In this talk, I give my review comments of the Jamaican CyberCrime Act

1. Jamaican
Cybercrime Act
of 2010
Review Comments by
Dr. Tyrone W A Grandison
(CEO, Proficiency Labs)
Presentation to
The Joint Select Committee of the Jamaican Parliament on the Cybercrimes Act
On March 7th, 2013

2. Introduction:
Proficiency Labs
 Small startup founded in 2012 based in Ashland,
Oregon.
 Specializes in building, evaluating and repairing
privacy and security solutions for cyber systems.
 Services offered: IT Consulting, Systems
Development, Data Extraction & Expert Witness
Services for Legal Cases, Legislative Compliance
Education & Outreach.
2

3. Introduction - Tyrone
• Born & Bred in Kingston, Jamaica. • Recognition:
• Over 20 years experience in the • Distinguished Engineer of the
Association of Computing Machinery
Computer Science field. (ACM),
• The last decade has been spent • Senior Member of the Institute of
reading & evaluating law; then Electrical and Electronics Engineers
implementing solutions (IEEE),
(administrative, physical & technical) • IEEE Technical Achievement Award in
that ensure compliance. 2010 for ‖Pioneering contributions to
Secure and Private Data Management‖,
• Over 90 academic peer-reviewed • IBM Master Inventor,
papers in the spaces of computer and
• Fellow of the British Computer Society
data security and privacy. (BCS),
• Over 30 patents in the computer • Pioneer of the Year (2009), National
science. Society of Black Engineers.
3

4. Flow of the Talk
 State my Motivation / Agenda
 Provide Summary
 Page by Page Analysis of the current Act
 Immediate Improvements
 Next Steps Guidance– Process-Wise
 Suggestions on Missing Elements
 Suggestion on Legislative Principles
 Close
4

5. Motivation
 The Jamaican Public
 The Caribbean Academic
Community
 Personal Gratitude
5

6. Review Summary
The Act needs to be tightened. Currently, it only
focuses on unauthorized access. In its current form,
the Act has limits in its scope & coverage and it is
far too general in many other parts; with potentially
devastating implications to the local Computer
Science community (Research and Development).
6

7. ―obtains access‖
 Definition stated on Page 3 – 2.(2)
 It seems the intent of this definition is to define deviant and
undesired behavior. Is this assumption correct?
 The reality is that every single user of a computer system falls
under the purview of this definition. For example:
 Simple: Minister Robinson uses MS Powerpoint to open a
ministerial presentation, edit it and store it on my machine.
 Under all the conditions cited in the Act, (a) through (e),
Minister Robinson ―obtains access‖. Is this the intent?
 Is everyone using a computer or computing device (which
includes mobile phones) supposed to be in this group of
people who ―obtain access‖ under the Cybercrime Act?
I can also see scenarios where less than scrupulous elements could
use this definition to unfairly persecute others.
 Recommendation: This definition needs to be sharpened to
align with its true intent.
7

8. ―entitled‖
 Mentioned on Page 3 – 2.(4)(a)
 ―entitled‖ and ―entitlement‖ should be defined.
 Technically, a person may not be entitled to data
(depending on definition), but it may be a function of their
job.
 Example: Is a CFO entitled to see client data, even though
he is several levels above the actual person who has data
access rights?
 When you have separation of duties scenarios, how does
that interact with "entitlement"?
 Recommendation: 2.4.(a) should be removed, rephrased
or a section on "entitlement" included.
8

9. ―consent‖
 Mentioned on Page 3 – 2.(4)(b)
 ―consent‖ should be defined.
 ―consent‖ should be documented and retained in
order to prove compliance.
 What are acceptable forms of documenting
―consent‖?
 Recommendation: 2.4.(b) should be removed,
rephrased or a section on ‖consent" included.
9

10. ―unauthorised‖
 Defined by Page 3 – 2.(4)
 Current definition is limited.
 Hypothetical Legal Scenario:
 Someone who accidentally gains access rights to valuable data
through software malfunction.
 Could soundly argue that access is authorised under the
Cybercrime Act because the software is a proxy for him and the
software is entitled.
 Thus, his activity is not covered under the Act.
 Recommendation: Use established definition of Unauthorized
Access - when a person who does not have permission to
connect to or use a system or data gains entry in a manner
10
unintended by the system owner.

