“A research study of the Computer Crimes in Sri Lanka and the protective acts taken by the Sri Lankan government.”

Background

Computer systems are everywhere and control a great deal of our day to day life. Computer systems make our life so much easier. All the people around the world are forced to use the computer systems even if they do not like. These computer systems can be used in a good way or in a bad way. The bad way is known as a computer crime.

Motivation

Presently, individuals and companies are struggling from computer crimes, thinking is it a crime or not? what are laws available for it, where to file a complaint? etc.

To improve the understanding of computer crimes, this topic has been chosen, which allows studying about different kinds of computer crimes and the respective laws applies for those crimes.

In this research, the computer crimes in Sri Lanka and the counteract applicable for those crimes and different country laws will be discussed.

“Computer crime, also known as cybercrime, is any illicit action that includes a computer or network associated gadget, for example, a cell phone. The Department of Justice partitions computer crime into 3 classifications: violations in which the computer gadget is the victim, for instance, getting access to the network; violations in which the computer is utilized as a weapon, for instance, to dispatch a Denial of Service (DoS) attack; and violations in which the computer is utilized as an accomplice to a wrongdoing, for instance, utilizing a computer to save wrongfully acquired information (Rouse, 2010).”

Examples of computer crime:

• “Making Malware – Making and spreading viruses, Trojans or other kinds of malware.”
• “DoS attack – Impacting the server performance by sending large amount requests.”
• “Unauthorized access – Accessing the computer system without any lawful authority.”
• “”Intellectual property theft – Thieving an organization’s or individual’s intellectual belongings.”
• Child pornography – Creating or selling youngster erotica.”
• “Cyberstalk or Cyberbullying – Harassing others online.”
• “Cyber terrorism – Threat to the national security or national economy or public safety.”
• “Fraud – Altering data, for instance, altering bank account balance amount details.”
• “Espionage – Infiltration (an organization or someone).”
• “Harvesting – Gather account associated data from people.”
• “Identity theft – Pretend to be someone else.”
• “Spoofing – Cheating a system by pretending someone else.”
• “Spamming – Annoying unwelcome large amount of emails trying to fill the inbox.”
• “Phishing – Fool someone by pretending or acting to be a trustable individual in an e-mail or an organization and trying to get their personal information.”

(ComputerHope, 2017)

• To destroy a person’s or organization’s reputation.
• To make money or steal money from a person or an organization.
• Full-fill their desires (by blackmailing, threatening etc.).
• Show off their skills to their friends / for enjoyment.
• Lack of authorities or less severe punishments.

The Computer Crimes reported, in Sri Lanka are financial frauds, abuse/hate/privacy violation, phishing, scams, malware, unauthorized access, intellectual property violation, DoS/DDoS attack, Social media related incidents.

According to SLCERT (Sri Lankan Computer Emergency Readiness Team), Fake accounts crimes are major crimes committed in Sri Lanka.

Computer crimes in Sri Lanka keep up increasing every year. According to SLCERT, the computer crime rate has increased up to 4733% from 2008 to 2014. Particularly fake account crimes have increased from nearly 0 to 2300.

Figure 2 – Computer Crimes Reported from 2008 to 2014

“From Colombo to the countryside, Twitter, Instagram, Facebook and other social media web applications have spread and it has begun to create an impact on the society and culture particularly among the younger generation. Facebook crimes are the majority of the social media related crime in Sri Lanka. There are many Facebook crimes which ended up with suicides, rapes, or even murders not only among teenagers but also among adults too.”

(SLCERT, n.d.)

“Mr. Jayantha Fernando, Program Director, Information and Communication Technology Agency (ICTA) stated that there is a necessity for Internet privacy acts when the standards of information protection are violated since Sri Lanka has no specific acts on Internet privacy.”

“Jayantha mentioned that the Sri Lankan administration has started strategy level deliberations at the initiative of ICTA on data protection and internet privacy acts, and the process of developing the draft is ongoing.”

“In 2015, the Computer Crimes Division of the Criminal Investigation Department (CID) arrangement below the Computer Crimes Act 2007 managing an expanding amount of complaints on privacy violations and email scooping. The department has explored more than hundred on internet associated misconducts, including twenty-one protests associated with obscene publications, fifty protests of cyber defamation and twenty associated to e-mail hijacking.”

“Additional two thousand protests relating Twitter and Facebook (FB) were informed to the SLCERT in the first 7 months of 2015. The majority of the events had happened on Facebook, and mainly the involvement of fake profiles, Senior Information Security Engineer of SLCERT, Mr. Roshan Chandragupta stated.”

“Mr. Roshan stated that people were hurt in various ways over the internet. Few were threatened with data associated with the target, few were blackmailed for cash, few were harassed sexually and few were even harassed to the point of deceased.”

