most computer crimes involve either fraud or abuse, or both, distinguishes between the two notions in the following way: He identifies computer fraud as computer-related crimes involving “deliberate misrepresentation or alteration of data in order to get something of value”;he defines computer abuse, on the contrary, as “willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources.”Power notes that these abuses can include “embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.”
Can we construct a profile for a typical cybercriminal? Some people associate cyber criminals with “hackers,” “malicious hackers.” Many people think of the typical computer hacker as the very bright, technically sophisticated and Young. Is such a portrayal accurate? A problem solver rather than as a criminal.” we should carefully distinguish hackers who commit crimes. People who are primarily nonprofessional or amateur criminals, and “professional criminals.”
Although many malicious hackers are considered amateur criminals, some possess an expertise with computers comparable to that of the best technical experts in computer science.
computer criminals are often referred to in the media as hackers, and that, as a result, “hacker” now has a negative connotation. “Hacker” meant anyone who “programmed enthusiastically” and who believed that “information sharing is a powerful positive good.” Hacker as “an expert or enthusiast of any kind.”Note that, according to this definition, a hacker need not be a computer enthusiast; for example, someone could be an astronomy hacker. In fact, a hacker, in the generic sense of the term, might have no interest in computers or Cyber technology at all.
However, distinctions between hacking and cracking, and between white-hat and black-hat hackers, are generally not recognized and observed in the world beyond the computer community. So themedia often refers to crackers, or“black hat hackers,” simply as hackers. This, in turn, has perpetuated the negative image of hackers and hacking in society at large.
In some cases, counter hacking has been preemptive; in other cases, it has been reactive.
It is difficult to provide a moral justification for counter hacking; and from a legal perspective, it is not clear whether “hacking back” can be viewed in a way that is not criminal. For example, if hacking is illegal, then it would seem that hacking back would be no less illegal. However, until a case of counter hacking—especially one that involves a pre-emptive attack in the form of a DDoS—is officially tried in court, it is difficult to say how our legal system will respond.
Clearly, (a)–(c) are criminal acts, but should any of these acts necessarily be viewed as a computer crime or cybercrime? One could point out that it would not have been possible to commit any of them if computer technology had never existed, and this might initially influence some to believe that the three criminal acts are somehow unique to computer technology. Even though each act involves the presence of computer technoogy, each of them can easily be understood and prosecuted as a specific example of ordinary crime involving theft, breaking and entering, and vandalism, respectively. So we might infer that there are no legitimate grounds for having a separate category of computer crime. Can we justify such an inference?
Some cybercrimes will span more than one category.
Disclaimers : a statement that denies something, especially responsibility. Caveats : a warning or proviso of specific stipulations, conditions, or limitations.
Chapter 5 -
Legal Issues in Computing
IT 5105 – Professional Issues in IT
Ref : Tavani, Herman T., “Ethics and technology: controversies, questions, and strategies for ethical computing” , 4th Edition.
Identify methods by which computing services can be
Discuss the legal implications of compromising computing
Discuss the types of policies that should be included for system
use and monitoring.
Describe the basic elements of compliance laws – such as ADA508,
FERPA, HIPAA, and Sarbanes-Oxley.
Describe the differences in accountability, responsibility, and
Describe current approaches to managing risk, and describe the
legal implications of compromising computing services.
Evaluate an acceptable use policy.
No. 24 OF
Introduction - Cyber Crime
When was the last time you heard about cyber crimes in
Sri Lankan news media?
What was about it?
Break into financial and government institution network?
Cyber Stalking and Cyber Bullying?
Were we more focused on financial crimes and neglected
interpersonal criminal behaviors?
Globally it is more than that…
In Earlier Days…
Disgruntled employees who altered files in computer
databases or who sabotaged computer systems to seek
revenge against employers.
Computer-savvy teenagers, sometimes described in the
media as “hackers”, breaking into computer systems,
either as a prank or for malicious purposes.
