In compliance with the Budapest Convention, the CCA has recognised almost all the cyber-crime offences that are provided in the convention. Mere fact that the legal system recognises certain cyber-offences or that it provides a special mechanism to conduct investigations does not render the legislative framework effective. For the legislative framework to be considered effective, it should be capable of achieving the objective for which it was established. Accordingly, the effectiveness of the contemporary legislative framework shall be assessed based on its success in identifying and preventing cyber-crimes, conducting investigations, enforcing the enacted laws and in protecting human rights and liberties which are the objectives behind the enforcement of the cyber-crime legislative framework.
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-CRIMES IN SRI LANKA
1. EFFECTIVENESS OF THE EXISTING LEGAL FRAMEWORK GOVERNING CYBER-
CRIMES IN SRI LANKA
By
Vishni Lakna Ganepola
Attorney-at-Law
LLB (Hons)(London), LLM (London)
Introduction
In compliance with the Budapest Convention, the CCA has recognised almost all the cyber-
crime offences that are provided in the convention. Mere fact that the legal system recognises
certain cyber-offences or that it provides a special mechanism to conduct investigations does
not render the legislative framework effective. For the legislative framework to be considered
effective, it should be capable of achieving the objective for which it was established.
Accordingly, the effectiveness of the contemporary legislative framework shall be assessed
based on its success in identifying and preventing cyber-crimes, conducting investigations,
enforcing the enacted laws and in protecting human rights and liberties which are the
objectives behind the enforcement of the cyber-crime legislative framework.
Identification of Cyber-Crimes
The preamble to an act states the objectives behind the introduction of the particular act. So
does the preamble of the CCA and the other legislative enactments that were discussed.
According to the preamble of the CCA, one of the main objectives behind the introduction of
the act was for the identification of cyber-crimes.1 Identification of cyber-crimes was given
much consideration under the acts, since the law on cyber-crimes was a novel, untouched
area of law. Since most of the offences were new to the framework and the subsistent
framework didn’t provide for identification of many offences, considerable attention had to
be paid on achieving the objective of identification of offences. In pursuance with the above
objective the CCA in its Part I identifies eleven unique offences while some other enactments
such as IPA, SLTA, OPO too recognise various other cyber-crimes that didn’t fall under the
1
Computer Crimes Act No.24 of 2007, Preamble
2. purview of the CCA. The contemporary legislative framework recognises almost all the
offences that were provided measures to be taken at national level under the Convention on
Cyber-Crimes.2
Eventhough, the enactments had made a considerable effort in identification of the offences,
there exist certain loopholes. These loopholes are not identified in many literature and
therefore an information gap exist for discussion on the effectiveness of the legislative
framework on cyber-crimes. The offence, computer cracking i.e. unauthorised access to
commit an offence, is identified in the CCA. The term “offence” refers to any offence
recognised under the CCA or under any other provision.3 Therefore, a person who commits
offences such as theft of information, identity theft, computer-related fraud and forgery shall
be punished under the section 3 of the CCA. However, there exist an issue as to whether these
elements of the “offences described under other provisions” are sufficiently described to fall
under the scope of a cyber-crime. For example, when the offence theft is considered, the PC
provides that only movable property can be stolen.4 The term “movable property” is defined
in the PC as follows;
“corporeal property of every description, except land and things attached to the earth
or permanently fastened to anything which is attached to earth”5
A close examination of the above definition and the rest of the chapter relating to offences
against property, may reflect that in most instances, offences are confined to include only
tangible and movable property.6 Further, attempts to expand the meaning of the term
“movable property” to include intangible property in past had also failed. In the popular case
of Nagaiya v. Jayasekara7, limiting the scope section 20 held that the offence theft was limited
to movable property which didn’t include intangible property such as electricity. The above
decision had not been overturned by any subsequent judgement for the last 90 years.8
2
Jayantha Fernando, 'THE IMPACT OF THE BUDAPEST CYBERCRIME CONVENTION ON SRI
LANKAN LEGAL SYSTEM' (2016)
<http://www.apbsrilanka.org/articales/28_ann_2016/7_28th_conv_a_Jayantha_Fernando.pdf> accessed 19
March 2017
3
Computer Crimes Act No.24 of 2007, section 4
4
Penal Code, section 366
5
Penal Code, section 20
6
See also: Kalinga Indatissa, The Law Relating To Computer Crimes And Credit Card Frauds (1st edn, Kalinga
Indatissa 2005) 66
7
Nagaiya v Jayasekara 28 NLR 467
8
Kalinga Indatissa, The Law Relating To Computer Crimes And Credit Card Frauds (1st edn, Kalinga Indatissa
2005)
3. Therefore in the view of this restrictive interpretation, it is highly improbable that a theft
conducted with the intervention of computer would be considered an offence, especially,
when the property is “identity” or “information”. Therefore, it can be submitted that offences
such as identity theft and theft of information which are considered to be two major cyber-
crimes needs a specific interpretation.
