Tuesday, 27 February 2007

CYBERCRIME: LOCATING AND PENALIZING THE DIGITAL OFFENDER

part 4

Several theories have been advances as to when access becomes unauthorized. Before the advent of legislation, computer crimes involving unauthorized access were essentially absorbed by other common crimes like theft and burglary. This eventually proved to be insufficient as both crimes involved actual prejudice to property interests, where such could not be proven in crimes involving computers. The net result was a body of jurisprudence where the scope of the crime became very large and where proof of the actual property loss became very difficult, a combination that severely weakened enforcement. Thus:

Although not fully articulated at the time, the harm of misuse was that it interfered with the intended function of computers by either exceeding or denying intended privileges. The intrusion itself seemed worth prohibiting, much like a burglary or a trespass. Traditional property crime laws could address computer misuse only when the misuse triggered a consequential harm, however. As a result, the existing law had no clear remedy for many instances of misuse. Although commentators did not have a specific sense of where the line should be drawn, they tended to agree that misuse alone should be a new trigger of criminal liability.

Statutes were later enacted to remedy the initial disparity between traditional law and computer crimes but these proved to be insufficient inasmuch as the conceptual assumptions remained grounded in the old regime of anti-theft and burglary laws, resulting in statutes that are unnecessarily broad

Any standard for the punishment of crime must necessarily be strictly drawn in order not to unduly infringe upon the rights of individuals. In this respect, the functional definition of unauthorized access must set an absolute threshold. It may be as simple as the violation of password-protected files inside a computer. This example meets both the stringent threshold for criminal legislation and the broad need for protection by ordinary computer users.

Substantially the same standards and criticism apply to any access which is expressly unauthorized. In this case, however, the criminal act is much more patent inasmuch as the express lack of authority clearly delineates the crime. The more relevant issue in this instance is evidentiary in character: whether the intrusion has been monitored electronically and whether such electronic evidence is sufficient to produce a conviction.

Responses to Cybercrime

The basic issue for dealing with cybercrime can be summarized thus:
Cybercrime presents a conundrum that taps into the larger issue of how the law handles new technologies. Occasionally, the law singles out crimes that use more efficient means as deserving of special punishment (e.g., wire and mail fraud), and other times it does not (e.g., crimes performed with an automobile). The relationship between technology and law is an ever-evolving one, where innovations that benefit consumers frequently prove a boon to offenders as well. Cybercrime forces us to confront the role of criminal law and the limitations of public enforcement, just as the criminal law forces us to rethink the role of technology and the advancement of a heretofore largely unregulated marketplace.

by nestor gadrinab

Monday, 26 February 2007

CYBERCRIME: LOCATING AND PENALIZING THE DIGITAL OFFENDER

(part 3)

An example of this is child pornography, which is proscribed in most jurisdictions. That the pornographic images are digital i.e. stored in a computer, does not alter the basic elements of the crime. The basic change in this case is merely procedural in character, whether or not digital evidence is sufficient to produce a conviction. Sec. 33 (b) of the E-Commerce Act, insofar as penalized intellectual property violations with the use of a computer, belongs to this category. In this respect, O’Neill’s observation holds, inter alia:

Cybercrime is unique only to the extent that it is often a more efficient means by which to commit certain types of offenses. In particular, the Internet fosters certain efficiencies that may make detection and subsequent prosecution considerably more difficult. Identity on the Internet, for example, is more easily cloaked, thus making detection more challenging. Computers also may increase the expected return from criminal conduct and decrease the fixed costs of undertaking the criminal activity, thereby making cybercrime more attractive to potential offenders.
It would appear, therefore, that the conceptual blur occurs between the confines of the second category, where the computer is the subject of the offense. The core criminal activity which clearly comes into the fore in this are is “hacking” or “cracking” Under Philippine law, the set of acts constitutive of either are enumerated:

a) Hacking or cracking which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communication system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents shall be punished by a minimum fine of One hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

Broken down into elements, two crimes are provided for under the said provision of law, i.e.: i) unauthorized access ii) any access without the knowledge or consent of the owner resulting in the specified damage or injury.

