Discussion of Issues

Security risk in networks may originate in computing failures such as the presence of bugs or lack of systemic integration that leaves gaps that intruders exploit to gain unauthorized entry. Once they break into systems, intruders may then plant programs that modify, destroy or spy on the system for further gains. The intruders might also steal data or information, or engage in network eavesdropping for the same ends.

However, it must be stated at the outset that the problem of security cannot be confined to the manner of use or abuse of a specific technology. It is part of the generic question of maintaining and generating trust and confidence in the online business environment; this becomes more acute with changes in technology becoming more pronounced and pervasive. The Internet has led to a disruption of existing security structures and demonstrated the need for change in that environment. Moreover, the concern for a more secure infrastructure merges with the security of the entirety of business operations. The variety of transactions running on different application systems and security requirements needs to be integrated holistically.

Legislative Measures in General

It has become pretty well established that the options for tackling security, as well as other general issues for e-commerce, revolve around applying or modifying existing laws or creating new legal instruments. Many nations introduced laws to curb computer misuses before the Internet acquired widespread appeal. It therefore became necessary to make adjustments in those laws to catch up with new forms of abuse that the Internet facilitated.

The Organisation for Economic Cooperation and Development (OECD) has set out policies and guidelines that member states would be expected to follow.^[4] Of the most important group of states, the European Union and the United States, in particular, have formulated policies and taken steps to prevent such abuses on the Internet as the provision of harmful and illegal content, piracy of intellectual property, breach of personal privacy and system or transactional security.

The European Commission embarked on combating 'cybercrime' as part of the eEurope initiative it launched in December 1999. Various action plans and policy frameworks^[5] have been adopted by the European Council to enhance network security and establish a uniform approach to cybercrime.

Whilst it has not viewed the introduction of a legal instrument as a pressing need, it recognises the necessity, in the long run, of a harmonised approach towards the legal treatment of cybercrime (especially hacking and denial- of-service attacks) by member states. In the meantime, it encourages increased training for special law enforcement units. Recently, the European Commission has proposed the creation of a 'European Network and Information Security Agency' to provide advice for member states in matters of cybersecurity.^[6]

An interesting development is the Council of Europe's Cybercrime Convention (which has already been adopted). It provides for four categories of criminal offences: offences against the confidentiality, integrity and availability of computer data and systems; computer-related offences; content-related offences; offences related to infringements of copyright and related rights. Other than the consolidation of the various offences in one piece and creating uniformity across signatory states, the Convention offers little more than what is found in current laws of most nations. A positive development is that the U.S. has endorsed the main thrusts of the Convention.

In the U.S., the Computer Fraud and Abuse Act addresses unauthorized access, dissemination of malicious software and trafficking in stolen access devices (such as passwords). The law has been amended after the 9/11 events by the USA Patriot Act of October 26, 2001.^[7] The amendment gives law enforcement agencies more leeway in mounting surveillance over, and more extensive powers of prosecution of, cybercrimes in furtherance of the protection of the national information infrastructure. It also raises the penalties in the previous Act.

More recently, the Institute for Information Infrastructure Protection (U.S.) has made recommendations in its report, 'Cyber Security Research and Development Agenda,' on identifying sources of attacks and securing those systems which have been affected by attacks.^[8] The Bush Administration has also presented its 'National Strategy to Secure Cyberspace,' to enhance the protection of computer networks, in particular to prevent threats that could result in 'debilitating disruption to our nation's critical infrastructures, economy or national security.' ^[9] However, it has suggested no further regulation - a fact ceased upon by critics.^[10]

Hacking

Unauthorised intrusion (hacking) into networks as well as private accounts has now become widespread. Very recently, hackers rummaged through the network of the University of Texas at Austin and accessed records of more than 55,000 students and staff.^[11]

Police forces across the world routinely arrest and investigate hack- ers. Britain's National Hi-Tech Crime Unit in collaboration with its counterparts in the U.S.-the U.S. Secret Service and the FBI- arrested two men on charges of introducing worms into computer systems and causing damages around the world.^[12]

The standard legal responses across nations have been to criminalise hacking. Three offences have been created: unauthorised access, access with intent to damage contents and unauthorised interception of services. A fourth offence was introduced by a small number of states (following the U.S.) to protect special networks (defence, finance and the like) from any attack.