11. ―commits an offence‖
 Mentioned on Page 5 - Part II. 3 (1)
 Covers only unauthorised access of software or data.
 Deloitte & Touche’s ―Cyber Security Watch‖ survey (2011)
 Forty-six (46) percent of respondents said insider attacks were
more costly to their organization than external attacks.
 Thus, insider attack (i.e. attack from people within the
company who are probably authorised) should be included.
 Recommendation: Address the case where the person has
authorized access and chooses to pass on (confidential or private)
information to another person/entity/computer for monetary or
other gain/purpose, via electronic or other means (e.g. showing
someone onscreen, taking a screenshot and sharing it, printing
material and passing it on)
11

12. ―offence‖
 Mentioned in Page 6 - 4 (1) through 4 (4)
 The definition of offence is too narrow.
 Recommendation: The definition needs to be
broadened.
 Statistically, the bigger security risk/threat has been
proven to be ―the insider threat‖, i.e. existing
employees, disgruntled soon-to-be ex-employees,
i.e. most likely people who are authorized.
12

13. ―unauthorised modification‖
 Mentioned in Page 7 - 5 (1) through 5 (3)
 Limited Applicability:
 In-house IT departments are normally authorized to
modify their parent company’s system and data. Any
crime committed by someone in these departments
may argue that they are not covered under this Act.
 Realistically, this clause will likely only apply to
computer hobbyists, professional hackers and
security academics who are outside a corporate
entity (with no consent.)
 Recommendation: Rephrase to include modification
with authorization but not for the intended purpose.
13

14. ―intercepts‖
 Mentioned on Page 8 – 6 (1) (b)
 Define ―intercepts‖.
 The current wording is awkward. Currently, the effect of this is: Anyone who
happens to listen in network traffic is committing an offence.
 Example: The network goes down and the traffic on the network is dumped into a
file that a network engineer must view to troubleshoot the problem. From the
current definition, it can be interpreted as: They have committed an offence by
indirectly intercepting. ???
 Also, what about network protocol/security students writing assignment code that
requires interception?
 It would also encapsulate a number of other valid scenarios where interception is
necessary and or a business function, e.g. deep packet inspection.
 With the current wording, one eliminates the possibility of legitimate
interception happening in industry or academia.
 Recommendation: Determine function of clause and rewrite.
14

15. ―lawful justification or excuse‖
 Mentioned on Page 9 - (7) (1)
 Define ―lawful justification or excuse.‖
 Under the current phrasing, the following are prosecutable:
 Intentional software updates/upgrades, i.e. if the updates
cause a memory leak, system failure etc.
 Beginning computer students who write horrible code with
unintended consequences to the computer or network.
 (Computer) Security professional and students in the course
of their duties.
 What authorisation is acceptable here?
 Would the acceptance of a software update, the permission of
a lecturer/teacher, etc. constitute authorization and thus
exempt these scenarios from prosecution?
 Recommendation: Rephrase to meet intent.
15

16. 8 (1)
 In (8) (1) (a) either:
 1) redefine computer to be broader or
 2) replace it with ―code, program, software, computer
or equivalent electronic (and non-electronic) artifact.‖
 In (8) (1) (b) the phrase ―any access code or
password‖ is contemporary and too specific.
 I suggest using ―any authentication or authorization
token, such as access codes & password, biometric
identifiers, gesture passwords‖ in order to predict for
future technology and to capture more current
mechanisms.
16

17. ―protected computer‖
 Mentioned on Page 11 – 9 (1) and 9 (2)
 ―the offender knows, or ought reasonably to know‖ puts the
burden/responsibility on the offender and offers a potential loophole.
 It is possible for an offender to skirt this Law by suggesting that they did
not know and that it could not be reasonably determined that a computer
was protected.
 I suggest that an additional policy step be taken to avoid this scenario:
 All protected computers be clearly and visibly tagged/labeled as such.
 The inclusion of 9 (2)(c) through 9 (2) (e) makes this very broad and
potentially detrimental, e.g. loss of laptops by emergency service. The
scenarios are endless.
 Either remove them, clarify the offences or ensure ALL equipment is
labeled ―Protected Computer‖.
17

18. ―incites‖
 Mentioned on Page 12. 10 (a) and 10 (b)
 Define ―incites‖
 Creative Scenario:
 A ―very smart‖ disgruntled ex-employee who commits
an unauthorized access may request that his boss or
whoever incited him to action be charged as well.
 Recommendation: I suggest removing ―incites,
attempts‖ from 10
18

19. ―suffered loss‖
 Page 13 – 12 (1)
 Defined ―suffered loss‖
 ―suffered loss‖ should be tied to something tangible
and or capped.
 In order to dissuade people from making frivolous
claims.
19

20. 14 & 15
 14 (1) (a) Define the grounds upon which
―reasonably required‖ is based.
 14 (1) (b) Define the evidence upon which
―reasonable grounds‖ is based.
 14 (1) What happens when an offender has
automated tamper-resistant or tamper-proof
software on their system?
 (15) (1) Define ―reasonable grounds‖.
20

21. 17 & 18
 The term ―key‖ is being used without
definition in 17 (3) (b) and 18 (9) (a)
 Define ―key‖ such that it includes current
cryptographic mechanisms and so that there is
room for future technologies.
 Define ―intelligible‖
 A smart lawyer could argue that hashed data is
intelligible to someone with the hash algorithm.
21

22. Immediate

Improvements terms.
Update with precise definitions of unclear
 Include ―authorised access‖ measures – to address
insider threat.
 Modify language to ensure that domestic
Computing professionals and academia are not
suffocated by the Act.
 Bolster Act with policy actions that improve
enforcement.
 Increase penalties to be true disincentives.
22

