Review Comments by
Dr. Tyrone W A Grandison
(CEO, Proficiency Labs)
The Joint Select Committee of the Jamaican Parliament on the Cybercrimes Act
On March 7th, 2013
Small startup founded in 2012 based in Ashland,
Specializes in building, evaluating and repairing
privacy and security solutions for cyber systems.
Services offered: IT Consulting, Systems
Development, Data Extraction & Expert Witness
Services for Legal Cases, Legislative Compliance
Education & Outreach.
Introduction - Tyrone
• Born & Bred in Kingston, Jamaica. • Recognition:
• Over 20 years experience in the • Distinguished Engineer of the
Association of Computing Machinery
Computer Science field. (ACM),
• The last decade has been spent • Senior Member of the Institute of
reading & evaluating law; then Electrical and Electronics Engineers
implementing solutions (IEEE),
(administrative, physical & technical) • IEEE Technical Achievement Award in
that ensure compliance. 2010 for ‖Pioneering contributions to
Secure and Private Data Management‖,
• Over 90 academic peer-reviewed • IBM Master Inventor,
papers in the spaces of computer and
• Fellow of the British Computer Society
data security and privacy. (BCS),
• Over 30 patents in the computer • Pioneer of the Year (2009), National
science. Society of Black Engineers.
Flow of the Talk
State my Motivation / Agenda
Page by Page Analysis of the current Act
Next Steps Guidance– Process-Wise
Suggestions on Missing Elements
Suggestion on Legislative Principles
The Act needs to be tightened. Currently, it only
focuses on unauthorized access. In its current form,
the Act has limits in its scope & coverage and it is
far too general in many other parts; with potentially
devastating implications to the local Computer
Science community (Research and Development).
Definition stated on Page 3 – 2.(2)
It seems the intent of this definition is to define deviant and
undesired behavior. Is this assumption correct?
The reality is that every single user of a computer system falls
under the purview of this definition. For example:
Simple: Minister Robinson uses MS Powerpoint to open a
ministerial presentation, edit it and store it on my machine.
Under all the conditions cited in the Act, (a) through (e),
Minister Robinson ―obtains access‖. Is this the intent?
Is everyone using a computer or computing device (which
includes mobile phones) supposed to be in this group of
people who ―obtain access‖ under the Cybercrime Act?
I can also see scenarios where less than scrupulous elements could
use this definition to unfairly persecute others.
Recommendation: This definition needs to be sharpened to
align with its true intent.
Mentioned on Page 3 – 2.(4)(a)
―entitled‖ and ―entitlement‖ should be defined.
Technically, a person may not be entitled to data
(depending on definition), but it may be a function of their
Example: Is a CFO entitled to see client data, even though
he is several levels above the actual person who has data
When you have separation of duties scenarios, how does
that interact with "entitlement"?
Recommendation: 2.4.(a) should be removed, rephrased
or a section on "entitlement" included.
Mentioned on Page 3 – 2.(4)(b)
―consent‖ should be defined.
―consent‖ should be documented and retained in
order to prove compliance.
What are acceptable forms of documenting
Recommendation: 2.4.(b) should be removed,
rephrased or a section on ‖consent" included.
Defined by Page 3 – 2.(4)
Current definition is limited.
Hypothetical Legal Scenario:
Someone who accidentally gains access rights to valuable data
through software malfunction.
Could soundly argue that access is authorised under the
Cybercrime Act because the software is a proxy for him and the
software is entitled.
Thus, his activity is not covered under the Act.
Recommendation: Use established definition of Unauthorized
Access - when a person who does not have permission to
connect to or use a system or data gains entry in a manner
unintended by the system owner.
―commits an offence‖
Mentioned on Page 5 - Part II. 3 (1)
Covers only unauthorised access of software or data.
Deloitte & Touche’s ―Cyber Security Watch‖ survey (2011)
Forty-six (46) percent of respondents said insider attacks were
more costly to their organization than external attacks.
Thus, insider attack (i.e. attack from people within the
company who are probably authorised) should be included.
Recommendation: Address the case where the person has
authorized access and chooses to pass on (confidential or private)
information to another person/entity/computer for monetary or
other gain/purpose, via electronic or other means (e.g. showing
someone onscreen, taking a screenshot and sharing it, printing
material and passing it on)
Mentioned in Page 6 - 4 (1) through 4 (4)
The definition of offence is too narrow.
