• Like
Response To Criticism On E Crime Law
Upcoming SlideShare
Loading in...5

Response To Criticism On E Crime Law

Uploaded on

Response to the Criticism on Prevention of Electronic Crimes Law of Pakistan

Response to the Criticism on Prevention of Electronic Crimes Law of Pakistan

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Response to Criticism on Prevention of E-Crimes Bill 2007 By: M. Faisal Naqvi CISSP [email_address]
  • 2. Definition of electronic
    • Criticism:
    • “ Wrong. Electronic means much more. There is no need to define electronic. What needs to be defined is electronic. Also note ETO 2002 does not define electronic nor does any law or model law define this internationally…”
    • Response:
    • Same definition is given in ETO 2002 under section 2 (ℓ)
    • Moreover electronic is defined in:
      • Canada - Electronic Transactions Act 2001
      • Canada - Uniform Electronic Commerce Act
      • Canada - The Electronic Commerce And Information, Consumer Protection Amendment And Manitoba Evidence Amendment Act
      • Ireland - E-Commerce Act, 2000
      • India - IT Act 2000 u/s. 2 (r)
      • Turks and CAICOS Islands - Electronic Transactions Ordinance 2000
      • Bermuda The Electronic Transactions Act 1999
  • 3. Data / System Damage
    • Criticism:
    • “ any interference with Data should be the focus”
    • Response:
    • Interference even includes:
    • Prying
    • Intrusion
    • Modification
    • Deletion etc.
    • Damage includes only Active Attacks like:
    • Modification, Deletion, Obstruction etc.
    Passive Attacks – Criminal Access = 2 yrs. punishment Active Attacks = 3 yrs. punishment
  • 4. Data / System Damage (Cont…)
    • Criticism:
    • “ Do I damage a system if I don’t interrupts any normal processing, nor obstruct the functioning or reliability or usefulness of an electronic system, yet take control of the system? If the answer is yes how does clause 7 address it.”
    • Response:
    • answer is No!
    • You are just accessing the system which is punishable under clause 3 i.e. Criminal Access.
    • 1 st level = Access, 2 nd level = Damage
    • Access and Damage are treated separately
    • Interference treats both equally
  • 5. Data / System Damage (Cont…)
    • United States Code § 1030 (e)(8) define damge as:
    • ‘ the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;’
    • Data will be damaged, even with a single bit change
    • If the word “Destroy” would used be then criticism may be valid.
    • Almost All Budapest Convention Signatories have treated Access and Damage separately
    • Almost every Signatory used a different title and definition
    • Many of Budapest Convention Signatories have used word “Damage” including Switzerland
    • Have a look at leaders (UK, France, Germany & Switzerland)…
  • 6. Budapest Signatories Comparison Computer Sabotage Alteration of Data Data Espionage Penal Code Germany Damage to data Unauthorized access to data processing system Penal Code Switzerland Obstruction or interference Unauthorised access with intent to commit or facilitate commission of further offences System Damage Fraudulent introduction of data Unauthorised modification of computer material Data Damage Fraudulent accessing Unauthorised access to computer material. Criminal Access Penal Code Computer Misuse Act France UK Crime
  • 7. Electronic Fraud
    • Draft:
    • “ Whoever for gain interferes with data or electronic system …”
    • Criticism:
    • “ What about automated transactions that require no inducement of person?...”
    • “… important element of economic gain in the section which is wholly missing in the Draft law.”
    • Response:
    • E-System is mentioned, Gain is mentioned
    • A 50 yrs. old man in UK deceives a 20 yrs. girl in Pakistan and marry her, there is gain , but gain is not economic , will this not be a fraud? (Real world case not hypothetical)
  • 8. Electronic Forgery
    • Draft:
    • “ Whoever for gain interferes with data or electronic system…”
    • Criticism:
    • “ what about for no gain? A cracker just out there interested in checking to see what systems can be compromised.”
    • Response:
    • Again it is Criminal Access not Electronic Forgery
  • 9. Malicious code
    • Draft:
    • “ Whoever willfully writes, offers, makes available, distributes or transmits malicious code …”
    • Criticism:
    • “ Indeed. Malicious code may be used for research, investigatory or counter offensive purposes .”
    • “ Code performing functions unintended or unauthorized functions”
    • Response:
    • counter offensive malicious code, will be Taking law in your hand
    • Willfully means intended and if a genuine code is malfunctioning unintended, this will not be the crime.
  • 10. Cyber Stalking
    • Criticism:
    • Obscene, immoral and harm?
    • Response:
