E-Commerce and Related Crimes - Term Paper Example

 «E-Commerce and Related Crimes» Thesis Statement The Computer Misuse Act 1990 is hopelessly outdated and unable to deal with computer crimes that are committed in the 21st century. The increase in the level of e-commerce fraud means that the general public are in need of new legislation in order to be properly protected. Introduction When we discuss the Computer Misuse Act 1990, we have to understand that computer technology is a rapidly changing and improving technology. Also, when e-commerce is under focus, understanding Internet deserves importance because today, e-commerce is heavily Internet based. Internet has rapidly evolved from ARPANET and changed the course of computer technology forever. The demand for a network which could synchronise diverse smaller networks to commence data communication worldwide led to the invention of Internet. ARPANET was a centralised and platform based networking technology that was developed under the patronage of US defence. But it eventually did not remain the property of a single organisation and now it prevails all over the global information exchange in the form of global Internet. Increasingly we are becoming dependent on the computer systems and the mighty Internet to carry out the monetary and other forms of business transactions. Computer systems have changed all the more in the wake of the 21st century and Internet has evolved as the conglomeration of research, academic and government networks, combined with the ARPANET core network1. E-commerce, in this context, is rapidly changing all and becoming more powerful in the 21st century all over the world and the Computer Misuse Act 1990 should be adjusted /amended accordingly. About E-Commerce and Related Crimes Electronic Commerce (also called e-business, eCommerce or e-commerce) mainly comprise selling and buying of services and/or products over the electronic systems like the computer networks such as the Internet. The quantity of electronically conducted trade has grown extravagantly with the widespread use of Internet. Utilisation of commerce and trade in this method involves innovations in Electronic Data Interchange (EDI), processing of online transaction, Internet marketing, management of supply chain, electronic fund transfer and inventory management operations together with systems devised for automatic data collection. The modern e-commerce utilises World Wide Web at least at a single point of the lifecycle of the transaction. It encompasses a wide range of techniques and methods like e-mailing as well. E-commerce involves concepts of marketing, economics, IS/IT privacy and intellectual property too2. It deals in several legal aspects of transaction behaviour and explicitly count the security issues as well. A considerable percentage of e-commerce is carried out totally electronically for the virtual items like access to the premium and protected content on an Internet website. However, e-commerce involves transportation of several physical items as well. Online retailing has thus become prevalent. Almost all the big retailers in the world have e-commerce presence on the World Wide Web. E-commerce thus can be viewed as a platform for integrated marketing3. In retailing; amazon.com can be regarded as a good example. Also, in online auction and sale of second hand goods, ebay.com can be regarded as a good illustration. E-commerce an also be Business to Business (B2B) AND Business to Consumer (B2C). Security becomes an important issue in the sphere of e-commerce. As the realm of e-commerce is expanding day in and day out, fraudulent operations are also becoming frequent. According to the statistics of the website consumerfraudreporting.org, the majority of reported perpetrations (66.1%) were from the US in the year 2008. But a significant number of perpetrators were from the UK too. Email (74.0%) and web-pages (28.9%) were the two major mechanisms through which fake contacts took place. In the year 2008, some of the top ten IC3 complaint categories were action fraud (25.5%), credit/debit card fraud (9%), check fraud (5.4%) and financial institutions fraud (2.2%)4. Needless to say, this proportion of fraud can make e-commerce a dangerous business to do. The fabricators direct the transactions to wrong destinations by most sophisticated methods. By using most advanced technologies, they are challenging the law in innovative ways. In such a state of affair, the existing laws are becoming fragile and unreliable in regards of customer and client protection at large. Therefore, we must look into the security issues regarding e-commerce more deeply. First of all, a security plan should be developed at both the technological and legal levels. The security system should be layered so that there are multiple protection and prosecution methods. By enforcing intellectual property rules and innovative copyright methods, common website