Types of Cybercrimes
Module 7: Cybercrimes
Data Policy Violations
The use of data, including the volume of cross-border data flows, is increasing every year, and this includes personal data. However, there is a lack of adequate regulations in many countries for the collection and processing of personal information which can have significant ramifications, making data protection laws critical. In recent years, increasing attention to the issue of data protection has led to a number of Asian states enacting new privacy laws.(1) However, many states continue to protect individuals’ privacy only inadequately, especially from state surveillance activities.(2)
The rise of sophisticated surveillance technologies and the use of biometric technologies without proper safeguards are just some of the many threats to the right to privacy across Asia. There have, however, been some encouraging judgments in recent years pointing to the willingness of the judiciary in certain states to protect the right to privacy.
The Supreme Court of India on ‘Pegasus’ spyware
In Manohar Lal Sharma v. Union of India(3) the Supreme Court of India considered the alleged involvement of the Indian government in the unauthorised use of Pegasus spyware software to engage in mass surveillance. The petitioners in Manohar (a mix of public interest litigants and those claiming to be victims) alleged that the government’s unauthorised use of Pegasus was a violation not only of rights to privacy but also of freedom of expression due to a ‘chilling’ effect.(4)
The Pegasus software, developed by the Israeli NSO group, infiltrates digital devices and can access and remotely transmit “emails, texts, phone calls, as well as the camera and sound recording capabilities of the device” and can also access its stored data. In 2018, the research laboratory The Citizen Lab discovered that individuals from over 45 countries were suspected to have been targeted by Pegasus. Reports from further investigative efforts alleged that some 50,000 individuals were under surveillance using this spyware. The reports suggested that “nearly 300 of these numbers belonged to Indians, many of whom are senior journalists, doctors, political persons, and even some Court staff”.(5)
In response to media revelations, the government of India has offered cagey explanations, with the country’s IT Minister denying illegal use of Pegasus, while not denying actual use of the spyware.(6) This purposeful ambiguity was reflected in the context of the Manohar litigation, with the government filing an affidavit containing a blanket denial of the petitioners’ allegations without addressing them in any specificity.(7) When afforded opportunities to file a further affidavit, the Solicitor General declined, citing national security concerns as the reason for not revealing further information.(8)
The Supreme Court of India reaffirmed its previous holding in Puttaswamy(9) that privacy was ‘sacrosanct(10) The Court also noted that the threat of surveillance impacts how a citizen “decides to exercise his or her rights”, and may result in self-censorship, a matter of particular gravity for journalists.(11) The Court further noted the case’s significance for the protection of journalistic sources.(12)
The Court found that, in view of the vagueness of the government’s affidavit, the petitioners had made out a prima facie case for examining their allegations and was quite critical of the government for providing inadequate disclosure in a matter pertaining to fundamental rights.(13) The Court rejected the government’s national security rationale for nor revealing any detailed information, noting: “National security cannot be the bugbear that the judiciary shies away from, by virtue of its mere mentioning.”(14) Ultimately, the Court declined to order the government to file a further affidavit, considering it had already been granted ample opportunity to do so, and instead ordered the constitution of an Expert Committee headed by a former Supreme Court justice for the purpose of conducting a fact-finding inquiry.(15)
Courts have found cybercrimes legislation to be overbroad where authorities are granted wide-ranging powers to collect or take down certain categories of data without sufficient safeguards. For example, in 2014, the Supreme Court of the Philippines considered the constitutionality of several sections of the 2012 Cybercrime Prevention Act in Disini et al. v. The Secretary of Justice et al.(16) The Court upheld many provisions but found several to be unconstitutional because of their overbreadth. For example, section 19 of the Act, which authorised the Department of Justice to restrict or block access to data that was “prima facie found to be in violation of the provisions of this Act” was deemed to be inconsistent with constitutional guarantees of freedom of expression and freedom from unreasonable searches and seizures. The Court reasoned that “for an executive officer to seize content alleged to be unprotected without any judicial warrant, it is not enough for him to be of the opinion that such content violates some law, for to do so would make him judge, jury, and executioner all rolled into one”.
