Sunday, October 10, 2010

Malaysian Cyberlaws : issues and development

Posted on 1:37 AM by cyberlaw2010

The Multimedia Super Corridor (MSC) is part of the Malaysian
government initiative to transform Malaysia from a manufacturing-based
economy to a knowledge economy where intellectual capital is a core
component in the manufacture of a product or the delivery of a service. The
MSC is positioned as a regional IT hub for world-class technology companies
and local high tech venture capital companies. The MSC also aims to provide
a perfect environment for companies to create, distribute and employ
multimedia products and services to the rest of the world. In order to
facilitate the operations of the multimedia industry, the MSC (which is a 15-
by-50 kilometer zone extending from the KL City Center to the KL
International Airport) will be provided with a high capacity global
telecommunications and logistics infrastructure, new policies and cyberlaws
and an attractive living environment of a garden city. The cyberlaws are
necessary to protect the intellectual property rights and to provide a
conducive environment for the conduct of electronic commerce. This paper
will review all of the major Malaysian cyberlaws and provide some
comments on these cyberlaws. In view of the increased incidence of
cybercrime lately and the serious nature of these crimes (which have caused
losses worth millions of dollars worldwide, along with other damage), the paper
will discuss the Malaysian computer crime legislation in more detail.

The Malaysian Cyber Law
This section provides an overview of the major Malaysian cyberlaws.
Each cyberlaw will be expanded further in the subsequent sections. The five
cyberlaws which have been enacted since 1997 are listed in chronological
order. The Digital Signature Act 1997 was the first cyberlaw to be passed by
the Malaysian parliament. The aim of this cyberlaw, like that of its counterparts
elsewhere (e.g. the Utah Digital Signature Act 1995), is to enable businesses and
consumers to use electronic signatures (instead of handwritten signatures)
in legal and business transactions. The Computer Crimes Act 1997 provides
law enforcement with a legal framework that covers unauthorized access and
the use of computers and information and states the various penalties for the
different offences committed. The next cyberlaw to be enacted is the
Telemedicine Act 1997. This cyberlaw empowers medical practitioners to
provide medical services/consultations from remote locations through the use
of electronic communications facilities such as videoconferencing. Following
on is the Communications and Multimedia Act 1998 which is to regulate the
converging communications and multimedia industries and to support the
national policy objectives set for the communications and multimedia
industries. The Malaysian Communications and Multimedia Commission Act
1998 was later passed by parliament to establish the Malaysian
Communications and Multimedia Commission which is the regulatory and
supervisory body to oversee the development and related matters of the
communications and multimedia industry. The Ministry of Energy,
Communications and Multimedia is in the process of drafting new
legislation on Personal Data Protection to regulate the collection, possession,
processing and use of personal data by any organization, so as to protect
an individual's personal data and thereby safeguard his privacy rights.
This to-be-enacted legislation is founded on nine data protection principles:
(1) Manner of collection of personal data
(2) Purpose of collection of personal data
(3) Use of personal data
(4) Disclosure of personal data
(5) Accuracy of personal data
(6) Duration of retention of personal data
(7) Access to and correction of personal data
(8) Security of personal data
(9) Information to be generally available
These principles are quite similar to those of the UK Data Protection Act 1998.


The primary intent of the Digital Signature Act 1997 is to regulate the
use of digital signatures and to provide for matters connected therewith.
We start with the privacy implications of digital signatures in general. A
digital signature is a 'message digest' encrypted using the sender's private key.
The recipient recomputes the message digest from the message he receives and
recovers the sender's digest from the signature using the sender's public key.
He can then compare the two results to satisfy himself not only that the
contents of the message received are the same as those which were sent (data
integrity), but also that the message was sent by the purported sender (sender
authentication) and that the sender cannot later deny having sent the message
(non-repudiation). Digital signatures are subject to a form of 'spoofing' by the
creation of a bogus public key that purports to be that of a particular person.
To address that risk, a certification authority's (CA's) duty is to certify that
a public key is that of a particular person. The current practice is to use
separate key-pairs for encryption of message content and for digital signatures.
The OECD encryption guideline states that this distinction should be taken into
account in the development of national policies on access to keys.
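As an added illustration of the digest-sign-verify mechanism described above (this is not code from the original post), the Python below uses textbook RSA on small constructed primes, with no padding, to show that a tampered message fails verification and that a signature made with a bogus key verifies only against the key the impersonator presents, not against the key a CA has certified. The key values, the sample message and the CA lookup table are constructed assumptions.

```python
import hashlib

# Added illustration: textbook RSA on small known primes with no padding.
# It shows the mechanism only and is NOT a usable signature scheme.
E = 65537

def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # private exponent
    return (n, E), (n, d)        # (public key, private key)

def digest(message):
    # Toy key size: keep only 48 bits of SHA-256 so the value is below n.
    return int.from_bytes(hashlib.sha256(message).digest()[:6], "big")

def sign(message, priv):
    n, d = priv
    return pow(digest(message), d, n)      # "digest encrypted with the private key"

def verify(message, signature, pub):
    n, e = pub
    return pow(signature, e, n) == digest(message)   # recover digest and compare

# Constructed keys: Alice's genuine pair and an uncertified bogus pair that an
# impersonator might present as hers.
ALICE_PUB, ALICE_PRIV = make_key(1000003, 998244353)
BOGUS_PUB, BOGUS_PRIV = make_key(999983, 1000000007)

# Constructed stand-in for a CA: the recipient trusts this mapping, not a key
# that arrives alongside the message.
CERTIFIED = {"alice": ALICE_PUB}

def check_message(sender, message, signature, presented_pub):
    """Returns (verifies with presented key, verifies with certified key)."""
    return (verify(message, signature, presented_pub),
            verify(message, signature, CERTIFIED[sender]))

def demo():
    msg = b"Pay MYR 500 to account 1234"        # constructed sample message
    sig = sign(msg, ALICE_PRIV)
    return {
        "genuine": verify(msg, sig, ALICE_PUB),
        "tampered": verify(b"Pay MYR 5000 to account 1234", sig, ALICE_PUB),
        # Impersonator signs with the bogus key and presents its public half:
        "spoof": check_message("alice", msg, sign(msg, BOGUS_PRIV), BOGUS_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The "spoof" entry comes back as (True, False): the signature checks out against the key the impersonator supplied, and fails against the certified key, which is exactly the gap the CA's certification duty closes.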

The first concern is how private keys are generated. For security reasons
it is essential that key generation is undertaken entirely under the control
of the individual concerned, and that the private key never leaves the
possession of that person without strong security precautions being taken. If
any other approach is used, serious privacy and security issues arise because
there is an opportunity for the individual to be convincingly impersonated. The
second concern relates to how private keys are stored and backed up, and how
the back-up copies are stored. In most cases other organizations are involved,
and therefore the private key must be subject to strong cryptography-based
security precautions; without them, impersonation becomes a real possibility.
Escrow is an arrangement whereby something is kept with a trusted party but may
be accessed by third parties under certain conditions. When used for private
keys it is known as private key escrow. The key pair must be withdrawn or
'revoked' if there are sufficient reasons to believe that the private key has
been compromised. There remains the risk of an impersonator requesting
revocation and certification of a replacement.

These concerns are adequately addressed in the Digital Signature Act
1997 (hereinafter referred to as DSA97). The DSA97 states the duties of the
licensed certificate authorities (CAs) and the duties of the subscriber upon
acceptance of an issued certificate. The DSA97 further makes the subscriber
responsible for the control of his private key. The DSA97 also provides for
the temporary suspension of a certificate by the CA if the subscriber’s private
key is believed to be compromised. Certificates can be revoked upon request
or if unreliable. The liability limits of the certificate authority are specified
in section 60(1)(2) and are limited to such amount as may be specified in the
certificate issued to the subscriber; different categories of certificates may
carry different limits. The risk of a forged digital signature falls on the
recipient if his reliance on it was not reasonable under the circumstances. If
the reliance was reasonable, the risk does not fall on the recipient and it is
probable that the repository or the CA would bear it. Two other issues relate to the
effect of a digital signature. The first is “a digitally signed message is deemed
to be a written document” (see section 64(1)(2) DSA). It would be considered
a written document for Part V and sections 91 and 92 of the Evidence Act
1950. The second is “a digitally signed message is deemed to be original
document” (section 65 DSA).


The Computer Crimes Act 1997 (hereinafter referred to as CCA97) provides
for offences relating to the misuse of computers. Its objective is to protect
the victims of computer misuse by criminalizing associated activities, such as
eavesdropping and unauthorized access to programs or data in a computer, with
very high penalty levels. We will discuss a number of problematic issues,
including the extensive powers given to the enforcement authorities. The term
“computer” is defined broadly to include data storage facilities and
communications facilities, and also computer networks. The offences created by
the CCA97 are listed in sections 3 to 8 of the Act.

Section 3 – Unauthorized access to computer material
Section 4 – Unauthorized access with intent to commit or facilitate
commission of further offence
Section 5 – Unauthorized modification (temporary or permanent) of the
contents of any computer
Section 6 – Wrongful communication
Section 7 – Abetments and attempts punishable as offences
Section 8 – A person is deemed to have obtained unauthorized access to any
program, data or information (unless proved otherwise) if he is
found to have custody or control of such program, data, or other
information in any computer or storage media which he is not
authorized to have.
The penalty for gaining unauthorized access to computer material (such
as by hacking) is a fine not exceeding fifty thousand ringgit or
imprisonment for a term not exceeding five years or both (see section 3(3)
CCA97). The penalty for gaining unauthorized access with intent to commit
or facilitate the commission of a further offence (which may involve fraud or
dishonesty, or which causes injury as defined in the Penal Code) is more
severe: a fine not exceeding one hundred and fifty thousand ringgit or
imprisonment for a term not exceeding ten years (see section 4(3) CCA97).
The rationale behind the heavier penalty is probably that the punishment
should be proportional to the harm or damage caused (principle of
proportionality). It is conceivable for a hacker to change the prescription for a
particular treatment or to alter a patient's records so that his allergy
to certain medication is erased; in such a case serious harm could be done to
the patient concerned. The penalty for unauthorized modification is a fine not
exceeding one hundred thousand ringgit or imprisonment for a term not
exceeding seven years or both; if the act is done intentionally to cause injury
as defined in the Penal Code, the penalty is stiffer: a fine not
exceeding one hundred and fifty thousand ringgit or imprisonment for a
term not exceeding ten years or both.

Section 6(1) states: “A person shall be
guilty of an offence if he communicates directly or indirectly a number, code,
password, or other means of access to a computer to any other person other
than a person to whom he is duly authorised to communicate.” This will catch
the hacker who publishes passwords on bulletin boards or by email.
But would a worker who accesses his office server from his home be
committing an offence under section 6(1) if a visitor unintentionally, and
without his knowledge, happens to see that access code? Even authors of
books that seek to alert users to certain security weaknesses or holes in
computer systems, and indicate the means by which such systems could be
compromised, may well be committing an offence under section 6(1). Under
section 7(1)(2), abetments and attempts to commit an offence are themselves
punishable offences; even an act preparatory to or in furtherance of the
commission of any offence is liable to punishment.

Compared with the penalties for computer misuse in other jurisdictions (e.g. the UK and Singapore),
the fine for a section 3 offence is set at an extremely high level. The powers of enforcement in
the CCA97 are set out in section 10, which gives a police officer of or above
the rank of Inspector wide powers of search. These powers, extending from the
cooperation of a suspect to arrest without warrant (section 10(3)), have been
criticized for the lack of safeguards to check abuse, for infringing the right
to privacy, and for infringing the right against self-incrimination. It is
rather unsettling that under Malaysian law there is no rule that
evidence obtained from an illegal search and seizure is inadmissible in legal
proceedings. The CCA97 may therefore be open to abuse, where privacy is
invaded to trawl for potential victims rather than to pursue criminals. Are the
sweeping powers given to enforcement officials to gather evidence really
necessary? And is it really necessary to have such stiff penalties when, to date,
no one has yet been prosecuted successfully under the CCA97? Evidence
gathering and subsequent prosecution is no easy task. Section 9(1) sets out
the principle that the offences under the Act are extra-territorial in nature,
and that persons of a nationality other than Malaysian are still liable to be
prosecuted for offences committed under the Act. Jurisdiction is founded if
either the perpetrator's computer or the victim's computer is physically in
Malaysia, or where Malaysia is used as a transit point (section 9(2)).
Enforcement would not be a trivial issue, as the Malaysian authorities would
require the cooperation of the enforcement authorities of the other country to
obtain the evidence necessary to extradite the accused. Furthermore, the
wording of section 9(3) is rather confusing, but it appears to be a statutory
enactment of the rule against double jeopardy.


1 Response to "Malaysian Cyberlaws : issues and development"

CloudResearcher Says....

Hello!

I would like to know whether there are any laws in Malaysia that can hinder the digital forensics process, specifically in a cloud environment. If a forensics investigator, for example from the US, wanted to perform an investigation on a cloud server located in Malaysia, would he face cross-jurisdiction issues? If yes, what are the laws preventing him from doing so?
