yourself while person Y would try his best to attack you. The smarter of ..... it is from. As a counter to this issue, in the case of sending confidential data by email, the ..... Unsolicited and bulk emails separately do not count as spam. It is a matter.
THE INCIDENCE OF CYBERCRIME IN PAKISTAN This project looks at how the increase in usage of internet has amplified the incidence of cybercrime in the society. Lack of training and awareness about preventive measures has added to the risks that people are exposed to everyday making them vulnerable to areas of cybercrime we are looking into i.e. hacking, spamming, phishing, and harassment. These domains have been discussed in detail along with suggestions on how to diminish the risks associated with them. Primary data from the National Response Centre for Cybercrime (NR3C) and results from a survey conducted in a target group of university students was used to analyze the prevailing trends of victimization, correlation between gender and types of cybercrimes and actions taken to deal with those crimes.
UFAQ MANZAR SAMA TANVEER SANWAL JAMAL
2
1
Contents
2
Introduction ........................................................................................................................................... 4
3
2.1
Background ................................................................................................................................... 4
2.2
Purpose and Research ................................................................................................................... 8
Methodology ......................................................................................................................................... 9 3.1
Research Strategy.......................................................................................................................... 9
3.2
Data collection .............................................................................................................................. 9
3.3
Secondary Data ............................................................................................................................. 9
3.4
Primary Data ............................................................................................................................... 10
4
Literature Review................................................................................................................................ 11
5
Research Findings: .............................................................................................................................. 21
6
Types of Cybercrime........................................................................................................................... 29 6.1
Hacking ....................................................................................................................................... 29
6.1.1
Insiders ................................................................................................................................ 31
6.1.2
Outsiders ............................................................................................................................. 33
6.1.3
Insiders and Outsiders ......................................................................................................... 35
6.1.4
Denial of Service Attacks (DoS) ......................................................................................... 39
6.1.5
Defacement ......................................................................................................................... 40
6.1.6
Solutions ............................................................................................................................. 42
6.2
Phishing and Scamming .............................................................................................................. 44
6.2.1
Understanding Spam: .......................................................................................................... 44
6.2.2
How it’s done: Phishing ...................................................................................................... 45
6.2.3
Resurgence of Macros:........................................................................................................ 46
6.2.4
Zombie Computers AKA Botnet: ....................................................................................... 47
6.2.5
The Curious Case of Mules:................................................................................................ 47
6.2.6
Spear-phishing Attacks: ...................................................................................................... 49
6.2.7
Free Advertisement: ............................................................................................................ 51
6.2.8
A Low-Risk Resource for Terrorists ................................................................................... 51
6.2.9
How to Protect Against Spam and Phishing ....................................................................... 52
6.3
Cyber Harassment ....................................................................................................................... 55
6.3.1
Cyber Stalking .................................................................................................................... 56
6.3.2
Cyber Bullying: ................................................................................................................... 57
6.3.3
Hate Speech and Trolling:................................................................................................... 58
6.3.4
Causes of Cyber Harassment: ............................................................................................. 59
3
7
6.3.5
Effects of Cyber Harassment .............................................................................................. 64
6.3.6
Preventive measures and actions......................................................................................... 64
Laws and Challenges to Cybersecurity: .............................................................................................. 66 7.1
On Phishing and Scamming: ....................................................................................................... 66
7.2
On Cyber-harassment.................................................................................................................. 69
7.3
On Pakistan’s Electronic Crimes Act 2015 (PEC):..................................................................... 72
8
Conclusion .......................................................................................................................................... 74
9
Bibliography ....................................................................................................................................... 79
10
Appendix ......................................................................................................................................... 83 10.1
Interview with Salman Sufi (Special Monitoring Unit Law & Order) ....................................... 83
10.2
Interview with Sadaf Baig (Media Matters for Democracy)....................................................... 87
10.3
Interview with Aun Abbas (NR3C) ............................................................................................ 89
4
2 Introduction 2.1 Background In this era of exponential advancements, very few technologies can claim to have grown at a pace similar to that of the internet. With the advent of the World Wide Web (www) and the Dot Com (.com) revolution of the 90s, the internet saw extraordinary expansion from just sixteen million worldwide users in 1995 to over three billion users in 2015. Now a smartphone that easily fits into a jeans pocket gathers several hundred times more connectivity and computing power than the mammoth computers of earlier times. The Apollo Guidance Computer (AGC) used to guide earliest missions to the moon was not particularly powerful, operating at 0.043MHz, which by modern standards is less equipped than a toaster.1 The shrinking of hardware and growth in connectivity have brought security issues that were previously a concern of corporations to every individual carrying a mobile device. Unlike the earlier corporation’s security plans of safeguarding their information with humans and user badges, latest technologies require much more sophisticated protection, just not in the form of a physical guard. Over the years a mystique grew on the challenge of outsmarting the computer. A look at the films of the era when the public started to get private access to computers and the internet reveals growing interest in the genre of science fiction. From the Italian Job (1969) to ‘Office Space’ (1999), and from ‘Swordfish’ (2001) to ‘We Are Legion’ (2012), hacking movies have blurred the lines of morality and cybercrime. Some grew up desensitized about the seriousness of such a crime, while others developed admiration for hacking and relevant skills. Such science fiction movies managed to ascertain the lack of computer security, which resulted in a growing interest towards innovative ways of breaking into different security systems. Not to undermine the
1
Puiu, Tibi. 2015. zmescience. October 13. http://www.zmescience.com/research/technology/smartphone-powercompared-to-apollo-432/.