Another of the provisions of the Act deemed unconstitutional was section 12, which authorised law enforcement authorities to “collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system” with ‘traffic data’ being defined as “the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities”. The section also required service providers to “cooperate and assist law enforcement authorities in the collection or recording” of the traffic data. In finding the provision to be overbroad, the Court reasoned as follows:
Due cause is also not descriptive of the purpose for which data collection will be used. Will the law enforcement agencies use the traffic data to identify the perpetrator of a cyber attack? Or will it be used to build up a case against an identified suspect? Can the data be used to prevent cybercrimes from happening?
The authority that Section 12 gives law enforcement agencies is too sweeping and lacks restraint. While it says that traffic data collection should not disclose identities or content data, such restraint is but an illusion. Admittedly, nothing can prevent law enforcement agencies holding these data in their hands from looking into the identity of their sender or receiver and what the data contains. This will unnecessarily expose the citizenry to leaked information or, worse, to extortion from certain bad elements in these agencies.
Section 12, of course, limits the collection of traffic data to those “associated with specified communications.” But this supposed limitation is no limitation at all since, evidently, it is the law enforcement agencies that would specify the target communications. The power is virtually limitless, enabling law enforcement authorities to engage in [a] “fishing expedition,” choosing whatever specified communication they want. This evidently threatens the right of individuals to privacy.
The recognition at the national level of a right to privacy and its extension to the digital realm follows the rapid growth in adoption of data protection legislation around the world since the entry into force of the European Union’s General Data Protection Regulations (GDPR) in 2018. The GDPR has set a new standard for the protection of personal data online and has served as a template for numerous other countries’ legislation. The California Consumer Privacy Act (CCPA) likewise has sweeping rules regarding consumers’ rights to know what personal information is being collected from them, to request deletion of their data, and to opt out of data collection.(17) Because of its application to the technology sector of Silicon Valley, the CCPA has also been lauded for advancing the state of data protection globally.(18)
Criminalisation of Online Speech
Cybercrimes legislation often seeks to deal with a wide range of illegal or harmful content that is posted online. This may include incitement to terrorism, hate speech, sexually explicit content such as child pornography, and content which breaches intellectual property rights.(19)
This is often the area in which such legislation conflicts most severely with the right to freedom of expression and the right to information. Any restrictions on these rights must meet the requirements listed under Article 19(3) of the ICCPR: namely that restrictions be provided by law and necessary for one of the exhaustive list of legitimate purposes (to respect the rights or reputations of others or protect national security or of public order, or of public health or morals). In 2011, the UN Special Rapporteur on Freedom of Expression listed the following examples of kinds of expression the restriction of which would fall under these legitimate purposes: (a) child pornography; (b) direct and public incitement to commit genocide; (c) hate speech; (d) defamation; and (e) incitement to discrimination, hostility or violence.(20)
Even legislation that does criminalise these forms of expression needs to be precise, have adequate and effective safeguards against abuse or misuse in order to meet the requirements of legality and necessity. For example, in the case of restrictions on child pornography, the Special Rapporteur noted that the safeguards should include oversight and review by an independent and impartial tribunal or regulatory body.(21) In 2018, the Special Rapporteur stated: “Broadly worded restrictive laws on “extremism”, blasphemy, defamation, “offensive” speech, “false news” and “propaganda” often serve as pretexts for demanding that companies suppress legitimate discourse.”(22)
Criminalisation of online speech can occur through the application of cybercrime legislation or through the application of non-internet-specific criminal provisions. A 2017 report by the Association for Progressive Communications comparing India, Malaysia, Myanmar, Pakistan and Thailand’s laws found:
All these states either have laws that target cyberspace specifically (along with legal provisions that affect online speech), or they are moving towards such a law. All of these states also utilise offline laws to criminalise and punish online speech. Most of them also utilise multiple legal provisions to target and criminalise a single instance of online speech. They also prescribe harsher punishments for online “offences” than for offline speech.(23)
Association for Progressive Communications, ‘Unshackling expression: A study on laws criminalising expression online in Asia’ (2017) at p. 25
For more on the criminalisation of online speech, see Module 3 of Media Defence’s Advanced Modules on Digital Rights and Freedom of Expression Online.
