Computer Crimes Act is now operational - ICTA

The Computer Crimes Act No. 24 of 2007 has been brought into operation with effect from 15th July 2008, by an order made under Section 1 by the Minister of Justice and Law Reforms (Gazette Extraordinary No. 1559/41 dated 25th July 2008), the Ministry of Justice announced recently.

This legislation gives more power to law enforcement to address computer crimes.

"The Basis of the Computer Crimes Bill is to criminalise attempts at unauthorised access to a computer, computer programme, data or information," Director and Legal Advisor, ICT Agency (ICTA) Jayantha Fernando, said.

Any unauthorised copying, modification, alteration or deletion of information, denial of service and causing damage or harm to the computer by the introduction of viruses and logic bombs are considered offences under the Act.

"It also contains a provision to deal with unauthorized use of computers regardless of whether the offender had authority to access the computer," Fernando added. Features of the Computer Crimes Act

The Computer Crimes Act No. 24 of 2007, primarily addresses Computer Related crimes (i.e. where Computers are used as a tool for criminal activity such as theft, fraud etc) and Hacking offences (affecting integrity, availability and confidentiality of a computer system or network and the introduction of viruses, worms etc).

Content related offences although partially covered under the Act, are being addressed through a series of changes to the Penal Code and other statutory provisions.

The first class of offences in the Computer Crimes Act criminalises attempts at unauthorised access to (a) computer or (b) any information held in any computer (Vide Section 3) and doing same for the commission of any other offence (Vide Section 4).

The explanatory note to Section 3 and 4 states the following:-

(a) for the purpose of authorised access to the computer, the mere turning on of a computer is sufficient for the commission of the offence.

(b) For the commission of unauthorised access to any information held in any Computer, there should be an intention to secure any programme or data held in any Computer and the access intended to be secured, should be unauthorized.

The explanatory also suggests and that it is not necessary to have access directed at any particular programme, data or computer to commit the offence of unauthorised access to any information held in any computer.

Section 5 of Act states that any person who intentionally or without lawful authority carries out a function which has the effect of modification or damage or potential damage to any computer or computer system or computer programme shall be guilty of an offence.

The Illustrations given in the Act states that for any unauthorised modification or damage or potential damage to take place, any one of the following should occur -

(a) impairing the operation of any computer, computer system or the reliability of any data or information held in any computer; or

(b) destroying, deleting or corrupting or adding, moving or altering any information held in any computer;

(c) making use of a computer service involving computer time and data processing for the storage or retrieval of data;

(d) introducing a computer programme which will have the effect of malfunctioning of a computer or falsifies the data or any information held in any computer or computer system (eg:- viruses, worms etc).

Other offences sought to be created include, unauthorised obtaining of information from a computer or a storage medium; unauthorised use of computer service and interception of data; selling, importing or distributing any device or computer access code or password for the commission of offences under the Act; providing access information to a service without authority or in breach of a contract.

New regime for investigation of offences

The New Act introduces a new regime for the investigation of offences. The value of legislating on this subject will be of no effect unless investigations can be done efficiently and effectively.

To achieve this objective, a provision has been included enabling a panel of 'Experts' to assist the Police in the investigation of computer crime offences.

In terms of the role envisaged for "experts" they will assume jurisdiction only when their assistance is called for.

The Act empowers the experts with specific powers, such as visiting the scene of crime for purposes of investigation, to access and examine computer systems, data or information held in a computer etc.

The Act also provides for the retention and preservation of information required from computer devices for the purpose of carrying out investigations. In carrying out investigations the law prescribes that legitimate business activity using computers should not be hindered and that strict confidentiality should be maintained in respect of data and information.

The introduction of the concept of 'experts' to the act together with other provisions was necessary to ensure that the skilled task of accessing a computer is done only by a person who has the competence to perform an efficient detection while at the same time ensuring that the computer hardware and software is not damaged.

Addressing enforcement needs

Consequent to a decision of the Cabinet of Ministers, the ICT Agency of Sri Lanka (ICTA) has identified and commenced a program of work to develop capacity in the Police Department so that Police personnel would be well equipped to investigate Computer Crime.

The development of digital forensic lab and the setting up of the Computer Crimes Unit is also envisaged.