Response To Criticism On E Crime Law

Response to Criticism on Prevention of E-Crimes Bill 2007 By: M. Faisal Naqvi CISSP [email protected]


Response to the Criticism on Prevention of Electronic Crimes Law of Pakistan


Page 2: Definition of electronic

Criticism:

“Wrong. Electronic means much more. There is no need to define electronic. What needs to be defined is electronic. Also note ETO 2002 does not define electronic nor does any law or model law define this internationally…”

Response:

• Same definition is given in ETO 2002 under section 2 (ℓ)

• Moreover electronic is defined in:

– Canada - Electronic Transactions Act 2001

– Canada - Uniform Electronic Commerce Act

– Canada - The Electronic Commerce And Information, Consumer Protection Amendment And Manitoba Evidence Amendment Act

– Ireland - E-Commerce Act, 2000

– India - IT Act 2000 u/s. 2 (r)

– Turks and Caicos Islands - Electronic Transactions Ordinance 2000

– Bermuda - The Electronic Transactions Act 1999

Page 3: Data / System Damage

Criticism:

“any interference with Data should be the focus”

Response:

Interference even includes:

• Prying

• Intrusion

• Modification

• Deletion etc.

Damage includes only Active Attacks like:

Modification, Deletion, Obstruction etc.

Passive Attacks – Criminal Access = 2 yrs. punishment

Active Attacks = 3 yrs. punishment

Page 4: Data / System Damage (Cont…)

Criticism:

“Do I damage a system if I don’t interrupt any normal processing, nor obstruct the functioning or reliability or usefulness of an electronic system, yet take control of the system? If the answer is yes, how does clause 7 address it?”

Response:

• Answer is No!

• You are just accessing the system, which is punishable under clause 3, i.e. Criminal Access.

• 1st level = Access, 2nd level = Damage

• Access and Damage are treated separately

• Interference treats both equally

Page 5: Data / System Damage (Cont…)

• United States Code § 1030 (e)(8) defines damage as:

‘the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;’

• Data will be damaged even with a single bit change.

• If the word “Destroy” had been used, the criticism might be valid.

• Almost all Budapest Convention signatories have treated Access and Damage separately.

• Almost every signatory used a different title and definition.

• Many Budapest Convention signatories have used the word “Damage”, including Switzerland.

• Have a look at the leaders (UK, France, Germany & Switzerland)…

Page 6: Budapest Signatories Comparison

| Crime | Switzerland (Penal Code) | UK (Computer Misuse Act) | Germany (Penal Code) | France (Penal Code) |
|---|---|---|---|---|
| Criminal Access | Unauthorized access to data processing system | Unauthorised access to computer material | Data Espionage | Fraudulent accessing |
| Data Damage | Damage to data | Unauthorised modification of computer material | Alteration of Data | Fraudulent introduction of data |
| System Damage | | Unauthorised access with intent to commit or facilitate commission of further offences | Computer Sabotage | Obstruction or interference |

Page 7: Electronic Fraud

Draft:

“Whoever for gain interferes with data or electronic system…”

Criticism:

• “What about automated transactions that require no inducement of person?...”

• “…important element of economic gain in the section which is wholly missing in the Draft law.”

Response:

• E-System is mentioned, Gain is mentioned.

• A 50-year-old man in the UK deceives a 20-year-old girl in Pakistan and marries her. There is gain, but the gain is not economic; will this not be a fraud? (Real-world case, not hypothetical)

Page 8: Electronic Forgery

Draft:

“Whoever for gain interferes with data or electronic system…”

Criticism:

• “what about for no gain? A cracker just out there interested in checking to see what systems can be compromised.”

Response:

• Again, it is Criminal Access, not Electronic Forgery.

Page 9: Malicious code

Draft:

“Whoever willfully writes, offers, makes available, distributes or transmits malicious code …”

Criticism:

• “Indeed. Malicious code may be used for research, investigatory or counter offensive purposes.”

• “Code performing functions unintended or unauthorized functions”

Response:

• Counter-offensive malicious code would be taking the law into your own hands.

• Willfully means intended; if genuine code malfunctions unintentionally, this will not be a crime.

Page 10: Cyber Stalking

Criticism:

• Obscene, immoral and harm?

Response:

• Definition of Obscene: “The term is most often used in a legal context to describe expressions (words, images, actions) that offend the prevalent sexual morality of the time.”

• Use of the words “Obscene”, “Moral” and “Harm”:

– USA - Child Online Protection Act (47 U.S.C. § 231):

“Material that is harmful to minors means any communication, picture, image, graphic image file, article, recording, writing, or other matter of any kind that is obscene”

– Germany (Budapest Signatory) Amendment of the Act on the Dissemination of Publications Morally Harmful to Youth

– India - Obscene Publications Act 1973

– Bermuda - Obscene Publications Act

Page 11: Cyber Stalking (Cont…)

Criticism:

• Pictures distribution?

Response:

• Pictures distribution is a crime in:

• United States Code § 223 (1)(a)(ii): “initiates the transmission of, any comment, request, suggestion, proposal, image, or other communication which is obscene or child pornography, with intent to annoy, abuse, threaten, or harass another person;”

• Spain (Budapest Signatory) Penal Code, Chapter I, Article 197 (3): “…the images captured, as indicated in the proceeding paragraphs, are divulged, revealed or transferred to third parties. Punishment consisting of imprisonment from between one and three years…”

Page 12: Spoofing

Draft:

• “Whoever establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source…”

Criticism:

• “This is phishing! The definition is completely off the mark technically and demonstrates the dire need for this Draft to be discussed line by line with industry face to face…”

Response:

• Phishing includes three steps, which are:

1. Counterfeit source, e.g. e-mail/web = Spoofing

2. Induces user to surrender private information = Fraud

3. Use of private info. to make any illegal claim or title = Forgery

• Phishing is dealt with at every step individually

Page 13: Spoofing (Cont…)

Response (Cont…):

• Very comprehensive definition, covers:

– Identity Theft

– E-Mail Spoofing

– Domain Name Spoofing (Multilingual – Μicrosoft <> Microsoft)

– IP Spoofing:

  • Session Hijacking

  • SYN Flooding (mostly used for simple DOS attack)

  • ICMP flood

  • UDP flood

  • Man-in-the-middle attack

  • Source routing

  • DNS Poisoning

  • Smurf Attack

  • Fraggle Attack

  • Blind spoofing

– And partially Phishing as well

Page 14: Denial of Service (DOS) Attack

• Violates Availability

• Two Major Types of DOS Attack:

– Spoofed Flooding (covered under Spoofing and System Damage)

– Distributed Denial of Service (D-DOS) Attack, covered at each step, i.e.:

  • Spreading of code: covered under Malicious Code

  • Executing attack remotely: covered under Criminal Access

  • Denial of Service: covered under System Damage

Page 15: Retention of traffic data

Criticism:

• All the data is required to be retained, which is impossible

Response:

• Not the whole data is required to be retained by an ISP

• Just header information is required to be retained, i.e.:

– Communication’s origin

– Destination

– Route

– Time

– Date

– Size

– Duration

– Type of underlying service

• The above is defined under section 2 (w) “traffic data”
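As an added illustration (not code from the slides or from the Bill), the following retention filter keeps only the eight traffic-data elements listed above and derives size and duration before the message payload is dropped; the capture layout, field names and sample record are constructed for the example.

```python
"""Retention filter for 'traffic data' as listed in section 2(w).
Added illustration; capture layout, field names and sample are constructed."""
from datetime import datetime

# The eight traffic-data elements named on the slide.
TRAFFIC_DATA_FIELDS = ("origin", "destination", "route", "time", "date",
                       "size", "duration", "type_of_service")

# Constructed sample capture (documentation IP ranges, fictional content).
SAMPLE_RECORD = {
    "src": "198.51.100.7:51344",
    "dst": "203.0.113.25:25",
    "hops": ["198.51.100.1", "192.0.2.9"],
    "start": "2007-09-14T10:02:31",
    "end": "2007-09-14T10:02:34",
    "service": "smtp",
    "subject": "Quarterly figures",
    "body": "Hello,\nplease find the figures attached.\n",
}


def to_traffic_data(record):
    """Return a retention record holding only the eight traffic-data fields.

    Size and duration are derived here, before the payload ("subject",
    "body") is discarded, so content never reaches the retained record.
    """
    start = datetime.fromisoformat(record["start"])
    end = datetime.fromisoformat(record["end"])
    return {
        "origin": record["src"],
        "destination": record["dst"],
        "route": list(record["hops"]),                # relays the message traversed
        "time": start.strftime("%H:%M:%S"),
        "date": start.strftime("%Y-%m-%d"),
        "size": len(record["body"].encode("utf-8")),  # byte count only; body dropped
        "duration": int((end - start).total_seconds()),
        "type_of_service": record["service"],
    }


def leaks_content(retained, record):
    """True if a payload field name or payload text survived into `retained`."""
    payload = {record["subject"], record["body"]}
    names_leaked = "subject" in retained or "body" in retained
    text_leaked = any(v in payload for v in retained.values() if isinstance(v, str))
    return names_leaked or text_leaked
```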

Page 16: Spamming

Draft 2004:

• “Whoever transmits, without the express permission of the recipient, unsolicited electronic messages in bulk…”

Old Criticism:

• “Very bad clause – Will hurt Off-shore marketing and other efforts. Legal spamming should be allowed…”

Draft 2007:

• “Whoever transmits harmful, fraudulent, misleading, or illegal unsolicited electronic messages in bulk to any person without the express permission of the recipient…”

Latest Criticism:

• “NOT COMPATIBLE WITH INT’L DEFINITIONS”

Response:

• That’s why some of the definitions are not compatible with Int’l definitions.

Page 17: Cyber Terrorism

Criticism:

• “The word TERRORISTIC is without doubt a figment of their imagination vocabulary”

Response:

• New Hamlyn Encyclopedic Word Dictionary

– Terroristic: Denoting or pertaining to Terrorist or their methods

• American Heritage Dictionary of the English Language

– Terrorist. OTHER FORMS: terror·istic —ADJECTIVE

• Collins English Dictionary

– Terrorist: terroristic adj

• The Merriam-Webster Dictionary

– Main Entry: ter·ror·ism; ter·ror·is·tic /"ter-&r-'is-tik/ adjective

Page 18: Investigation Procedures

• Detailed procedures for:

– Evidence

– Chain of custody

– Investigation

• Will be drafted as rules/regulations subsequently.

Page 19

[email protected]

Page 20

Thank You