Under the aspect of computer-related crimes the most prevalent types of cyber-crimes are
computer-related fraud and forgery. An accused to be convicted of forgery, it is essential that
the offence committed falls within the definition of “documents”. Term “documents” is
defined in the PC as follows;
“any matter expressed or described upon any substance by means of letters, figures,
or marks or by more than one of those means, intended to be used, or which may be
used, as evidence of that matter.”9
Accordingly, it has to be considered whether information stored in a computer system would
fall within the ambit of the above interpretation. In the case of Benwell v. Republic of Sri
Lanka10, where an Australian national was found to have committed the above by altering
information stored in a computer, court held that information stored in any magnetic medium
didn’t fall within the purview of section 452 of the PC. The restrictive approach adopted in
the above case illustrates that a person charged with computer-related forgery might not get
convicted of the offence under the PC or under section 4 of CCA.
Further, the offence fraud has not been specifically identified under the PC. However, the PC
has recognised offences cheating11 as punishable offences. The main ingredient which
constitute the offence of cheating is “deceiving a person”. If cheating is committed as a cyber-
crime i.e. using a computer, then a person is not deceived. It is the computer that is deceived.
Therefore, a person who commits cheating through unauthorised access, might easily get
acquitted due to the loopholes in the contemporary legislative framework.12
9
Penal Code, section 27
10
(1978-1979) 2 SLR 178
11
Penal Code, section 398
12
See also: Sunil D. B Abeyaratne, Introduction To Information And Communication Technology Law (1st ed,
Sunil D, B. Abeyaratne 2008) 91
4. All above-mentioned offences are identified under the Penal Code, yet, their definition is not
broad enough to constitute a cyber-crime. However, there are also cyber-crimes which are
not even identified under any legislative enactment. Some of them are cyber-defamation,
cyber-bullying and cyber-stalking. Unrecognition of cyber-defamation can be justified, since
the offence defamation itself has not been recognised under any statute and the law in that
relation is governed through common law. Yet, with the lack of statutory instrument
recognising cyber-defamation as an offence, the investigators become helpless in front of the
complainants. Half of the cases reported to the Computer Crime Unit are cyber-defamation
cases, but all that complaints have to be sent back, since the current legal framework doesn’t
recognise an offence called cyber-defamation.13 Further, SLCERT has identified cyber-bullying
and cyber-stalking as two of the most prevalent offence in Sri Lanka.14 Yet it is very
unfortunate that the above two offences are not given a proper identification.15
In conclusion, it can be said that the existing legal framework had succeeded in identifying
almost all the cyber-crimes that are required to be identified under the Convention on Cyber-
Crimes and definition of most of the recognised offences are specific. Therefore, in that
relation the existing legal framework is effective. Yet, the above discussed issues hinders the
existing legal framework being identified a perfectly effective legal framework.
Prevention of Cyber-Crimes
One main purpose behind the introduction of a legislative framework is to build up a peaceful
society with law and order well maintained. One way of achieving the above is by
implementing measures that would prevent the commission of crimes. The existing legislative
framework can be considered to be an effective one, only if the implemented laws and
measures had succeeded in preventing the commission of cyber-crimes and thereby had
13
The above fact was revealed by an Investigating Officer of the Computer Crimes Division, Crime
Investigation Department, at the Interview conducted on the 24th
March 2017 at Colombo
14
Sri Lanka CERT, 'Sri Lanka CERT Cyber Security Awareness Survey, 2015' (Sri Lanka CERT 2015)
<http://www.slcert.gov.lk/Downloads/Survey.pdf> accessed 21 March 2017
In the survey conducted in 2015, 14 cases on cyber-bullying and 11 cases on cyber-stalking were reported. This
is a considerable increase compared to the previous years.