Recommendation: The definition needs to be
Statistically, the bigger security risk/threat has been
proven to be ―the insider threat‖, i.e. existing
employees, disgruntled soon-to-be ex-employees,
i.e. most likely people who are authorized.
Mentioned in Page 7 - 5 (1) through 5 (3)
In-house IT departments are normally authorized to
modify their parent company’s system and data. Any
crime committed by someone in these departments
may argue that they are not covered under this Act.
Realistically, this clause will likely only apply to
computer hobbyists, professional hackers and
security academics who are outside a corporate
entity (with no consent.)
Recommendation: Rephrase to include modification
with authorization but not for the intended purpose.
Mentioned on Page 8 – 6 (1) (b)
The current wording is awkward. Currently, the effect of this is: Anyone who
happens to listen in network traffic is committing an offence.
Example: The network goes down and the traffic on the network is dumped into a
file that a network engineer must view to troubleshoot the problem. From the
current definition, it can be interpreted as: They have committed an offence by
indirectly intercepting. ???
Also, what about network protocol/security students writing assignment code that
It would also encapsulate a number of other valid scenarios where interception is
necessary and or a business function, e.g. deep packet inspection.
With the current wording, one eliminates the possibility of legitimate
interception happening in industry or academia.
Recommendation: Determine function of clause and rewrite.
―lawful justification or excuse‖
Mentioned on Page 9 - (7) (1)
Define ―lawful justification or excuse.‖
Under the current phrasing, the following are prosecutable:
Intentional software updates/upgrades, i.e. if the updates
cause a memory leak, system failure etc.
Beginning computer students who write horrible code with
unintended consequences to the computer or network.
(Computer) Security professional and students in the course
of their duties.
What authorisation is acceptable here?
Would the acceptance of a software update, the permission of
a lecturer/teacher, etc. constitute authorization and thus
exempt these scenarios from prosecution?
Recommendation: Rephrase to meet intent.
In (8) (1) (a) either:
1) redefine computer to be broader or
2) replace it with ―code, program, software, computer
or equivalent electronic (and non-electronic) artifact.‖
In (8) (1) (b) the phrase ―any access code or
password‖ is contemporary and too specific.
I suggest using ―any authentication or authorization
token, such as access codes & password, biometric
identifiers, gesture passwords‖ in order to predict for
future technology and to capture more current
Mentioned on Page 11 – 9 (1) and 9 (2)
―the offender knows, or ought reasonably to know‖ puts the
burden/responsibility on the offender and offers a potential loophole.
It is possible for an offender to skirt this Law by suggesting that they did
not know and that it could not be reasonably determined that a computer
I suggest that an additional policy step be taken to avoid this scenario:
All protected computers be clearly and visibly tagged/labeled as such.
The inclusion of 9 (2)(c) through 9 (2) (e) makes this very broad and
potentially detrimental, e.g. loss of laptops by emergency service. The
scenarios are endless.
Either remove them, clarify the offences or ensure ALL equipment is
labeled ―Protected Computer‖.
Mentioned on Page 12. 10 (a) and 10 (b)
A ―very smart‖ disgruntled ex-employee who commits
an unauthorized access may request that his boss or
whoever incited him to action be charged as well.
Recommendation: I suggest removing ―incites,
attempts‖ from 10
Page 13 – 12 (1)
Defined ―suffered loss‖
―suffered loss‖ should be tied to something tangible
and or capped.
In order to dissuade people from making frivolous
14 & 15
14 (1) (a) Define the grounds upon which
―reasonably required‖ is based.
14 (1) (b) Define the evidence upon which
―reasonable grounds‖ is based.
14 (1) What happens when an offender has
automated tamper-resistant or tamper-proof
software on their system?
(15) (1) Define ―reasonable grounds‖.
17 & 18
The term ―key‖ is being used without
definition in 17 (3) (b) and 18 (9) (a)
Define ―key‖ such that it includes current
cryptographic mechanisms and so that there is
room for future technologies.
A smart lawyer could argue that hashed data is
intelligible to someone with the hash algorithm.
Update with precise definitions of unclear
Include ―authorised access‖ measures – to address
Modify language to ensure that domestic
Computing professionals and academia are not
suffocated by the Act.
Bolster Act with policy actions that improve
Increase penalties to be true disincentives.
Determine the technical and business activities and threats that
should be covered on this Act.
There are several broad (technical) cyber threat categories:
Eavesdropping or Sniffing
Authentication/Authorization System Attack
Denial of Service
Security system Attack
Operating System exploits
Each of these categories have a complementary, well-defined,
legitimate function. 23
Determine how the new provisions/clauses/rules will
impact all the stakeholders.
