Review of the Jamaican Cybercrime Act of 2010

In this talk, I give my review comments of the Jamaican CyberCrime Act

Transcript of Review of the Jamaican Cybercrime Act of 2010

Page 1: Review of the Jamaican Cybercrime Act of 2010

Jamaican Cybercrime Act of 2010

Review Comments by Dr. Tyrone W A Grandison (CEO, Proficiency Labs)

Presentation to The Joint Select Committee of the Jamaican Parliament on the Cybercrimes Act, on March 7th, 2013

Page 2: Review of the Jamaican Cybercrime Act of 2010

Introduction: Proficiency Labs

Small startup founded in 2012 based in Ashland, Oregon.

Specializes in building, evaluating and repairing privacy and security solutions for cyber systems.

Services offered: IT Consulting, Systems Development, Data Extraction & Expert Witness Services for Legal Cases, Legislative Compliance Education & Outreach.

Page 3: Review of the Jamaican Cybercrime Act of 2010

Introduction - Tyrone

• Born & Bred in Kingston, Jamaica.

• Over 20 years' experience in the Computer Science field.

• The last decade has been spent reading & evaluating law; then implementing solutions (administrative, physical & technical) that ensure compliance.

• Over 90 academic peer-reviewed papers in the spaces of computer and data security and privacy.

• Over 30 patents in computer science.

• Recognition:

  • Distinguished Engineer of the Association for Computing Machinery (ACM),

  • Senior Member of the Institute of Electrical and Electronics Engineers (IEEE),

  • IEEE Technical Achievement Award in 2010 for “Pioneering contributions to Secure and Private Data Management”,

  • IBM Master Inventor,

  • Fellow of the British Computer Society (BCS),

  • Pioneer of the Year (2009), National Society of Black Engineers.

Page 4: Review of the Jamaican Cybercrime Act of 2010

Flow of the Talk

• State my Motivation / Agenda

• Provide Summary

• Page by Page Analysis of the current Act

• Immediate Improvements

• Next Steps Guidance – Process-Wise

• Suggestions on Missing Elements

• Suggestion on Legislative Principles

• Close

Page 5: Review of the Jamaican Cybercrime Act of 2010

Motivation

The Jamaican Public

The Caribbean Academic Community

Personal Gratitude

Page 6: Review of the Jamaican Cybercrime Act of 2010

Review Summary

The Act needs to be tightened. Currently, it only focuses on unauthorized access. In its current form, the Act has limits in its scope & coverage and it is far too general in many other parts, with potentially devastating implications for the local Computer Science community (Research and Development).

Page 7: Review of the Jamaican Cybercrime Act of 2010

“obtains access”

Definition stated on Page 3 – 2.(2)

It seems the intent of this definition is to define deviant and undesired behavior. Is this assumption correct? The reality is that every single user of a computer system falls under the purview of this definition.

For example (Simple): Minister Robinson uses MS PowerPoint to open a ministerial presentation, edit it and store it on my machine. Under all the conditions cited in the Act, (a) through (e), Minister Robinson “obtains access”. Is this the intent? Is everyone using a computer or computing device (which includes mobile phones) supposed to be in this group of people who “obtain access” under the Cybercrime Act?

I can also see scenarios where less than scrupulous elements could use this definition to unfairly persecute others.

Recommendation: This definition needs to be sharpened to align with its true intent.

Page 8: Review of the Jamaican Cybercrime Act of 2010

“entitled”

Mentioned on Page 3 – 2.(4)(a)

“entitled” and “entitlement” should be defined. Technically, a person may not be entitled to data (depending on definition), but it may be a function of their job. Example: Is a CFO entitled to see client data, even though he is several levels above the actual person who has data access rights?

When you have separation of duties scenarios, how does that interact with “entitlement”?

Recommendation: 2.4.(a) should be removed, rephrased or a section on “entitlement” included.

Page 9: Review of the Jamaican Cybercrime Act of 2010

“consent”

Mentioned on Page 3 – 2.(4)(b)

“consent” should be defined. “consent” should be documented and retained in order to prove compliance. What are acceptable forms of documenting “consent”?

Recommendation: 2.4.(b) should be removed, rephrased or a section on “consent” included.

Page 10: Review of the Jamaican Cybercrime Act of 2010

“unauthorised”

Defined by Page 3 – 2.(4)

The current definition is limited.

Hypothetical Legal Scenario: Someone accidentally gains access rights to valuable data through a software malfunction. He could soundly argue that the access is authorised under the Cybercrime Act because the software is a proxy for him and the software is entitled. Thus, his activity is not covered under the Act.

Recommendation: Use the established definition of unauthorised access: a person who does not have permission to connect to or use a system or data gains entry in a manner unintended by the system owner.

Page 11: Review of the Jamaican Cybercrime Act of 2010

“commits an offence”

Mentioned on Page 5 – Part II. 3 (1)

Covers only unauthorised access of software or data.

Deloitte & Touche’s “Cyber Security Watch” survey (2011): forty-six (46) percent of respondents said insider attacks were more costly to their organization than external attacks. Thus, insider attacks (i.e. attacks by people within the company, who are probably authorised) should be included.

Recommendation: Address the case where the person has authorized access and chooses to pass on (confidential or private) information to another person/entity/computer for monetary or other gain/purpose, via electronic or other means (e.g. showing someone onscreen, taking a screenshot and sharing it, printing material and passing it on).

Page 12: Review of the Jamaican Cybercrime Act of 2010

“offence”

Mentioned in Page 6 – 4 (1) through 4 (4)

The definition of offence is too narrow.

Recommendation: The definition needs to be broadened. Statistically, the bigger security risk/threat has been proven to be “the insider threat”, i.e. existing employees and disgruntled soon-to-be ex-employees, most likely people who are authorized.

Page 13: Review of the Jamaican Cybercrime Act of 2010

“unauthorised modification”

Mentioned in Page 7 – 5 (1) through 5 (3)

Limited Applicability: In-house IT departments are normally authorized to modify their parent company’s systems and data. Anyone in these departments who commits a crime may argue that they are not covered under this Act.

Realistically, this clause will likely only apply to computer hobbyists, professional hackers and security academics who are outside a corporate entity (with no consent).

Recommendation: Rephrase to include modification with authorization but not for the intended purpose.

Page 14: Review of the Jamaican Cybercrime Act of 2010

“intercepts”

Mentioned on Page 8 – 6 (1) (b)

Define “intercepts”.

The current wording is awkward. Currently, its effect is that anyone who happens to listen in on network traffic is committing an offence. Example: The network goes down and the traffic on the network is dumped into a file that a network engineer must view to troubleshoot the problem. From the current definition, it can be interpreted that they have committed an offence by indirectly intercepting.

Also, what about network protocol/security students writing assignment code that requires interception?

It would also encapsulate a number of other valid scenarios where interception is necessary and/or a business function, e.g. deep packet inspection.

With the current wording, one eliminates the possibility of legitimate interception happening in industry or academia.

Recommendation: Determine the function of the clause and rewrite it.

Page 15: Review of the Jamaican Cybercrime Act of 2010

“lawful justification or excuse”

Mentioned on Page 9 – 7 (1)

Define “lawful justification or excuse.” Under the current phrasing, the following are prosecutable:

• Intentional software updates/upgrades, i.e. if the updates cause a memory leak, system failure etc.

• Beginning computer students who write horrible code with unintended consequences for the computer or network.

• (Computer) Security professionals and students in the course of their duties.

What authorisation is acceptable here? Would the acceptance of a software update, the permission of a lecturer/teacher, etc. constitute authorization and thus exempt these scenarios from prosecution?

Recommendation: Rephrase to meet intent.

Page 16: Review of the Jamaican Cybercrime Act of 2010

8 (1)

In 8 (1) (a) either: 1) redefine “computer” to be broader, or 2) replace it with “code, program, software, computer or equivalent electronic (and non-electronic) artifact.”

In 8 (1) (b) the phrase “any access code or password” is contemporary and too specific. I suggest using “any authentication or authorization token, such as access codes & passwords, biometric identifiers, gesture passwords” in order to anticipate future technology and to capture more current mechanisms.

Page 17: Review of the Jamaican Cybercrime Act of 2010

“protected computer”

Mentioned on Page 11 – 9 (1) and 9 (2)

“the offender knows, or ought reasonably to know” puts the burden/responsibility on the offender and offers a potential loophole. It is possible for an offender to skirt this Law by suggesting that they did not know, and that it could not be reasonably determined, that a computer was protected.

I suggest that an additional policy step be taken to avoid this scenario: all protected computers should be clearly and visibly tagged/labeled as such.

The inclusion of 9 (2) (c) through 9 (2) (e) makes this very broad and potentially detrimental, e.g. loss of laptops by emergency services. The scenarios are endless. Either remove them, clarify the offences or ensure ALL equipment is labeled “Protected Computer”.

Page 18: Review of the Jamaican Cybercrime Act of 2010

“incites”

Mentioned on Page 12 – 10 (a) and 10 (b)

Define “incites”.

Creative Scenario: A “very smart” disgruntled ex-employee who commits an unauthorized access may request that his boss, or whoever incited him to action, be charged as well.

Recommendation: I suggest removing “incites, attempts” from 10.

Page 19: Review of the Jamaican Cybercrime Act of 2010

“suffered loss”

Page 13 – 12 (1)

Define “suffered loss”.

“suffered loss” should be tied to something tangible and/or capped, in order to dissuade people from making frivolous claims.

Page 20: Review of the Jamaican Cybercrime Act of 2010

14 & 15

14 (1) (a): Define the grounds upon which “reasonably required” is based.

14 (1) (b): Define the evidence upon which “reasonable grounds” is based.

14 (1): What happens when an offender has automated tamper-resistant or tamper-proof software on their system?

15 (1): Define “reasonable grounds”.

Page 21: Review of the Jamaican Cybercrime Act of 2010

17 & 18

The term “key” is being used without definition in 17 (3) (b) and 18 (9) (a). Define “key” such that it includes current cryptographic mechanisms and so that there is room for future technologies.

Define “intelligible”. A smart lawyer could argue that hashed data is intelligible to someone with the hash algorithm.
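The distinction between a “key” and data being “intelligible” is a cryptographic one, and it can be shown concretely. The Python below is an added example for this page, not the presenter's code and not text from the Act. It contrasts a keyed mechanism, where whoever holds the key can make the data intelligible, with a hash, where holding the algorithm lets one confirm a candidate value but does not recover the data. The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream constructed for illustration only, and the record and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not real data or a real secret).
SAMPLE_RECORD = b"TRN:123-456-789;name=J. Doe"
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"


def digest(data: bytes) -> str:
    """One-way hash of a record. The algorithm (SHA-256) is public, but it has no
    key to hand over and no inverse: the digest alone does not yield the record."""
    return hashlib.sha256(data).hexdigest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with HMAC-SHA256 (illustration only,
    not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a keystream that only the key holder can regenerate."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR with the same keystream restores the plaintext: the key is what makes
    the ciphertext intelligible."""
    return toy_encrypt(key, ciphertext)


def verify_guess(stored_digest: str, guess: bytes) -> bool:
    """What 'having the hash algorithm' actually buys: a candidate value can be
    confirmed or rejected, but nothing is read back out of the digest."""
    return hmac.compare_digest(stored_digest, digest(guess))


def summarize() -> dict:
    """Run both mechanisms over the constructed record and report who can do what."""
    ciphertext = toy_encrypt(SAMPLE_KEY, SAMPLE_RECORD)
    stored = digest(SAMPLE_RECORD)
    return {
        # Keyed mechanism: the right key recovers the record, any other key does not.
        "ciphertext_intelligible_with_key": toy_decrypt(SAMPLE_KEY, ciphertext) == SAMPLE_RECORD,
        "ciphertext_intelligible_without_key": toy_decrypt(b"some-other-key", ciphertext) == SAMPLE_RECORD,
        # Hash: the algorithm confirms a correct guess and rejects a wrong one.
        "hash_confirms_correct_guess": verify_guess(stored, SAMPLE_RECORD),
        "hash_confirms_wrong_guess": verify_guess(stored, b"TRN:000-000-000;name=J. Doe"),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

The contrast is what a definition of “key” has to capture: for the keyed mechanism there is a specific secret whose disclosure makes the data intelligible, whereas for the hash there is no such secret, and the only thing the algorithm enables is checking a guess. A definition of “intelligible” that does not distinguish these two cases leaves exactly the opening the slide describes.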

Page 22: Review of the Jamaican Cybercrime Act of 2010

Immediate Improvements

Update with precise definitions of unclear terms.

Include “authorised access” measures – to address insider threat.

Modify language to ensure that domestic Computing professionals and academia are not suffocated by the Act.

Bolster Act with policy actions that improve enforcement.

Increase penalties to be true disincentives.

Page 23: Review of the Jamaican Cybercrime Act of 2010

Stepping Back

Determine the technical and business activities and threats that should be covered by this Act. There are several broad (technical) cyber threat categories:

• Eavesdropping or Sniffing

• Data Modification

• Identity Spoofing

• Authentication/Authorization System Attack

• Denial of Service

• Man-in-the-Middle

• Security System Attack

• Operating System Exploits

• Application-Layer Attacks

Each of these categories has a complementary, well-defined, legitimate function.

Page 24: Review of the Jamaican Cybercrime Act of 2010

Then: Impact Analysis

Determine how the new provisions/clauses/rules will impact all the stakeholders.

Collaborative Rule-Making

Request stakeholder input.

Weigh stakeholder input based on their established biases and business functions.

Engage an impartial entity (or entities) in collating new proposed rules with stakeholder input and public interest.

Enable Enforcement

Page 25: Review of the Jamaican Cybercrime Act of 2010

What is Missing? Personal Data Protection

OECD Data Protection Directive can be used as a model. The seven principles governing the OECD’s recommendations for protection of personal data were:

Notice—data subjects should be given notice when their data is being collected;

Purpose—data should only be used for the purpose stated and not for any other purposes;

Consent—data should not be disclosed without the data subject’s consent;

Security—collected data should be kept secure from any potential abuses;

Disclosure—data subjects should be informed as to who is collecting their data;

Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;

Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

Page 26: Review of the Jamaican Cybercrime Act of 2010

What is Missing? Identity Theft (both online and traditional)

“The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.”

Multiple approaches across the world.

Normally focused on traditional identity theft.

Approaches:

Canada : sections 402.2 and 403 of the Criminal Code of Canada

US : Identity Theft and Assumption Deterrence Act of 1998

Philippines: section 4 (b)(3) of the Cybercrime Prevention Act of 2010.

Page 27: Review of the Jamaican Cybercrime Act of 2010

What is Missing? Breach Notification

“When a cyber breach occurs, inform in a timely manner, in multiple media, and ensure compromised data owners are compensated and protected from ongoing malicious activity.”

Organizations may also be fined for the breach.

In the US, laws vary by state. California was 1st.

EU General Data Protection Regulation Proposal (July 1, 2013) introduces a breach notification requirement.

Useful Reference Material: “Dealing with data breaches in Europe and beyond” by Ann Bevitt, Karin Retzer and Joanna Łopatowska (Morrison & Foerster LLC), 2013.

California Database Breach Act (SB 1386)

Page 28: Review of the Jamaican Cybercrime Act of 2010

What is Missing? Illegal Cyber Actions

Unsolicited Commercial Communications — The transmission of commercial electronic communications, with the use of a computer system, which seek to advertise, sell, or offer for sale products and services.

Cyber-squatting – The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same.

Cyber Fraud – The deliberate deception for unfair or unlawful gain that occurs online.

Cyber Extortion – The attack or threat of attack against an entity (person or company), coupled with a demand for money to avert or stop the attack.

Cyber Spying or Espionage – The act or practice of obtaining secrets (personal, sensitive, classified or proprietary data) without the permission of the holder of the information.

Page 29: Review of the Jamaican Cybercrime Act of 2010

Principles: “Good Stewardship”

Companies that collect, collate or utilize data on individuals in any way are stewards of this data. It is expected that companies will be good “data” stewards, which looks like:

• Asking for consent when using an individual’s data.

• Respecting the individual’s wishes/preferences with regard to how they want their data to be used or not used.

• Compensating individuals for any damage or harm done to the individual when the steward or its agents perform or enable some act that is detrimental to the individual.

• Offering compensation to the individual(s) when data is used in a manner that leads the company to gain revenue from data use or processing.

• Making all actions taken with regard to data transparent and visible to the data owner(s).

• Data use is purpose-driven.

Page 30: Review of the Jamaican Cybercrime Act of 2010

Principles: “Data Ownership”

Data about or concerning a particular individual is owned by that individual, thus giving individuals ownership rights over their data and the actions performed on it.

Principles: “Private and Secure by Default”

Data stewards should ensure that there are process, technology and social safeguards in place to ensure that the data owner’s privacy is protected. It should be assumed that data is secure and private by default. Data should remain in a privacy-preserving and secure state until it is no longer needed (i.e. used for its purpose) and it is securely destroyed.

Legal recourse for victims of cybercrime.

Page 31: Review of the Jamaican Cybercrime Act of 2010

Concluding Remarks

There is a lot of work to be done to protect the Jamaican people, the Jamaican business community and the Jamaican academic community.

The culture of paper in Jamaica is moving into the electronic age. You cannot pull skeptical people into the 21st century without some kind of surety that you are protecting their interests.

A corporation’s bottom line is only as good as the people who work for it and buy its goods & services.

A protected citizen is a confident consumer.