A technologist’s view of the cybercrime bill


Above: Digital illustration by Andreus/DepositPhotos

I like the spirit of the bill. My own personal background in technology is public knowledge; my LinkedIn profile will demonstrate that I have worked with companies that have been sensitive to ‘cybercrime’. As an author on technology (virtual worlds and more), as someone who has earned media mention (BBC, New York Times), as someone who has been active in technology circles in the region (CARDICIS, LACNIC) and outside (the 1st Mobile Convergence, among others) and as someone who has spent over two decades of his life in software engineering, I submit the following comment:

Clause 4:

““electronic mail message” means an unsolicited data message, including electronic mail and an instant message;”

While these messages can be unsolicited, they can also be solicited. I think the use of the word ‘unsolicited’ should be reserved for what is popularly known as SPAM.

“hinder” in relation to a computer system, includes—
(a) disconnecting the electricity supply to a computer system;
(b) causing electromagnetic interference to a computer system;
(c) corrupting a computer system; or
(d) inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data;

Item (d) is problematic because it is contextual and no context is provided. It describes functions that can be perfectly legitimate in designed use of systems. Further, I would like to point out that the undesigned use of systems is what is called ‘disruptive’; that ‘disruptive’ in this context is about innovation, and that innovation is of particular importance to a developing economy. To stifle innovation is to stifle the economy and culture of the nation.

For example, no one expected ‘apps’ to become popular on phones, and installing ‘apps’ on a phone can have an adverse impact on performance.

The question then becomes how much is adverse, and we enter a realm of subjectivity in a world where Moore’s Law advances faster than amendments to Acts. This is why computer software has ‘System Requirements’ as far as operating system and hardware are concerned.

Further, there are ways of altering data that are not direct, and as such, defining the methods of altering data limits the Act. Since this is a public comment, I shall not divulge further.

I suggest the following:

““hinder” in relation to a computer system, includes—

(d) Affecting computer data or software in such a way that overall performance and use of the system is adversely affected to the degree that a system cannot perform its functionality when all documented system requirements are within normal limits.

(e) Rendering the data on a computer system unusable for its operation.”

Clause 10:

It is also worth noting that critical infrastructure entails the entire Domestic Communication Infrastructure (DCI), which has crossover to the Telecommunications Act (Section 69). This is increasingly important since Session Initiation Protocol (SIP) trunking is increasingly used for telecommunications (Voice over IP (VoIP)).

Businesses are also concerned when it comes to critical infrastructure; they have their own. Examples include banking systems, medical systems (should we get some in use), etc. While these are not directly critical infrastructure, bringing them down can create havoc. I suggest allowing businesses the concept of their own ‘critical infrastructure’ within the bill. It would be open to interpretation by the Court.

As an example, when I worked for Emergency Communications Network in Ormond Beach, Florida, the business was to make people aware of emergencies by phone (telephony), text (SMS), email, and social media according to contract. We did this at the Town, City, County, State and Federal Levels. Our security was therefore required to be as good as or better than these systems, but we were not considered a part of the DCI. However, we had to perform security audits.

Clause 16:

Consent can be as fluid as a relationship, and the storing of the image(s) does not mean that they actually took the images; they may have been sent by the offended party. A scenario of a bad breakup might be immediately followed by an accusation of such images existing on someone’s computer system (phone, computer, etc.) and suddenly, what were once consensual intimate images become reason for the upheaval of the accused’s life. That seems a bit extreme, and seems like an aspect of the system very open to abuse.

Sharing the images without written and signed consent, on the other hand, is without question an offense.

General Notes

(1) A great deal of decision-making authority is given to Magistrates and Police who may not understand the technologies that they are dealing with. This brings up potential appeals that can clutter the Court(s) further; there is no mention of prerequisite training and continued education in these aspects of Law. This legislation may not be the place for such things, but as a layperson all I can suggest is that it should exist somewhere.

(2) There are potentially cases where trained professionals can be accused of doing illegal things when, in fact, they communicated what they were doing clearly with the person or legal entity that they were doing work for. This highlights the importance of appropriate contractual documentation, and this needs to be highlighted to professionals and their clients such that all understand it.

It would be good to see that level of professionalism become the norm.

(3) Separate from (2): Sometimes bad things happen when troubleshooting or installing a system, and professionals can be put at risk by this legislation. This is, sadly, quite common – ask any Doctor. Systems are increasingly complex and while attempting to fix something that is the focus of a contract, it is possible to break something else – particularly when the lowest bidder gets the work by not billing for appropriate documentation.