“Hackers” who used computers to transfer money from
wealthy individuals and corporations to poorer individuals
Many Cybercrimes Go Unreported
Organizations are reluctant to report cybercrimes because
of the embarrassment it might cause them.
Because the victims fear the negative repercussions:
reporting the crimes would be tantamount to admitting
that their computer security practices are inadequate.
What might happen if a customer discovered that the bank where she
deposits and saves money had been broken into;
She might decide to transfer her funds to a bank that she perceives to be
If cyber-related crimes committed by employees working inside a financial
institution were reported and publicized, the institution could also suffer a
loss of customer confidence. 6
Hackers; Were They Countercultural Heroes?
Stereotypical computer hackers, unlike most professional
criminals, are not generally motivated by greed; some
seem to thrive on a kind of “joyriding” (the thrill
experienced in figuring out how to break into
Inclined to attack computers merely to prove that they
could and “show off” to one another.
Hackers; Were They Countercultural Heroes?
However, it is also worth noting that many malicious
hackers do not possess outstanding technical skills but are
savvy enough to locate sophisticated “hacking tools” that
can be downloaded from the Internet for free, and many
of these individuals are sufficiently astute to take
advantage of “holes” in computer systems and programs.
Hacking vs. Cracking
Meaning of “hacker” began to change in the 1980s when
the media started applying the term to criminals using
In order to avoid confusion with virus writers and
intruders into information systems, traditional hackers
began calling these destructive computer users crackers.
Crackers often engage in theft and vandalism once they
have gained access to computer systems.
According to Hacker Jargon;
Hacker - “an expert or enthusiast of any kind.”
Cracker - “who breaks security on a system.”
White Hat & Black Hat
“White hat hackers” is used to refer to those “innocent,”
or non-malicious, forms of hacking, while “black hat
hackers” refers roughly to “cracking.”
But for the General Public,
It is one term: hacking
it is always bad…
Active defense hacking, sometimes also referred to as
“hacking back against hackers.”
Counter hacking activities have been carried out both by
individuals and corporations; they are directed against
those who are suspected of originating the hacker attacks.
Case of “two wrongs making a right”? Should counter
hacking be legalized? Can it ever be ethically justified?
Individuals who successfully complete those certification
programs are trained and certified not only in the use of
defensive measures to ensure the security of their
employers, but also appear to be authorized to engage in
According to Hacker Jargon;
• The goal of the ethical hacker is to help the organization take
preemptive measures against malicious attacks by attacking the
system himself; all the while staying within legal limits . . .
• An Ethical Hacker is very similar to a Penetration Tester . . .
• When it is done by request and under a contract between an
Ethical Hacker and an organization, it is legal. 12
Counter Hacking : Bad Effects
Can cause harm to innocent individuals.
Hacking back against those who launch DDoS attacks, many
innocent persons are adversely affected because the
attacks are routed through their computer systems.
Perpetrators of DDoS attacks use “host computers, ”which
often include the computers of innocent persons, to
initiate their attacks (a technique sometimes referred to as
This would suggest to the victims of these attacks that they
originated from the host computer, as opposed to the
computer of the initiator of the attack.
So when victims hack back, they can unintentionally cause
the intermediate computer to be assaulted.
Do we need a separate category in our
legal systems to handle crimes with
Individual who uses surgeon’s scalpel to commit a murder
would not consider as a medical crime. It’s a murder even
though a medical instrument was being used.
People use automobiles to assist criminals in “getaway”
operations, but we don’t have a category called
People steal televisions, but we don’t say television
So why do we need a separate category,
cybercrime, for criminal acts involving cyber
Yet law-makers have determined it necessary, or at least
useful, to enact specific laws for crimes involving
computers and cyber technology.
Are the following computer crimes?
a.) Boralugoda steals a
computer device (e.g., a
laser printer) from a
c.) Shaggy enters a computer lab
that he is authorized to use and
then places an explosive device,
set to detonate a short time later,
on a computer system in the lab.
b.) Madapaatha breaks into a computer
lab and then snoops around.
