Last week, news broke worldwide of a new computer virus discovered known as the “Heartbleed” computer bug, which allows hackers to manipulate the OpenSSL encryption software used by most websites, giving them access to stored data such as credit card information, passwords, and other personal details. Internet giants such as Google, Microsoft and LinkedIn went into an unsurprising panic, encouraging users to change their passwords. After all, it was not very long ago that social media website LinkedIn was hacked, compromising all users’ passwords, many of which were cracked and posted online.
Offences such as these are not new. Hacking and other internet-based offences have been around since the advent of the World Wide Web. However, their rapid proliferation is a growing cause for concern. Developing countries, such as Jamaica, are especially susceptible, since we are only now developing the sophistication to identify and deal with these technology-driven crimes. In fact, it was only a few years ago that these activities became susceptible to Jamaican law, with the passage in 2010 of the Cybercrimes Act.
The long title describes the legislation as “an Act to provide criminal sanctions for the misuse of computer systems or data and the abuse of electronic means of completing transactions and to facilitate the investigation and prosecution of cybercrimes.” Cybercrime is not defined in the Act, but is generally regarded as the use of a computer or network in the commission of a crime or as the target of a crime.
The Act proscribes several offences, including: the unauthorised access to any program or data held in a computer; the unauthorised modification of the contents of any computer; the unauthorised access to any computer for the purpose of obtaining, directly, or indirectly, any computer service; or the unauthorised interception of any function of a computer; the unauthorised obstruction of the operation of a computer, and unlawfully making devices available for the commission of an offence. The lack of specificity of the offences under the Act and the absence of jurisprudence make it difficult to determine exactly what activities are covered by each offence. The Act perhaps would have been more comprehensible if identifiable names of the offences were used, such as “hacking” with a definition being provided in the interpretation section, rather than describing each offence, without naming it, as is currently done.
ts unclear scope and lack of reader-friendliness are some of the recognised deficiencies of the Act. They are also likely to be factors contributing to the low levels of prosecution that have been achieved by the specially established Communication Forensic and Cyber Unit (CFCU) that falls within the ambit of the Organised Crime Investigation Division of the Jamaica Constabulary Force.
In fact, when a Joint Select Committee of Parliament reviewed the Act last year, there had only been one prosecution so far. This is despite the fact that approximately 43 persons had been charged with various offences under the Act, leaving the CFCU to lament that notwithstanding the passage of legislation, significant legal loopholes remain. The Joint Select Committee has since recommended, among other amendments, that offences such as forgery, fraud and malicious communication, be brought under the Act, as well as for the introduction of stiffer penalties.
It is unfortunate that such offences were not originally included as despite the seemingly wide nature of the provisions under the Act, it was unable to capture the prevalent offences related to the lotto scam. That lacuna necessitated Parliament passing yet another Act–the Law Reform (Fraudulent Transactions) (Special Provisions) Act, 2013— to cover those offences. Our draftsmen may then well want to consider, when amending the Act, whether to compound both pieces of legislation as well others which deal with digital media, such as the Interception of Communication Act and the Data Protection Act into one omnibus legislation.
In addition to those offences recommended by the Joint Select Committee, it may also be necessary for us to widen our conception of cybercrime to ensure that offences such as identity theft and obscene publications are also included. Certainly, offences such as these ought to be considered, given their widespread nature and to ensure that offenders do not go unpunished.
The law on cybercrime presents novel issues, such as how to deal with transborder cybercrime and the ubiquitous nature of the internet. The Act must therefore be all-encompassing. The disgruntled employee who maliciously plants a virus or otherwise interferes with his work computer, the bank employee who uses his access to the customer database to commit an offence, the individual who sells email addresses and other personal data to spammers or scammers, the online bully who uses the internet to assault or harass another person, or the depraved individual that circulates obscene images or videos of others without their consent must all fall within the purview of the Act. No doubt these offences will present challenges for law enforcement in addressing how to identify and prosecute offenders. Nevertheless, it is imperative that the law is responsive to the digital age, ensuring that offenders do not have a world of immunity in the World Wide Web.