“A lot of people were hurt by impersonators via social media. Most of them do not know where to file a complaint, hence, the protest related to fake profiles were not filed, he said.”

An inquiry officer of the Computer Crimes Division of CID expressed “Present acts make it very hard for us to bring in the culprits“.

“The officer also said that most of the events that were informed, in which an angry person dispenses the contact information of another person. Generally, this target would be an ex-lover of the offender who eagerly wants to punish her. Since there was no defamation, it does not come under defamation law, therefore it becomes very hard for the police to put the offender behind bars.”

“CID Director SSP.R Nagahamulla said that the Computer Crimes Division does not have enough officers to do the work, and also do not have an adequate amount of standard electronic equipment support investigation. The department has no divisions. Nevertheless, the course of training extra officers and the process of purchasing the devices were begun by the CID.”

(Nafeel, 2015).

Mr. Roshan said that lack of knowledge about computer security on cyber platforms is the main reason for many of the computer crimes.

“The absence of computer proficiency, correspondence, and breakage in family connections were the genuine foundations for the present surge in social media-related incidents, said by Manoj Jinadasa, senior lecturer at the Department of Mass Communication at the University of Kelaniya.”

“In Western countries, media literacy is built into the school curriculum. This should be done here too,” he said.

(Dissanayake, 2014)

“The senior CID officer said that every day, the CID gets a minimum of ten to twelve cybercrime grievances, which adds up to more than 400 cases for each month. Since the team at CID is little, resolving these cases will be deferred (Wickramasekera, 2015).”

Here is an example social media crime incident:

“The headmaster of John Kothalawala School in Kurunegala has been captured by the Police Unit of the National Child Protection Authority. The headmaster was criticized for disgracing a young lady over a Facebook photograph, prompting her suicide. He has been captured as a component of the examination (NewsFirst, 2014).”

The Computer Crime Act, No.24 of 2007

“This act describes the ways of identifying computer crimes and if such crimes occur the procedure for the investigation and the prevention mechanism for the crimes.”

The provisions of this Act will applicable where:

• The lawbreaker in or outside Sri Lanka.
• Computer storage or information affected in or outside Sri Lanka.
• Facility or service used to commit the crime in or outside Sri Lanka.
• Loss or damages caused to state or person in or outside Sri Lanka.

The offenses and punishments stated in this act are simplified into a table format below:

And / Or

Table 1 – Offences and the penalties mentioned in Computer Crime Act 2007

(SLCERT, 2007)

Who will be involved in the investigation?

• Police officers
• Computer experts

The panel will appoint computer experts to support police department to help with the case. If the police department has sufficient experts, then there is no necessary for more computer experts.

Convention on Cybercrime

“The Convention on Cybercrime is also called as Budapest Convention or Budapest Convention on Cybercrime or European Cybercrime Convention. The Budapest Convention tries to address Internet and computer violations by agreeing to national acts, enhancing analytical strategies and expanding collaboration among countries.”

“The European Cybercrime Convention dealing criminal activities carried out through the computer and the Internet, especially with copyright infringements, child pornography, infringement of system security, hate crimes, and computer associated frauds.”

“In 2015, Sri Lanka was welcomed to participate in the Budapest Convention on Cybercrime. The Foreign Affairs Ministry working with the ICTA has optimized Sri Lanka’s entrance into the Council of Europe (CoE) Cybercrime Convention.”

“Sri Lanka went beyond South Africa, Argentina, Costa Rica, Mexico, Philippines and a few different nations in the procedure towards participating the Convention on Cybercrime. Sri Lanka turns into the 1^st Nation in South Asia to participate the Convention on Cybercrime, which is the main universal arrangement on cybercrimes all inclusive.”

“The advantage of this convention is that all will be constrained to obey to the privacy guard and information security. Privacy acts are the most critical one where the stockholders from Europe or different nations will consider before investing in Sri Lanka, how their data are protected.”

(Nafeel, 2015)

Comparing Sri Lankan laws with different country laws is a good way of evaluating strengths and weakness of the laws in Sri Lanka.

Information Technology (Amendment) Act, 2008 (India)

Sri Lanka and India have very much in common, both are Asian countries (closest countries), both are democratic countries. Sri Lanka and India are the members of South Asian Association for Regional Cooperation (SAARC). Sri Lankan culture and Indian culture are pretty much similar. Therefore, the Indian law has been used for the comparison.

India has an act called “Information Technology Act, 2008” to prevent computer crimes happening and provide guidelines to follow if such incident occurs. This act is an amendment of Information Technology Act, 2000.

The offences and punishments mentioned in the act are listed in a simple table format below: And / Or

Table 2 – Offences and Penalties in the Information Technology Act, 2008

(Ministry of Electronics and Information Technology, n.d.)