5
most important factor of financial gains which will be discussed in this project; as they say, crime is where the money is. Computers are often blamed for the destruction and immorality that they cause in science fiction movies. This raises the question, ‘Can computers think?’ This has been answered in the book, ‘Computers, Minds and Conduct’. The authors claim that computers cannot think because they are machines with no understanding of their own. They merely adhere to the instructions given to them by breaking them into further sub instructions. This is their only way of interpreting the code and involves no understanding or intelligence. They further refute the allegation that computers have been reported to do something apart from the specifics of their programming. Computers can be autonomous from their programmers, exceed what they have been programmed to do, initiate operations they are not explicitly programmed to accomplish simply because of bugs. These bugs do not occur on their own; they are programed and sent by another human. This leads to the conclusion that it is the humans and not the computers that can think and need to be stopped. Humans have numerous motives for engaging in crime. A person may want to hack and gain access to someone else’s machine for reasons ranging from financial gains to revenge and personal satisfaction. The earliest reported instance of computer vulnerability surfaced in 1988 when a Cornell University graduate Robert Morris, Jr., unleashed an internet worm that selfreplicated and propagated from one device to another. The program worked in the background and the commands embedded in a message ran through a server program. It gave him unauthorized access and exhausted the system’s resources. The Morris Internet worm resulted in monetary damages worth $100 million. Only after getting mainstream media attention, this incident made people take computer security seriously. Since then, hacking has gained popularity on a global scale. ‘Guccifer’, an example of a serious Romanian hacker has caused a number of high-level
6
security breaches that involved members of the US Governments. He has been successful in obtaining personal information about the officials by hacking their AOL, Yahoo, Flickr and Facebook accounts. He is also the one responsible for hacking the AOL account of President George Bush's sister and claims to have repeatedly hacked Hillary Clinton's private email server. The seriousness of cybercrime, in whatever form it may come in, cannot be emphasized more, as generally speaking it is the manifestation of physical fraud in a different state. Approximately 43% of the world’s population now has internet access, which is up from 6.5% in 2000 and the global penetration of mobile-cellular subscriptions has reached 97%. In the developed world, more than 80% of all households have access to the internet. By the end of 2015, 3.2 billion people were using the internet globally of which 2 billion were from developing countries2.This globalization of technology facilitates the ever-increasing risk of cybercrime. A survey of Fortune 1000 companies found an annual growth rate of 64% in cyber-attacks being carried out through the internet3. In Pakistan, the incidence of cybercrime has also been on the rise. According to official statistics, the education system of Pakistan comprises of almost 0.26 million institutions, and 1.5 million teachers who facilitate approximately 41 million students4. If literacy is defined as the ability to read and write one’s name, it is approximately 69% in Pakistan. As the literacy rate increases, the number of people who can use the internet will also increase. Pakistan is ranked 27th
2
1 (ITU), International Telecommunication Union. ICT Facts and Figures. 2015. Bagchi, Kallol and Godwin Udo. "An analysis of the growth of computer and Internet security breaches."Communications of the Association for Information Systems 12.46 (2003): 129. 4 Rahman, Dr. Taimur. 2014. "The Internet, Youth and Education in Pakistan." National Human Development Report 2015, November. 3
7
in the world due to its internet usage as its citizens have a large social media footprint. With increased usage, come greater threats. According to the Federal Investigation Agency's (FIA) National Response Centre for Cybercrime (NR3C), 10% to 16% of Pakistan's population consists of active internet users who use the internet for social networking, online banking, internet surfing, communication, entertainment, online shopping, map directions, online education and auction, data transfer, medical assistance and online gaming. The types of crime committed in cyberspace are hacking, identity theft, cyber bullying, cyber stalking, financial fraud, digital piracy, computer viruses and worms, malicious software, intellectual property rights, money laundering, denial of service attack, electronic terrorism, vandalism and extortion5. Pakistan is not devoid of cybercrime cases similar to the ones discussed on a global scale. In 2012, the police arrested members of a gang from Bahawalpur who had hacked several bank accounts, credit card numbers and used fake vouchers claiming to be from the National Bank of Pakistan to steal millions of rupees. In Peshawar and other cities, university students have been arrested by the FIA for blackmailing women through hacking and defacement. Also, there are numerous reported cases of unregistered Subscriber Identity Modules (SIMs) to threaten and blackmail people. 1415 illegal accused mobile phone SIMs were collected from Dera Ghazi Khan alone. In Pakistan, the government has also been a victim. A hacker under the alias ‘Zombie_ksa’, hacked the website of the Supreme Court of Pakistan and defaced it. He uploaded content against the judiciary and Chief Justice and demanded that pornographic sites be banned and the poor be assisted. Given that the number of internet users is increasing day by day, it is expected that the
5
n.d. Natural Response Centre for Cyber Crime. http://www.nr3c.gov.pk/cybercrime.html.