On the one hand, the phrase “unauthorized access” as it appears in Sec. 33(a) of the E-Commerce Act has been subject to much controversy. Kerr observes that:

What does it mean to "access" a computer? Under what circumstances does access become "unauthorized?" The few courts that have reached these questions have offered inconsistent interpretations. Commentators have ignored these questions entirely. The result is an odd situation in which nearly every Anglo-American jurisdiction has an unauthorized access statute that carries serious felony penalties, but no one seems to know what these new laws cover. (emphasis supplied)


One might as well include Philippine jurisdiction in the latter category. No formal definition has been provided in the E-Commerce Act itself. The hiatus cannot be filled with “persuasive” American jurisprudence, since the state decisions have themselves been the source of much confusion.

-by Nestor Gadrinab

Saturday, 24 February 2007

CYBERCRIME: LOCATING AND PENALIZING THE DIGITAL OFFENDER

part 2
Cybercrime: Conceptual Problems

An conceptual stumbling block in the legal analysis of cybercrime is the absence of any definition which commands consensus. Domestically, Congress has not adopted a formal definition for cybercrime. Instead, it has opted for an enumeration of acts constitutive of cybercrime. The enumeration is found in the penal provisions of the E-commerce Act.

Elsewhere, the US Department of Justice broadly defines computer crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." A narrower definition has not been found feasible. On the contrary, it has been observed that:

Because of the diversity of computer-related offenses, a narrower definition would not be adequate. While the term "computer crime" includes traditional crimes committed with the use of a computer, the rapid emergence of computer technologies and the exponential expansion of the Internet have spawned a variety of new, technology-specific criminal behaviors that must also be included in the category of "computer crimes." As a result, there has been a dramatic increase in specialized legislation to combat these new criminal behaviors.
O’Neill makes a rather graphic characterization:

Although the fundamental nature of offenses being committed in this manner are really no different from garden variety thefts, copyright violations, securities frauds, or invasions of privacy, what makes cybercrime unique is that the means of undertaking the criminal conduct is substantially different from dropping into the local liquor store, hitting the proprietor over the head, and running away with the till…

In lieu of a formal definition, three distinct categories have been adopted to classify acts which constitute cybercrime. These categories either treat the computer as the object of a crime, the subject of a crime or an instrumentality to commit a crime.
In the first category, the computer’s hardware or software is the subject of the offense. In most instances, it involves the theft of the unit itself or the data stored within the unit. Under Philippine law, the actual taking of the unit may either be robbery or theft depending upon the circumstances surrounding the taking. Thus, it comes outside the purview of cybercrime and is properly a felony under the Revised Penal Code. This aspect fits the traditional notion of crime and presents few new issues for criminal law.
The same line of analysis could very well be applied to the third category, where the computer is used as an instrumentality of a crime. The issues remain basically the same and it readily appears to be immaterial that the crime was committed using a computer.
posted by n. gadrinab

CYBERCRIME: LOCATING AND PENALIZING THE DIGITAL OFFENDER

(the following is an article written by Nestor Gadrinab, to be published in parts)
Introduction:

The growth of technology, particularly computers, has altered the very face of and conception of reality. It is a wave of change that goes well beyond technological innovation. Computers, in particular, have made information the veritable new medium of exchange. Such phenomenon encompasses the social, economic, political and cultural spheres. Its pervasiveness and impact upon everyday life inevitably makes its encounter with the law a difficult one. For one, technological change is characterized by extraordinary speed. In less than two decades, it has managed to reduce the world into a “global village”, emphasizing connectivity. On the other hand, legal development has always been, to put matters lightly, slow. This has often been justified on the ground of stability and the relatively slow pace of the agricultural and industrial eras has made it a virtue on the part of the law. In the information age, however, this stability has made the law lag behind. The growing disparity between the law and technological development makes the former unresponsive. This disparity shall be explored in this paper in the area of penal legislation vis-à-vis cyberspace, an area which for the nonce shall be designated as cybercrime.