Request stakeholder input.
Weigh stakeholder input based on their established biases
and business functions.
Engage impartial entity (or entities) in collating new
proposed rules with stakeholder input and public interest.
What is Missing?
Personal Data Protection
OECD Data Protection Directive can be used as a model. The seven
principles governing the OECD’s recommendations for protection of
personal data were:
Notice—data subjects should be given notice when their data is being
Purpose—data should only be used for the purpose stated and not for
any other purposes;
Consent—data should not be disclosed without the data subject’s
Security—collected data should be kept secure from any potential
Disclosure—data subjects should be informed as to who is collecting
Access—data subjects should be allowed to access their data and make
corrections to any inaccurate data;
Accountability—data subjects should have a method available to them to
What is Missing?
Identity Theft (both online and traditional)
―The intentional acquisition, use, misuse, transfer, possession,
alteration or deletion of identifying information belonging to
another, whether natural or juridical, without right.‖
Multiple approaches across the world.
Normally focused on traditional identity theft.
Canada : sections 402.2 and 403 of the Criminal Code of
US : Identity Theft and Assumption Deterrence Act of 1998
Philippines: section 4 (b)(3) of the Cybercrime Prevention Act
What is Missing?
―When a cyber breach occurs, inform in a timely manner,
in multiple media, and ensure compromised data owners
are compensated and protected from ongoing malicious
Organizations may also be fined for the breach.
In US, Laws vary by state. See here. California was 1st.
EU General Data Protection Regulation Proposal (July 1,
2013) introduces breach notification requirement.
Useful Reference Material:
―Dealing with data breaches in Europe and beyond‖ by
Ann Bevitt, Karin Retzer and Joanna Łopatowska
(Morrison & Foerster LLC), 2013.
California Database Breach Act (SB 1386) 27
What is Missing?
Illegal Cyber Actions
Unsolicited Commercial Communications — The transmission of
commercial electronic communication with the use of computer
system which seek to advertise, sell, or offer for sale products and
Cyber-squatting – The acquisition of a domain name over the
internet in bad faith to profit, mislead, destroy reputation, and
deprive others from registering the same.
Cyber Fraud – The deliberate deception for unfair or unlawful gain
that occurs online.
Cyber Extortion – The attack or threat of attack against an entity
(person or company), coupled with a demand for money to avert or
stop the attack.
Cyber Spying or Espionage – The act or practice of obtaining
secrets (personal, sensitive, classified or proprietary data) without
the permission of the holder of the information.
“Good Stewardship” - Companies that collect, collate or
utilize data on individuals in any way are stewards of this
It is expected that companies will be good ―data‖ stewards,
which looks like:
Asking for consent when using an individual’s data.
Respect the individual’s wishes/preferences with regards to how
they want their data to be used or not used.
Compensating individual’s for any damage or harm done to the
individual when the steward or its agents perform or enable
some act that is detrimental to the individual.
Offering compensation to the individual(s) when data is used in
a manner that leads the company to gain revenue from data
use or processing.
Making all actions taking with regards to data, transparent and
visible to the data owner(s).
Data use is purpose-driven.
“Data Ownership” - Data about or concerning a particular
individual is owned by that individual.
Thus, giving individuals ownership rights over their data and
the actions performed on it.
“Private and Secure by Default” - Data stewards should
ensure that there are process, technology and social
safeguards in place to ensure that the data owner’s privacy
It should be assumed that data is secure and private by
Data should remain in a privacy-preserving and secure state
until it is no longer needed (i.e. used for its purpose) and it is
Legal recourse for victims of cybercrime. 30
There is a lot of work to be done to protect the
Jamaican people, the Jamaican business
community and the Jamaica academic community.
The culture of paper in Jamaica is moving into the
electronic age. You cannot pull skeptical people into
the 21st century, without some kind of surety that
you are protecting their interests.
A corporation’s bottom line is only as good as the
people who work for it and buys its goods &
A protected citizen is a confident consumer.