15
See also: Randima Attygalle, 'How Ready Are We To Combat Cyber Crime?' The Island (2014)
<http://www.island.lk/index.php?page_cat=article-details&page=article-details&code_title=109816> accessed
22 March 2017
Mr. Sunil Abeyratne, Attorney-at-law expresses his opinion in this relation stating that the offences cyber-
bullying and cyber-stalking should be specifically identified as punishable offences under legal provisions
5. reduced the cyber-crime rate. SLCERT and Sri Lanka Police has taken various preventive
measures to control cyber-crimes. Yet, the recent reports suggest that the enacted laws and
regulations had failed in achieving their objective. This is because, when compared with the
past the cyber-crime rate has significantly increased while new types of cyber-crimes been
added to the list of cases reported. The following figure 1 which illustrates the data collected
in 2014 is a good example which proves the above statement.16
Figure 1
From the above statistics, it is visible that the cyber-crime incidents reported had increased
at a rate of 85% in 2014 compared to 2013.
16
See also: Nushka Nafeel, 'New Laws To Curb Cyber Crimes' Daily News (2015)
<http://dailynews.lk/2015/11/05/features/new-laws-curb-cyber-crimes-0> accessed 21 March 2017.
6. As per Cyber Security Awareness Survey, 2015 conducted by CERT 602 online victimizations
were reported. The figure 2 below graphically illustrates the results of the above survey.17
Figure 2
Accordingly, the most common type of cyber-crime reported in Sri Lanka is computer viruses
i.e. 67%. According to the SLCERT statistics published in 2007, only 17 cases were reported
out of which 41% cases were sexual harassment cases. When the statistics of the two years
are analysed, it is evident that there is a drastic increase in the number of cyber-crime cases
reported.
Does this mean the existing legal framework had succeeded in combatting the cyber-crimes?
Or had it had no impact on combatting the cyber-crimes? After evaluating the issues pointed
above, it can be submitted that the effectiveness of the existing framework in relation to
preventing crimes is at an unfortunate state.
Provide for an Investigating Procedure
The need for a new set of rules to govern the law relating to cyber-crimes arose due to
improvements in the technology. With these improvements, the criminal minds began to
constantly use the computer systems as a weapon to commit crime. In order to provide an
effective investigating procedure to inspect into cyber-crime matters, in addition to the CPC,
the CCA introduced few special provisions.
17
See also: Sri Lanka CERT, 'Sri Lanka CERT Cyber Security Awareness Survey, 2015' (Sri Lanka CERT
2015) <http://www.slcert.gov.lk/Downloads/Survey.pdf> accessed 21 March 2017
7. Provisions in relation to the appoint of the panel of experts attracted the attention of many.
In order to carry out an investigation on a cyber-crime, it is essential that the investigator
possess a good knowledge and experience on information technology. Since the police
officers who generally carry out the investigations lack the required knowledge, the
appointment of the experts had made the process much easier. Further, a major challenge
faced by the legal system is the lack of reporting of cyber-crimes. Main causes behind lack of
reporting is that the victims fear that their data might get destroyed or they might lose the
confidentiality of their private data. Since, now with the new regulations enacted by the CCA,
the reporting rates have increased. Through these special provisions the law enforcing bodies
ensures that the victimised data and devices are at safe hands and the confidentiality of the
data are well protected. The special powers rendered to the experts to enter any premises
along with a SIP, to access and perform any function on data and computer systems, to search
and seize any information, to intercept any wire or electronic communication at any stage of
communication and especially the immunity given to the experts from legal proceedings
make the duty of the panel much easier. Further, the provisions on preservation of
information and normal use of computer not to be hampered have made the investigating
procedure more effective.18
Even with such a set of effective rules, there are few practical problems that are faced by the
investigators in conducting an investigation. Eventhough the investigators are capable of
seeking the assistance of the experts, most of the experts are unwillingly to get involved in
the investigations. This is mostly because of the harsh cross-examinations they are subjected
to. The cost of obtaining the assistance of the experts is extremely high and the Police
Department lack funds to conduct such expensive investigations. When the cases are
instituted in the MC, the maximum penalty that can be imposed on a convicted is Rs.1500.
