
Review of the Jamaican Cybercrime Act of 2010


In this talk, I give my review comments of the Jamaican CyberCrime Act



  1. Jamaican Cybercrime Act of 2010: Review Comments by Dr. Tyrone W A Grandison (CEO, Proficiency Labs). Presentation to The Joint Select Committee of the Jamaican Parliament on the Cybercrimes Act, March 7th, 2013.
  2. Introduction: Proficiency Labs
     Small startup founded in 2012, based in Ashland, Oregon. Specializes in building, evaluating and repairing privacy and security solutions for cyber systems. Services offered: IT Consulting, Systems Development, Data Extraction & Expert Witness Services for Legal Cases, Legislative Compliance Education & Outreach.
  3. Introduction: Tyrone
     • Born & bred in Kingston, Jamaica.
     • Over 20 years of experience in the Computer Science field.
     • The last decade has been spent reading & evaluating law, then implementing solutions (administrative, physical & technical) that ensure compliance.
     • Over 90 academic peer-reviewed papers in the spaces of computer and data security and privacy.
     • Over 30 patents in computer science.
     Recognition:
     • Distinguished Engineer of the Association for Computing Machinery (ACM),
     • Senior Member of the Institute of Electrical and Electronics Engineers (IEEE),
     • IEEE Technical Achievement Award in 2010 for "Pioneering contributions to Secure and Private Data Management",
     • IBM Master Inventor,
     • Fellow of the British Computer Society (BCS),
     • Pioneer of the Year (2009), National Society of Black Engineers.
  4. Flow of the Talk
     • State my Motivation / Agenda
     • Provide Summary
     • Page by Page Analysis of the current Act
     • Immediate Improvements
     • Next Steps Guidance – Process-Wise
     • Suggestions on Missing Elements
     • Suggestion on Legislative Principles
     • Close
  5. Motivation
     • The Jamaican Public
     • The Caribbean Academic Community
     • Personal Gratitude
  6. Review Summary
     The Act needs to be tightened. Currently, it only focuses on unauthorized access. In its current form, the Act has limits in its scope & coverage and it is far too general in many other parts, with potentially devastating implications for the local Computer Science community (Research and Development).
  7. "obtains access"
     Definition stated on Page 3 – 2.(2). It seems the intent of this definition is to define deviant and undesired behavior. Is this assumption correct? The reality is that every single user of a computer system falls under the purview of this definition. For example:
     • Simple: Minister Robinson uses MS PowerPoint to open a ministerial presentation, edit it and store it on my machine.
     • Under all the conditions cited in the Act, (a) through (e), Minister Robinson "obtains access". Is this the intent?
     • Is everyone using a computer or computing device (which includes mobile phones) supposed to be in this group of people who "obtain access" under the Cybercrime Act?
     I can also see scenarios where less than scrupulous elements could use this definition to unfairly persecute others.
     Recommendation: This definition needs to be sharpened to align with its true intent.
  8. "entitled"
     Mentioned on Page 3 – 2.(4)(a). "entitled" and "entitlement" should be defined. Technically, a person may not be entitled to data (depending on definition), but it may be a function of their job.
     • Example: Is a CFO entitled to see client data, even though he is several levels above the actual person who has data access rights? When you have separation of duties scenarios, how does that interact with "entitlement"?
     Recommendation: 2.4.(a) should be removed, rephrased or a section on "entitlement" included.
  9. "consent"
     Mentioned on Page 3 – 2.(4)(b). "consent" should be defined. "consent" should be documented and retained in order to prove compliance.
     • What are acceptable forms of documenting "consent"?
     Recommendation: 2.4.(b) should be removed, rephrased or a section on "consent" included.
  10. "unauthorised"
     Defined by Page 3 – 2.(4). Current definition is limited.
     Hypothetical Legal Scenario:
     • Someone who accidentally gains access rights to valuable data through software malfunction.
     • Could soundly argue that access is authorised under the Cybercrime Act because the software is a proxy for him and the software is entitled.
     • Thus, his activity is not covered under the Act.
     Recommendation: Use the established definition of Unauthorized Access: when a person who does not have permission to connect to or use a system or data gains entry in a manner unintended by the system owner.
  11. "commits an offence"
     Mentioned on Page 5 – Part II. 3 (1). Covers only unauthorised access of software or data.
     Deloitte & Touche's "Cyber Security Watch" survey (2011):
     • Forty-six (46) percent of respondents said insider attacks were more costly to their organization than external attacks.
     • Thus, insider attack (i.e. attack from people within the company who are probably authorised) should be included.
     Recommendation: Address the case where the person has authorized access and chooses to pass on (confidential or private) information to another person/entity/computer for monetary or other gain/purpose, via electronic or other means (e.g. showing someone onscreen, taking a screenshot and sharing it, printing material and passing it on).