security measures can be strengthened5. Background of the Computer Misuse Act 1990 Maintaining a secured computer system is not a very easy task. Especially, when the computer is online, it can be easily targeted by hackers and infiltrated with malware and viruses. Computer security is a multifaceted job. Securing a computer from different misuses must involve not only technology but also law. In the case the security methods to prevent computer misuse are trespassed, law will prevent computer further damage with adequate provisions for defining the crime and subsequent punishment. The security measures for preventing computer related crimes must include proper documentation of the criminal activities. Profiling the computer criminal, seizing computerised evidence, understanding legal considerations, charging computer crimes using specialised detection techniques, etc. are the ways of prevention of this hi-tech variety of crimes6. If we compare the history of British Law with that of e-commerce, we would find that e-commerce has arrived very, very recently in our world while the Law is a time tested concept. Therefore, Law needs to adapt with the changing world, particularly the dynamics of new subjects like e-commerce. Prior to the developments in the 1990s, computer related crimes were dealt under various rules and statutes. There was no definite design to handle the bully of crimes in regards of e-commerce, mainly because e-commerce was less prevalent then. Crimes would be dealt with under the Wireless Telegraphy Act, Interception of Communications Act, etc.7 These sorts of Acts provided a framework to handle the sophisticated crimes, although the framework was a fragile one. Also, regulations structured to protect literary works, musical works, dramatic works, etc. would be utilised to prevent computer crimes and intellectual property rights violation8. However, in the 1990s, the situation changed rather dramatically. This was mainly due to the fact that changes took place in the realm of tools and technology too. Case based studies helped in structuring to develop a framework that could prevent computer crimes9. In discussing the backdrop of the Computer Misuse Act 1990, the case R v Gold & Schifreen should be mentioned. In the late 1984 and during early 1985, Stephen Gold and Robert Schifree got unauthorised access to the Prestel Interactive Viewdata service of British Telecom (BT). In doing so, they used conventional modems and home computers. Schifreen had actually discovered the password and username of a Prestel engineer. The password was 1234 while the username was 22222222. Subsequently, BT was accused that they had not taken the issue of security very seriously. The information helped the pair of intruders explore the very system. Even, they got access of the personal mail of Prince Philip. The Prestel computer network worked through a distributed process. It was supposed to act a crucial standby in the case the UK got involved in a nuclear war. Prestel network was designed to operate the nuclear missiles of UK in the case military computer systems were down. However, Gold and Schifreen did not know about this. Following critical discussions with MI6 and GCHQ, Gold and Schifreen’s activities were now closely scrutinised. Under the auspices of GCHQ, the investigation against the pair of intruders continued and Prestel closely examined their computer systems. After apprehending the degree of sensitivity of the information obtained by Gold and Schifreen, it was decided that they would be arrested. Gold and Schifreen were now prosecuted under Forgery and Counterfeiting Act 1981, Section 1. They were alleged of defrauding BT. They were prosecuted for using false instrument and obtaining crucial data about the internal condition of the company. The two persons were tried at the Southwark Crown Court and they were convicted and fined. Gold and Schifreen consequently appealed to the Criminal Division of the Court of Appeal. In the course of the lawsuit, it was argued that the Forgery and Counterfeiting Act had been incorrectly applied to the case. Lord Justice Lane acquitted the two persons in the Court of Appeal, but the prosecution now moved to the House of Lords. In 1988, the House of Lords held the acquittal to be right decision. Lord David Brennan said that the persons involved in the case had not done any crime under the existing definitions by law. The defendants had actually accessed the data bank of Prestel by trick. The nature of this activity was to be ascertained by the legislature and not by the courts10. So, in the days that followed, it was understood that the rules and regulations which existed those days were too weak to prevent or prosecute the computer crimes like hacking. Hence, the English Law Commission (ELC) considered the matter and expresses that a new law was necessary to handle these sorts of activities. Finally, under the recommendations of