Invasion of Privacy and Identity Theft

The breach of security of networks (including through interception) often involves the unauthorised appropriation of personal data and information. Such forms of invasion of privacy differ from other less invasive ways of collecting information (using surveys, deploying cookies), but their implications are similar. Intruders put such information to further illicit use by selling or disclosing it to others to cause harm to the subject of the information.

Identity theft is a form of hacking which results in possession of personal data and information by the hacker to masquerade as the true identity owner for further use. It has gained particular notoriety in recent years. The use of false identities to undertake activities in the name of the true identity owner has devastating consequences for the latter. Their credit cards are used for transactions to the benefit of the thief; their identities are used to apply for loans, mortgages and the like. Estimates of identity theft by the U.S. Federal Bureau of Investigation go as high as 500,000 in 2002. The U.S. Federal Trade Commission has registered 161,000 complaints of identity theft, that is 43 percent of all complaints.^[13]

In many nations, fraudulent use of another's identity is generally dealt with under pre-existing laws sanctioning impersonation and misrepresentation. This may change with the mounting scale and breadth of identity theft taking place across nations. The U.S. introduced, in October 1998, the Identity Theft and Assumption Deterrence Act on a federal level , making it a criminal offence.

Piracy of Intellectual Property

The breach of network security may also involve unauthorised use of intellectual property (IP) belonging to others. The International Federation of the Phonographic Industry (IFPI) has reported a fall in global music sales of 7 percent (contrasted with 10 percent in the United States) which it ascribed to rising Internet piracy in 2002.^[14] Recently, the British Phonographic Industry and IFPI have formally written to British universities complaining about the state of music piracy on campuses and the likelihood of legal action for lack of action to curtail it.^[15]

The Motion Picture Association of America estimates yearly losses to piracy to be $3 billion.^[16] The trial in Norway, on behalf of the Motion Picture Association of America, of a teenager who had written a computer program that allowed copying of DVDs came to nought earlier this year. The court apparently viewed the program to be legitimately used to copy movies that were legally purchased. The case has been appealed.^[17]

The legal measures to combat online piracy of IP have been in the statute books of many nations since the introduction of new requirements through the 1996 Copyright Protocol of the World Intellectual Property Organisation (WIPO). The Protocol affirmed the need to protect online copyright and outlawed removal or tampering with rights management devices. Domain names have yet to be addressed in the same manner.

^[4]The OECD Guidelines for the Security of Information Systems and Networks of July 25, 2002.

^[5]An example is the Commission's Communication: Creating a safer information society by improving th security of information infrastructures and combating computer-related crime. COM (2000) 890 final, January 26, 2001.

^[6] [News] European cybersecurity agency planned.ITWorld, February 10, 2003. Available at: http://www.itworld.com/Sec/2199/ 030210eucybersecurity/.

^[7]The official title is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.

^[8]Brock Read, Group Calls for More Academic Research in Computer Security. Chronicle of Higher Education, January 31, 2003. Available at: http://chronicle.com/free/2003/01/2003013101t.htm.

^[9]Jonathan Krim, Cyber-Security Strategy Depends on Power of Suggestion. Washington Post, February 15, 2003, at E01.

^[10]Ibid.

^[11]Robert Lemos, Data thieves nab 55,000 student records. ZDNet, March 7, 2003. Available at: http://zdnet.com.com/2100-1105- 991413.html.

^[12]Two are held after computer virus raids. Daily Mail (UK), February 7, 2003. Accessed online from Factiva.

^[13]David Ho, Government reports surge of identity theft complaints last year. Associated Press Newswires, January 22, 2003. Accessed online from Factiva.

^[14]John Borland, Music industry: Piracy is choking sales. CNET News.com, April 9, 2003. Available at: http://zdnet.com.com/2100- 1105-996205.html.

^[15]Adam Sherwin, Universities to be sued over music downloads. Times Online, March 28, 2003. Available at: http:// www.timesonline.co.uk/article/0,,2-625793,00.html.

^[16]Norwegian teenager to face retrial for film piracy. Reuters. Oslo, February 28, 2003. Accessed online from Factiva.

^[17]Ibid.