Dr. Tyrone W A Grandison
Tightened – key terms defined, semantics clarified e.g. what is the substantive difference between “the misuse of computer systems or data” and “the abuse of electronic means of completing transactions”Technically, “the misuse of computer systems or data” encompasses “the abuse of electronic means of completing”
Separation of Duty: A person with multiple functional roles has the opportunity to abuse those powers. Example: The person who requisitions the purchase of goods or services should not be the person who approves the purchase. The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports“entitlements” is where loopholes can be created. Entitlement versus Visbility
Currently “unauthorised” defined as 1) when a person who is not entitled to access (etc), 2) does not consent to access (etc) or 3) is not acting under the Cybercrime Act or the Interception of Communication Acts
Example, Online Banking. Bank rolls out update that inadvertently exposes customer data, What recourse for customer?
??? – or has he? Another point, whose authorization would the network engineer need to see traffic? Everyone on the network at the time? The CEO?Call bank: All calls recorded.
How much information does each of services have on each computer? Why is this not limited, if it is vast?
Eavesdropping In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.Using a sniffer, an attacker can do any of the following:Analyze your network and gain information to eventually cause your network to crash or to become corrupted.Data ModificationAfter an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified. Identity Spoofing (IP Address Spoofing)Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.Authentication/Authorization System AttacksA common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password. Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user. When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.After gaining access to your network with a valid account, an attacker can do any of the following:Obtain lists of valid user and computer names and network information. Modify server and network configurations, including access controls and routing tables.Modify, reroute, or delete your data. Denial-of-Service AttackUnlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.After gaining access to your network, the attacker can do any of the following:Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.Block traffic, which results in a loss of access to network resources by authorized users.Man-in-the-Middle AttackAs the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data. Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.Security system AttackA key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.Application-Layer Attack & Operation System exploitsAn application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:Read, add, delete, or modify your data or operating system.Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.Abnormally terminate your data applications or operating systems.Disable other security controls to enable future attacks.
Disclosure Example: Digicel online customer care – is a third party you are disclosing your credit card info toNow that Credit Reporting is online in Jamaica, this not being in place is a disaster waiting to happen.Define ProtectionLegal Recourse for cybercrime victims.
Under section 402.2 of the Criminal Code of Canada,“ Everyone commits an offence who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence. is guilty of an indictable offence and liable to imprisonment for a term of not more than five years; or is guilty of an offence punishable on summary conviction.” Under section 403 of the Criminal Code of Canada,“ (1) Everyone commits an offence who fraudulently personates another person, living or dead, (a) with intent to gain advantage for themselves or another person; (b) with intent to obtain any property or an interest in any property; (c) with intent to cause disadvantage to the person being personated or another person; or (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice. is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years; or guilty of an offence punishable on summary convictionsection 4 (b)(3) of the Cybercrime Prevention Act of 2010.(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right: Provided, That if no damage has yet been caused, the penalty imposable shall be one (1) degree lower.Interesting note on Philippines - known as the 10th heavy users of Facebook and other social networking sites such as Twitter, Multiply and Tumblr has been known as source to various identity theft problems. Identity of those people who carelessly put personal information on their profiles can easily be stolen just by simple browsing.
The General Data Protection Regulation Proposal introduces a broad breach notification requirement for any personal data breach similar to that set out in the amended ePrivacy Directive: Trigger and Timing. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal datatransmitted, stored or otherwise processed must be notified to the local data protection authority without undue delay and no later than 24 hours after the controller becomes aware of the breach. A delay in notification is possible, butthe controller must make a reasoned justification for taking longer than 24 hours to notify. Individuals must be notified without undue delay after the controller has notified the authorities, where the breach is likely to adversely affect the protection of an individual’s personal data or privacy. Importantly, the Regulation explicitly mandates processors to notify controllers immediately about a breach on their side. Content.Notification must include the nature of the breach including the types of data and individuals concerned, possible consequences, contact details, measures taken to mitigate potential adverse effects and measures taken by the organisation. Exemptions. Notification to individuals is not required where the organisation can demonstrate that it applied appropriate protection measures to protect the data. As a result, an exemption from notification to individuals seems to be available where encryption technology is applied.Sanctions.Failure to report a breach is sanctioned by administrative penalties of up to 2% of an organisation’s annual global turnover. For a first and unintentional breach (non-compliance with the Regulation), no sanction is imposed, only a written warning issued, where, for example, a company with fewer than 250 employees is processing data only as an activity ancillary to its main activities
Left out :- Cyber Vandalism/Defacement - Hacktivism - Cybersex
Data use is purpose-driven, where purpose-driven refers to the fact that data should only be used for the intended purpose it was created/supplied/generated for, the purpose should be communicated to the data owner, their consent received for using their data for that purpose, and once it has fulfilled the purpose the data must be destroyed.