By thinking about cybercrimes in terms of their unique or
special features—conditions that separate them from
ordinary crimes—we could distinguish authentic or
“genuine” cybercrimes from other crimes that merely
involve the use or the presence of cyber technology.
“Crime in which the criminal act can be carried out
only through the use of cyber technology and can
take place only in the cyber realm.”
• reproduce copies of
• distribute proprietary
information (in digital
form) across a computer
technology to gain
• an individual’s or an
• a password-protected
unleash one or
• disrupt the transmission
information across one
or more computer
networks, including the
• destroy data resident in
a computer or damage a
resources, or both
Activities involving the unauthorized exchange of copyrighted music
on the Internet via Napster and subsequent P2P-relatedfile-sharing
sites are examples of………….
The launching of the Conficker virus is an instance of ………..
The DDoS attacks on government and commercial Web sites illustrate
an example of…………… , because they
involved the breaking into, as well as the unauthorized use of, third-
party computer systems to send spurious requests to commercial Web
sites (as opposed to the kind of “genuine” requests sent by users who
wish to access those sites for legitimate purposes). Since DDoS attacks
also cause serious disruption of services for the targeted Websites,
they can also be classified as ……………………..
cyber piracy (Category 1);
cyber vandalism(Category 3);
cyber vandalism (Category3);
cyber trespass (Category 2)
Crimes involving stalking, and pornography can each be
carried out with or without computers and cyber
There is nothing about them that is unique to cyber
technology, so crimes such as, cyber stalking, and Internet
pornography would not qualify as genuine cybercrimes.
Cyber-Exacerbated vs. Cyber-Assisted Crimes
This distinction enables us to differentiate between a
crime in which someone merely uses cyber technology
from crimes, which are significantly affected by
computers and cyber technology.
Due to the technology, these types of crime rates are
going higher. Specifically in Cyber Exacerbated Crimes.
Cyber Exacerbated Crime in which an imposter obtains
key pieces of personal information in order to
impersonate someone else.
The information can be used to obtain credit,
merchandise, and services in the name of the victim, or to
provide the thief with false credentials.
In the past, identity thieves have combed through
dumpsters (and some still do) looking for copies of bank
statements and for papers containing account information
on credit card bills that people dispose of in their trash.
(This behavior is sometimes referred to as “dumpster
Factors such as lax security and carelessness involving
customer information contained in computer databases
made it easy for some identity thieves to acquire personal
information about their victims.
Information brokering has become a lucrative business.
Make connect professional criminals and employees in
organizations that have access to sensitive information
about people’s financial records.
Identity Theft From Emails
A scheme involving e-mail that appears to have been sent
by a reputable business.
For example, you may receive e-mail that looks as if it
were sent by eBay, Amazon, or PayPal.
Often these e-mail messages include the official logos of
the companies they purport to represent and might look
legitimate; the message informs you that your account is
about to expire and that you need to update it by
verifying your credit card number as well as other kinds
of personal information.
Avoid Identity Theft from Emails
How can a potential victim differentiate legitimate e-mail
sent from businesses such as eBay or PayPal from that sent
by identity thieves?
Typically, e-mail from identity thieves will not address the
potential victim by name; so this can be an indication that
the e-mail is not from a legitimate source.
Users wishing to verify the authenticity of the e-mail can
contact the company by phone, or through the company’s
legitimate e-mail address, if they are in doubt.
Phishing and Identity Theft
Many e-mail messages sent from identity thieves are
generated through spam.
Using spam to gather personal information is sometimes
referred to as phishing or “automated identity theft”.
An automated version of phishing, sometimes called
“pharming,” automatically “redirects the victim to the
Activities involving pharming and phishing, along with
conventional e-mail spam, increase the amount of identity
theft that can be accomplished over the Internet.
Combat Cyber Crime - Tools
Track criminals and their activities.