Yet, the cost of investigation is more than ten times the penalty which results in a wastage of
government funds.19
18
See also: Saptha Wanniarachchi, 'Sri Lanka Computer Crime And Criminal Procedure'
<http://www.saptha.com/blog/random/sri-lanka-computer-crime-and-criminal-procedure/> accessed 22 March
2017
19
The above ideas were expressed by an Investigating Officer of the Computer Crimes Division, Crime
Investigation Department, at the Interview conducted on the 24th
March 2017 at Colombo
8. Further, due to the extraterritorial nature of the cyber-crimes, the investigators have to seek
the assistance of the international organizations such as INTERPOL. These international
organizations are not very much keen on providing their assistance in these minor cyber-
crime matters. Therefore, the investigation procedure takes a long time to get completed or
the investigations get stuck in the midway. Further, when cases associated with social media
such as Facebook are reported, investigators are unable to conduct investigations, since these
organizations unwilling to disclose information, such as IP addresses, required to conduct an
effective investigation.20 However, with Sri Lanka’s accession to the Convention on Cyber-
Crimes, there are slight improvements in the investigations, since the investigators are now
capable of seeking the assistance of the mutual legal assistance. Further, the Police
Department is now in the process of establishing a digital forensic lab to provide the victims
with a speedy investigation and the department is also conducting training programmes to
train officers on conducting cyber-crime investigations.21 Yet, under the legal provisions, only
evidence admissible in relation cyber-crimes are the reports of the panel of experts.22
There is hardly anything exists to state the current investigation procedure is ineffective. Even
then the effectiveness of this investigation procedure could be enhanced further by providing
the experts a proper training before they are put into the field of investigation and by
increasing awareness among the public about the merits of the investigation procedure.
Today, Sri Lanka’s prime issue is whether the law is equal to all. If the investigators will be
competent enough to provide a positive answer to the above issue, that would further enrich
the effectiveness of the system, because, success of the legal framework mostly depends on
the effectiveness of the investigating team.
Enforcement of the Enacted Cyber-Crime Legislative Framework
The law enforcement procedure is the end result of the identification of offences and the
investigation procedure. Therefore, the effectiveness of the law enforcement procedure
depends on the success of the above two procedures.
20
The above ideas were expressed by an Investigating Officer of the Computer Crimes Division, Crime
Investigation Department, at the Interview conducted on the 24th
March 2017 at Colombo
21
The above ideas were expressed by an Investigating Officer of the Computer Crimes Division, Crime
Investigation Department, at the Interview conducted on the 24th
March 2017 at Colombo
22
See also: Nushka Nafeel, 'New Laws To Curb Cyber Crimes' Daily News (2015)
<http://dailynews.lk/2015/11/05/features/new-laws-curb-cyber-crimes-0> accessed 21 March 2017.
9. In order to enhance the law enforcement in relation cyber-crimes, with the interference of
the government, few institutions had been established namely, Computer Crime Division of
the Police Department and SLCERT. The above institutions render an immense service in order
to provide the Sri Lankans a just and an effective legal framework on cyber-crimes.
Computer Crime Division was recently established and currently, the division conducts
number of investigations.23 To further enhance their scope of service, the department is in
the process of instituting a digital forensic lab.24 Since it was established, the department is
facing certain difficulties in performing their duties with the lack of human resources and
expertise. However, now measures have been taken to train officers on how to conduct cyber-
crime offences and to institute labs with standardised equipment.25 SLCERT is not a law
enforcing body. Yet, the institution provides the victims with technical assistance at the
instances where the law is silent on providing them with a relief. The responding service
provided by SLCERT identify unusual events in the computer systems and advice the victims
on how to eradicate such situations.26 Apart from the responding services, SLCERT also
provide consultancy and awareness services as well.