ELC, a Private Member’s Bill was brought to the parliament and with government support; the Computer Misuse Act 1990 came into existence. Case Examples of the Computer Misuse Act 1990 The Computer Misuse Act 1990 has proven to be not enough in several cases. In today’s world, the statute sometimes fails even to define the crime. The provisions of the Act allow for only modest punishments. Case examples in regards of this statute can make the picture clearer. Bedworth was a teenager hacker and he started hacking in the year 1987. He hacked under pseudonyms via electronic bulletin board. He hacked computer systems of Financial Times, a research institute in Brussels, European Commission offices in Luxembourg, etc. and caused significant financial losses. Although he was arrested in 1991 along with his fellow hackers, the Jury acquitted him on the plea of compulsive behaviour11. In this context, it must be mentioned that the US have been a forerunner in enacting a law to try the cases of computer hacking. The US Computer Fraud and Abuse Act 1986 (18 USC Article 1030) could have provided an ample framework for the kind and structure of the required act in the UK. The website Computer Evidence – Michael J L Turner – Expert Evidence provides us with a detailed list of case examples under the Computer Misuse Act 1990. We can check these case examples with special attention on the cases related to e-commerce. R v David Lennon at the Wimbledon Youth Court involved unauthorised modifications as per the Act under discussion. The teenager convicted in this case was alleged to have bombarded his ex-employer’s mail server with 5000000 emails. He was punished with only two month curfew and electronic tagging12. R v Scott Gesthorpe and Jeremy Young at the Southbank Crown Court in the year 2007 was an example of unauthorised modification coupled with conspiracy. The culprits were running a private investigation firm called Hackers and Us. They hacked into the computers of their wealthy clients and caused considerable financial damage. They were sentenced for only 27 months in jail13. Another case concerned with unauthorised modification was the case of R v Raphael Gray heard at Swansea Crown Court in the year 2001. The teenage hacker aka Curador demonstrated security weaknesses in e-commerce websites and accessed 23000 credit card records with some posted in his website. Viagra was sent to Bill Gates using his credit card. Pleaded guilty – the defendant was convicted and sentenced to three years probation and medical treatment for obsessive mental disorder14. R v Bow Street Magistrates Court and Allison ex part Government of USA was heard at the House of Lords in the year 1999. The charges were brought under Computer Misuse Act 1990 ss 1, 2, 15, 17(5). The case involved unauthorised access, control, conspiracy and extradition. Authorised US American Express credit analyst gained access to unauthorised credit card accounts and PINs. Accomplice Allison used forged American Express cards in London ATMs. It was a US$ 1 million fraud. Comments of House of Lords in R v Bignell on the meaning of “control access” in the Computer Misuse Act 1990 s-17(5) was distinguished in the context of this case. Habeas Corpus was denied15.16 In most of the cases tried under the Act, we have seen that there was difficulty and sometimes confusion in defining the crime and punishing the criminal. Also, the punishments were generally modest. The scarcity of appropriate sections in the law is discernable in this context. Particularly, the cases in regards of e-commerce appear to have less stringently tried. Analysis and the Current Situation It is an intelligent practice in e-commerce if penetration tests are accompanied by appropriate paperwork. Prevention of fabrication of web pages and hacking is a highly technical issue; supplementary paperwork can help in obtaining better understanding of the legal aspects of a given intrusion crime. Even good lawyers might not be familiar with computer security17. There are several problems with gaining prosecutions under the Computer Misuse Act. In order to prosecute someone under the Act, the police would need to prove that the intruders did the misuse deliberately. In other words, the person committing the crime knew what they were doing and knew it was wrong to do18. The following part of the research paper has been written on the Computer Misuse Act 1990 with reference to the Office of Public Sector Information. The important sections of the Act focussed to determine the definition and nature of unauthorised access to computer material are being discussed hereby. Section 1 of the Act throws light on the nature of unauthorised access to computer material and elucidates definitions related to it. A person is guilty of an offence under this Section if he causes a computer to perform any function with intent to obtain access to any program or data held in any computer. Also, the