  12. "offence"
     Mentioned in Page 6 – 4 (1) through 4 (4). The definition of offence is too narrow.
     Recommendation: The definition needs to be broadened.
     • Statistically, the bigger security risk/threat has been proven to be "the insider threat", i.e. existing employees, disgruntled soon-to-be ex-employees, i.e. most likely people who are authorized.
  13. "unauthorised modification"
     Mentioned in Page 7 – 5 (1) through 5 (3).
     Limited Applicability:
     • In-house IT departments are normally authorized to modify their parent company's system and data. Anyone in these departments who commits a crime may argue that they are not covered under this Act.
     • Realistically, this clause will likely only apply to computer hobbyists, professional hackers and security academics who are outside a corporate entity (with no consent).
     Recommendation: Rephrase to include modification with authorization but not for the intended purpose.
  14. "intercepts"
     Mentioned on Page 8 – 6 (1) (b). Define "intercepts". The current wording is awkward. Currently, the effect of this is: anyone who happens to listen in on network traffic is committing an offence.
     • Example: The network goes down and the traffic on the network is dumped into a file that a network engineer must view to troubleshoot the problem. From the current definition, it can be interpreted as: they have committed an offence by indirectly intercepting. ???
     • Also, what about network protocol/security students writing assignment code that requires interception?
     • It would also encapsulate a number of other valid scenarios where interception is necessary and/or a business function, e.g. deep packet inspection.
     With the current wording, one eliminates the possibility of legitimate interception happening in industry or academia.
     Recommendation: Determine the function of the clause and rewrite.
  15. "lawful justification or excuse"
     Mentioned on Page 9 – (7) (1). Define "lawful justification or excuse."
     Under the current phrasing, the following are prosecutable:
     • Intentional software updates/upgrades, i.e. if the updates cause a memory leak, system failure etc.
     • Beginning computer students who write horrible code with unintended consequences for the computer or network.
     • (Computer) Security professionals and students in the course of their duties.
     What authorisation is acceptable here? Would the acceptance of a software update, the permission of a lecturer/teacher, etc. constitute authorization and thus exempt these scenarios from prosecution?
     Recommendation: Rephrase to meet intent.
  16. 8 (1)
     In (8) (1) (a) either:
     • 1) redefine computer to be broader, or
     • 2) replace it with "code, program, software, computer or equivalent electronic (and non-electronic) artifact."
     In (8) (1) (b) the phrase "any access code or password" is contemporary and too specific.
     • I suggest using "any authentication or authorization token, such as access codes & passwords, biometric identifiers, gesture passwords" in order to provide for future technology and to capture more current mechanisms.
  17. "protected computer"
     Mentioned on Page 11 – 9 (1) and 9 (2). "the offender knows, or ought reasonably to know" puts the burden/responsibility on the offender and offers a potential loophole.
     • It is possible for an offender to skirt this Law by suggesting that they did not know and that it could not be reasonably determined that a computer was protected.
     I suggest that an additional policy step be taken to avoid this scenario:
     • All protected computers be clearly and visibly tagged/labeled as such.
     The inclusion of 9 (2)(c) through 9 (2)(e) makes this very broad and potentially detrimental, e.g. loss of laptops by emergency services. The scenarios are endless.
     • Either remove them, clarify the offences or ensure ALL equipment is labeled "Protected Computer".
  18. "incites"
     Mentioned on Page 12, 10 (a) and 10 (b). Define "incites".
     Creative Scenario:
     • A "very smart" disgruntled ex-employee who commits an unauthorized access may request that his boss or whoever incited him to action be charged as well.
     Recommendation: I suggest removing "incites, attempts" from 10.
  19. "suffered loss"
     Page 13 – 12 (1). Define "suffered loss". "suffered loss" should be tied to something tangible and/or capped.
     • In order to dissuade people from making frivolous claims.
  20. 14 & 15
     14 (1) (a): Define the grounds upon which "reasonably required" is based.
     14 (1) (b): Define the evidence upon which "reasonable grounds" is based.
     14 (1): What happens when an offender has automated tamper-resistant or tamper-proof software on their system?
     (15) (1): Define "reasonable grounds".
  21. 17 & 18
     The term "key" is being used without definition in 17 (3) (b) and 18 (9) (a).
     • Define "key" such that it includes current cryptographic mechanisms and so that there is room for future technologies.
     Define "intelligible".
     • A smart lawyer could argue that hashed data is intelligible to someone with the hash algorithm.
  22. Immediate Improvements
     • Update with precise definitions of unclear terms.
     • Include "authorised access" measures to address the insider threat.