Criminal Law, Realspace and Cyberspace


Philippine criminal law has three main characteristics: general, territorial and prospective. Of the three attributes, two are pertinent viz cybercrime. One is generality and the other, territoriality. Generality is defined in relation to the Civil Law in that Philippine Criminal Law is binding on all persons who live or sojourn in Philippine territory. Territoriality is expressed in the Revised Penal Code, where the provisions of the said code shall be enforced within the Philippine Archipelago, including its atmosphere, its interior waters and its maritime zone.

The traditional scope of criminal law occurs in realspace as opposed to the criminal acts perpetrated in cyberspace typically designated as cyberspace. The designation, however, appears to be arbitrary inasmuch as the operative acts constituting cybercrime can occur in either category. In the context of this paper, locating the offender is both conceptual and real. In the former sense, the offender must be formally defined under the law. This will entail the identification of conceptual blurs and its clarification. In the latter sense, the effectivity of criminal legislation would depend upon whether the offender could be actually apprehended: essentially a matter of criminal procedure.

Wednesday, 21 February 2007

Internet Mafia

(Internet Extortion continued)

In an earlier post I had made, I pointed out the burgeoning underground internet extortion (utilizing the dreaded Denial Of Service, or DOS, attacks) that has become more and more prevalent, especially with the online sports betting industry. In this post, I’d like to detail the modus operandi of the online mob.

A typical internet extortion would usually involve four stages. The first stage would be the “stake-out” or a reconnaissance of the online sports betting websites. At this stage the hacking syndicate would determine the probable finances (revenues, expenses, profits and the like), peak seasons, vulnerabilities, estimated duration and cost in loss of revenues of downtime and costs to repair the server system (that is, the going rate of the IT security advisory firms) of the website. This way the hacking syndicate knows just which ones to attack, how to attack, when to attack and just how much it would price the “blood money” (usually a figure below the cost of repairing the system).

The second stage would involve giving the online sports betting firm a sample of what would happen if the “blood money” is not paid, a “drive-by” of sorts. This would involve a temporary and controlled attack on the system which can be followed by several other similar attacks, usually increasing in severity, as needed.

The third stage would be the “blackmail”, where an e-mail is sent to the owner/operator of an online sports betting firm, with threats for more attacks and the demand for blood money, as well as the instructions on how to make the pay-off. The second and third stages could be repeated until a decision is made by the online sports betting firm and the latter sticks to it. This would then lead to the fourth stage.

The fourth stage could either be a “whacking”, a “tip-off” or a “pay-off”. In a whacking the online sports betting firm would refuse to pay and would try to fight off the attack, usually by employing the expertise of IT security firms. This often translates to considerable costs in downtime (thus lost revenues from bettors) and the fees of the IT experts brought in.

A tip-off would involve bringing in the law enforcement authorities. It may or may not involve bringing IT experts to help defend against the attack and also, may or may not involve a pay-off intended to entrap the extortionists. This will probably lead to retaliatory attacks and might alert and scare off bettors.

The third option, a pay-off, would usually be the best solution in terms of damage control and usually would mean that that particular hacking syndicate would not attack the paying firm for some time, though there is no guarantee to this.

-by Stanley Cabrera

Wednesday, 7 February 2007

Internet Extortion

For the past decade or so, the internet has been the place to make enormous sums of money for the smallest of investments. It used to be through the setting up of internet firms which promised the stars, sending the stock market a frenzy with hyped up business models and IPOs. When the IT economy began to slow down, online entrepreneurs and innovators shifted from one idea to the other, from variations of retailing to advertising to outsourcing and even to networking, each time creating hefty profits. Though the “tech bubble” had burst, the internet still created money, Big Money, in fact. And where Big Money can be made, Big Crime can be too.