access he intents to secure is unauthorised. Moreover, he must be aware of the unauthorised nature of his activity. Here is the point where detection of cybercrime becomes very difficult. It is really very difficult to comprehend with proof that the intruder has the knowledge of illegal nature of the activity he has undertaken. Also, under Section 1, the intent to commit an offence of the said crime need not to be directed at any particular program of data; a program or data of any particular kind; or a program or data in any particular computer. Also, the section has provisions for imprisonment for a term not exceeding six months or for a fine not exceeding level 5 on the standard scale or both. Clearly, this sort of punishment is modest. Section 2 is about unauthorised access with intent to commit or facilitate commission of further offences. This section is relevant when the person commits the offence with intent to commit an offence to which this section applies; or to facilitate the commission of such an offence whether by himself or by any other person. This Section also brings the Act in compliance with the Magistrates’ Courts Act 1980. The Section also examines the possibility of committing a “further offence”, which can take place in continuity with a previous offence under Section 1. This Section is a constructive one. However, again the punishments prescribed under this Section are modest. On summary of conviction, imprisonment for a term not exceeding six months or a fine not exceeding the statutory maximum or both has been prescribed. Section 3 is about unauthorised modification of computer material. A person is guilty of an offence under this Section if he does any act which causes an unauthorised modification of the contents of any computer and at the time when he does the act he has the requisite intent and the requisite knowledge. This is again a very difficult thing to prove for the law-keepers. However, the Subsection 2 gives this Section a wider applicability. Impairing the operation of any computer, hindering access to any program or data held in any computer and impairing the operation of any such program or the reliability of any such data have been covered under this Subsection. The Section 3, like Section 2, surpasses any scope for any particular implication and develops general applicability to all computers, data, programs and related modifications. It doesn’t matter that whether the damage or modification caused is of permanent or temporary nature; the Section 3 remains valid. It is also specified for the purposes of the Criminal Damage Act 1971 where a modification of the contents of a computer will not be regarded as damaging any computer or computer storage medium unless its effect on that computer or computer storage medium impairs its physical condition. This provision, however, provides for a technical weakness of the Section since impairments at the level of software applications cannot always be regarded as the physical damages. Moreover, like the first two Sections, the punishments prescribed under this Section also appear to be very modest19. Analysis of these three sections of the act shows that the act has basically created three offences: 1. To knowingly use a computer to obtain unauthorised access to any program or data held in the computer. 2. To use this unauthorised access to commit one or more offences. 3. To carry out unauthorised modification of any computer material. Punishments for the offences include fine and imprisonment. The Act basically outlaws, within the UK, hacking and the introduction of computer viruses20. At this point, the international nature of a computer crime has been neglected. The Act does not put forward improvised extradition rules. This hampers applicability of the law in the sphere of international hacker guilds. Under Section 15, the provisions for extradition have been explained as the following 15 Extradition where Schedule 1 to the Extradition Act 1989 applies The offences to which an Order in Council under section 2 of the [1870 c. 52.] Extradition Act 1870 can apply shall include— (a) offences under section 2 or 3 above; (b) any conspiracy to commit such an offence; and (c) any attempt to commit an offence under section 3 above.15 Of course, provisions taken directly from the 19th century Act like that of Extradition Act 1870 are not sufficient in the complicated situation of 21st century. We actually have to catch and prosecute the virtually operating hackers and fabricators. Moreover, the Section 17 related to the interpretation of the Act and the defined computer crimes too have become rather outdated. Misuse cannot be constrained in altering/erasing the data, copying and moving it, etc. Complicated operations like those of implanting a dormant Trojan horse too need to be brought to the book. Certain activities like infiltration of a protected network need special mention. This is particularly