Table 3 – Comparison common laws between Sri Lanka and India

Let us compare 2 similar cases from both countries and compare the punishments given each by the government.

For the comparison hacking case have been taken from both countries.

Sri Lanka

“A 17-year-old schoolboy from Kadugannawa and a twenty-seven-year old man from Moratuwa were arrested on 29 Aug 2016, for building the hack on President Maithripala Sirisena’s site.”

“President Sirisena’s legitimate site http://www.president.gov.lk went under assault on 26 Aug 2016, when the site was brought down and a letter posted in Sinhalese, stating the disappointment of a group of hackers calling themselves “The Sri Lanka Youth“, at the Sri Lankan administration having planned the Advanced Level examination for April, amid the conventional Sinhala and Tamil New Year.”

The letter was evacuated in a few minutes and a note informing clients that the site would down for “scheduled maintenance“, set up. The President’s site was back online a couple of hours after the fact.

“The website was hacked one more time, the following day (27 Aug 2016), with the resulting note posted in English:”

(DailyNews, 2016)

“The Crimes Investigation Department (CID) performed the arrest.”

“According to Daily News (2016) statement, the man was accused of 300,000 LKR and up to three years in prison and since the kid is minor, he ended up in probation. This is the 1^st time in the Sri Lankan history a young person has been arrested under 2007 Computer Crimes Act.”

India

“Mumbai police have captured twenty-three-years-old hacker for trespassing into an economic site. Despite the fact that the hacker could not get into the primary server of the economic website, which was all around secured by the organization. The hacker made some option to the landing page of the economic site and has added a string of content to the news section of the landing page of the site. Police could break the case by taking after the follow left by the offender on the web server of the economic website. The organization has kept up a different server for money related online exchanges, for which most extreme security has been taken by the organization. The site was facilitated on an alternate server, which relatively had lesser security.”

“The intruder was a tenth pass youth. He has completed IT courses like MCSE, CCNA and so on. He had an addiction to computers. He sits in front the PC for very nearly sixteen to twenty times every day. He was using the ready-made hacking devices, to hack into any site. He goes to a specific site on the web, which encourages him to see the whole catalog structure of that site. At that point utilizing different strategies, for example, getting a passcode record, he gets into the director’s shoes and hacks the site.”

“A case was enrolled against the intruder under area 67 of Information Technology Act – 2000 and under different areas of Indian Penal Code.”

(CyberCrimeInvestigationCell, 2005)

Result

The Sri Lankan government has charged the victim with 300,000 LKR and up to 3 years in prison. The Indian government has charged the victim with 1,000,000 Indian Rupee and up to 5 years in prison. Compare to the severity, Indian hacker just hacked the economic site, but the Sri Lankan hacker hacked the Sri Lankan Present’s website which is highly punishable. The punishment that the government gives will be a lesson and the threat for those who try to commit crimes. In that case, Sri Lanka has failed to give a higher penalty.

When the group of people, including a 17-year-old boy hacked, president Mr. Sirisena’s website (Page 13), in everyone’s mind a question will raise. Is the preventive move made by Sri Lankan Government to battle against computer crime is adequate?

I would say NO. As per the SLCERT’s report (Figure 2) and the officers’ statements (Page 5, Page 6) the computer crime rates keep increasing every year, So, the preventive action taken by the government is not sufficient enough.

Suggestions

Severe punishments will discourage the offenders committing a crime. Compared to the Indian laws, Sri Lanka laws provide less severe punishments (Table 1, Table 2, Table 3) for the offender. So, increasing the fine amount and impressment period given to each crime is a better way of reducing or stopping crimes happening.   

Mr. Jayantha stated that currently, Sri Lanka does not have any specific acts on Internet privacy (Page 5) and an inquiry officer of the Computer Crimes Division expressed that with current Sri Lankan laws it is hard to take an action on the offender. So, introducing more laws, more specific acts on Internet privacy will help to combat against these computer crimes, Especially, sections like 66E, 67, 67A, 67B introduced Information Technology Act, 2008 India (Table 2), since the rapid growth of fake accounts and social media crimes in Sri Lanka.

Mr. Roshan said that the reasons for these crimes are not enough awareness about computer crimes in the society. People are not aware of where to file a complaint (Page 5). This is the main reason; the culprits are out there committing more and more crimes. Spreading the awareness about computer crimes through television, radio and social media will reach a lot of people and help reduce crimes.

Provide enough equipment, facilities, human resource and training for the Police department and the Computer Crimes Division of CID to do their work without any interruptions.

According to Mr. Manoj’s research, the majority of the victims of computer crime are teenagers. I suggest the education department introduce “Computer Crimes” as a subject in schools. This prevents the younger generation from falling into trouble or pushing someone into. Today’s generation, tomorrow’s future.