     • Modify language to ensure that domestic Computing professionals and academia are not suffocated by the Act.
     • Bolster the Act with policy actions that improve enforcement.
     • Increase penalties to be true disincentives.
  23. Stepping Back
     Determine the technical and business activities and threats that should be covered in this Act.
     There are several broad (technical) cyber threat categories:
     • Eavesdropping or Sniffing
     • Data Modification
     • Identity Spoofing
     • Authentication/Authorization System Attack
     • Denial of Service
     • Man-in-the-Middle
     • Security System Attack
     • Operating System Exploits
     • Application-Layer Attacks
     Each of these categories has a complementary, well-defined, legitimate function.
  24. Then
     Impact analysis
     • Determine how the new provisions/clauses/rules will impact all the stakeholders.
     Collaborative rule-making
     • Request stakeholder input.
     • Weigh stakeholder input based on their established biases and business functions.
     • Engage an impartial entity (or entities) in collating new proposed rules with stakeholder input and public interest.
     Enable Enforcement
  25. 25. What is Missing? Personal Data Protection  OECD Data Protection Directive can be used as a model. The seven principles governing the OECD’s recommendations for protection of personal data were:  Notice—data subjects should be given notice when their data is being collected;  Purpose—data should only be used for the purpose stated and not for any other purposes;  Consent—data should not be disclosed without the data subject’s consent;  Security—collected data should be kept secure from any potential abuses;  Disclosure—data subjects should be informed as to who is collecting their data;  Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; 25  Accountability—data subjects should have a method available to them to
  26. 26. What is Missing? Identity Theft (both online and traditional)  ―The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right.‖  Multiple approaches across the world.  Normally focused on traditional identity theft.  Approaches:  Canada : sections 402.2 and 403 of the Criminal Code of Canada  US : Identity Theft and Assumption Deterrence Act of 1998  Philippines: section 4 (b)(3) of the Cybercrime Prevention Act of 2010. 26
  27. 27. What is Missing? Breach Notification  ―When a cyber breach occurs, inform in a timely manner, in multiple media, and ensure compromised data owners are compensated and protected from ongoing malicious activity.‖  Organizations may also be fined for the breach.  In US, Laws vary by state. See here. California was 1st.  EU General Data Protection Regulation Proposal (July 1, 2013) introduces breach notification requirement. Useful Reference Material:  ―Dealing with data breaches in Europe and beyond‖ by Ann Bevitt, Karin Retzer and Joanna Łopatowska (Morrison & Foerster LLC), 2013.  California Database Breach Act (SB 1386) 27
  28. 28. What is Missing? Illegal Cyber Actions  Unsolicited Commercial Communications — The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services.  Cyber-squatting – The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same.  Cyber Fraud – The deliberate deception for unfair or unlawful gain that occurs online.  Cyber Extortion – The attack or threat of attack against an entity (person or company), coupled with a demand for money to avert or stop the attack.  Cyber Spying or Espionage – The act or practice of obtaining secrets (personal, sensitive, classified or proprietary data) without the permission of the holder of the information. 28
  29. Principles
     "Good Stewardship" - Companies that collect, collate or utilize data on individuals in any way are stewards of this data.
     • It is expected that companies will be good "data" stewards, which looks like:
     • Asking for consent when using an individual's data.
     • Respecting the individual's wishes/preferences with regards to how they want their data to be used or not used.
     • Compensating individuals for any damage or harm done to the individual when the steward or its agents perform or enable some act that is detrimental to the individual.
     • Offering compensation to the individual(s) when data is used in a manner that leads the company to gain revenue from data use or processing.
     • Making all actions taken with regards to data transparent and visible to the data owner(s).
     • Data use is purpose-driven.
  30. Principles
     "Data Ownership" - Data about or concerning a particular individual is owned by that individual.
     • Thus, giving individuals ownership rights over their data and the actions performed on it.
     "Private and Secure by Default" - Data stewards should ensure that there are process, technology and social safeguards in place to ensure that the data owner's privacy is protected.
     • It should be assumed that data is secure and private by default.
     • Data should remain in a privacy-preserving and secure state until it is no longer needed (i.e. used for its purpose) and it is securely destroyed.
     • Legal recourse for victims of cybercrime.
  31. Concluding Remarks
     There is a lot of work to be done to protect the Jamaican people, the Jamaican business community and the Jamaican academic community. The culture of paper in Jamaica is moving into the electronic age. You cannot pull skeptical people into the 21st century without some kind of surety that you are protecting their interests. A corporation's bottom line is only as good as the people who work for it and buy its goods & services. A protected citizen is a confident consumer.
  32. Questions
     Dr. Tyrone W A Grandison
     @tyrgr
     tgrandison@proficiencylabs.com