important in relation to e-commerce. Today’s hacking activities and implantation of viruses are not constrained in the realm of executable programs only, as has been laid down in the Section 17 of the Act. Rather, denial of service attacks and bombardment with millions of fake emails are needed to be specified. Modern computer crimes cannot be diagnosed or prevented under generic terms. These days, there are software applications available that can automatically feed hundred and thousands of passwords in a given secured system. Generalisation under the term “control access” is thus insufficient. Nowadays, it is not necessary that an individual has to personally hack a secured network. He can launch the attack from various networks with the help of highly replicating viruses. The issue of automatic replication should be mentioned under the Act. In regards of e-commerce in particular, there are no specific definitions available except like those of control access and conspiracy. This is clearly an area where new and appropriate legislation is required21. Also, the current Police and Justice Bill contains amendments to the Computer Misuse Act 1990. These are intended to bring UK law in line with the council of Europe Convention on Cybercrime and the European Council Framework Decision on Attacks against Information Systems 2005/222/JHA22. Certainly, installation of firewalls, authentication services and hardware cryptography should be made mandatory to prevent forgery and crimes. Conclusion In the previous section it has been rather clearly laid down that the Computer Misuse Act is based on the structural and technical aspects of computer crimes. In this context also, the Act needs amendments and it does not fulfil its purposes in the desired way. When it comes to e-commerce, the problem becomes graver. There are almost no specifications in the said Act that would cater to the security requirements of the 21st century e-commerce. In the last twenty years, Internet has revolutionised the nature and lifecycle of the business transactions. The technicality of the financial functions of electronic systems has been drastically increased. Hacking remains the greatest threat to the future of e-commerce. The hackers steal the passwords and confidential records of the customers online which causes detriment to the sectors like banking and retail. In such a state of affair, the Computer Misuse Act 1990 must be amended and adjusted as per the European standards and also e-commerce specific sections need to be appended. A proper understanding of the global Internet coupled with technical analysis of the crime cases is necessary and pre-conditioner for improving the existing rules and regulations in the sphere of Computer Misuse Act and its applications. References Bibliography Blyth, Andrew & Kovacich, Gerald L.(2001) Information Assurance: Surviving the Information Environment. New York: Springer. Calder, Alan (2007) IT Regulatory Compliance in the UK. Cambs: IT Governance Limited. Casey, Eoghan (2002) Handbook of Computer Crime Investigation: Forensic Tools and Technology. London: Academic Press Doyle, Stephen (2008) Essential ICT for AQA AS Level. Glasgow: Folens Limited. Halabi, B., Halabi, S., McPherson, D. (2000) Internet Routing Architecture. San Francisco: Cisco Press. Lauden, Kenneth C. & Traver, Carol Guercio (2008) E-commerce: Business, Technology, Society. Upper Saddle River: Prentice Hall Norris, Anthony Charles (2002) Essentials of Telemedicine and Telecare. Hobokon: John Wiley and Sons Osbourne, Mark & Summitt, Paul M. (2006) How to Cheat at Managing Information Security. Burlington: Syngress Paladin Press (1990) Computer Crimes: High-Tech Theft. Boulder: Paladin Press Reynolds, Janice (2004) The Complete E-Commerce Book. San Francisco: CMP Books Rowland, Diane (2005) Information Technology Law. New York: Routledge. Schmidt. Igna D., Dobler, Thomas & Schenk, Michael, (2000) E-commerce: A Platform for Integrated Marketing, Case Study on U.S. Retailing. Piscataway: Transaction Publishers Toren, Peter (2003) Intellectual Property and Computer Crimes. New York: Law Journal Press. Websites Computer Evidence – Michael J L Turner – Expert Evidence (2010) Computer Evidence – Computer Misuse Act 1990 case. Retrieved September 6 2010 from http://www.computerevidence.co.uk/cases/CMA.htm Office of Public Sector (2010) Computer Misuse Act 1990 (c. 18). Retrieved September 6, 2010 from http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1.htm Parliamentary Office of Science and Technology (n.d.) http://www.parliament.uk/documents/post/postpn271.pdf. Retrieved September 6, 2010 from http://www.parliament.uk/documents/post/postpn271.pdf Swarbrick, David, (2009) UK Law, UK Law forum, R v Gold and Schifreen, HL 21 April 1988, [1988] AC 1063, cpu, crm, , law-bytes@swarb.co.uk, David Swarbrick. swarb.co.uk. Retieved September 7, 2010 from http://www.swarb.co.uk/lawb/cpucmaRvGold.shtml Read More