The CCA has an extradition applicability. Through extradition, the law enforcement in relation
to cyber-crimes get more effective since, this allows the law enforcing bodies to enforce law
against any person who commits the cyber-crime within or outside Sri Lanka. However, in
reality, the law-enforcing bodies find it impractical to take actions against the persons who
commits crime outside Sri Lanka. Main reason behind this impracticality is the disinclined
nature of the international organizations in providing their assistance. In the eyes of the
international criminal justice system, these cyber-crime matters are inconsiderable.
Therefore, less significance and less assistance is given by the international organizations such
as INTERPOL, in capturing the culprits and enforcing law against them. However, the situation
has quite changed for the better with the increase in the world-wide cyber-crime rate and
23
The division has investigated over 100 cyber-crimes, including 50 complaint on cyber defamation, 21 on
cases related to obscene publication, and 22 related to email hacking in 2015.
See also: Nushka Nafeel, 'New Laws To Curb Cyber Crimes' Daily News (2015)
<http://dailynews.lk/2015/11/05/features/new-laws-curb-cyber-crimes-0> accessed 21 March 2017.
24
The above fact was revealed by an Investigating Officer of the Computer Crimes Division, Crime
Investigation Department, at the Interview conducted on the 24th
March 2017 at Colombo
25
Nushka Nafeel, 'New Laws To Curb Cyber Crimes' Daily News (2015)
<http://dailynews.lk/2015/11/05/features/new-laws-curb-cyber-crimes-0> accessed 21 March 2017.
26
The above fact was revealed by an expert in the area of Information Security Engineering at the Key
Informant Interview conducted on the 27th
March 2017 at Colombo
10. due to Sri Lanka’s accession to the Budapest Convention. In compliance with the Budapest
Convention the parties to the convention are facilitated with the opportunity of mutual legal
assistance of the other countries. Accordingly, now the countries show much keenness in
providing assistance to the LEA in conducting an effective extradition investigation.
One of the main drawbacks in the existing legal framework on cyber-crimes is that lack of case
law. A limited number of cases are brought before the courts for hearing and there are no
decided cases reported on cyber-crimes.27 All the matters are mostly solved at the lower
courts. Currently, the Colombo High Court is hearing 10 cases28, but the SLCERT reports
suggest that in 2015, 602 cases were reported.29 This gap is mainly due to the various
loopholes that exist in the existing legal framework in identification of offences and in
conducting investigations. Further, since the IT literacy of the individuals are at a low level,
most of the individuals are not aware that they are victims of cyber-crimes. Some individuals
are not aware about the legal reliefs available to the cyber-crime victims. Therefore, only a
few number of cases are reported to the courts and the judges don’t get an opportunity to
administer law against the offenders. Even where cases are brought before the courts for
hearing, the law does not provide sufficient reported case law for the judges to address issues
based on the stare decisis concept. Accordingly, it can be submitted that the lack of awareness
and case law has largely contributed towards the ineffectiveness of the legislative framework
on cyber-crimes.
CCA has provisions to award compensation to the victims of cyber-crimes, where they have
incurred a loss or damage or where a monetary gain is accrued by the offender.30 The
provision has enhanced the effectiveness of the existing framework by providing the victims
with reliefs where they have suffered a loss. Yet, this provision has also given rise to many __
27
Sunil Abeyratne in an interview published in the “The Island” newspaper on 6th
September 2016 states that a
case on a cyber-crime matter is pending at the Court of Appeal. The respondent had been indicted for
distributing child pornography using the internet. At the High Court, the prosecutors had failed to prove the case
beyond reasonable doubt since the investigators of the National Child Protection Authority failed to conduct a
proper investigation. The Hon. Attorney General has appealed against the decision of the High Court and the
judgement is pending.
See also: Randima Attygalle, 'How Ready Are We To Combat Cyber Crime?' The Island (2014)
<http://www.island.lk/index.php?page_cat=article-details&page=article-details&code_title=109816> accessed
22nd
March 2017
28
The above fact was revealed by an expert in the field of law at the Key Informant Interview conducted on the
20th
March 2017 at Gampaha.
