Wednesday, October 13, 2010

Microsoft: Malaysia Weak in Enforcing Cyber Laws

KUALA LUMPUR: Although Malaysia has legal provisions for prosecuting cybercrime offenders, it remains weak in terms of enforcement.

Malaysia therefore needs to give more attention to enforcing its existing cyber laws in order to curb cybercrime-related activities, said Microsoft Corporation corporate vice president Pamela S. Passman.

She said Malaysia needs to invest more in law enforcement training and build a legal infrastructure that can act as a deterrent to cybercrime activities.

"Malaysia should also keep up with the latest developments in cybercrime activities, so that it does not become subjective, and it is easier to prosecute offenders.

"Some countries have begun reviewing existing laws or issuing new cyber laws to address new issues concerning ICT (information and communications technology).

"An international treaty on cybercrime is something Microsoft wants to see ratified, and countries like Malaysia should support it," said Passman, who is also deputy general counsel (global corporate affairs).

She said this to reporters after attending the plenary session on the second day of the Third Global Knowledge (GK3) conference at the Kuala Lumpur Convention Centre (KLCC). The three-day conference began the day before yesterday.

Passman is responsible for ensuring that the giant company provides counsel to business groups and develops corporate positions on public policy issues, intellectual property rights, piracy, internet security, international trade, accessibility and telecommunications.

Malaysia has introduced several cyber laws, including the Computer Crimes Act 1997, the Digital Signature Act 1997, the Communications and Multimedia Act 1998 and the Signature Regulations 1998.
On Microsoft's latest lawsuits against sellers alleged to be selling counterfeit Microsoft software online, she said they are part of a continuing effort by the company.

On Tuesday, Microsoft said the company had filed 52 lawsuits and referred 22 cases to local enforcement agencies in 22 countries against sellers alleged to be selling counterfeit Microsoft software online.

She said 15 of the lawsuits were traced to the largest counterfeiting syndicate, which was brought down earlier this year by the Chinese authorities, the Federal Bureau of Investigation (FBI) and Microsoft.

The lawsuits were filed in Belgium, Canada, France, Germany, Hong Kong, India, Ireland, Italy, the Netherlands, Turkey, South Africa, the United Kingdom and the United States. BERNAMA

Thursday, December 13, 2007



Tuesday, October 12, 2010

Internet Piracy - Copyright Infringement and Adequacy of MAS Law



Introduction
The Internet is a worldwide system of computer networks. Using the same protocol, any one computer can get information from or talk to any other connected computer. It therefore facilitates content and information transmission, sharing and retrieval.


Role of Internet Service Providers
With new technologies and the facilities offered by the Internet, on-line piracy has come about in many ways. In most instances, the Internet service providers are involved. Commercial undertakings have, without the authorization of or any payment to copyright owners, ripped and made available recorded music for download. Oftentimes, hacking software is posted. It may be used to break copy protection and other technological measures available and embedded in copyright protected materials to prevent unauthorized copying and transmission. These undertakings make their money through banner advertising. There are also other sites that provide links to these unauthorized databases.

Peer to peer (“P2P”) networks and systems allow a group of computer users using the same networking program to connect with each other and directly access files from each other’s hard drives. The common software enables users at any time to connect directly with the hard drives of all other users logged onto the Internet. The electronic files of a user are therefore made available to all other users.

There are various participants in a P2P network. They include (i) providers of the P2P software, (ii) intermediaries such as Internet and other service providers, (iii) uploaders and (iv) downloaders.
The role of the Internet service providers is also important for another reason. Individual items of software held by uploaders are identified by reference to an Internet protocol or IP address. The address is numeric in form and is allocated to a particular address space in such a manner that an individual computer or a network of individual computers will communicate to the Internet via that address. The IP address but not the identity of the uploader may be identified. The cross referencing between the IP address and the individual’s details is held by the Internet service provider who provides interconnectivity to the Internet. Unless the identity of the uploader is divulged, no effective action can be taken against the uploader.

In the case of a motion picture, sound recording, musical works, audio visual product and business software, only the person by whom the arrangements for the making of the motion picture or recording were undertaken can authorize it to be placed or copied onto a website, or transmitted across a network, or performed or downloaded by a computer. These works however contain many underlying works which are themselves individually protected. Such underlying synchronized works would include literary and dramatic works, musical works, artistic works, image rights and so on. The rights of the individual owners of such underlying works should be protected. They should continue to retain their respective rights to take both civil and criminal action against infringers.

Copyright Act 1987
A film is defined to mean the fixation of a sequence of visual images on any material so as to be capable by the use of that material of being shown as a moving picture or of being rerecorded onto some other material. “Fixation” means the embodiment of sounds, images or both or of the representation thereof, in a material form sufficiently permanent or stable to permit them to be perceived, reproduced or otherwise communicated during a period of more than transitory duration.

“Reproduction” means the making of one or more copies of work in any form or version and “copy” means reproduction of a work in written form, in the form of a recording or film, or in any other form. “Infringing copy” in relation to copyright, means any reproduction of any work eligible for copyright the making of which constitutes an infringement of the copyright in the work or, in the case of any article imported into Malaysia without the consent of the owner of the copyright, the making of which was carried out without the consent of the owner of the copyright. These definitions, it is submitted, are broad enough to include the downloading of a computer file. It is both a civil and criminal offence if done without the Malaysian copyright owner’s consent. These definitions are also broad enough to protect the copyright of the owners of the underlying works that are embodied in the film or sound recording. The only room for argument is whether the storage of the film or sound recording and the underlying works in a computer or any electronic medium amounts to infringement. It must be so. Accordingly, sections 13 and 41 of the Copyright Act (“Act”) 1987 should be amended to define an unauthorized act or an infringing copy to include “the reproduction or storage in any material or electronic form”.

It is not clear whether the word “makes” includes the act of downloading. Obviously if the downloader subsequently burns in hard copy form a disc of the copyrighted work for downloading, there would be an offence. But what if reproductions are made from direct connections to the hard drives of other users logged onto the Internet using the same software? So as to make the act of downloading an offence as well, “downloading or storage of copyright protected work in a computer or on any medium by electronic or other means that will facilitate downloading” should be made an act controlled by copyright. If greater protection were desired, perhaps, downloading or storage of copyrighted work itself if done without authorization would be sufficient to constitute infringement. The purpose for which the downloading or storage is made is not relevant to found liability.

The act of uploading however is presently not a criminal copyright infringement. Therefore, a person who “uploads or stores any work protected by copyright in a computer or on any medium by electronic or other means whether or not for the purpose of making available the work for subsequent downloading, distribution, dissemination or any further dealings in the work” should be guilty of an offence. Such an offence can also form the basis for civil infringement. If adopted in the context of civil infringement, authorization is required for any “distribution, dissemination or in any manner dealing in the work via broadcasting”. “Broadcast” is defined as the transmitting by wire or wireless means visual images, sounds or other information that is capable of being lawfully received by members of the public or is transmitted for presentation to members of the public. It will also include communication of the work to the public that is already an offence.

In the civil context causing an infringement to take place is itself an infringement. However, the Act is silent on whether authorizing an infringement is itself an infringement. To be guilty of authorizing an infringement, the defendant must have expressly or implicitly sanctioned, approved or countenanced the infringement. That is pre-conditioned on the defendant having the right to authorize infringement. It is questionable whether the uploader by offering his files for download may be said to have authorized infringement. He does not possess the right to authorize in the sense of him having a right to give the necessary sanction, approval or countenance to infringe. This is still so even if he were aware that his P2P peers would infringe or is indifferent as to what they might do. The wrong of authorizing infringement is a very narrow one that is ineffective in practical terms. The term “causing” an infringement in section 36(1) of the Act appears capable of a wider application. To “cause” must be a question of fact and circumstances. It is not conditioned upon there having to be a right “to cause” (an infringement). Rather, it is premised on the degree of control the uploader has over the creation of and the computer containing the uploaded work. He controls the means, mode and equipment by which infringement is committed and allows the downloader infringer access to these. He in fact is well aware that there would be infringement and actively encourages such infringing. However, the intent and the ingredients for causing infringement should be adequately set out in section 36(1) of the Act.
Perhaps it should be provided that “for the avoidance of doubt, a person causes another to do an act, the doing of which is controlled by copyright without the license of the owner of the copyright if he (i) controls or has the ability to control the means, equipment, modes and instruments by which the infringement would be effected; (ii) has knowledge or reason to suspect that such infringement will take place; and (iii) intends, encourages, promotes, assists or enables the use of the means, equipment, modes and instruments to effect an infringement and takes no reasonable steps to limit the use of such means, equipment, modes and instruments supplied to legitimate purposes or takes no reasonable steps to filter or block any infringement”.

The difficulty remaining is whether the wrong of “causing” an infringement can only be sustained if the primary act of infringement is completed. This appears to be likely so. To get away from such rigidity, the law should be amended to provide that causing “an imminent infringement” or if the causative acts make it likely that an infringement will occur, that should suffice. A suitably worded provision would be: “copyright is infringed by any person who does, or causes any other person to do, without the license of the owner of the copyright, an act the doing of which is controlled by copyright under this Act”.

In the context of an offence for copyright infringement, it is an offence to sell or distribute infringing copies. The computer file in data format that is transmitted over the network has no physical existence. It is uncertain whether such an infringing computer file meets the definition of it being an “unlawfully reproduced copy”. As mentioned earlier, by definition, “copy” must be in some material form. Are data packets residing in a computer file in material form? To remove such an uncertainty, perhaps the word “material” should be deleted from the definition of “copy”.

Unauthorized distribution of the copyrighted work by way of sales is an act of infringement. Whether there is such a distribution and sale of the infringing file is questionable. The computer file residing in the host computer is never physically moved to the downloader’s computer. Instead the downloader creates a new file. There may be no monetary gain. Perhaps “transmission of the work to the public by electronic or other means which upon being received results in the copy of the work”.

Pirated works are openly advertised for sale either in the print media or via the Internet. Accordingly the right to advertise copyright protected work should be an act controlled by copyright and advertising for sale, hire or rental of infringing copies of works should be an offence. Any reproduction made including those that are temporary or of transient duration is covered under the right of reproduction. (Examples would be copies of works made in the servers and other computers that are the engines of electronic commerce and digital networks.) A person making a temporary pirated copy is no more or no less guilty of infringement than a person making a permanent pirated copy of the work. Under emerging new business models the full economic benefit can be quickly derived by making and using a temporary copy of the work. To allow the making of temporary copies therefore goes against the copyright owners’ exclusive legal entitlement to exploit their creations. It will also unreasonably prejudice the legitimate commercial interests of the copyright owners. Where the making of a temporary or transient copy is necessary for technical reasons as in the case of acts of caching by service providers, any exception should be on condition that the service provider does not modify or edit the contents of the work and does not interfere with the use of technological protection measures. There may be an exception for “the making or reproduction of temporary copies of the work if it is for technical or legal reasons and provided that there shall be no modification or editing of the work or interference with the use of any technological measures by the owner”.

Legal protection and remedies
Adequate legal protection and effective legal remedies are provided against the circumvention of effective technological measures that copyright owners use to restrict acts in respect of their works which are not authorized by the authors concerned or permitted by law. In this respect, the law should prohibit the business of providing circumvention tools and services. What must be suppressed is the providing of, manufacture, importation, supply, distribution and sales of decryption devices and other devices and services which are intended to gain access to, or the use of copyrighted material. The factors for determining whether a given tool is a circumvention tool may include those set out in the US Digital Millennium Act 1998 which are (i) the way the devices and services are designed and/or produced; (ii) whether the way the devices and services are marketed has any significant commercial purpose or are they marketed for use primarily for the purpose of circumvention; and (iii) whether the manufacturer or marketer of the devices are acting in concert with the user who to his knowledge is using the devices for circumvention purposes. The test has to be an objective one.
A balance must be maintained, and exceptions and limitations to the prohibitions must be provided, particularly in the face of countervailing national interests, such as when copyright owners totally deny access to their works by customers from the non-profit sector such as educational institutes, libraries and research organizations, or where law enforcement and national security interests are involved, or where access to copyrighted material is required to achieve interoperability of computers.

Copyright owners have the exclusive right to control retransmissions over the Internet. They must retain the absolute right to authorize or prohibit the retransmissions of their works. The value of audiovisual work will drastically reduce if unauthorized Internet retransmissions were easily available. There would be considerable practical difficulty in the collection of any remuneration due. Program suppliers usually license their programs by geographic regions. If unauthorized programming becomes available online via the Internet, such global marketing structure would be displaced and the value of such geographically limited licenses is lost. Where authorization for retransmission is given, copyright owners must have an equal and absolute right to impose the terms and conditions for the retransmission. Territories of the world market are targeted differently; for instance, it is an essential requirement in the case of audiovisual works in the form of films. Worldwide distribution of content over the Internet seriously impacts on local release patterns.
It is the object of copyright laws to provide copyright owners with effective action and expeditious remedy against any form of infringement. It is against this aim that the liability of service providers must be considered. As providers of online services they are directly and intimately involved in transactions dealing with copyright materials and other forms of intellectual property.

The Communications and Multimedia Act 1998 and the Malaysian Communications and Multimedia Code
Service providers in Malaysia are licensed operators under the Communications and Multimedia Act (“CMA”) 1998 and their licenses are subject to conditions that they must adhere to. Their activities are also subject to the provisions of the CMA. The Malaysian Communications and Multimedia Code (“Code”) requires Internet Access Service Providers “to comply with and incorporate terms and conditions in the contracts and legal notices as to terms of use with subscribers of their service”. The following terms shall be included, namely (i) subscribers shall comply with the requirements of Malaysian law including, but not limited to the Code, and shall not provide prohibited contents or any content in contravention of Malaysian law; (ii) the Internet Access Service Provider shall have the right to withdraw access where a subscriber contravenes what is stated in (i); and (iii) the Internet Access Service Provider shall have the right to block access to or to remove such prohibited content provided such blocking or removal is carried out in accordance with the complaints procedure set out in the Code. By Section 98(2) of the CMA “compliance with a registered voluntary industry code shall be a defense against any prosecution, action or proceeding of any nature whether in court or otherwise regarding a matter dealt with in the Code”. Whether copyright infringing material or content is to be regarded as “prohibited content or content in contravention of Malaysian law” is a matter for interpretation. If it is to be so regarded and the Internet Access Service Provider withdraws access to the subscriber or blocks access to or removes such content, then, the objective of the copyright owner is achieved. What if the Internet Access Service Provider refused on the ground that it is not the adjudicating tribunal to decide on whether the contents complained of are indeed infringing?

In the event the Code is not intended to deal with infringing copyright content, a new part would have to be included in the Act dedicated to controlling the activities of service providers that relate to and govern the manner they are to deal with the transmission of infringing materials over their networks. Operating within the scope of their licenses and the provisions of the CMA, it must be acknowledged that in relation to the electronic copy of the work, they are entitled to deal with it incidentally in the course of their providing the technical means to enable users of the network or other networks to access the work for listening, viewing or any other form of legitimate utilization. Such incidental dealings in the electronic copy of the work would include storing, transmitting, routing or providing connections to the work on their own primary or other networks. This obviously is a necessity and network users would expect such services and that it is within the intent of the CMA that such services be provided by the network service providers.

Network Service Providers
Ordinarily, network service providers cannot be liable for infringement. In a P2P file sharing context, they are just intermediaries. They are not involved in any way in the infringement. They merely provide the technical infrastructure or connectivity that facilitated the exchange of infringing files by P2P peers. The network service providers may however be made answerable for the infringement. Any laws to provide for the legal responsibility and liability of these providers must provide incentives and encouragement to join the copyright owners, enforcement agencies and consumers to take all steps necessary to deter the use of the digital networks for copyright piracy, detect and eliminate copyright infringements that take place over the networks and identify and pursue the infringers and instigators of infringements. Such incentives and encouragement would be in the form of the remedies for infringement that would otherwise be available against the service provider being limited or reduced. This is the approach adopted by the US Digital Millennium Copyright Act 1998 and the E.U. Electronic Commerce Directive (2002).

To fix or impute the service providers with liability, the law must legislate against these network service providers’ primary infringement as well as secondary or indirect infringement activities such as authorizing or causing infringement, joint liability, contributory or vicarious infringement etc. In so far as the transmission of an electronic infringing copy of the work is concerned, it is submitted that the network service providers are already liable as primary infringers and offenders under the amendments suggested above. For instance, the service provider would be regarded as an infringer in relation to the electronic copy of the work transmitted via their networks if they become aware or ought to be aware of infringing materials or activities on their systems and do nothing to remove or cut off access to the offending material. It is not necessary that the service providers be notified of the presence of infringing materials and activities on their systems, but if notified, then, the defense of lack of awareness is not available to them. They should then be imputed with notice. It would be preferable if “a network service provider is made liable for infringement for transmitting electronic infringing copies of work to the public if (i) it is aware or has knowledge, or ought to be aware or have knowledge, that the electronic copy of the work that is transmitted through its network systems is an infringing copy; or (ii) it receives a statutory declaration (from the copyright owner or his authorized representative?) that provides that, in his belief in good faith, an act which constitutes infringement has occurred in the course of making available an electronic copy of the work on the network to which the network service provider provides access and the grounds of his belief and neglects or fails within a reasonable time to take the necessary action to remove or disable access to the work that is infringing”.
This approach is entirely consonant with the requirements of the CMA and the Code. There must be safeguards. A person who knowingly misrepresents or suppresses relevant and essential facts just to assert infringement must be liable in damages.

Also relevant is whether network service providers must disclose identifying information in their possession with regard to an online infringer where a request for the information is made by copyright owners or their legal representatives. A time limitation within which to respond must be provided. Such information and particulars are readily available. One significant tool for Internet anti-piracy enforcement is the availability of and access to data about Internet users and website operators after identification of their IP addresses in order to identify copyright infringers. The most significant sources of these data are the WHOIS databases and the subscriber and traffic data stored by the service providers. The data will assist in the real time identification of the registrant of the domain name and the server where the related website is maintained. Accordingly, a network service provider should be liable for infringement if it refuses to disclose to the copyright owner or his authorized representatives, information relating to the identity of the infringer, his contact details, specified or other information and documents that are useful for the purpose of protecting the owner’s copyright. To ensure the integrity and accuracy of the data, the law must make it an offence to fraudulently misrepresent or suppress essential information in the registration process. The network service providers must in their agreement with subscribers ensure that this is spelt out, for otherwise the information even if provided by them would be of little use to copyright owners.

Conclusion
Whether providers of file sharing software and services can be fixed with liability for copyright infringement depends on the role they play and the degree of control they exert over the file sharing process. If the infringing files are stored on their servers (referred to at times as the site and facility) and made available for download, then their position would be as that of the uploader. It should not matter where their servers are located. They may even be located outside of Malaysia but so long as they have control over the same, they should be guilty of infringement. The law should provide that “a person shall be guilty of infringement if he stores or causes to be stored any recording or reproduction of an infringing work on servers or other storage or retention facilities or means wherever located knowing that or under circumstances which render him likely to know that the infringing work may at any time subsequently be reproduced or accessed or dealt with in a manner that is prejudicial to the interest of the owner of the copyright by the public”. Such infringement is of course in addition to and not an alternative to the direct infringement of having unlawfully reproduced the copyright protected work. Substituted for the requirement for control over the servers, is the requirement for knowledge or presumed knowledge that there will be subsequent infringements made from the unlawfully reproduced file that is held in storage. Implicit in the proposed provision is the presumption that the provider must have control over the site and facility.

INDRAN SHANMUGANATHAN
INTELLECTUAL PROPERTY & TECHNOLOGY PRACTICE GROUP
For shearndelamore.com

All parties must tackle cybercrime

By Siti Mariam Md. Zain

EVERYTHING is at your fingertips. This phrase is very popular at the moment. Indeed, the sophistication of information technology (IT) drives us to choose whatever can be done more easily and quickly.

If possible, people want all their affairs handled in one place. Time and cost weigh heavily on this choice. So when banks raced to offer online services, better known as Internet banking, many welcomed the effort. As consumers, they saw it as working in their favour.

At the same time, however, some matters continue to cause concern. How safe this method is to use or, in simple terms, how well consumers' money can be protected remains an open question.


Although the banks have repeatedly said that security is their priority, the fact is that there are still consumers who complain of losing money through transactions carried out without their knowledge or awareness.


Why does this happen? The reason given by the banks is that what happened was not due to any error on their part. All the services provided are guaranteed to have strong security features. They add that customers are not deceived while transacting with the bank, but before that. This means another party 'cuts in' using the same methods as those provided by the bank concerned. More precisely, banking websites have been copied to 'legitimise' the fraud.

As consumers, can we accept this explanation? The answer is surely no. The fact is that consumers are not only deceived but may also have to pay the price of the services 'offered' by certain parties.

According to a computer expert who declined to be named, “with just a computer, the Internet and browser software, a person can create a bank website to make off with millions of ringgit of customers' money. Moreover, to create this fake website, they do not need much time, only about one to two hours,” he said, explaining that the software in question is available on the market.

The activity cannot, however, copy the original URL (domain address) of the website concerned because it is protected, but the perpetrators can set up alternative links that confuse bank customers. This is nothing unusual. Recently the National ICT Security and Emergency Response Centre (NISER) detected fraud taking place.

At the same time, police arrested four university students and nine others for creating fake websites of local banks to steal customer information before withdrawing their money.

In the first nine months of this year (2006), 159 cases of Internet banking customer identity theft were detected, an increase of 27 cases over the 132 cases reported in the same period last year. The amount of the losses, however, could not be obtained because it is kept confidential by the banks concerned.

The efforts of the police in apprehending these cybercriminals deserve praise, but that is not the end of this story of fraud. There may be many more criminals who are cleverer but still at large out there. So what else can be done to overcome this problem?

According to the Chief Executive Officer (CEO) of DigiCert Sdn. Bhd., Noor Azli Othman, every bank should have a digital certificate to ensure security. The digital certificate, he explained, can ensure that any website forgery is identified immediately.

“I do not deny that people can still copy the website concerned, but with a digital certificate, users can tell whether a website is genuine or not,” he said when contacted by Mingguan Malaysia.

DigiCert is a company that issues digital authentication certificates for electronic transactions. Digital certificates are an important requirement for ensuring continued security for online transactions. They are also a statement that verifies a person's identity and the security of a website. So far several government agencies have adopted this method, including the Inland Revenue Board (LHDN) and all supplier companies registered with the government.

Noor Azli said his company's digital certificates are based on public key infrastructure (PKI) to give customers better service and at the same time raise the level of trust in Internet communication. It has been accepted worldwide as the method that best guarantees security so far.

Cyber threats are nothing new. In developed countries such as the United States (US), this problem emerged early on. Nevertheless, prevention efforts are actively carried out from time to time.

Undeniably, in a competitive global world, cyber threats are frequently faced by today's computer users, given that most of them are connected to the Internet.

What is certain is that the effects of cyber threats can spread globally in a very short time and, more worryingly, they are not localized or limited by borders as physical violence is. While some are worried about the spread of Internet banking cybercrime, others see the real problem with the security of the transaction process as stemming from the users themselves.

“I believe this problem exists because our own users are not careful,” said the Dean of the Faculty of Information Science and Technology, Universiti Kebangsaan Malaysia (UKM), Prof. Dr. Aziz Deraman. Taking himself as an example of a regular Internet banking user, Prof. Aziz said that if users were computer literate, the problem now plaguing some parties would not arise.

“The banks surely have a high level of security. On the bank's side there may be no problem, but those causing the problem are outside parties. That is why we as users need to be careful,” he said. However, to raise the level of security for the benefit of both parties, he suggested that banks add to users' identification credentials from time to time.

Commenting further, Prof. Aziz said he also did not quite agree with any suggestion to return to the old system of queuing at post offices or banks to conduct business, because it wastes a lot of time, energy and money, and besides, that method is not characteristic of a developed nation.

“We are on course to become a developed nation by 2020; what should be done is to find ways to narrow the digital divide among the people. If everyone understands and is computer literate, fraud, even if it cannot be eliminated, can be reduced,” he stressed.

Indeed, the use of information and communications technology (ICT) cannot be avoided in facing the era of globalization. In this regard, all parties or agencies involved should establish cooperation and understanding towards tackling this threat.

At the same time users also need to understand their respective responsibilities. More importantly, the digital divide needs to be narrowed. If this happens, the cybercrime feared to be spreading in this country can be overcome.


This article was in turn quoted on the official website of the Ministry of Domestic Trade and Consumer Affairs, which can be visited at

Digital DNA - Computer forensics tracks cybercriminals

By MOHD RIDZWAN MD IMAN
2nd May 2002 (Utusan Malaysia)




WE are surely used to hearing about DNA tests carried out on a person to identify lineage, disease and so on in the world's medical industry. Likewise forensic tests carried out on corpses to identify the various possible causes of death and related factors.

However, forensic technology from the medical field has now also been applied in the world of digital computing technology, which is growing rapidly.

As is known, technology is developed for the purposes of development or good, but it will not escape negative activity by parties who always take advantage of any technology for personal interest.

Computer intrusion and hacking, attacks by viruses that damage computers and data, information theft, espionage and so on are the negative aspects or criminal acts of today's cyber world.

Computer forensics is the technology used to assist investigation, analysis and the gathering of evidence in computer crime investigations, to be presented to law enforcement.

This information and evidence is needed for certain fraud and cybercrime issues such as e-mail abuse, system fraud, copyright infringement and scenarios related to computer misuse.

As is known, criminals, whether in the real or the virtual world, will try to hide the traces of their wrongdoing after committing a crime, and computer forensic technology is needed to track them.

An ICT security expert who was involved in forming Scotland Yard's computer crime unit, John Austen, said Interpol's team in Europe set up a committee to tackle ICT crime in 1990 after the first problem was detected in 1989.

"The first case handled by police in Europe was the spreading of a virus via diskette that was capable of formatting the hard disks of about 20,000 health institutions worldwide," said Austen, who is also Director of CC Information Security Ltd.

He said that at the time, police had trouble tracing the act, which was committed by a company from Panama, because they did not have specialized expertise.

Since then, computer-related criminal activity has continued to grow and has accelerated, especially after the total acceptance of the Internet worldwide.

Computer threats can typically be carried out by professional hackers, intelligence agencies, organized crime, investigation agencies, part-time media and political extremists.

He said no country is now free from the threat of computer crime, and all must be prepared to face the problem of information warfare, which can have damaging effects when waged.

Malaysia, which is now in the process of developing its information and communications technology (ICT) industry on a large scale, is no exception to the threats and problems related to computer crime.

According to the Minister of Energy, Communications and Multimedia, Datuk Amar Leo Moggie, Malaysia suffered losses of about RM22 million from having to resolve various problems caused by ICT-related threats and attacks.

He said the National ICT Security and Emergency Response Centre (NISER) categorizes computer crime into several activities, namely mail bombing, spam, forgery, hacking threats, virus attacks, intrusion and denial of service (DoS).

NISER statistics also state that Malaysia experienced 700 ICT security-related cases last year, ranging from problems as small as defacing a website's front page to network threats and web server intrusions.

Accordingly, to ensure that the country's ICT development continues to grow rapidly, various steps have been taken by the government and the private sector so that it is not stunted by computer security problems.

The introduction of cyber laws and the establishment of security monitoring agencies such as MyCert and NISER are among the steps introduced by the government to address the monitoring and strengthening of computer security.

NISER recently introduced another computer security service, the Computer Forensic Service, which aims to help companies and government agencies in this country trace the digital evidence of cybercriminals.

Computer forensic services are becoming more challenging these days as criminals grow more skilled at trying to destroy their traces and identity after committing a cybercrime.

The availability and widespread use of high-powered encryption techniques make it difficult for a company's ordinary IT manager to find those traces without help from trained computer forensic experts.

However, the skills of digital forensic investigators will need to be constantly upgraded because criminals constantly use new methods and techniques to hide the traces of their crimes.

Forensic experts typically employ various methods and techniques in carrying out their investigations. The scenario is like that of a police team investigating ordinary crime.

They must take various factors into account in the investigation so that it is more thorough and able to trace the problem to its root.

According to NISER, the services offered cover gathering information, identifying critical information or evidence, recovering lost critical information and protecting electronic data while the forensic examination is being carried out.

The analysis usually carried out in NISER's laboratory includes analysing information in a way that can bring out hidden files, and also recovering swap files.

To ensure that the data on the computer under investigation is not disturbed, NISER's forensic investigation team copies the data to another computer for analysis.

"Although studying the original source would make it easier to detect a computer criminal's traces, it is not the best method because of concern that it could affect the original data," NISER says on its website.

The information on the original computer is very important because even a small mistake can destroy the original data or the traces left by the criminal.

NISER uses disk imaging equipment that copies all information from the original source in its existing form, on which the examination can then be carried out.

Besides offering a service to trace the evidence of computer criminals, NISER also offers a service to recover or restore data that has been deleted from computers or from hard disks that have been formatted.

The fee charged by NISER is based on the number of hours worked by the computer forensic investigation team on a case. On average, a typical forensic examination takes at least one hour. Further information can be obtained from the website www.niser.org.my.

In conclusion, the more sophisticated the technology used, the more sophisticated the acts of criminals in this world.

As users, we should not too easily expose ourselves to such crimes, and should take all the necessary protective measures. If it still happens to us, do not forget to seek expert help.

Cyber Threats and the Strengthening of Laws

The cyber world has now become part of modern human life. Once, we knew and were exposed to the reality of cyberspace only on television and cinema screens, through the imagination and fantasy of fiction films and dramas. Now, however, we are in the real cyber world, as we are experiencing at this moment, whether we realize it or not.

This still-new cyber world is becoming increasingly important in every aspect and is a phenomenon sweeping through the ways and arrangements of modern human life. This means that cyberspace, with all its challenges, needs to be controlled, regulated and monitored consistently through comprehensive systems and planning. This is because cyberspace can leave both positive and negative effects on a country and its people. The government's approach, the public's attitude and legislative support must be brought into synergy to ensure that cyberspace brings great benefit to development rather than being used as an arena to tear it down.

Accordingly, recent warnings of cyber calamities, dangers and threats cannot be taken lightly. This is because in a world without borders and controls, anyone, whether an individual or a group, can easily intrude and inflict all manner of damage and destruction on a modern society and nation if we fail or are careless in curbing it.

The effects and consequences can also bring harm and destruction to life on this earth even if the person with malicious intent is thousands of kilometres away from the target, simply by pressing a computer key or using whatever equipment is related to it. With today's ever more advanced and sophisticated innovation and technology, everything can be done easily in cyberspace, whether for good or for ill.

The cyber transformation has made global communication ever easier and faster, in the blink of an eye, with all of life's affairs within one very complete and orderly system. The Internet, for example, complements cyberspace and makes it the most influential and vital medium in human life today. Malaysia, as an electronic government (e-government), has never lagged behind in this respect, and with very strong political support, cyber facilities are applied in almost every field, whether public services, banking, domestic and foreign relations, education, communication and so on.

Nevertheless, everyone must be wary of the threat of cybercrime, which is increasingly rampant and can bring very grave consequences if misused, to the point of collapsing economic systems, infrastructure and institutions and causing injury or death to the public. Cyber threats such as spamming, virus breeding and spreading, virtual hackers, e-mail bombing, use of other people's passwords, cheating, distribution of pornographic material, get-rich-quick and pyramid schemes, cyber gambling, credit card fraud, extortion, industrial espionage, illegal investment and so on can also damage national systems and infrastructure, with an impact that can result in human death and injury as well as paralysing a country's economic, social and political systems.

The higher a country's and its people's dependence on and connection to the Internet, the more exposed they are to cyber threats. The United States (US), Japan, Europe and others that lead and pioneer cyberspace have not escaped this threat. Among the most severe cyber attacks ever reported were several attempts to access the systems of critical companies and agencies in the US such as the Pentagon, NASA and so on.

The two-year series of attacks that began in 2003 is also known as ‘Titan Rain’ and is said to have been carried out by adversaries seeking that country's intelligence information. This threw US administration and security into disarray, and various measures were implemented to prevent a recurrence. To this day that cyber nation constantly strives to build very strong defence and control systems to face all eventualities.

Similar attacks and intrusions also occurred in Estonia, which is advanced in information and communications technology (ICT) in Europe and depends heavily on ICT applications in its government operations, and they alarmed all parties. The country experienced cyber threats in the form of three serious waves of cyber attacks over three consecutive weeks. The incident, known as the ‘Estonian Cyber War’ of 2007, caused the country's water treatment plant to be shut down, its banking system to be disrupted and its government agency websites to be altered.

The incident awakened many countries around the world, especially the parties directly involved in defence planning for their respective cyber defence systems. This is because any country without a good protection system is easily exposed to cyber threats. If planning goes wrong, cyber threats can directly and indirectly bring down a government and collapse a country in a very short time.

The Malaysian government has so far, through the planning and plans it has prepared, been committed to watching over and guarding the country's cyberspace from being intruded upon and damaged by irresponsible parties. The government also constantly monitors and controls the development of websites and blogs through the National Cyber Security Centre (PKSN), and at present banking, water and security services, for example, are tied to global information technology (IT).

Following on from that, Malaysia's move to establish the secretariat of the International Multilateral Partnership Against Cyber Terrorism (IMPACT) in Cyberjaya with an allocation of US$13 million (RM42.2 million) is the right step because cyber threats take many forms and are hard to predict. Through a strategic alliance, committed government and private agencies involved in cyber security from various countries can exchange experience and share skills to protect their respective cyberspace.

The presence of Impact partners such as F-Secure, Kaspersky Labs, Symantec Corporation and Trend Micro will provide opportunities in the form of, among other things, training, research and development, policy and regulatory frameworks. Through the planned facilities, Impact will carry out four core activities, namely global response; policy and regulation; training and development; and security certification, development and research. Impact has so far developed two core systems for the benefit of all its members, namely the Early Warning System (EWS) and the Guaranteed Collaboration Platform (GCP).

In addition, the country's cyber legal system also needs to be further strengthened and its scope broadened in line with the current situation. Malaysia is in fact among the first countries in the world to introduce comprehensive cyber laws in line with the rapid development of the national Multimedia Super Corridor (MSC), such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, the Digital Signature Act 1997, the Telemedicine Act 1997, the Copyright Act amendment of 1997 and the Electronic Government Activities Act 2007.

The Digital Signature Act 1997, for example, facilitates electronic commerce (e-commerce) as a mode of operation and monitors the digital signatures made in every electronic transaction. Section 62 of the Act provides for a fine not exceeding RM 100,000.00 or imprisonment for a term not exceeding 2 years or both for offences relating to digital signatures, while Section 72 covers the disclosure of confidential information obtained under this Act, alongside the Obligation of Confidentiality in every activity and dealing.

Meanwhile, the Electronic Government Activities Act 2007 provides for legal recognition of electronic messages in all dealings between the government and the public, for the use of electronic messages (information generated, sent, received or stored by electronic means) to fulfil legal requirements, for enabling and facilitating those dealings through the use of electronic means, and for other related matters.

The Telemedicine Act 1997, for its part, regulates telemedicine activities in our country. During the 1998 Commonwealth Games, medical and telemedicine services were linked to medical centres in the United States and Britain to obtain expert advice on the diagnosis and treatment of athletes and visitors. This method also enables doctors to send patient files or related documents such as X-rays and ECG scans electronically, and allows face-to-face interaction between doctor and patient.

This powerful and sophisticated information technology creates smart links between hospitals in the region and around the world, enabling the expertise of doctors worldwide to be shared by local doctors. The Act also provides strict rules and controls on telemedicine practice, such as the confidentiality of patient information and the need for medical practitioners to obtain the patient's consent before telemedicine is practised. Under Section 3 of the Act, anyone who contravenes the telemedicine rules, even if practising telemedicine from outside Malaysia, may be fined not exceeding RM 500,000.00 or imprisoned for a term not exceeding five years or both.

In addition, given that Malaysia is not exempt from cybercrime and cyber threats, the Computer Crimes Act 1997 exists to counterbalance this. The Act applies to anyone regardless of nationality, and offences under it can occur anywhere, whether inside or outside Malaysia, as long as they involve a computer located in Malaysia.

The existing Acts are actually still insufficient to curb ICT- and cyber-related crime. Although cyber legislation in Malaysia is acknowledged by many as the most comprehensive, its effectiveness has not been fully tested, given that serious cybercrime cases brought and prosecuted in court are still few. Although this is also true of most countries, given that these laws are still new, only Europe is seen as somewhat ahead in this field because it has certain established protocols.

Malaysia also needs to strengthen the cyber laws used in this country by formulating more provisions to curb the crime or punish its offenders, to ensure that the ICT sector can continue to grow rapidly. The harmonization of cyber laws and electronic transactions needs to be in line with the latest developments in electronic commerce (e-commerce). Even so, in terms of protection against terrorists, Malaysia was among the first countries to introduce a smart identity card that enables enforcement authorities to obtain the cardholder's information quickly and accurately.

A country acting alone cannot possibly avoid facing the threat of cyber attacks. Given that the Internet crosses borders regardless of country and state, exposing the world to cyber threats, all parties need to cooperate whether they like it or not. Therefore, government, the private sector, academics, experts and individuals, we all need to work hand in hand to protect our systems from continuing to be subject to cyber threats.

Malaysia should also invest more in enforcing cybercrime laws, and the government needs to be firm in punishing offenders who make the cyber world an arena for crime and activities that break the country's laws. Last September, it was reported that Britain would impose fines of up to 1,000 pounds (RM7,000) on the parents of 'cyberbullies', or students involved in threatening their peers via mobile phone, e-mail, short message service (SMS) and social websites. Besides being fined, the parents concerned are also directed to control their children's behaviour, or else they will be required to attend parenting classes and be taken to court for a criminal offence, an approach Malaysia would do well to emulate.

In addition, the proposal to set up a Cyber Court of Justice, mooted since 1997, needs to be realized promptly to deal with current questions and all laws relating to cyber matters, as well as to serve as an international point of reference in handling various cyber issues, as cyber-related challenges, abuse and negative phenomena become more complex and difficult to deal with. To that end, lawyers and legal practitioners in this country need to be prepared to deepen their knowledge of cyber matters to ensure they are able to handle related cases when the Cyber Court of Justice is established.

Resource: http://mohamadsofee.blogspot.com/2008/08/ancaman-siber-dan-pemantapan-undang.html

Sunday, October 10, 2010

Malaysian Cyberlaws : issues and development

The Multimedia Super Corridor (MSC) is part of the Malaysian
government initiative to transform Malaysia from a manufacturing-based
economy to a knowledge economy where intellectual capital is a core
component in the manufacture of a product or the delivery of a service. The
MSC is positioned as a regional IT hub for world-class technology companies
and local high tech venture capital companies. The MSC also aims to provide
a perfect environment for companies to create, distribute and employ
multimedia products and services to the rest of the world. In order to
facilitate the operations of the multimedia industry, the MSC (which is a 15-
by-50 kilometer zone extending from the KL City Center to the KL
International Airport) will be provided with a high capacity global
telecommunications and logistics infrastructure, new policies and cyberlaws
and an attractive living environment of a garden city. The cyberlaws are
necessary to protect the intellectual property rights and to provide a
conducive environment for the conduct of electronic commerce. This paper
will review all of the major Malaysian cyberlaws and provide some
comments on these cyberlaws. In view of the increased incidence of
cybercrime lately and the serious nature of these crimes (in that they caused losses
worth millions of dollars worldwide and other damages), the paper will
discuss the Malaysian computer crime legislation in more detail.

The Malaysian Cyber Law
This section provides an overview of the major Malaysian cyberlaws.
Each cyberlaw will be expanded further in the subsequent sections. The five
cyberlaws which have been enacted since 1997 are listed in chronological
order. The Digital Signature Act 1997 was the first cyberlaw to be passed by
the Malaysian parliament. The aim of this cyberlaw, like its counterparts
(e.g. Utah Digital Signature Act 1995) elsewhere, is to enable businesses and
the consumer to use electronic signatures (instead of handwritten signatures)
in legal and business transactions. The Computer Crimes Act 1997 provides
law enforcement with a legal framework that covers unauthorized access and
the use of computers and information and states the various penalties for the
different offences committed. The next cyberlaw to be enacted is the
Telemedicine Act 1997. This cyberlaw empowers medical practitioners to
provide medical services/consultations from remote locations through the use
of electronic communications facilities such as videoconferencing. Following
on is the Communications and Multimedia Act 1998 which is to regulate the
converging communications and multimedia industries and to support the
national policy objectives set for the communications and multimedia
industries. The Malaysian Communications and Multimedia Commission Act
1998 was later passed by parliament to establish the Malaysian
Communications and Multimedia Commission which is the regulatory and
supervisory body to oversee the development and related matters of the
communications and multimedia industry. The Ministry of Energy,
Communications and Multimedia is in the process of drafting new
legislation on Personal Data Protection to regulate the collection, possession,
processing and use of personal data by any organization to provide protection
to an individual’s personal data and thereby safeguarding his privacy rights.
This to-be-enacted legislation is founded on nine data protection principles
which are (1) Manner of collection of personal data (2) Purpose of collection
of personal data (3) Use of personal data (4) Disclosure of personal data (5)
Accuracy of personal data (6) Duration of retention of personal data (7)
Access to and correction of personal data (8) Security of personal data (9)
Information to be generally available. These principles are quite similar to the
UK Data Protection Act 1998.


The primary intent of the Digital Signature Act 1997 is to regulate the
use of digital signatures and to provide for matters connected therewith.
We start with the privacy implications of digital signatures in general. A
digital signature is a 'message digest' encrypted using the sender's private key.
The recipient can recompute the message digest from the message they receive
and recover the signed digest using the sender's public key. He can then
compare the two results to satisfy himself not only that the contents of the
message received are the same as those which were sent (data integrity) but also
that the message has been sent by the purported sender (sender authentication)
and that the sender cannot later deny having sent the message
(non-repudiation). Digital signatures are subject to a form of 'spoofing' by
the creation of a bogus public key that purports to be that of a particular
person. To address that risk, a certification authority's (CA's) duty is to
certify that a public key is that of a particular
person. The current practice is to use separate key-pairs for encryption of
message content and for digital signatures. The OECD encryption guideline
states that this distinction should be taken into account in development of
national policies on access to keys.
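
The sign, verify, bogus-key and CA-certification steps described above, as an added example that is not code from the paper. It uses unpadded textbook RSA over a SHA-256 digest with constructed toy keys built from Mersenne primes; every name in it (SENDER_ID, make_keypair, issue_certificate and so on) is hypothetical, and a real system would use a vetted library with a padded signature scheme.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below


def make_keypair(p_bits, q_bits):
    """Toy RSA key from two Mersenne primes (constructed; insecure by design)."""
    p, q = 2 ** p_bits - 1, 2 ** q_bits - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, d), n                   # (private key, public modulus)


def digest(message: bytes) -> int:
    """The 'message digest': SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Digest the message, then transform the digest with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_n, message: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key; compare with a fresh one."""
    return pow(signature, E, public_n) == digest(message)


def binding(subject: str, public_n: int) -> bytes:
    """The statement a CA certifies: this public key belongs to this subject."""
    return f"{subject}|{public_n}".encode()


def issue_certificate(issuer_private, subject, public_n):
    return {"subject": subject, "n": public_n,
            "ca_sig": sign(issuer_private, binding(subject, public_n))}


def verify_certified(ca_public_n, cert, claimed_sender, message, signature):
    """Accept a signature only under a key the trusted CA bound to the sender."""
    if cert["subject"] != claimed_sender:
        return False
    if not verify(ca_public_n, binding(cert["subject"], cert["n"]), cert["ca_sig"]):
        return False  # certificate was not issued by the trusted CA
    return verify(cert["n"], message, signature)


# Constructed parties: the genuine sender, an impostor, and the CA.
SENDER_ID = "sender@example.test"
SENDER_PRIV, SENDER_PUB = make_keypair(127, 521)
IMPOSTOR_PRIV, IMPOSTOR_PUB = make_keypair(107, 607)
CA_PRIV, CA_PUB = make_keypair(89, 1279)


def demo():
    msg = b"Pay RM100 to account 12345"          # constructed sample message
    sig = sign(SENDER_PRIV, msg)
    forged = b"Pay RM9000 to account 99999"       # written by the impostor
    forged_sig = sign(IMPOSTOR_PRIV, forged)

    genuine_cert = issue_certificate(CA_PRIV, SENDER_ID, SENDER_PUB)
    # The impostor cannot use the CA's key, so signs the binding with its own.
    bogus_cert = issue_certificate(IMPOSTOR_PRIV, SENDER_ID, IMPOSTOR_PUB)

    return {
        # Integrity and sender authentication with the genuine key.
        "genuine": verify(SENDER_PUB, msg, sig),
        "tampered": verify(SENDER_PUB, forged, sig),
        # Spoofing: a recipient handed the bogus key as "the sender's" accepts.
        "bogus_key_unchecked": verify(IMPOSTOR_PUB, forged, forged_sig),
        # With CA certification the same forgery is rejected.
        "genuine_with_cert": verify_certified(
            CA_PUB, genuine_cert, SENDER_ID, msg, sig),
        "bogus_cert": verify_certified(
            CA_PUB, bogus_cert, SENDER_ID, forged, forged_sig),
        "forgery_with_genuine_cert": verify_certified(
            CA_PUB, genuine_cert, SENDER_ID, forged, forged_sig),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The recipient's trust rests entirely on holding the CA's real public key; the certificate check is only as good as that one key.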

The first concern is regarding how private keys are generated. For
security reasons, it is therefore essential that key-generation is undertaken
entirely under the control of the individual concerned, and that the private
key never leaves the possession of that person without strong security
precautions being taken. If any other approach is used, serious privacy and
security issues arise because there is opportunity for the individual to be
convincingly impersonated. The second concern relates to how the private
keys are stored and backed-up and how back-up copies are stored. In most
cases, other organizations are involved and therefore the private key must be
subject to strong cryptography-based security precautions. In their absence, the
risk of impersonation is a possibility. Escrow is an arrangement whereby
something is kept with a trusted party, but may be accessed by third parties
under certain conditions. It is known as private key escrow when used for
private keys. The key pair must be withdrawn or 'revoked' if there are
sufficient reasons to believe that a private key has been compromised. There
exists the risk of an impersonator requesting revocation and certification of a
replacement.

These concerns are adequately addressed in the Digital Signature Act
1997 (hereinafter referred to as DSA97). The DSA97 states the duties of the
licensed certificate authorities (CAs) and the duties of the subscriber upon
acceptance of an issued certificate. The DSA97 further makes the subscriber
responsible for the control of his private key. The DSA97 also provides for
the temporary suspension of a certificate by the CA if the subscriber’s private
key is believed to be compromised. Certificates can be revoked upon request
or if unreliable. The liability limits of the certificate authority are specified in
Section 60(1)(2) and is limited to such amount as may be specified in the
certificate issued to the subscriber. There could be different limits in different
categories of certificates. The risk of forged digital signatures lies on the
recipient, if such reliance is not reasonable under the circumstances. If the
reliance is reasonable, the risk is not on the recipient and it is probable that
the repository or the CA would bear the risk. Two other issues relate to the
effect of a digital signature. The first is “a digitally signed message is deemed
to be a written document” (see section 64(1)(2) DSA). It would be considered
a written document for Part V and sections 91 and 92 of the Evidence Act
1950. The second is “a digitally signed message is deemed to be original
document” (section 65 DSA).


The Computer Crimes Act 1997 (hereinafter referred to as CCA97)
provides for offences relating to the misuse of computers. The objective is to
protect the victims of computer misuse by criminalizing associated activities
such as eavesdropping and unauthorized access to programs or data in a computer,
with very high penalty levels. We will discuss a number of problematic issues,
which include the extensive powers given to the enforcement authorities. The
term “computer” is defined broadly to include a data storage facility or
communications facility, and also a computer network. The offences
created by the CCA97 are listed in sections 3 to 8 of the Act.

Section 3 – Unauthorized access to computer material
Section 4 – Unauthorized access with intent to commit or facilitate commission of further offence
Section 5 – Unauthorized modification (temporary or permanent) of the contents of any computer
Section 6 – Wrongful communication
Section 7 – Abetments and attempts punishable as offences
Section 8 – A person is deemed to have obtained unauthorized access to any program, data or information (unless proved otherwise) if he is found to have custody or control of such program, data, or other information in any computer or storage media which he is not authorized to have.
The penalty for gaining unauthorized access to computer material (such
as by hacking) is a fine not exceeding fifty thousand ringgit or
imprisonment for a term not exceeding five years, or both (see section 3(3)
CCA97). The penalty for gaining unauthorized access with intent to commit
or facilitate commission of further offence (which may involve fraud or
dishonesty or which causes injury as defined in the Penal Code) is more
severe, with a fine not exceeding one hundred and fifty thousand ringgit or
imprisonment for a term not exceeding ten years (see section 4(3) CCA97).
The rationale behind the heavier penalty is probably that the punishment
should be proportional to the harm or damage caused (principle of
proportionality). It is conceivable for a hacker to change the prescription for a
particular treatment or to change the records of a patient such that his allergy
to certain medication is erased. In this case, serious harm could be done to the
patient concerned. The penalty for unauthorized modification is a fine not
exceeding one hundred thousand ringgit or imprisonment for a term not
exceeding seven years, or both; if the act is done intentionally to cause injury
as defined in the Penal Code, then the penalty is stiffer, with a fine not
exceeding one hundred and fifty thousand ringgit or imprisonment for a
term not exceeding ten years, or both.

Section 6(1) states “A person shall be guilty of an offence if he
communicates directly or indirectly a number, code,
password, or other means of access to a computer to any other person other
than a person to whom he is duly authorised to communicate.” This provision
will catch the hacker who publishes passwords on bulletin boards or by e-mail.
Would a worker who accesses his office server from his home be
committing an offence under section 6(1) if a visitor unintentionally and
without his knowledge happens to see that access code? Even authors of
books that seek to alert users to certain security weaknesses or holes in
computer systems and indicate the means by which such systems could be
compromised may well be committing an offence under section 6(1). Under
section 7(1)(2), abetments and attempts to commit an offence are punishable
offences. Even an act preparatory to or in furtherance of the commission of any
offence is liable to punishment.

Compared with penalties for computer misuse in other jurisdictions (e.g. UK and Singapore),
the fine for a s.3 offence is set at an extremely high level. The powers of enforcement in
CCA97 are set out in section 10. Section 10 gives a police officer of or above
the rank of Inspector wide powers of search. These powers, extending from
cooperation of the suspect to arrest without warrant (section 10(3)), were
criticized for lack of safeguards to check abuse, infringement of the right
to privacy, and infringement of the right against self-incrimination. It is
rather unsettling that under Malaysian law, there is no rule of law that
evidence obtained from an illegal search and seizure is inadmissible in legal
proceedings. The CCA97 may be open to abuse where privacy might be
invaded to trawl for potential victims rather than to pursue criminals. Are the
sweeping powers given to enforcement officials to gather evidence really
that necessary? Is it really necessary to have such stiff penalties when to date
no one has yet been prosecuted successfully under the CCA97? Evidence
gathering and subsequent prosecution are no easy task. Section 9(1) sets out
the principle that the offences under the Act are extra-territorial in nature and
that persons of nationality other than Malaysian are still liable to be
prosecuted for offences committed under the Act. If either the perpetrator’s
computer or the victim’s computer is physically in Malaysia, or
Malaysia is used as a transit point, then jurisdiction will be founded
(section 9(2)). Enforcement would not be a trivial issue, as the enforcement
authorities would require the cooperation of the enforcement authorities of
the other country to obtain the necessary evidence to be able to extradite the
accused. Furthermore, the wording of section 9(3) is rather confusing, but it
appears to be a statutory enactment of the rule against double jeopardy.