Cyberstalking and Online Harassment
Online harassment is becoming increasingly prevalent with the spread of social media, which can provide especially fertile ground for it. Cyberstalking is undue harassment and intimidation through electronic communications, such as text messages, phone calls or social media posts, and it can severely restrict the enjoyment by the victims of their rights online, particularly if they come from vulnerable and marginalised groups, including women and members of sexual minorities. Research has shown that online harassment is often focused on personal or physical characteristics, with political views, gender, physical appearance and race being among the most common.(24) Furthermore, women encounter sexualised forms of online harassment at much higher rates than men.(25)
A worrying new trend: non-consensual dissemination of intimate images
A particular form of online harassment that has emerged as a concerning new trend is the non-consensual public sharing online of private and sexually explicit images, mostly of women, often by former partners in retaliation for a break-up or other falling out, or for the purposes of extortion, blackmail or humiliation. However, the cybercrimes legislation in only a few countries specifically provides for offences related to non-consensual dissemination of intimate images (NCII), often leaving victims with insufficient recourse against perpetrators due to gaps in legal protection.(26) The Philippines(27) and Singapore(28) are examples of exceptions to this, with both states’ having specifically criminalised NCII.
The importance of a name
The non-consensual dissemination of intimate images is often referred to as ‘revenge porn’. However, activists and researchers have universally rejected the term as being misleading.(29) Firstly, the word ‘revenge’ implies that the victim has committed a harm worth seeking revenge for. Secondly, ‘porn’ conflates the practice with the consensual production of content for mass consumption, which NCII decidedly is not. Thirdly, the term “repackages an age-old harm as a new-fangled digital problem,” belying the long history that exists of images of women being distributed non-consensually across a range of mediums.(30) Lastly, the term oversimplifies the offence by ignoring a range of aggressors and motivations and invoking a moralist reaction against the victim.(31)
Ongoing harassment and attacks on members of the media have also become a particularly worrying trend.
It is also worth noting that the crime of cyberbullying, which is the sending of intimidating or threatening messages, often via social media, and which is prevalent among children and young adults. According to the United Nations Children’s Fund (UNICEF):
“[Cyberbullying] can take place on social media, messaging platforms, gaming platforms and mobile phones. It is repeated behaviour, aimed at scaring, angering or shaming those who are targeted. Examples include:
– spreading lies about or posting embarrassing photos of someone on social media;
– sending hurtful messages or threats via messaging platforms;
– impersonating someone and sending mean messages to others on their behalf.
Face-to-face bullying and cyberbullying can often happen alongside each other. But cyberbullying leaves a digital footprint — a record that can prove useful and provide evidence to help stop the abuse.”
The scale of the problem is significant and growing. A study by UNICEF and the UN Special Representative of the Secretary-General (SRSG) on Violence against Children found that one in three young people in 30 countries reported being a victim of online bullying.(32)
Cyberbullying Legislation in the Philippines
The Philippines has sought to address cyberbullying among children through the Anti-Bullying Act of 2013.(33) The law requires that primary and elementary schools adopt an anti-bullying policy and creates annual reporting requirements for schools and school boards. Under section 2(d), ‘bullying’ is defined as including: “Cyber-bullying or any bullying done through the use of technology or any electronic means.” This is an innovative approach which may be contrasted with the normally overbroad approach taken in some countries of trying to criminalise cyberbullying.
The Budapest Convention on Cybercrime defines the following types of cybercrimes:
- Illegal access to a computer system;
- Illegal interception;
- Data interference;
- System interference;
- Misuse of devices;
- Computer-related forgery;
- Computer-related fraud;
- Child pornography;
Offences related to infringements of copyright and related rights.(34)
Although these definitions date to 2001, much of what constitute cybercrimes today is still covered by these categories and provisions.