Further, operating systems and hardware are fluid. Unlike medicine, where the human body generally follows certain anatomy and physiology, computer systems by and large are made up of various permutations of software and hardware that may or may not be up to date, making it a very difficult thing to protect against. There is no certification that covers everything, there is no degree that is current with technology and there is no way to know everything about a system when troubleshooting it.

Thus, actual criminal intent needs to be required in all of this. After all, lawyers are not held accountable for losing cases (even when they do everything correctly) by means of fines or jail time. To put this burden on the shoulders of other professions seems unethical.

(4) It bothers me that the opportunity to protect the privacy of individuals is not highlighted in this Bill. While individual privacy has been protected by copyright in the past in other nations (I do not know about here), there are larger concerns.

For example, asking me for a digital copy of my National ID opens me up to identity theft. I do not have laws that protect MY information once it gets into government systems – until Clause 15 is enacted, and even then, I have no assurances other than that someone will get prosecuted. That hardly makes me feel secure. This leads to security audits in Government offices, which are not mentioned at all in this legislation (see (6)).

(5) There should be different criteria for first time offenders and repeat offenders, as well as for minors and adults. We might end up making criminals of children before they begin thinking of adulthood. We need to be very careful here not to limit young curious minds because of ignorance of appropriate technology etiquette. These could be teaching moments.

Repeat offenders, on the other hand, may need Court orders that limit their access to technology as is done in other parts of the world.

(6) There is no mention of the requirement of 3rd party audits on Government computer systems (critical infrastructure and otherwise) to assure that national security and privacy of information of citizenry is maintained at the highest levels by the government. This, in my eyes, is a serious flaw.

Conclusion

I observe local IT professionals, and more often amateurs and amateurs in professional’s clothing, putting themselves into positions where they could be wrongfully accused of things that they themselves were contracted to do.

Certifications and Degrees do not make someone responsible.

The public needs to be better educated on this Bill in this regard, particularly since companies are notorious for hiring someone they know instead of someone who knows what they are doing. There is public speculation that Government does this as well, which I know too little about to comment on with authority, but have heard enough of to mention.

The Bill implicitly pushes forward best practices in the IT field, where contracts would have to be in writing and agreed upon, where documentation should be provided on the work to be done as well as the work done. I would suggest some degree of indemnification when it comes to troubleshooting and repairing systems to give guidelines in the readings of the Act by Magistrates.

The Act should codify requirements of critical infrastructure to be audited to assure security of information. This is the main thrust of the legislation, and yet there are no preventive measures to be found in this Bill that provide for that and no responsibility communicated that makes the Government responsible for critical systems.

Certainly, securing systems is of interest enough to create a Bill like this – it should also be of enough interest to assure that government computer and network systems, as well as those that use them, are independently audited on at least an annual basis. Failure in this regard makes this Bill moot.

Taran Rampersad

Taran Rampersad has over three decades of experience working with technology, the majority of which was as a software engineer. He is a published author on virtual worlds and was part of the team of writers at WorldChanging.com that won the Utne Award.

He is an outspoken advocate of simplifying processes and bending technology’s use to society’s needs. 

His volunteer work related to technology and disasters has been mentioned by the media (BBC); he is one of the plank-owners of combining culture with ICT in the Caribbean through CARDICIS and has volunteered time towards those ends.

As an amateur photographer, he has been published in educational books, magazines, websites and NASA’s ‘Sensing The Planet’.

He presently works on personal land management, agricultural, writing and technology projects, with a focus on agriculture and land management.

A rare sight in cities, you’ll most likely find him off-road somewhere on a hill in his 4×4, writing or taking pictures. You can contact him via email.

  • Kwesi Prescod

    While an interesting discourse, the author seems to want legislation to treat with things/matters which are outside the scope of legislation. Legislation is not a strategic plan, so expecting legislation to treat with things which are operational and administrative concerns (training of staff, scheduling audits) may lead to constant disappointment.

    Also, he should be more cognisant of context. As an example, on his first point about the definition of electronic mail message – the definition is intended to treat with spam exclusively. Read the clauses where the term is used, and that becomes evident.

    Also, on the comment about protecting user information when submitted to government? That’s not the Cybercrime law. That’s the Data Protection Act. Already passed into law and binding to public authorities.