    • Definition of Obscene:- “The term is most often used in a legal context to describe expressions (words, images, actions) that offend the prevalent sexual morality of the time.”
    • Use of words “Obscene”, “Moral” and “Harm”
      • USA - Child Online Protection Act (47 U.S.C. § 231):
      • “ Material that is harmful to minors means any communication, picture, image, graphic image file, article, recording, writing, or other matter of any kind that is obscene ”
      • Germany (Budapest Signatory) Amendment of the Act on the Dissemination of Publications Morally Harmful to Youth
      • India - Obscene Publications Act 1973
      • Bermuda - Obscene Publications Act
  • 11. Cyber Stalking (Cont…)
    • Criticism:
    • Pictures distribution?
    • Response:
    • Pictures Distribution is crime in:
    • United States Code § 223 (1)(a)(ii) “initiates the transmission of, any comment, request, suggestion, proposal, image , or other communication which is obscene or child pornography, with intent to annoy, abuse, threaten, or harass another person;”
    • Spain ( Budapest Signatory) Penal Code CHAPTER I Article 197 (3):
    • “… the images captured, as indicated in the proceeding paragraphs, are divulged, revealed or transferred to third parties. Punishment consisting of imprisonment from between one and three years…”
  • 12. Spoofing
    • Draft:
    • “ Whoever establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source…”
    • Criticism:
    • “ This is phishing! The definition is completely off the mark technically and demonstrates the dire need for this Draft to be discussed line by line with industry face to face…”
    • Response:
    • Phishing includes three steps which are:
      • Counterfeit Source e.g. e-mail/web = Spoofing
      • Induces user to surrender private information = Fraud
      • Use of private Info. to make any illegal claim or title = Forgery
    • Phishing is dealt at every step individually
  • 13. Spoofing (Cont…)
    • Response (Cont…):
    • Very comprehensive definition, covers:
      • Identity Theft
      • E-Mail Spoofing
      • Domain Name Spoofing (Multilingual – Μicrosoft <> Microsoft)
      • IP Spoofing (
        • Session Hijacking
        • SYN Flooding mostly used for simple DOS attack
        • ICMP flood
        • UDP flood
        • Man-in-the-middle attack
        • Source routing
        • DNS Poisoning
        • Smurf Attack
        • Fraggle Attack
        • Blind spoofing
      • And partially Phishing as well
  • 14. Denial of Service (DOS) Attack
    • Violates Availability
    • Two Major Types of DOS Attack:
      • Spoofed Flooding (Covered under Spoofing and System Damage)
      • Distributed Denial of Service (D-DOS) Attack Covered at each step i.e. :
        • Spreading of code. covered under Malicious Code
        • Executing Attack remotely. covered under Criminal Access
        • Denial of Service. covered under System Damage
  • 15. Retention of traffic data
    • Criticism:
    • All the data is required to be retained, which is impossible
    • Response:
    • Not the whole data is required to be retained by an ISP
    • Just header information is required to be retained i.e.:
      • Communication’s origin
      • Destination
      • Route
      • Time
      • Date
      • Size
      • Duration
      • Type of underlying service
    • Above is Defined under section 2 (w) “traffic data”
  • 16. Spamming
    • Draft 2004:
    • “ Whoever transmits, without the express permission of the recipient, unsolicited electronic messages in bulk…”
    • Old Criticism:
    • “ Very bad clause – Will hurt Off-shore marketing and other efforts. Legal spamming should be allowed…”
    • Draft 2007:
    • “ Whoever transmits harmful, fraudulent , misleading, or illegal unsolicited electronic messages in bulk to any person without the express permission of the recipient…”
    • Latest Criticism:
    • Response:
    • That’s why some of definitions are not Compatible with Int’l Definitions
  • 17. Cyber Terrorism
    • Criticism:
    • “ The word TERRORISTIC is without doubt a figment of their imagination vocabulary”
    • Response:
    • New Hamlyn Encyclopedic Word Dictionary
      • Terroristic
      • Denoting or pertaining to Terrorist or their methods
    • American Heritage Dictionary of the English Language
      • Terrorist
      • OTHER FORMS: terror·istic —ADJECTIVE
    • Collins English dictionary
    • Terrorist
      • terroristic adj
    • The Merriam-Webster dictionary
      • Main Entry: ter·ror·ism
      • ter·ror·is·tic /&quot;ter-&r-'is-tik/ adjective
  • 18. Investigation Procedures
    • Detailed Procedures for:
      • Evidence
      • Chain of custody
      • Investigation
    • Will be drafted as rules/regulations subsequently.
  • 19.
    • ?
    • [email_address]
  • 20.
    • Thank You