has the term 'cybercrime' acquired considerable linguistic agency, but over the past decade 'cybercrimes' have become firmly embedded in public crime agendas as something that must be governed. This is an interesting happenstance within the context of the transformation thesis, because although the contemporary meaning of 'cyber' is firmly linked to technological innovation, its origins lie in the Greek kubernetes or steersman, which is also the root of the word 'govern'. See, for example, the French usage of the term 'cybernetique', the art of governing. The word 'cyber' entered the English language in 'cybernetics', which is the study of systems of control and communications (linked with computers). More by coincidence than design, the words 'cyber' and 'crime' actually sit well together linguistically. The linkage becomes more significant if we understand cybercrimes as crimes which are mediated (governed, if you like) by networked technology and not just computers.3

1.3 Characteristics of Cyber Crime

Cyber crime is a broad term that may include hacking, copying of copyrighted materials, child grooming, stealing and misusing someone else's confidential or private information, and making a computer virus, bug or malware with the intention of targeting someone's computer or network in order to gain a benefit, to take revenge, or for any other cause.4

Most cybercrimes are transnational in character; inconsistency of laws and regulations across country borders makes it especially difficult for countries to cooperate when investigating cross-border cyber crimes. As Katyal5 observed, many countries will find it increasingly difficult to enforce their national laws against activities which are considered offensive or harmful to local taste or culture. The harmonization of cyber-laws and regulations and the building of cooperation and comity among nations are vitally important countermeasures against cybercrime. The first step in that direction was the Convention on Cybercrime proposed by the Council of Europe in 2001, which provided a common legal framework on cybercrime.

3 David Wall, Cybercrime: The Transformation of Crime in the Information Age. (Cambridge: Polity Press, 2007) p. 10
4 [http://teletechblog.blogspot.com/2013/05/cyber-crime-cyber-security-and.html] last visited February 20, 2016.
5 Katyal, N. K., Digital architecture as crime control. (Yale Law Journal, 2003) p.180

Cyber crime refers to all activities done with criminal intent in cyberspace. These fall into three slots.6
a) Against persons
b) Against business and non-business organizations
c) Crime targeting the government

Cyber crime is the unlawful act wherein computer information technology is used either as a tool or a target or both. Cyber crime covers many crimes. The computer itself is a tool that may be used for an unlawful act. This kind of activity usually involves modification of a conventional crime by using computers.

Objective of cyber crimes:
a) To identify certain cyber crime divisions.
b) To make misuse of data, systems and networks.
c) To make changes in the confidential/secret information

Now that we have a basic understanding of cybercrime, the questions that remain involve gaining a better understanding of high-technology crime and determining whether such criminal behavior is a serious problem that truly warrants examination and consideration.

6 [http://teletechblog.blogspot.com/2013/05/cyber-crime-cyber-security-and.html] last visited February 20, 2016.

Chapter 2 KINDS OF CYBER CRIME

2.1 Ancient Cyber Crime

The first recorded cyber crime took place in the year 1820. That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China.
The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Today, computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Cyber crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief. The abuse of computers has also given birth to a gamut of new-age crimes such as hacking, web defacement, cyber stalking, web jacking etc.7

A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both". The term computer used in this definition does not only mean the conventional desktop or laptop computer. It includes Personal Digital Assistants (PDA), cell phones, sophisticated watches, cars and a host of gadgets.

7 Prashant Mali, Text book of cyber crime and penalties. p.5

Recent global cyber crime incidents like the targeted denial of service attacks on Estonia have heightened fears. Intelligence agencies are preparing against coordinated cyber attacks that could disrupt rail and air traffic controls, electricity distribution networks, stock markets, banking and insurance systems etc.
Unfortunately, it is not possible to calculate the true social and financial impact of cyber crime. This is because most crimes go unreported.

2.2 Child Pornography

In pre-Internet days, individuals who wished to view this kind of material would need to seek it out, bring it into their home or have it delivered in physical form as magazines, videos, photographs etc., risking discovery and embarrassment at every stage. Now they are able to access it from their computers at home (or from their place of work) with relative ease.

Perhaps the most tragic aspect of the Internet and the proliferation of digital technology has been their ability to facilitate the production and distribution of child pornography and other forms of child sexual abuse. Prior to the advent of these technologies, such material was difficult to transport without detection, production was hampered by the need to have film processed, and equipment was costly and relatively difficult to use. As digital technology has become more widely available, and the Internet more pervasive, there has been a corresponding rise in the number of child-pornography prosecutions. While this is explained in part by changing priorities of law enforcement agencies, this is itself undoubtedly a response to the proliferation of child pornography on the Internet.8

The connection between digital technology and this type of offending is easily understood. The technology is relatively cheap, easy to access, and portable. It allows for storage of large amounts of material which would be conspicuous if stored in hard copy. For example, in R v. Jones9 the defendant was found to be in possession of more than 162,600 images of child pornography, although this is by no means the greatest number. More typically, one US study found that 48 per cent of offenders had more than 100 images, with 14 per cent having more than 1,000.

8 Jonathan Clough, Principles of cybercrime, (New York, Cambridge University Press, 2010) p. 247
The increasing availability of broadband further enables the downloading of large amounts of material, including data-intensive video files. The ability to produce child pornography is greatly enhanced by the fact that digital images may be produced cheaply without the need for external processing, and reproduced with no diminution of quality. Images of child abuse may also be transmitted in real time through the use of webcams or instant messaging, sometimes at the request and direction of paying customers. There is also the potential to create 'virtual' child pornography, that is, where imaging software is used to create an image which appears to be of child pornography, but which does not involve any actual children. For example, a UK man was convicted over images of naked women which he manipulated using imaging software to reduce the apparent size of the breasts and make the women appear to be partially dressed in school uniforms and apparently under the age of eighteen.

Cyber pornography is believed to be one of the largest businesses on the Internet today. The millions of pornographic websites that flourish on the Internet are testimony to this. While pornography per se is not illegal in many countries, child pornography is strictly illegal in most nations today.

2.3 Cyber Bullying

With today's technology, bullying has become easier than ever; the children and youth of this generation do not even need to have a personal confrontation. Cyber bullying can be defined as any communication posted or sent by a minor online, by instant messenger, e-mail, social networking site, website, diary site, online profile, interactive game, handheld device, cell phone or other interactive device that is intended to frighten, embarrass, harass or otherwise target another minor. Cyber bullying is disturbingly common among teens.
'Cyber-Bullying: Our Kids' New Reality' is a survey that was conducted from December 2006 to January 2007 by the members of Kids Help Phone and had over 2500 respondents. More than 70 per cent of respondents to the survey reported that they have been bullied online, while 44 per cent said they have bullied someone online. At least 38 per cent reported having experienced cyber-bullying within the last three months. Of the methods used, 77 per cent reported being bullied by instant messaging, 37 per cent by e-mail and 31 per cent on social networking sites, such as MySpace and Facebook. When bullied online, 43 per cent said they did nothing, 32 per cent confronted the person who bullied them, and 27 per cent told a friend. Although most cyber bullying cases go unreported, police departments take action in trying to prevent it. Because many people are afraid to come to the police about an online problem, the police go to great lengths to find the problems themselves online.9

The worst thing about social networking sites and messaging apps is that anything nasty posted about you can be seen by lots of people, and these posts can go viral very fast and be shared by many people, within minutes in some cases. From what we have heard from people who have been bullied online, the most vicious gossip and rumors are often spread by people who were once your best friends, so it's best to keep secrets and personal information to yourself. Only tell people things if it wouldn't embarrass you if other people found out about them. Posting false and malicious things about people on the internet can be classed as harassment.10

A large number of youth and their parents think that cyber bullying is not a big enough deal to cause problems. However, it has been proven that a victim of this type of bullying can be led to serious disorders in the future, including suicide. When one becomes a victim of cyber bullying, they are a victim for life.
Though the bullying itself may go away, the fear, the hurt, and the memories scar the victim forever.11

9 Prashant Mali, Text book of cyber crime and penalties. p.15
10 [http://www.bullying.co.uk/cyberbullying/what-is-cyberbullying] last visited March 27, 2016.
11 Prashant Mali, Text book of cyber crime and penalties. p.15

2.4 Identity theft:

"But he that filches from me my good name/Robs me of that which not enriches him/and makes me poor indeed." - Shakespeare, Othello, act iii. Sc. 3.

The short answer is that identity theft is a crime. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. These Web pages are intended to explain why you need to take precautions to protect yourself from identity theft. Unlike your fingerprints, which are unique to you and cannot be given to someone else for their use, your personal data (especially your Social Security number, your bank account or credit card number, your telephone calling card number, and other valuable identifying data) can be used, if they fall into the wrong hands, to personally profit at your expense. In the United States and Canada, for example, many people have reported that unauthorized persons have taken funds out of their bank or financial accounts, or, in the worst cases, taken over their identities altogether, running up vast debts and committing crimes while using the victims' names.
In many cases, a victim's losses may include not only out-of-pocket financial losses, but substantial additional financial costs associated with trying to restore his reputation in the community and correcting erroneous information for which the criminal is responsible.12

In one notorious case of identity theft, the criminal, a convicted felon, not only incurred more than $100,000 of credit card debt, obtained a federal home loan, and bought homes, motorcycles, and handguns in the victim's name, but called his victim to taunt him -- saying that he could continue to pose as the victim for as long as he wanted because identity theft was not a federal crime at that time -- before filing for bankruptcy, also in the victim's name. While the victim and his wife spent more than four years and more than $15,000 of their own money to restore their credit and reputation, the criminal served a brief sentence for making a false statement to procure a firearm, but made no restitution to his victim for any of the harm he had caused. This case, and others like it, prompted Congress in 1998 to create a new federal offense of identity theft.

12 [https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud] last visited March 27, 2016.

Many people do not realize how easily criminals can obtain our personal data without having to break into our homes. In public places, for example, criminals may engage in "shoulder surfing" - watching you from a nearby location as you punch in your telephone calling card number or credit card number - or listen in on your conversation if you give your credit-card number over the telephone to a hotel or rental car company. If you receive applications for "pre-approved" credit cards in the mail, but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge.
(Some credit card companies, when sending credit cards, have adopted security measures that allow a card recipient to activate the card only from his or her home telephone number, but this is not yet a universal practice.) Also, if your mail is delivered to a place where others have ready access to it, criminals may simply intercept and redirect your mail to another location.

In recent years, the Internet has become an appealing place for criminals to obtain identifying data, such as passwords or even banking information. In their haste to explore the exciting features of the Internet, many people respond to "spam" - unsolicited e-mail - that promises them some benefit but requests identifying data, without realizing that in many cases, the requester has no intention of keeping his promise. In some cases, criminals reportedly have used computer technology to obtain large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes: for example, false applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining other goods or privileges which the criminal might be denied if he were to use his real name. If the criminal takes steps to ensure that bills for the falsely obtained credit cards, or bank statements showing the unauthorized withdrawals, are sent to an address other than the victim's, the victim may not become aware of what is happening until the criminal has already inflicted substantial damage on the victim's assets, credit, and reputation.

2.5 E-mail Spoofing:

Spam and e-mail-laden viruses can take a lot of the fun and utility out of electronic communications, but at least you can trust e-mail that comes from people you know, except when you can't.
A favorite technique of spammers and other "bad guys" is to "spoof" their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the sender pretends to be someone else in order to persuade the recipient to do something (from simply opening the message to sending money or revealing personal information).13

If you receive a snail mail letter, you look to the return address in the top left corner as an indicator of where it originated. However, the sender could write any name and address there; you have no assurance that the letter really is from that person and address. E-mail messages contain return addresses, too, but they can likewise be deliberately misleading, or "spoofed." Senders do this for various reasons, including:
a) The e-mail is spam and the sender doesn't want to be subjected to antispam laws
b) The e-mail constitutes a violation of some other law (for example, it is threatening or harassing)
c) The e-mail contains a virus or Trojan and the sender believes you are more likely to open it if it appears to be from someone you know
d) The e-mail requests information that you might be willing to give to the person the sender is pretending to be (for example, a sender might pose as your company's system administrator and ask for your network password), as part of a "social engineering" attack
e) The sender is attempting to cause trouble for someone by pretending to be that person (for example, to make it look as though a political rival or personal enemy said something he/she didn't in an e-mail message)

13 [http://www.windowsecurity.com/articles-tutorials/content_security/Email-Spoofing.html] last visited March 27, 2016.

E-mail spoofing is a growing problem and has reached the point where you cannot rely on the information displayed in your e-mail client to tell you who really sent a message.
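The return-address problem described above can be checked mechanically on the receiving side. The following is an added example, not part of the original text: it compares the displayed From domain with the domains the receiving server actually authenticated (recorded in the Authentication-Results header) and with the Return-Path and Reply-To domains. The server name `mx.recipient.example`, the sample messages and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own receiving mail server stamps on messages.
TRUSTED_AUTHSERV = "mx.recipient.example"

PASS_RE = re.compile(
    r"\b(?:spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)


def domain_of(value):
    """Lower-cased domain of an address header or bare token ('' if none)."""
    addr = parseaddr(value or "")[1] or (value or "")
    return addr.rpartition("@")[2].strip(" <>;").lower()


def aligned(from_dom, other):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    return bool(from_dom and other) and (
        from_dom == other
        or from_dom.endswith("." + other)
        or other.endswith("." + from_dom))


def authenticated_domains(msg, trusted=TRUSTED_AUTHSERV):
    """Domains with a passing SPF or DKIM result recorded by our own server."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        # Skip results stamped by any other host: a sender can insert this
        # header as easily as a false From line.
        if authserv.split()[:1] != [trusted]:
            continue
        domains.update(domain_of(m.group(1)) for m in PASS_RE.finditer(results))
    return domains


def assess(raw, trusted=TRUSTED_AUTHSERV):
    """Return the From domain and the reasons, if any, to distrust it."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reasons = []
    if not any(aligned(from_dom, d) for d in authenticated_domains(msg, trusted)):
        reasons.append("From domain has no aligned SPF/DKIM pass")
    # A differing Return-Path or Reply-To is a signal, not proof: mailing
    # lists and bulk-mail providers produce it legitimately.
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and not aligned(from_dom, other):
            reasons.append(f"{name} domain {other} differs from From domain {from_dom}")
    return {"from_domain": from_dom, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (all domains use the reserved .example TLD).
GENUINE = "\n".join([
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=alice@corp.example; dkim=pass header.d=corp.example",
    "Return-Path: <alice@corp.example>",
    "From: Alice Admin <alice@corp.example>",
    "Subject: Maintenance window", "", "Servers restart at 22:00."])

SPOOFED = "\n".join([
    "Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@bulk-sender.example; dkim=none",
    "Return-Path: <bounce@bulk-sender.example>",
    'From: "System Administrator" <admin@corp.example>',
    "Reply-To: helpdesk@lookalike.example",
    "Subject: Password check", "", "Reply with your network password."])

FORGED_RESULTS = "\n".join([
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=admin@corp.example",
    "Return-Path: <admin@corp.example>",
    "From: admin@corp.example",
    "Subject: Password check", "", "Reply with your network password."])

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED),
                       ("forged results header", FORGED_RESULTS)]:
        print(label, assess(raw))
```

The third sample shows why the check trusts only results written by the recipient's own server: a message can carry a self-asserted "pass" that means nothing.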
Some jurisdictions have enacted laws against this form of "e-mail identity theft," but the more effective solution is apt to be a technological one that makes it possible to authenticate the senders of e-mail messages.

2.6 Intellectual Property Crime:

Intellectual property (IP) theft is defined as theft of material that is copyrighted, the theft of trade secrets, and trademark violations. A copyright is the legal right of an author, publisher, composer, or other person who creates a work to exclusively print, publish, distribute, or perform the work in public. The United States leads the world in the creation and selling of IP products to buyers nationwide and internationally. Examples of copyrighted material commonly stolen online are computer software, recorded music, movies, and electronic games.14

Theft of trade secrets means the theft of ideas, plans, methods, technologies, or any sensitive information from all types of industries including manufacturers, financial service institutions, and the computer industry. Trade secrets are plans for a higher speed computer, designs for a highly fuel-efficient car, a company's manufacturing procedures, or the recipe for a popular salad dressing, cookie mix, or barbeque sauce. These secrets are owned by the company and give it a competitive edge. Theft of trade secrets damages the competitive edge and therefore the economic base of a business.

A trademark is the registered name or identifying symbol of a product that can be used only by the product's owner. A trademark violation involves counterfeiting or copying brand name products such as well-known types of shoes, clothing, and electronics equipment and selling them as the genuine or original product.

14 [http://law.jrank.org/pages/11992/Cyber-Crime-Intellectual-property-theft.html] last visited March 31, 2016.

The two forms of IP most frequently involved in cyber crime are copyrighted material and trade secrets.
Piracy is a term used to describe IP theft: piracy of software, piracy of music, etc. Theft of IP affects the entire U.S. economy. Billions of dollars are lost every year to IP pirates. For example, thieves sell pirated computer software for games or programs to millions of Internet users. The company that actually produced the real product loses these sales and the royalties rightfully due to the original creator.

Historically, when there were no computers, IP crimes involved a lot of time and labor. Movie or music tapes had to be copied, physically produced, and transported for sale. An individual had to make the sale in person. To steal a trade secret, actual paper plans, files, or blueprints would have to be physically taken from a company's building and likewise sold in person.

In the twenty-first century, software, music, and trade secret pirates operate through the Internet. Anything that can be digitized (reduced to a series of zeroes and ones) can be transmitted rapidly from one computer to another. There is no reduction of quality in second, third, or fourth generation copies. Pirated digital copies of copyrighted work transmitted over the Internet are known as "warez." Warez groups are responsible for illegally copying and distributing hundreds of millions of dollars of copyrighted material.

Pirated trade secrets are sold to other companies or illegal groups. Trade secrets no longer have to be physically stolen from a company. Instead, corporate plans and secrets are downloaded by pirates onto a computer disc. The stolen information can be transmitted worldwide in minutes. Trade secret pirates find pathways into a company's computer systems and download the items to be copied. Companies keep almost everything in their computer files. Pirated copies are sold over the Internet to customers who provide their credit card numbers and then download the copy.
2.7 Cyber Crime Related to Finance

There are various types of cyber crime which are directly related to financial or monetary gain by illegal means. To achieve this end, people in the cyber world who can suitably be called fraudsters use different techniques and schemes to fool other people on the internet. Online fraud and cheating is one of the most lucrative businesses growing today in cyberspace. It may assume different forms. Some of the cases of online fraud and cheating that have come to light are those pertaining to credit card crimes, contractual crimes, online auction frauds, online investment schemes, job offers, etc.15

2.8 Cyber Crime with Mobile & Wireless Technology

At present the mobile phone is so developed that it has become somewhat equivalent to a personal computer, as we can do a lot of work on our mobile phones which was earlier possible only on computers, such as surfing, sending e-mails etc. There is also an increase in the services available on mobile phones, such as Mobile Banking, which is as prone to cyber crime on the mobile as it is on the Internet. Because mobile and wireless technology is developing day by day, the day is not far away when the commission of cyber crimes on the mobile will become a major threat along with other cyber crimes on the net.16

2.9 Phishing

In computing, phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an e-mail or an instant message. The term phishing arises from the use of increasingly sophisticated lures to fish for users' financial information and passwords.
It is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The web site, however, is bogus and set up only to steal the user's information. By spamming large groups of people, the phisher counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with the legitimate enterprise. Phishing, also referred to as brand spoofing or carding, is a variation on fishing, the idea being that bait is thrown out with the hope that while most will ignore the bait, some will be tempted into biting.17

15 Zulfiquar Ahmed, A Text Book on Cyber Law in Bangladesh, 1st ed., (Dhaka: National Law Book Company, 2009), p.145.
16 Ibid, p.145.

The damage caused by phishing ranges from loss of access to e-mail to substantial financial loss. This style of identity theft is becoming more popular because of the ease with which unsuspecting people often divulge personal information to phishers, including credit card numbers and social security numbers. Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. U.S. businesses lose an estimated US$2 billion a year as their clients become victims. The United Kingdom also suffers from the immense increase in phishing.
In March 2005, the amount of money lost in the UK was approximately £12 million.18

17 Ibid, p.146.
18 Ibid, p.148.

2.10 Denial of Service Attack (DoS Attack)

This is an act by the criminal, who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide. DoS is short for denial-of-service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks are constantly being dreamed up by hackers.

This involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. a web server) to crash, thereby denying authorized users the service offered by the resource. Another variation on a typical denial of service attack is known as a Distributed Denial of Service (DDoS) attack, wherein the perpetrators are many and are geographically widespread. It is very difficult to control such attacks. The attack is initiated by sending excessive demands to the victim's computers, exceeding the limit that the victim's servers can support and making the servers crash. Denial-of-service attacks have had an impressive history, having in the past brought down websites like Amazon, CNN, Yahoo and eBay.19

2.11 Data Diddling

Data diddling involves changing data prior to or during input into a computer. In other words, information is changed from the way it should be entered by a person typing in the data, a virus that changes data, the programmer of the database or application, or anyone else involved in the process of having information stored in a computer file.
The culprit can be anyone involved in the process of creating, recording, encoding, examining, checking, converting, or transmitting data. This kind of attack involves altering raw data just before it is processed by a computer and then changing it back after the processing is completed. Electricity Boards in India have been victims of data diddling programs inserted when private parties were computerizing their systems.20 This is one of the simplest methods of committing a computer-related crime, because it requires almost no computer skills whatsoever. Despite the ease of committing the crime, the cost can be considerable. For example, a person entering accounting data may change data to show that their account, or that of a friend or family member, is paid in full. By changing or failing to enter the information, they are able to steal from the company. To deal with this type of crime, a company must implement policies and internal controls. This may include performing regular audits, using software with built-in features to combat such problems, and supervising employees.21

19 Ibid, pp.149-150.
20 Ibid, p.156.

2.12 Salami Attacks

A salami attack is a series of minor data-security attacks that together result in a larger attack. For example, a fraud in a bank where an employee steals a small amount of funds from several accounts can be considered a salami attack. Crimes involving salami attacks typically are difficult to detect and trace. These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed, e.g. a bank employee inserts a program into the bank's servers that deducts a small amount of money (say Rs. 5 a month) from the account of every customer.
No account holder will probably notice this unauthorized debit, but the bank employee will make a sizable amount of money every month.22

21 Ibid, p.156.
22 Ibid, pp.156-57.

To cite an example: an employee of a bank in the USA was dismissed from his job. Disgruntled at having been supposedly mistreated by his employers, the man first introduced a logic bomb into the bank's systems. Logic bombs are programmes which are activated on the occurrence of a particular predefined event. The logic bomb was programmed to take ten cents from all the accounts in the bank and put them into the account of the person whose name was alphabetically the last in the bank's rosters. Then he went and opened an account in the name of Ziegler. The amount being withdrawn from each of the accounts in the bank was so insignificant that neither the account holders nor the bank officials noticed the fault. It was brought to their notice when a person by the name of Zygler opened an account in that bank. He was surprised to find a sizable amount of money being transferred into his account every Saturday.23

In January 1993, four executives of a rental-car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique. The federal grand jury in Fort Lauderdale claimed that the defendants modified a computer billing program to add five extra gallons to the actual gas tank capacity of their vehicles. From 1988 through 1991, every customer who returned a car without topping it off ended up paying inflated rates for an inflated total of gasoline. The thefts ranged from $15 per customer, rather thick slices of salami but nonetheless difficult for the victims to detect.24

In Los Angeles in October 1998, the district attorneys charged four men with fraud for allegedly installing computer chips in gasoline pumps that cheated consumers by overstating the amounts pumped.
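The bank cases above leave the same trace in the books: postings that no customer instruction or fee schedule explains, each too small to notice, drawn from many accounts and credited to one. The following Python audit is an added example, not part of the original text; the account names, amounts and both thresholds are constructed assumptions. It reconciles postings against authorization records and then groups what is left by beneficiary.

```python
"""Reconciliation audit that surfaces a salami skim in a ledger (added example)."""
from collections import Counter, defaultdict
from typing import NamedTuple


class Posting(NamedTuple):
    week: int
    src: str
    dst: str
    cents: int


def build_sample():
    """Constructed data: 200 accounts over 4 weeks. All names and amounts are invented."""
    accounts = [f"ACCT-{i:04d}" for i in range(200)]
    authorized, postings = [], []
    for week in range(1, 5):
        for i, acct in enumerate(accounts):
            if i % 3 == 0:  # customer-instructed bill payment
                p = Posting(week, acct, "UTILITY-CO", 4500 + 10 * i)
                authorized.append(p)
                postings.append(p)
            if week == 1:  # published monthly fee: small, from everyone, but authorized
                p = Posting(week, acct, "BANK-FEES", 50)
                authorized.append(p)
                postings.append(p)
            # the skim: ten cents a week with no instruction behind it
            postings.append(Posting(week, acct, "ACCT-ZIEGLER", 10))
    # one ordinary clerical error, to show it is reported but not called a salami
    postings.append(Posting(2, "ACCT-0007", "ACCT-0150", 2500))
    return postings, authorized


def unmatched(postings, authorized):
    """Return postings that no authorization record explains (multiset match)."""
    remaining = Counter(authorized)
    leftovers = []
    for p in postings:
        if remaining[p] > 0:
            remaining[p] -= 1
        else:
            leftovers.append(p)
    return leftovers


def salami_suspects(discrepancies, max_item_cents=100, min_sources=25):
    """Group unexplained postings by beneficiary and flag the many-small pattern.

    A beneficiary is flagged when every unexplained credit is at most
    max_item_cents and the credits come from at least min_sources distinct
    accounts. Both thresholds are illustrative assumptions.
    """
    by_dst = defaultdict(list)
    for p in discrepancies:
        by_dst[p.dst].append(p)
    suspects = []
    for dst, items in by_dst.items():
        sources = {p.src for p in items}
        largest = max(p.cents for p in items)
        if len(sources) >= min_sources and largest <= max_item_cents:
            suspects.append({
                "beneficiary": dst,
                "distinct_sources": len(sources),
                "largest_item_cents": largest,
                "total_cents": sum(p.cents for p in items),
                "weeks": sorted({p.week for p in items}),
            })
    return sorted(suspects, key=lambda s: -s["total_cents"])


if __name__ == "__main__":
    postings, authorized = build_sample()
    gaps = unmatched(postings, authorized)
    print(f"{len(gaps)} unexplained postings out of {len(postings)}")
    for suspect in salami_suspects(gaps):
        print(suspect)
```

The authorized service fee is just as small and just as widespread as the skim, so size alone cannot separate them; the reconciliation step does. The single clerical error stays in the list of unexplained postings for follow-up but is not flagged as a salami.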
The problem came to light when an increasing number of consumers charged that they had been sold more gasoline than the capacity of their gas tanks. However, the fraud was difficult to prove initially because the perpetrators programmed the chips to deliver exactly the right amount of gasoline when asked for five- and 10-gallon amounts, precisely the amounts typically used by inspectors.25

Unfortunately, salami attacks are designed to be difficult to detect. The only hope is that random audits, especially of financial data, will pick up a pattern of discrepancies and lead to discovery. As any accountant will warn, even a tiny error must be tracked down, since it may indicate a much larger problem. If we paid more attention to anomalies, we'd be in better shape to fight the salami rogues. Computer systems are deterministic machines, at least where application programs are concerned. Any error has a cause. Looking for the causes of discrepancies will seriously hamper the perpetrators of salami attacks. From a systems development standpoint, such scams reinforce the critical importance of sound quality assurance throughout the software development life cycle.26

23 Ibid, p.157.
24 Ibid, pp.158-159.
25 [http://www.networkworld.com/newsletters/sec/2002/01467137.html] Last visited 27 March 2015.
26 R. K. Chaubey, An Introduction to Cyber Crime and Cyber Laws, 1st ed., (Kolkata: Kamal Law House, 2009), p.159.

Chapter 3 INTERNATIONAL PERSPECTIVE ON CYBERCRIME

The global network, which united millions of computers located in different countries and opened broad opportunities to obtain and exchange information, is used for criminal purposes more and more often. The introduction of electronic money and virtual banks, exchanges and shops became one of the factors in the appearance of a new kind of crime: transnational computer crimes.
Today law enforcement faces the tasks of counteracting and investigating crimes in the sphere of computer technologies, that is, cyber crimes. Still, the definition of cyber crime remains unclear to law enforcement, though criminal actions on the Internet pose great social danger. The transnational character of these crimes gives grounds to say that development of a mutual policy to regulate the main problem should be a part of every strategy to fight cyber crime.27

Anonymity and the absence of frontiers make the Internet an efficient weapon in the hands of criminals. Investigation and prevention of computer crimes turn into a "headache" for law enforcement officers. In virtual space criminals usually act from sites in other countries. In such cases it is necessary to cooperate with foreign law enforcement agencies, and that is not always possible. Taking into consideration the globalization of such crime, it is more and more obvious that no State is able to cope with such threats independently. During investigation of transnational cyber crimes, the law enforcement bodies of a given State, whose authority extends only over its own territory, should cooperate with each other in accordance with international legal documents accepted by these countries. Depending on relations between the interested countries and corresponding information or other facts, a need to develop additional authorities and procedures for investigating such crimes may appear.28

One of the most serious steps taken to regulate this problem was the adoption of the Cyber Crime Convention by the European Council on 23 November 2001, the first agreement on judicial and procedural aspects of investigating and prosecuting cyber crimes. It specifies efforts coordinated at the national and international level and directed at preventing illegal intervention into the work of computer systems.

27 R. K. Chaubey, ibid, p.167.
The Convention stipulates actions targeted at the national and intergovernmental level directed at preventing unlawful infringement of computer system functions. The Convention divides forbidden content (racist websites and child porn content) and breaking copyright laws.29

28 Ibid, pp.167-168.
29 Ibid, p.168.

3.1 Mysterious Cyber Crimes

The most nefarious and crafty criminals are the ones who operate completely under the radar. In the computing world security breaches happen all the time, and in the best cases the offenders get tracked down by the FBI or some other law enforcement agency. But it's the ones who go uncaught and unidentified (those who we didn't highlight in our Cyber Crime Hall of Fame) that are actually the best. Attempting to cover your tracks is Law-Breaking 101; being able to effectively do so, that's another story altogether. When a major cyber crime remains unsolved, though, it probably also means that those of us outside the world of tech crime solving may never even know the crime occurred. These are some of the top headline-worthy highlights in the world of unsolved computing crime: cases in which the only information available is the ruin left in their wake.

The WANK Worm (October 1989)

Possibly the first "hacktivist" (hacking activist) attack, the WANK worm hit NASA offices in Greenbelt, Maryland. WANK (Worms Against Nuclear Killers) ran a banner across system computers as part of a protest to stop the launch of the plutonium-fueled, Jupiter-bound Galileo probe. Cleaning up after the crack has been said to have cost NASA up to a half of a million dollars in time and resources.
To this day, no one is quite sure where the attack originated, though many fingers have pointed to Melbourne, Australia-based hackers.30

Ministry of Defense Satellite Hacked (February 1999)

A small group of hackers traced to southern England gained control of a MoD Skynet military satellite and signaled a security intrusion characterized by officials as "information warfare," in which an enemy attacks by disrupting military communications. In the end, the hackers managed to reprogram the control system before being discovered. Though Scotland Yard's Computer Crimes Unit and the U.S. Air Force worked together to investigate the case, no arrests have been made.31

CD Universe Credit Card Breach (January 2000)

A blackmail scheme gone wrong, the posting of over 300,000 credit card numbers by hacker Maxim on a Web site entitled "The Maxus Credit Card Pipeline" has remained unsolved since early 2000. Maxim stole the credit card information by breaching CDUniverse.com; he or she then demanded $100,000 from the Web site in exchange for destroying the data. While Maxim is believed to be from Eastern Europe, the case remains as of yet unsolved.32

30 [http://www.pcmag.com/article2/0,2817,2331225,00.asp] last visited April 1, 2016.
31 Ibid.
32 Ibid.

Military Source Code Stolen (December 2000)

If there's one thing you don't want in the wrong hands, it's the source code that can control missile-guidance systems. In winter of 2000, a hacker broke into government-contracted Exigent Software Technology and nabbed two-thirds of the code for Exigent's OS/COMET software, which is responsible for both missile and satellite guidance, from the Naval Research Lab in Washington, D.C.
Officials were able to follow the trail of the intruder "Leaf" to the University of Kaiserslautern in Germany, but that's where the trail appears to end.33

Anti-DRM Hack (October 2001)

In our eyes, not all hackers are bad guys (as evidenced by our list of the Ten Greatest Hacks of All Time); often they're just trying to right a wrong or make life generally easier for the tech-consuming public. Such is the case of the hacker known as Beale Screamer, whose FreeMe program allowed Windows Media users to strip digital-rights-management security from music and video files. While Microsoft tried to hunt down Beale, other anti-DRM activists heralded him as a crusader.34

3.2 Initiatives taken by Organizations worldwide from time to time to control the growth of cyber crime

Various initiatives have been taken by organizations worldwide from time to time to control the growth of cyber crime. Some of the initiatives taken by various organizations are:

3.3 The United Nations

A Resolution on combating the criminal misuse of information technologies was adopted by the General Assembly on December 4, 2000, including the following:

(a) States should ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies.
(b) Legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized.35

33 Ibid.
34 Ibid.
35 Ibid, p.169.

3.4 The Council of Europe

The Council of Europe Convention on Cyber Crime of 2001 is a historic milestone in the combat against cyber crime. Member States should complete the ratification, and other States should consider the possibility of acceding to the Convention or evaluate the advisability of implementing the principles of the Convention. With the Council of Europe Convention on Cyber Crime and the recommendations from G8, OAS, and APEC, we may reach our goal of a global legal framework against cyber crime.
By ratifying or acceding to the Council of Europe Convention on Cyber Crime or implementing its principles, States agree to ensure that their domestic laws criminalize the conduct described in the substantive criminal law section and establish the procedural tools necessary to investigate and prosecute such crimes. This is the harmonizing of national legal approaches on cyber crime.36

The Council of Europe established a Committee of Experts on Crime in Cyberspace in 1997. The committee prepared a proposal for a Convention on Cyber Crime, and the Council of Europe Convention on Cyber Crime was adopted and opened for signatures at a Conference in Budapest, Hungary, 2001. The Convention entered into force on July 1, 2004. As of February 2007, the total number of signatures not followed by ratifications is 22 countries. The total number of ratifications/accessions at present is 21.37

3.5 The European Union

In the European Union, the Commission of the European Communities presented on April 19, 2002 a proposal for a Council Framework Decision on attacks against information systems. The proposal was adopted by the Council in 2005 and includes Article 2: Illegal Access to Information Systems, Article 3: Illegal System Interference and Article 4: Illegal Data Interference.38

36 Ibid, p.169.
37 Ibid, pp.169-70.
38 Ibid, p.170.

Article 2: Illegal access to information systems.
1. Each Member State shall take the necessary measures to ensure that the intentional access without right to the whole or any part of an information system is punishable as a criminal offence, at least for cases which are not minor.
2. Each Member State may decide that the conduct referred to in paragraph 1 is incriminated only where the offence is committed by infringing a security measure.

Article 3: Illegal system interference.
Each Member State shall take the necessary measures to ensure that the intentional serious hindering or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering, suppressing or rendering inaccessible computer data is punishable as a criminal offence when committed without right, at least for cases which are not minor.

Article 4: Illegal data interference.
Each Member State shall take the necessary measures to ensure that the intentional deletion, damaging, deterioration, alteration, suppression or rendering inaccessible of computer data on an information system is punishable as a criminal offence when committed without right, at least for cases which are not minor.39

3.6 ASEAN

The Association of Southeast Asian Nations (ASEAN) has established a high-level Ministerial Meeting on Transnational Crime (AMMTC). At the Meeting in Bangkok on January 8, 2004, a statement that included cyber crime recognized the need for effective legal cooperation to enhance the fight against transnational crime. A Plan of Action to Implement the Joint Declaration on ASEAN-China Strategic Partnership for Peace and Prosperity was signed on October 8, 2003, in Bali, Indonesia. ASEAN and China will pursue the following joint actions and measures:40

Formulate cooperative and emergency response procedures for purposes of maintaining and enhancing cyber security and preventing and combating cyber crime.

39 Ibid, pp.170-71.
40 Ibid, p.171.
In a statement from the ASEAN Regional Forum (ARF) in July 2006 it was emphasized that: "Believing that an effective fight against cyber attacks and terrorist misuse of cyberspace requires increased rapid and well functioning legal and other forms of cooperation."41

41 Ibid, p.171.

3.7 APEC

The Ministers and leaders of the Asia Pacific Economic Cooperation (APEC) made a commitment at a meeting in 2002 to: "Endeavor to enact a comprehensive set of laws relating to cyber security and cyber crime that are consistent with the provisions of international legal instruments, including United Nations General Assembly Resolution 55/63 (2000) and Convention on Cyber crime (2001) by October 2003." In a Ministerial Meeting in Santiago, Chile, November 2004, it was agreed to strengthen the respective economies' ability to combat cyber crime by enacting domestic legislation consistent with the provisions of international legal instruments including the Convention on Cyber Crime (2001) and relevant United Nations General Assembly Resolutions.42

42 Ibid, p.171-72.

3.8 G-8 States

The G-8 States established the Subgroup of High-Tech Crime in 1997. At a meeting in Washington DC in 1997 the G8 countries adopted Ten Principles to combat crime. The goal was to ensure that no criminal receives safe haven anywhere in the world. At the last Meeting of G8 Justice and Home Affairs Ministers in Washington DC, in May 2004, a joint communiqué included the following: "Continuing to Strengthen Domestic Laws. To truly build global capacities to combat terrorist and criminal uses of the Internet, all countries must continue to improve laws that criminalize misuses of computer networks and that allow for faster cooperation on Internet related investigations. With the Council of Europe's Convention on Cyber crime coming into force on July 1, 2004, we should take steps to encourage the adoption of the legal standards it contains on a broad basis."43

In a statement from the G8 Meeting in 2002 a goal was emphasized: "To ensure that law enforcement agencies can quickly respond to serious cyber threats and incidents." At the Moscow Meeting in 2006, the G8 Justice and Home Affairs Ministers discussed cyber crime and issues of cyberspace. In a statement it was emphasized: "We also discussed issues related to sharing accumulated international experience in combating terrorism as well as comparative analysis of relevant pieces of legislation on that score. We discussed the necessity of improving effective countermeasures that will prevent IT terrorism and terrorist acts in this sphere of high technologies. For that it is necessary to devise a set of measures to prevent such possible criminal acts, including in the sphere of telecommunication. That includes application of viruses and other harmful computer programs. We will instruct our experts to generate unified approaches to fighting cyber criminality and we will need an international legal base for this particular work, and we will apply all of that to prevent terrorists from using computer and Internet sites to prevent terrorists and the recruitment of other illegal actors."44

43 Ibid, p.172.
44 Ibid, pp.172-73.

3.9 Organization of American States

The Ministers of Justice or Ministers or Attorneys General of the Americas in the Organization of American States (OAS) recommended in Peru in 1999 the establishment of a group of government experts on cyber crime. At a meeting in Trinidad and Tobago in 2002 recommendations were adopted giving the Group of Experts the following mandate: "To consider the preparation of pertinent inter-American legal instruments and model legislation for the purpose of strengthening hemispheric cooperation in combating cyber crime, considering standards relating to privacy, the protection of information, procedural aspects and crime prevention."45

Consideration of the recommendations was discussed at a meeting in Washington DC in June 2003. The Fifth Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas in Washington DC in April 2004 approved conclusions and recommendations to the General Assembly of the OAS, including the following: "That Member States evaluate the advisability of implementing the principles of the Council of Europe Convention on Cyber crime (2001) and consider the possibility of acceding to the convention."46

The General Assembly of the Organization of American States requested, at the Meeting on June 7, 2005, the Permanent Council to convene the meeting of the Group of Government Experts on Cyber crime. The Organization of American States, in cooperation with the Council of Europe and Spain, organized a conference in Madrid in December 2005. This conference was titled Cyber Crime: a Global Challenge, a Global Response. Among the conclusions adopted were: "Acknowledge the importance of the only international treaty in this field: the Convention on Cyber crime, which is open to all states, as well as the importance of strengthening the international legal framework; Strongly encourage States to consider the possibility of becoming Parties to this Convention in order to make use of effective and compatible laws and tools to fight cyber crime at domestic level and on behalf of international cooperation; Recognize the need of pursuing cooperation, providing technical assistance and organizing similar events in other regions of the world."47

The Permanent Council of the Organization of American States resolved on December 15, 2005 that the Group of Government Experts on cyber crime should meet on February 27-28, 2006, for the purpose of carrying out the mandates referred to in the conclusions and recommendations of the Fifth Meeting of Ministers of Justice on April 28-30, 2004. The Group of Governmental Experts on cyber crime met in Washington DC on February 27-28, 2006. The Agenda also included: Challenges on accessing, drafting and amending legislation consistent with the principles, substantive and procedural law of the Council of Europe Convention on Cyber Crime (2001).48

At the Sixth Meeting of Ministers of Justice in June 2006 a statement was made as follows: "…continue to strengthen cooperation with the Council of Europe so that the OAS member states can give consideration to applying the principles of the Council of Europe's Convention on Cyber Crime and to acceding thereto, and to adopting the legal and other measures required for its implementation. Similarly, that efforts continue to strengthen mechanisms for the exchange of information and cooperation with other international organizations and agencies in the area of cyber crime, such as the United Nations, the European Union, the Asia Pacific Economic Co-operation and Development, the G-8, the Commonwealth and Interpol, in order for the OAS member states to take advantage of progress in those forums."49

45 Ibid, p.173.
46 Ibid, p.174.
47 Ibid, p.174.
48 Ibid, p.174.
49 Ibid, pp.174-75.

Chapter 4 CYBER LAW IN BANGLADESH

4.1 Need for Cyber Law in Bangladesh

Computers have become integral parts of modern-day homes and workplaces. Countries around the world continue to exhibit an encouraging trend of computer usage. Most academic institutions have invested in the best technology to keep their students equipped and informed. As for the workplace, there is a gradual trend towards a possible future brimming with 'paperless and selfless offices'. The dependence on computers is increasing by the day as we are faced with better and faster machines geared up to fulfill operations that were not even imagined a few years back.
The usage of computers has opened up newer possibilities for commerce and given a fresh lease of life to several industries. The flexibility and economic feasibility of the Internet have transformed cyberspace into a colossal market abundant with opportunities. Cyberspace knows no boundaries, no parameters and no precincts as it connects people around the world. The cyber world has rendered our physical, tangible world a much smaller place, with distance and time no longer constraints on the modern-day human. Computers and their influence have traveled into almost every sector. Business, travel, education, entertainment or any other industry cannot comprehend progress without the help of these machines, which look innocuous enough for their potential to be underestimated. Students, professionals and organizations around the world need to understand the inescapable truth that computers are here to stay and that, in the future, it might be difficult to even move an inch without it having an effect on us. Considering the present trend, it has become almost obligatory for everyone to understand the jurisprudence that countries worldwide have framed to regulate and control the use of computers.50

For the past several years, many countries have been concentrating on raising awareness of questions about the governance of cyberspace. The question of who controls the Internet is directly related to the question of who wants to control the Internet. From the moment that the Internet was opened up to commercial activity, many different groups wanted to dominate it, such as users, communication companies, ISPs, and the government. Of them all, the most objected to was government intervention, yet it is governments that have managed to exert the most control. However, as the Internet has grown in our country, the need has been felt to enact appropriate cyber laws, which are indispensable to legalize and regulate the Internet in Bangladesh.
The need for cyber laws was propelled by numerous factors. The arrival of the Internet signaled the commencement of the rise of new and intricate legal issues. Despite the brilliant acumen of our master draftsmen, the requirements of cyberspace could hardly have been anticipated. As such, the coming of the Internet led to the emergence of numerous ticklish legal issues and problems which necessitated the enactment of cyber laws. The existing laws of Bangladesh, even with the most generous and moderate interpretation, could not be interpreted in the light of the promising cyberspace to cover all aspects relating to different activities in cyberspace. There were no existing laws that assigned any legal validity or sanction to activities in cyberspace; as such, before the passing of the cyber law, email was not "legal" in our country, and the courts and judiciary had been reluctant to grant judicial recognition to the legality of email in the absence of any specific law enacted by the parliament.

The Government of Bangladesh responded by coming up with the first cyber law of Bangladesh: The Information and Communication Technology Act (ICT), 2006. The Cabinet of Ministers of Bangladesh approved the Information and Communication Technology bill (ICT), 2006 in February 2005 and it was enacted on 8th October, 2006. The ICT Act defines various terms which are innovative in the legal lexicon in Bangladesh. The law consists of a preamble, 97 sections and four schedules. Cyber laws are contained in the ICT Act, 2006. This Act aims to provide the legal infrastructure for e-commerce in Bangladesh, and the cyber laws have a major impact on e-businesses and the new economy in Bangladesh. So, it is important to understand the various perspectives of the ICT Act, 2006 and what it offers.

50 Zulfiquar Ahmed, A Text Book on Cyber Law in Bangladesh, 1st ed., (Dhaka: National Law Book Company, 2009), pp.39-52.
4.2 Historical Background of the Information and Communication Technology Law or Cyber Law

The Bangladesh Government has recently enacted The Information and Communication Technology (ICT) Act, 2006 on 8th October, 2006. The law has been modeled on the 1996 model law of the United Nations Commission on International Trade Law (UNCITRAL), which is called the UNCITRAL Model Law on Electronic Commerce. The Model Law does not have any force but merely serves as a model to countries for the evaluation and modernization of certain aspects of their laws and practices in the field of communication involving the use of computerized or other modern techniques, and for the establishment of relevant legislation where none exists. The law is sometimes called cyber law and sometimes the law of the "Internet" or "Computer". Bangladesh is the 32nd nation in the world that has cyber legislation, apart from countries like India, Singapore, France, Malaysia and Japan.51

51 Ibid, p.52.

4.3 Sides of Cyber Law or ICT Act of Bangladesh

Cyber laws are meant to set a definite pattern, some rules and guidelines that define certain business activities going through the Internet as legal and certain others as illegal and hence punishable. The ICT Act 2006, the cyber law of Bangladesh, gives the legal framework so that information is not denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record. One cannot regard the government as a complete failure in shielding the numerous e-commerce activities on the firm basis of which this industry has reached its heights, but then the law cannot be regarded as free of ambiguities.52

The Information and Communication Technology Act (ICT), 2006 also aims to provide the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means.
The Act states that, unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability. Some highlights of the Act are given below:

Chapter I of the ICT Act 2006 specifically defines some terms which are used in the ICT sector and cyber legislation, to clarify the concepts. This chapter also stipulates the jurisdiction and superiority of the Act. The extra-regional effect of the Act is also discussed in the chapter.

Chapter II of the Act specifically stipulates that any subscriber may authenticate an electronic record by affixing his digital signature. It further states that any person can verify an electronic record by use of a public key of the subscriber. The said chapter also details the legal recognition of digital signatures and electronic records.

Chapter II of the ICT Act details Electronic Governance and provides, inter alia, that where any law provides that information or any other matter shall be in writing or in typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is rendered or made available in an electronic form and is accessible so as to be usable for a subsequent reference.

Chapter III of the ICT Act details the attribution, acknowledgement and dispatch of electronic records among parties.

Chapter IV of the ICT Act provides rules for secure electronic records and secure digital signatures.

52 Ibid, p.53.

Chapter V of the said Act gives a scheme for regulation of Certifying Authorities. The Act envisages a Controller of Certifying Authorities who shall perform the function of exercising supervision over the activities of the Certifying Authorities, as well as laying down standards and conditions governing the Certifying Authorities and specifying the various forms and content of Digital Signature Certificates.
The Act recognizes the need for foreign Certifying Authorities and further details the various provisions for the issue of licenses to issue Digital Signature Certificates.

Chapter VI of this Act details the application of the security procedure, acceptance of a Digital Signature Certificate, obtaining a Digital Signature Certificate and control of the private key. The duties of subscribers are enshrined in the said Act.

Chapters VII and VIII of the ICT Act talk about penalties, adjudication, investigation, judgment and punishment for various offences. The penalty for damage to computers, computer systems etc. has been fixed as damages by way of compensation not exceeding Tk. 1,00,00,000 to affected persons. The Act talks of the appointment of any officer not below the rank of a Director to the Government of Bangladesh or an equivalent officer of state government as an Adjudicating Officer, who shall adjudicate whether any person has contravened any of the provisions of the said Act or rules framed thereunder. The said Adjudicating Officer has been given the power of a civil court. Chapter VIII of the Act also talks of the establishment of the Cyber Regulations Appellate Tribunal, which shall be an appellate body where appeals against the orders passed by the Adjudicating Officer shall be preferred. Chapter VIII of the Act talks about various offences, and the said offences shall be investigated only by a Police Officer not below the rank of Deputy Superintendent of Police.

Chapter IX of the Act deals with police servants and the protection of action taken in good faith. The said Act also proposes to amend the Penal Code, 1860, the Evidence Act, 1872 and the Bankers' Books Evidence Act, 1891 to bring them in tune with the provisions of the ICT Act.53

53 Ibid, pp.53-55.
4.4 Objective of the ICT Act, 2006

The preamble of the ICT Act, 2006 declares it to be an Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Penal Code, 1860, the Evidence Act, 1872 and the Bankers’ Books Evidence Act, 1891 and for matters connected therewith or incidental thereto.

The objects of the ICT Act, 2006 have been illustrated by the Law Commission’s Final Report as giving effect to the following purposes:

(a) to facilitate electronic communications by means of reliable electronic records;
(b) to facilitate electronic commerce, eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements, and to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce;
(c) to facilitate electronic filing of documents with government agencies and statutory corporations, and to promote efficient delivery of government services by means of reliable electronic records;
(d) to minimize the incidence of forged electronic records, intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions;
(e) to help to establish uniformity of rules, regulations and standards regarding the authentication and integrity of electronic records; and
(f) to promote public confidence in the integrity and reliability of electronic records and electronic commerce, and to foster the development of electronic commerce through the use of electronic signatures to lend authenticity and integrity to correspondence in any electronic medium.54

4.5 Establishment & Jurisdiction of Cyber Tribunal in Bangladesh
The Government of Bangladesh may, by gazette notification, for the purpose of quick and effective trial of crimes committed under the Act, establish one or more cyber tribunals (sometimes referred to later simply as the tribunal) under section 68(1) of the ICT Act. The cyber tribunal mentioned in sub-section (1) of the section will consist of a session judge or an assistant session judge appointed by the government in consultation with the Supreme Court; and a judge so appointed will be known as “judge, cyber tribunal”.55 The cyber tribunal under the section may be given jurisdiction over the whole of Bangladesh or over one or more session jurisdictions; and the tribunal will only try cases of crimes under the Act.56 The special tribunal may sit and conduct its proceedings at a certain place and time, and the government will determine all this by its order.57

54 Ibid, p.57.

Establishment & Jurisdiction of Cyber Appellate Tribunal in Bangladesh

The ICT Act envisages the establishment of the Cyber Appellate Tribunal at one or more places as the government may deem fit. Section 82(1) of the ICT Act provides that the government shall, by notification in the Official Gazette, establish one or more appellate tribunals to be known as the Cyber Appellate Tribunal.
The cyber appellate tribunal will be composed of a chairman and two members appointed by the government.58 The chairman will be a person who was, or is, a justice of the Supreme Court or is qualified to be appointed as such; one of the members will be a judicial officer serving as a district judge, or retired from that post; and the other will be a person having the prescribed knowledge and experience in information and technology.59 The chairman and the members will hold their posts for a minimum of 3 years and a maximum of 5 years, and the conditions of their service will be decided by the government.60 The Cyber Appellate Tribunal shall have the power to hear and settle appeals made against the judgments of the cyber tribunal and the session court.61

55 The Information and Communication Technology Act, 2006, s. 68(2).
56 Ibid, s. 68(3).
57 Ibid, s. 68(4).
58 Ibid, s. 82(2).
59 Ibid, s. 82(3).
60 Ibid, s. 82(4).
61 Ibid, s. 83(1).

The appellate tribunal will have the authority to support, cancel, change or edit the judgment of the cyber tribunal.62 The decision of the appellate tribunal will be final. The Cyber Appellate Tribunal does not seem to be vested with any original jurisdiction; it has been vested with the powers of a civil court in respect of, inter alia:

a. Summoning and examining of witnesses
b. Requiring production of documents
c. Receiving evidence
d. Issuing commissions and
e. Reviewing its decisions.63

62 Ibid, s. 83(2).
63 Zulfiquar Ahmed, A Text Book on Cyber Law in Bangladesh, 1st ed., (Dhaka: National Law Book Company, 2009), p.150-52.

Chapter 5
PREVENTIVE MEASURES ON CYBER CRIME: PERSPECTIVE BANGLADESH

5.1 What makes cybercrime laws so difficult to enforce

Deb Shinder discusses both the difficulty of enforcing cybercrime laws and of tracking down cybercriminals in the first place.
When the Internet first "went commercial" and became affordable enough and easy enough to access for ordinary people (that is, those outside academia and government), it was a new frontier. Like the Wild West of old, it was mostly unregulated; legislators hadn't anticipated the rapid growth or the types of online behaviors that would require new laws to protect innocent users. Over the more than two decades since, state and federal governments have passed many statutes to address the problem of criminal activities that take place over the Internet. Cyberbullying, cyberstalking, theft of wireless services, spamming, unauthorized access - most of these laws didn't exist twenty-five years ago.

So now we have plenty of laws on the books, but enforcing them is another matter. It can be frustrating for the victims of such crimes, when the perpetrators are never brought to justice. Some local police departments have set up divisions specifically devoted to computer crimes enforcement, but some shy away from investigating and enforcing these types of crime. That's because, for a number of reasons, enforcing laws governing online behavior is intrinsically more difficult than the enforcement of "traditional" laws. In this article, we'll take a look at those reasons.

5.2 Jurisdictional issues

The concept of jurisdiction pertains to which agency or court has the authority to administer justice in a particular matter, and to the scope of those agencies' and courts' authority. Jurisdiction can be based on a number of different things64:

Branch of law. In the U.S., there are three broad branches of law: criminal law, civil law, and regulatory law. The criminal (or penal) system deals with offenses that are prosecuted by the government - local, state or federal - and can be punished by monetary fines, loss of liberty (jail or prison), or in extreme cases, even loss of life (death penalty).
The civil system deals with disputes between individuals or organizations (including in some cases government agencies), in which the party found liable is ordered to pay monetary damages and/or ordered to do or not do something (injunction). Regulatory agencies have jurisdiction over specific industries or activities and can impose fines and/or take away an individual's or organization's authorization to conduct business or engage in the regulated activity.

Type of case. Within each system, there can be different agencies or courts assigned responsibility for different types of cases. For example, within the criminal system, some courts deal exclusively with traffic offenses and some deal with domestic violence and other family law cases. Some law enforcement agencies have jurisdiction only over crimes that violate the state's alcoholic beverage code, or only investigate and prosecute offenses that fall under the parks and wildlife code. Within the civil system, some courts handle only divorce cases, others handle only probate matters, and so forth.

Grade of offense. In the criminal justice system, different courts have jurisdiction over different grades of offense, based on severity. Municipal courts may handle only city ordinance violations and/or certain misdemeanor offenses. County courts may handle more serious misdemeanors, while district courts handle felony offenses.

Monetary damages. In the civil system, different courts handle cases based on the monetary damages. For example, small claims courts or justice of the peace courts may have jurisdiction over lawsuits up to a few thousand dollars.

Level of government. In the U.S., there are separate laws, law enforcement agencies and court systems for different levels of government.
In the criminal system, you have municipal police, county sheriffs (and in some states, constables and/or marshals), state police or troopers, and numerous federal agencies such as the FBI, DEA, BATF, etc., enforcing the laws that are passed by the governing bodies at the corresponding levels (city and county ordinances passed by city councils and county commissioners, state statutes passed by state legislative bodies and federal laws passed by the U.S. Congress).65 Because these systems are separate, a person can be charged, tried and acquitted under state law, for example, and then charged, tried and convicted under federal law for the same act, without incurring double jeopardy. There are also international law-making bodies such as the EU and the UN; their laws are generally adopted by the member nations via treaties.

64 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016

Geographic area. Any good real estate agent will tell you it's all about location, location, location - and that's what geographic jurisdiction pertains to. In the case of the courts, it's also referred to as venue. A law enforcement agency or court has jurisdiction only over crimes that take place in the geographic location where that agency or court has authority. That may include the location of the perpetrator, the location of the victim, or the location where the crime actually occurred.

Before a law enforcement agency can investigate a cybercrime case, it has to have jurisdiction. The first thing that must be determined is whether a crime has taken place at all. In some cases, there is no law on the books that covers the particular circumstance. In other cases, the wrongful action that took place is a civil matter, not a criminal one. This might be the case, for instance, if you entrusted your data to a company and that company lost it.
If a criminal offense has occurred, the next step is to determine what law was violated. Was it a city ordinance, a state statute, or a federal law? Local police don't generally pursue a person for federal crimes, and the FBI doesn't generally investigate and arrest for state offenses (although in some serious matters, agencies at different levels come together to form task forces and work together to pursue criminals who commit offenses that are violations at both levels).

65 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016

The next, and in the case of cybercrime the stickiest point, is to determine the geographic jurisdiction. This is more difficult in cybercrime cases than in other types of crime because often the perpetrator is not in the same city, state or even country as the victim.66

Why is geographic jurisdiction such a big problem? There are a couple of important reasons:

Laws differ from state to state and nation to nation. An act that's illegal in one locale may not be against the law in another. This complicates things if the perpetrator is in a location where what he/she is doing isn't even against the law - even though it's a clear-cut crime in the location where the victim is.

Law enforcement agencies are only authorized to enforce the law within their jurisdictions. A police officer commissioned in California has no authority to arrest someone in Florida, the FBI doesn't have the authority to arrest someone in Spain and so forth.

Extradition (the process by which a state or nation surrenders a suspect to another) is difficult at best, and often impossible. Under international law, a country has no obligation to turn over a criminal to the requesting entity, although some countries have treaties whereby they agree to do so. Even in those cases, it's usually an expensive and long, drawn-out process.
Thus jurisdictional issues frequently slow down or completely block the enforcement of cybercrime laws. Extradition treaties often require "double criminality," meaning the conduct must be a crime in both the jurisdiction seeking to extradite and in the jurisdiction from which the extradition is sought.

5.3 Anonymity and identity

Before jurisdiction even comes into play, it's necessary to discover where - and who - the criminal is before you can think about making an arrest. This is a problem with online crime because there are so many ways to hide one's identity. There are numerous services that will mask a user's IP address by routing traffic through various servers, usually for a fee. This makes it difficult to track down the criminal.

66 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016

In 2009, Eugene Kaspersky identified the relative anonymity of Internet users as a key issue that enables cybercrime and proposed Internet "passports" for individuals and accreditation for businesses to help combat the problem.67 Some studies have shown that people are more likely to engage in offensive and/or illegal behavior online because of the perception of anonymity.

However, attempts to better track online identity raise serious issues for privacy advocates and result in political backlash. An end to anonymity on the Internet could have serious consequences in countries where the government punishes dissenters, so even if the technological challenge of identifying every online user could be overcome, many lawmakers would be hesitant to mandate it. Cybercriminals exploit the rights and privileges of a free society, including anonymity, to benefit themselves.68

5.4 Nature of the evidence

Yet another thing that makes cybercrime more difficult to investigate and prosecute in comparison to most "real world" crimes, is the nature of the evidence.
The problem with digital evidence is that, after all, it is actually just a collection of ones and zeros represented by magnetization, light pulses, radio signals or other means. This type of information is fragile and can be easily lost or changed. Protecting the integrity of evidence and maintaining a clear chain of custody is always important in a criminal case, but the nature of the evidence in a cybercrime case makes that job far more difficult. An investigator can contaminate the evidence simply by examining it, and sophisticated cybercriminals may set up their computers to automatically destroy the evidence when accessed by anyone other than themselves.

In cases such as child pornography, it can be difficult to determine or prove that a person downloaded the illegal material knowingly, since someone else can hack into a system and store data on its drive without the user's knowledge or permission if the system isn't adequately secured. In cases of intrusion or cybervandalism, the bad guy often erases all logs that show what happened, so that there is no evidence to prove that a crime even occurred, much less where the attack came from.69

67 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016
68 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016

5.5 Criticisms of the Cyber Law of Bangladesh

The ICT Act has identified some critical situations which are not clear in our archaic legal provisions. The law does something to regulate social norms and to control information technology. Ever since the passing of the Information and Communication Technology Act by parliament, a lot has been said both for and against the Act. Although the newly enacted Cyber Law has some weaknesses, something is better than nothing.
The criticisms of the Cyber Law of Bangladesh are given below:

The Internet is a borderless medium; it spreads to every corner of the world where life is possible, and so does the cyber criminal. How, then, is it possible to feel relaxed and secure once the law is enforced in the nation? The Act was initially supposed to apply to crimes committed all over the world, but nobody knows how this can be achieved in practice, or how to enforce it all over the world at the same time. Can we track down the Emil Indian Hacker who recently hacked our 17 district web portals?70

The Act empowers the Deputy Superintendent of Police to look into the investigation and the filing of the charge sheet when any case related to cyber law is called. This approach is likely to result in misuse in the context of Corporate Bangladesh, as companies have public offices which would come within the ambit of “public place” under the Act. As a result, companies will not be able to escape potential harassment at the hands of the Deputy Superintendent of Police.

Cyber Offences Investigation Police Officer must have relevant expertise: Section 80 of the ICT Act, 2006 provides that a police officer not below the rank of an Inspector of Police shall investigate any offences under this Act. This section should be modified so that the Inspector of Police, and officers above that rank, must have appropriate ICT knowledge (i.e. Diploma/Bachelor’s degree in ICT-related subject, proper training in this area).

69 [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/] Last visited 10 May 2016
70 The Prothom Alo (21 March 2010), p.24.

Draconian power has been given to police officers, namely to a police officer not below the rank of an Inspector of Police (IP), or any other officer of the Government authorized by the Government in this behalf, for the purpose of investigating and preventing the commission of a cyber crime under section of the ICT Act, 2006.
The unrestricted power given by the ICT Act to the said IP includes the power ‘to enter any public place and search and arrest without warrant any person found therein who is reasonably suspected of having committed or of committing or being about to commit any offences under this Act’.71 It is very much possible that the given power may be misused and abused by the said police officers. This law has given more power to police officers in arresting cyber criminals, although cyber crime detection is very difficult. So, this is similar to section 54 of the Criminal Procedure Code in respect of harassment of the public.

Spamming is not an offence under the ICT Act, 2006 in Bangladesh. But spamming has become a peril in the USA, the UK and other developed nations, and an anti-spamming provision needs to be included.

Implementation of Global Cyber Law: Implementation of the law is a big question mark for any nation’s law enforcing agency. The implementation of the global cyber law is a big challenge without any law enforcing agencies. But countries can take the lead in implementing the law within their national boundaries. The US, for example, has cyber squatting laws that make cyber squatting a punishable offence. But other countries are very confused, and Bangladesh is one of those countries. In fact, the ICT Act 2006 has a provision whereby the law is applicable not only to Bangladeshi netizens; any contravention or violation done by anybody anywhere in the world is also liable to the penalties under section 84, which is very impractical unless a global agreement related to cyber law is in existence. The provision in section 84 does not clearly define how and in what particular manner the ICT Act shall apply to any offence or contravention thereunder committed outside Bangladesh by any person.

71 The Information and Communication Technology Act, 2006, s. 79.
The ICT Act does not provide extra-territorial jurisdiction or multi-territorial jurisdiction to law enforcement agencies, but such powers are basically ineffective. This is because Bangladesh does not have reciprocity like EU countries, nor extradition treaties with a large number of countries.

“Domain Name” is the major issue, which relates to the Internet thoroughly. But the ICT Act, 2006 does not define “Domain Name” or the related rights and liabilities. “Domain Name” owners do not find any mention in the ICT Act. There is no provision about the Intellectual Property Rights of “Domain Name” owners. These need proper attention.

Section 56 of the ICT Act, 2006 provides that the order of the Government appointing any person as the Presiding Officer of a Cyber Appellate Tribunal shall be final and shall not be called in question in any manner, and that no Act or proceeding before a Cyber Appellate Tribunal shall be called in question in any manner on the ground merely of any defect in the constitution of a Cyber Appellate Tribunal. The said provision is violative of the Fundamental Rights of the citizens as enshrined in Chapter III of the Constitution of Bangladesh; the said provision is not convenient and is likely to be struck down by the courts. The Government cannot claim immunity in appointments to the Cyber Appellate Tribunal, as the same is contrary to the spirit of the Constitution of Bangladesh. So, under the Constitution of Bangladesh, all proceedings and Acts of the Cyber Appellate Tribunal are null and void ab initio.

Chapter 6
CONCLUDING REMARKS

6.1 Recommendations

The following recommendations could be taken under consideration for the betterment of the present conditions.

(1) The existing law does not sufficiently provide compensation to victims of cyber crime for injuries caused or loss suffered by them due to the offender's cyber act. The payment of compensation may be made from the money recovered by the State from the offender by way of fine.
(2) Cyber crime reporting in Bangladesh continues to be faulty even to this day. As a result of this, crimes are either suppressed, minimized or not reported. The reporting procedure, therefore, needs to be overhauled.
(3) The government may develop a separate authority to monitor the abuse of cyber.
(4) Cyber crime related cases could be adjudicated under the Druto Bicher Tribunal.
(5) Regular training campaigns should be arranged for the skill development of experts who are going to chase these cyber criminals.
(6) The modern western trend favors deletion from the Cyber Act of all such offences which are solely dependent on morality.
(7) To keep national security uninterrupted and avoid hacking, web servers running public sites must be separately protected from the internal corporate network, and web site owners should watch traffic and check for any inconsistency on the site by installing host-based intrusion detection devices on servers.

6.2 Conclusion

As we move forward into the 21st century, technological innovations have paved the way for us to experience new and wonderful conveniences in how we are educated, the way we shop, how we're entertained and the manner in which we do business. The capacity of the human mind is immeasurable. It is not possible to eliminate cyber crime from cyber space. It is quite possible to check it. History is the witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties, and further to make the application of the laws more stringent to check crime. Undoubtedly the ICT Act is a historical step in the cyber world. Further, it cannot be denied that there is a need to bring changes to the Information Technology Act to make it more effective in combating cyber crime, provided that the laws are not made so stringent that they may retard the growth of the industry and prove to be counter-productive.
The Penal Code, 1860 was found insufficient to cater to the needs of new crimes emerging from Internet expansion. Even some of the traditional crimes such as conspiracy, solicitation, securities, fraud, espionage etc. are now being committed through the Internet, which necessitates a new law to curb them. It was against this background that the ICT Act, 2006 was enacted in Bangladesh for the prevention and control of cyber crimes. Prior to the enactment of this Act, the law applicable to cyber offences was the Penal Code, 1860, which was enacted long back in 1860 when no one even thought of computer technology or cyber criminality. With the coming into force of the ICT Act, 2006, it became necessary to introduce certain consequential changes in certain provisions of the Penal Code, 1860 as also in the Evidence Act, 1872, in order to meet the new requirements of cyber space crimes.72

However, the conception of cyber crime relates to the age of the information super highway of the contemporary world. Nowadays crimes are spreading at an alarming rate in the field of online communication systems at the hands of intellectual criminals. Through the development of technology, crimes have been developing in different ways and means. So laws should be developed in such a way that crimes in the technological arena can be controlled with an iron hand. But no such effective legal provisions exist at home or abroad. Though there are some laws and conventions, they cannot be implemented due to some technical difficulties such as procedural complexities and the lack of a proper executing system. Taking advantage of this, criminals are committing heinous crimes such as hacking, sending malicious mails, spreading vulgar pictures, cyber terrorism and illegal use of intellectual property.

72 N. V. Paranjape, Criminology and Penology, 13th ed., (Allahabad: Central Law Publications, 2008-09) p.141.
It causes harm to the privacy of individuals as well as creating a threat to international peace and solidarity. It is now the demand of the time to prevent such types of crimes in order to preserve individual privacy as well as international peace and security. Every country of the world can enact effective legal provisions within the purview of its national boundary to protect against cyber crimes. The United Nations can also take necessary steps to prevent cyber crimes in cyber space.73

73 Abdul Halim & N. E. Siddiki, The Legal System of Bangladesh after Separation, 1st ed., (Dhaka: University Publications, 2008) p.387.

REFERENCE

STATUTES
1. The Constitution of the People’s Republic of Bangladesh.
2. The Computer Misuse Act (1990).
3. The Computer Fraud and Abuse Act, 1984.
4. The Information and Communication Technology Act (ICT), 2006.
5. The United Nations Commission on International Trade Law (UNCITRAL), 1996.
6. The Penal Code, 1860.
7. The Evidence Act, 1872.
8. The Bankers’ Books Evidence Act, 1891.
9. The Criminal Procedure Code, 1898.
10. The Bangladesh Bank order, 1972.
11. The Lunatic Act, 1912.
12. The Convention on Cyber Crime, 2001.

JOURNAL
1. Katyal, N. K., Digital architecture as crime control. (Yale Law Journal, 2003).

BOOKS
1. Abdul Halim & N. E. Siddiki, The Legal System of Bangladesh after Separation, 1st ed., (Dhaka: University Publications, 2008).
2. David Wall, Cybercrime: The Transformation of Crime in the Information Age. (Cambridge: Polity Press, 2007).
3. N. V. Paranjape, Criminology and Penology, 13th ed., (Allahabad: Central Law Publications, 2008-09).
4. Prashant Mali, Text book of cyber crime and penalties.
5. Robert Moore, Cybercrime investigating high-technology computer crime. 2nd ed. (New York: Routledge, 2015).
6. R. K. Chaubey, An Introduction to Cyber Crime and Cyber Laws, 1st ed., (Kolkata: Kamal Law House, 2009).
7. Zulfiquar Ahmed, A Text Book on Cyber Law in Bangladesh, 1st ed., (Dhaka: National Law Book Company, 2009).

NEWSPAPER
1.
The Prothom Alo.

ELECTRONIC DATA
1. [http://www.crime-research.org/analytics/702/.]
2. [http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-so-difficult-to-enforce/4997/]
3. [http://www.techterms.com/definition/cybercrime.]
4. [http://www.associatedcontent.com/article/44605/cybercrime_a_revolution_in_terrorism.html?cat=37.]
5. [http://www.networkworld.com/newsletters/sec/2002/01467137.html.]
6. [http://www.cknow.com/cms/vtutor/logic-bombs.html.]
7. [http://teletechblog.blogspot.com/2013/05/cyber-crime-cyber-security-and.html]
8. [https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud]
9. [http://www.windowsecurity.com/articles-tutorials/content_security/EmailSpoofing.html]
10. [http://law.jrank.org/pages/11992/Cyber-Crime-Intellectual-propertytheft.html]