    • Taran Rampersad

      Legislation is an integral of things. You should not legislate things if they themselves aren’t properly done. Legislation should ENFORCE things being done, which it does not. That’s common practice.

      While you say that the definition of an electronic email message is to deal with spam exclusively, I would not have commented on it if it were defined as spam. If you go through the Bill, you might realize that spam is never mentioned.

      And as far as the Data Protection Act – exactly. Yes. And where is that line drawn? And better, where is it actually enforced? How is it enforced? Are there audits?

      It all comes full circle because a lot of things have not yet been dealt with, and they should be. If the citizenry are to be accountable, if IT professionals are to be accountable, there should be accountability of the government that requires it of everyone else.

      Thanks for your thoughts.

      • Kwesi Prescod

        Taran,
        “spam” is never mentioned because the term “electronic mail message” in this bill refers to spam exclusively. Now read the bill again, where “electronic mail message” appears, replace it with the word “spam”, and then you will recognise that the provisions are particularly targeted. You may find some other point to comment on, true, but then the comment would be more targeted to the objectives of the bill.

        The line is CLEARLY drawn in the Data Protection Act. The Act establishes a Public Body responsible for ensuring enforcement from the TTPS, sector regulators (CBTT, TATT, etc.) and provisions for how enforcement in the public and private sectors will take place, including audits. Implementation of the Act is delayed (as are most things in T&T) as they wait to appoint people to particular positions. A criticism on that delay is legitimate. However, it is not really a point of critique to ask the Cybercrime bill to deal with things already covered in the Data Protection Act.
        I agree that things have to be dealt with, but we must also be pointed in our critique, otherwise we won’t gain the benefits we seek.
        Good thoughts.

        • Taran Rampersad

          Kwesi,

          If ALL email messages are defined so, they are going to be incompatible with the actual real world definitions – and that’s problematic, as our discourse demonstrates. Which, really, is the point.

          If you’re going to be accurate, be accurate. Don’t redefine words for convenience, particularly when Spam could have been defined properly. If that’s a sticking point for you, that’s a sticking point for you. I’ve found throughout the decades that by having poorly labeled definitions – and in the Bill, that’s a global definition by programming standards – it demonstrates a lack of concern for the actual stakeholders.

          Shouldn’t the stakeholders be able to glance at a Bill and realize what is being talked about or not? Or are you of the opinion that things should be obfuscated?

          I’ll assume obfuscation from your response, so we can summarily dismiss your criticism of my criticism as a style issue with long term consequences I am interested in – but you are not.

          Moving along:

          The Data Protection Act is not where the line is clearly drawn, and to say that is to dismiss a lot of policy that is not Law – which is exactly my point. Making something illegal does not harden a system.

          Audits, audits, audits.

          Being pointed on criticisms is a wonderful thing. I hope you took as much trouble for your public comments. I can stand criticism of what I wrote, which should be apparent. My role is not to necessarily make you happy, but to express my opinions. If my opinion makes you unhappy, so be it.

          I’m not running for public office. I’m pointing out that unless systems are hardened, the bill is worth nothing. Zero. Zip. Nada. Bupkis.

          If that’s not pointed in my critique, I’ll be sure to write with a sledgehammer at hand next time.

          Stay dry, Kwesi.

          • Kwesi Prescod

            All e-mails aren’t defined so. Only spam. The point of a definition section in a law is to define terms as they are used in that law and possibly related law. The point is NOT to be a dictionary.

            Stakeholders have sight of the bill now. Particular subsets had sight earlier during consultations.

            So we agree that making laws doesn’t harden systems. And the cybercrime bill and Data Protection Act do not claim to harden systems. What they are supposed to do is provide a framework for law enforcement to treat with malcontents. The hardening of systems is the responsibility of the system owner/administrator.

            I do not endorse obfuscation, so I don’t understand the attack. I actually have experience in drafting laws and thought sharing some insight would be helpful to the discussions so critique could be more pointed. But if you think that you’re above getter by such advice because of your experience in the blogosphere, more power to you.

          • Taran Rampersad

            That your argument, summarized, is that Law is supposed to be disconnected from what it is supposed to be codified policy for simply flies in the face of common sense.

            You have lost my interest. Clearly, I have not lost yours, but I’m sure you’ll get along fine without me. As it is, you are – you’ve picked the weakest point you had and are making a stand on it.

            Be well, Kwesi.