One of the ideas which was successfully made into a reality was the creation of online casinos, particularly those which specialize on sports betting. The latter became very popular as bettors felt it more secure (i.e. the website operators had less control) to bet on the outcome of actual sporting events, such as the winner of the Wimbledon or the World Cup, as opposed to betting on simulated roulette machines. Another reason for the popularity is that the prices are much larger due to the volume of bets being placed on actual sporting events which have a following. As a result, online sports betting firms attracted millions of bettors and their billions of dollars of bets. Indeed, some online sports betting firms gross $2 billion in revenues a year. Considering that these firms don’t have the staggering capital and maintenance costs involved in running actual casinos, the net profits can easily run into the hundreds of millions for the biggest outfits. This, in turn, attracted the attention of criminal minds who wanted a piece of the action. Thus the cyber-mob was born.

Just as bogus start-ups cropped up by the hundreds and gobbled the “investments” of unwary pensioners and brokers alike during the days before the tech bubble burst, as early as 1999 cyber-mobs and their affiliated hacking syndicates have begun to proliferate with the prospect of earning tons of pay-offs from shakedown activities conducted on e-commerce websites, most notably the aforesaid sports betting firms. In true Mafioso style, those who don’t pony up the “blood money” get “whacked”.

The latter is an example of the continuing evolution of cybercrime, which is itself an evolution of crime (as caused by the evolution of technology). It is imperative, therefore, for anti-cybercrime law and enforcement to have its own evolution, if not revolution, in order to keep up with the times, lest the cyber-mob gives a drive-by.

posted by stanley cabrera

Thursday, 1 February 2007

Texting – What’s Next? (part 1)

Just as texting revolutionized the way we communicate with each other, the development of prepaid cards, and some time later, E-load, revolutionized just how often we communicate with each other.

A decade ago, cellular phones were still postpaid, one had to register for a line and as such provide certain information and wait for his or her application to be approved. The costs involved were quite high, and as such having a cellphone back then often meant that either your rich or the company your working for is. Also, having a bill in the tens of thousands happened to some individuals, executives who really had to be in touch with their staff 24/7 wherever they are (or at least wherever there’s a cellsite).

And then came texting, which at the start was offered for free and as such became a craze. People were hooked and for a time the telcos (Smart and Globe) fought out the interconnection battle between themselves. Texting lowered the cellphone bills since it allowed for a free alternative to making calls (which were billed) and the telcos noticed this fact. More importantly, the telcos noticed that texting was becoming more and more prevalent and represented a tremendous volume of messages which, they figured, could be translated to tremendous revenues as well.

Of course, the telcos stated that the massive texting services had to be billed since it added to their costs and strained their facilities therefore forcing them to upgrade. As such, people suddenly had to pay for something they had gotten for free. But it worked out very well for the telcos. People found it worth their money to pay for texting. In any case, it was still much cheaper than making a call.

Some people argue that texting wouldn’t have been such a success if it weren’t for the fact that it was initially offered for free and for such reason it had hooked a lot of people early on. Stated in the negative, it wouldn’t have clicked had it been a billed service from the start. It’s like getting hooked on the samples they give away at the grocery (those meats and what have you on toothpicks which they offer to shoppers, usually the moms, who do the grocery, and the kids, who nag mom what groceries to buy) and then eventually liking it so much that purchases are made. But in the case of texting, it’s like the meats got sold out, what with the addiction of our people to it. Of course, the telcos say it wasn’t on purpose (in fairness to them, it seems clear that nobody ever expected texting o be such a good hit).

Then of course came the prepaid cards, which allowed easier ownership and maintenance of cellphones, and the now ubiquitous e-load stations, which gives each and everyone of us access to load practically anywhere we go. With all these innovations, the question arises, what’s next for texting?

-by Stanley Cabrera