29
See also: See also: Sri Lanka CERT, 'Sri Lanka CERT Cyber Security Awareness Survey, 2015' (Sri Lanka
CERT 2015) <http://www.slcert.gov.lk/Downloads/Survey.pdf> accessed 21 March 2017
30
Computer Crime Act No.24of 2007, section 14
11. that lead towards the ineffectiveness of the system. Since aggrieved parties are capable of
recovering their damage by way of compensation through a civil matter, most of the parties
opt to institute a civil matter to recover the losses. Further, most of the corporations opt a
civil matter and recover damages, in order to avoid the negative publicity that would cause
their brand image to get tarnished. Therefore, no formal complaints are made to the Police
neither they receive information regarding cyber-crimes and thereby no cyber-crime cases
are reported before the courts for hearing.31
Few major issues exist in relation to admissibility of electronic evidence in case of a cyber-
crime. With the recent development in relation to admissibility of electronic evidence,
computer generated evidence is now accepted to be admissible. Yet, there are few restriction
imposed by law with regard to acceptance of electronic evidence. These restrictions have
been slightly relaxed with the implementation of the ETA. However, the provisions of the ETA
are applicable in relation to commercial transactions only and where cyber-crime occur in the
course non-commercial transactions, only the Evidence (Special Provision) Act is applied.
Further, law doesn’t provide for the admissibility of evidence produced by certain
international organizations, digital forensic labs of the computer crime unit or for the
admissibility of evidence obtained through the mutual legal assistance process. Due to these
irregularities, the law enforcing officers have to face various issues in proving their case
beyond reasonable doubt ultimately leading towards the ineffectiveness of the overall
legislative framework.
Once all above-mentioned prospects and challenges of the system are considered, it can be
submitted that the legislative framework has much scope for improvement in enhancing its
effectiveness in relation to law enforcement.
Protection of Human Rights and Liberties
One purpose of the introduction of a new legislative framework on cyber-crimes, is to protect
the rights and liberties of the individuals. Once a person becomes a victim of a cyber-crime,
most of his human rights are affected. For example, in case of cyber-defamation, a person’s
right to privacy, right to equality, freedom from mental torture and even sometimes his
31
The above fact was revealed by an expert in the field of law at the Key Informant Interview conducted on the
20th
March 2017 at Gampaha.
12. intellectual property rights are affected. If law is enforced against the offender, his freedom
of expression of the offender is affected. Eventhough many human rights are affected through
the commission of a crime, the main concern is victim’s privacy. Therefore, the CCA has
introduced a provision in order to protect the confidentiality of the victimised information.
Eventhough the victim’s right to privacy may get affected during commission of the cyber-
crime, steps have been taken to ensure that during the investigation no such right is affected.
Further, the Constitution of Sri Lanka32 and Universal Declaration of Human Rights provide for
the protection of a wide range of human rights and liberties and under those provisions rest
of the human rights can be protected. CCA provides only for the protection of the rights in
course of investigation. Accordingly, it can be submitted that the existing law provide for an
effective legislative framework on the protection of human rights and liberties related with
cyber-crimes
Summary
Effectiveness of the existing legislative framework on cyber-crimes can be assessed based on
its success at achieving the objectives behind its implementation. Accordingly, the
effectiveness of the legal framework was analysed in relation to identification and prevention
of cyber-crimes, provision of an efficient investigating procedure, enforcement of the enacted
laws and in relation to protection of human rights and liberties. Since the current legal
framework on cyber-crimes recognise most of the computer crimes, provide an effective
mechanism to deal with such computer crimes with the assistance of a panel of experts and
since the court have a wide jurisdiction to attend the matters irrespective of whether the
person resides, the crime was committed or the damage was caused a person or corporation
within or outside Sri Lanka and since measures have been implemented for the protection of
information and rights of the individuals, in one aspect it can be submitted that the existing
legal framework is effective. Yet, due to certain practical issues faced by the investigators,
non-identification of certain prominent cyber-crime offences, lack of reporting by victims,
shortage of resources, expertise and experience, irregularities in law enforcement due to
transnational nature of cyber-crimes and due to significant challenges faced by LEAs in
32
Constitution of