23. Stepping Back
 Determine the technical and business activities and threats that
should be covered on this Act.
 There are several broad (technical) cyber threat categories:
 Eavesdropping or Sniffing
 Data Modification
 Identity Spoofing
 Authentication/Authorization System Attack
 Denial of Service
 Man-in-the-Middle
 Security system Attack
 Operating System exploits
 Application-Layer attacks
 Each of these categories have a complementary, well-defined,
legitimate function. 23

24. Then
 Impact analysis
 Determine how the new provisions/clauses/rules will
impact all the stakeholders.
 Collaborative rule-making
 Request stakeholder input.
 Weigh stakeholder input based on their established biases
and business functions.
 Engage impartial entity (or entities) in collating new
proposed rules with stakeholder input and public interest.
 Enable Enforcement
24

25. What is Missing?
 Personal Data Protection
 OECD Data Protection Directive can be used as a model. The seven
principles governing the OECD’s recommendations for protection of
personal data were:
 Notice—data subjects should be given notice when their data is being
collected;
 Purpose—data should only be used for the purpose stated and not for
any other purposes;
 Consent—data should not be disclosed without the data subject’s
consent;
 Security—collected data should be kept secure from any potential
abuses;
 Disclosure—data subjects should be informed as to who is collecting
their data;
 Access—data subjects should be allowed to access their data and make
corrections to any inaccurate data;
25
 Accountability—data subjects should have a method available to them to

26. What is Missing?
 Identity Theft (both online and traditional)
 ―The intentional acquisition, use, misuse, transfer, possession,
alteration or deletion of identifying information belonging to
another, whether natural or juridical, without right.‖
 Multiple approaches across the world.
 Normally focused on traditional identity theft.
 Approaches:
 Canada : sections 402.2 and 403 of the Criminal Code of
Canada
 US : Identity Theft and Assumption Deterrence Act of 1998
 Philippines: section 4 (b)(3) of the Cybercrime Prevention Act
of 2010.
26

27. What is Missing?
 Breach Notification
 ―When a cyber breach occurs, inform in a timely manner,
in multiple media, and ensure compromised data owners
are compensated and protected from ongoing malicious
activity.‖
 Organizations may also be fined for the breach.
 In US, Laws vary by state. See here. California was 1st.
 EU General Data Protection Regulation Proposal (July 1,
2013) introduces breach notification requirement.
 Useful Reference Material:
 ―Dealing with data breaches in Europe and beyond‖ by
Ann Bevitt, Karin Retzer and Joanna Łopatowska
(Morrison & Foerster LLC), 2013.
 California Database Breach Act (SB 1386) 27

28. What is Missing?
 Illegal Cyber Actions
 Unsolicited Commercial Communications — The transmission of
commercial electronic communication with the use of computer
system which seek to advertise, sell, or offer for sale products and
services.
 Cyber-squatting – The acquisition of a domain name over the
internet in bad faith to profit, mislead, destroy reputation, and
deprive others from registering the same.
 Cyber Fraud – The deliberate deception for unfair or unlawful gain
that occurs online.
 Cyber Extortion – The attack or threat of attack against an entity
(person or company), coupled with a demand for money to avert or
stop the attack.
 Cyber Spying or Espionage – The act or practice of obtaining
secrets (personal, sensitive, classified or proprietary data) without
the permission of the holder of the information.
28

29. Principles
 “Good Stewardship” - Companies that collect, collate or
utilize data on individuals in any way are stewards of this
data.
 It is expected that companies will be good ―data‖ stewards,
which looks like:
 Asking for consent when using an individual’s data.
 Respect the individual’s wishes/preferences with regards to how
they want their data to be used or not used.
 Compensating individual’s for any damage or harm done to the
individual when the steward or its agents perform or enable
some act that is detrimental to the individual.
 Offering compensation to the individual(s) when data is used in
a manner that leads the company to gain revenue from data
use or processing.
 Making all actions taking with regards to data, transparent and
visible to the data owner(s).
 Data use is purpose-driven.
29

30. Principles
 “Data Ownership” - Data about or concerning a particular
individual is owned by that individual.
 Thus, giving individuals ownership rights over their data and
the actions performed on it.
 “Private and Secure by Default” - Data stewards should
ensure that there are process, technology and social
safeguards in place to ensure that the data owner’s privacy
is protected.
 It should be assumed that data is secure and private by
default.
 Data should remain in a privacy-preserving and secure state
until it is no longer needed (i.e. used for its purpose) and it is
securely destroyed.
 Legal recourse for victims of cybercrime. 30

31. Concluding Remarks
 There is a lot of work to be done to protect the
Jamaican people, the Jamaican business
community and the Jamaica academic community.
 The culture of paper in Jamaica is moving into the
electronic age. You cannot pull skeptical people into
the 21st century, without some kind of surety that
you are protecting their interests.
 A corporation’s bottom line is only as good as the
people who work for it and buys its goods &
services.
 A protected citizen is a confident consumer.
31

32. Questions
Dr. Tyrone W A Grandison
@tyrgr
tgrandison@proficiencylabs.com
32