A packet sniffer or “sniffer” is a program that Monitors
the data traveling between networked computers;
However, these kinds of software programs have also
been used by malicious hackers to capture user IDs and
Combat Cyber Crime - Tools
To track the activities of criminals who use cyber
A specialized form of audit-trail software that records
every key struck by a user and every character of the
response that the system returns to the user.
It is especially useful in tracking the activities of
criminals who use encryption tools to encode their
Combat Cyber Crime - Techniques
Sting Operations and Entrapment
To catch members of organized crime involved in drug
dealing, gambling, pornography, and so forth.
Would such kind of techniques are ethically justifiable?
Can save many innocent lives and can significantly
lessen the harm that might otherwise occur to some
Pen Registers : When a suspect makes a phone call,
displays the number being dialed
Trap-and-Trace Devices : when the suspect receives a
phone call, displays the caller’s phone number.
A pen register used on the Internet can reveal the URLs of
Web sites visited by a suspect.
Surveillance is Ethical?
Critics argue that this increased domestic surveillance will
erode basic civil liberties.
Could be abused by those in power, under the convenient
excuse of crime prevention and national defense, to
achieve certain political ends.
Biometric technologies have also been used by law
enforcement agencies to combat crime and terrorism.
the biological identification of a person, which includes
eyes, voice, hand prints, finger prints, retina patterns,
and hand-written signatures.
Through biometric technologies, one’s iris can be read in
the same way that one’s voice can be printed.
The digital representation of these biometric data is
usually transformed via some algorithm to produce a
template, which is stored in a central computer database.
As biometric technologies used for authenticating an
individual’s identity, as passports.
While biometric devices are a highly accurate means for
validating an individual’s identity, they are also
Biometric identification tool using face-recognition
technology can scan the faces of people entering a public
place. The scanned images can then instantly matched
against the facial templates of suspected criminals and
terrorists, which were contained in a central computer
Biometrics - Issues
Some supports this, even it violates civil liberties.
Point to at least three problems: error, abuse, and
Errors occur in matches resulting, will make innocents
Purposes for which biometric technologies are
originally authorized can expand significantly and can
lead to possible abuses.
Loss of privacy and civil liberties for individuals.
Those who favor using biometric technology argue that it
provides increased security, even if using this technology
undercuts some civil liberties for ordinary citizens. 36
Laws are typically limited in jurisdiction to nations where
they are enacted. Traditionally, crimes are prosecuted in
the legal jurisdictions in which they were committed.
In certain cases, suspected criminals have been
extradited from one legal jurisdiction to another (and
sometimes from one country to another) to stand trial for
an accused crime.
As cyberspace has no physical boundaries, it can be
difficult to prosecute cybercrimes involving multiple
nations, as well as multiple states within nations.
So, it is a question whether the concept of legal
jurisdiction makes any sense in cyberspace.
Enforcing Cybercrime Laws Globally
Criminal enforcement has been hampered by the lack of
international legal agreements and treaties on cyber
E.g.: ILOVEYOU virus in 2001 - Originated in Philippines
but effect was global.
Software Contracts - Case Study
MegaTech Corporation, a major computer company in the
United States, has developed and released a new software
product that has been distributed globally.
However, this product has a serious defect that causes
computer systems using it to crash under certain conditions.
These system crashes, in turn, result in both severe disruption
and damage to system resources.
MindWaves, a company headquartered in eastern Asia that
purchased this product from MegaTech, has experienced
multiple system crashes since installing it, which has also
resulted in a severe loss of revenue for that company.
What legal recourse does/should MindWaves have in its
complaint against MegaTech Corp., given that its complaint
involves companies in two sovereign nations?
Software Contracts - Case Study
Disclaimers and caveats issued by manufacturers to
protect themselves against litigation.
Applicable Jurisdiction clause for tailor made software
Cybercrime and Free Press
A relatively recent challenge for law enforcement in
cyberspace, especially at the international level, has
emerged in response to controversial “journalistic”
practices involving some new online media outlets and
Should they be viewed as journalistic activities that are
protected by a free press?
E.g.: WikiLeaks controversy