8
rate of cybercrime will increase as well, which makes it utmost important that the issue of cybercrime be understood as fully as possible so that measures can be taken to counter it. Although Pakistan and other countries have established laws against cybercrime, they have failed to curb the issue because of institutional incapability, societal norms and lack of awareness. The purpose of our project is to explicitly research the incidence of four types of cybercrime namely hacking, spamming, phishing and harassment.
2.2 Purpose and Research Against this background and based on the seriousness of the situation, the primary purpose of this project is to research the incidence of various types of cybercrime and to provide an account of online expression and cyber risks in Pakistan by addressing the following research questions: 1. Are people aware of the risks they are exposed to in cyberspace? 2. What are the apparent patterns of stalking behaviors on the internet? 3. What type of financial opportunities are present in cyberspace in Pakistan? 4. How will the mindset regarding activities which some companies use for marketing such as spamming, phishing change in Pakistan? 5. What drives cybercriminals? 6. How might characteristics of the internet such as its global reach and online anonymity assist fraudsters and frustrate law enforcement? 7. What might internet users do in order to reduce their risk of victimization? 8. What low cost security solutions are available in Pakistan?
9
3 Methodology 3.1 Research Strategy The matter of this research is such that it requires the employment of a variety of means and strategies in order to sufficiently address our research questions. We ensured anonymity of our respondents in order to maintain the validity of our primary research. We also ensured that credible organizations and representatives are interviewed in order to make our research valid. To ensure reliability of our data, we took a large sample across different age groups and identifiable cohorts.
3.2 Data collection We collected both primary and secondary data for the various issues discussed in this project. For the section on cyber stalking and harassment, we targeted universities, social media, online journals and news articles. Our sources for obtaining research on hacking, phishing and spamming were online journal articles, the FIA’s National Response Centre for Cyber Crime (NR3C), cyber security solutions providers and universities.
3.3 Secondary Data The secondary data used in this project for the purpose of providing background information was mostly collected online in the form of journal articles from reliable databases such as JSTOR and Wiley, news articles, documentaries, resources on websites of credible organizations working on cybercrime such as National Center for Victims of Crime, Working to Halt Online Abuse (WHOA) and National Cybercrime Training Partnership as well as websites of local organizations such as Bolo Bhi, Digital Rights Foundation and Bytes for All. We also obtained information from books and journals that have been discussed in the literature review, regional print media, and press. Existing Pakistani literature on cybercrime also served as a point of reference.
10
3.4 Primary Data The research strategy that we implemented also included the collection of primary data for the sole purpose of attempting to fill the gap in research that exists on this topic in the Pakistani context. We obtained primary data through surveys, unstructured and semi structured interviews, field notes, analysis of documents and materials and case studies. Since a survey is one of the most effective methods of sampling individual units from a population, we designed a survey with the intention of gathering a sample size large enough to be representative. The target audience for this survey were individuals from various universities of Pakistan in terms of discipline, area and degree certification. Universities from Lahore and Karachi were targeted such as the Lahore University of Management Sciences, University of Central Punjab, Beaconhouse National University, Kinnaird College for Women, COMSATS, University of Engineering and Technology, Institute of Business Administration (IBA). We narrowed down our target audience to university students because most students are regular users of the internet which meant greater chances of getting responses from individuals who had been victims of cybercrime at one point or another. Enumerators were hired for obtaining survey responses in areas that we could not reach easily such as universities based outside of Lahore. In order to ensure that the results were genuine and dependable, we cross checked surveys and contacted random respondents to ensure authenticity. We also contacted individuals with interesting responses to take semi structured and unstructured interviews of these victims of cyberstalking, phishing, spamming, harassment and hacking to get detailed case studies of their experience with cybercrime and how they dealt with it. 318 students completed our survey and these individuals comprise of the sample of our project. We did statistical modelling by doing a trend analysis on the data to estimate relationships and correlations among variables to be able to analyze the occurrence of cybercrime in Pakistan.
11
Another method of primary data employed was interviews to obtain open ended qualitative data. Field notes were taken while conducting primary research in this form to serve as a point of reference during later analysis. Initially, we took unstructured interviews to establish contacts and develop a cleared idea of the issue at hand. Once sufficient insight, knowledge and information had been gained, we mostly conducted semi structured interviews to cover a very specific list of questions and topics in the interview. In order to maintain reliability and validity, we designed specific questions that were not leading and were worded carefully and clearly. We also remained as neutral as possible during the interviews so as not to influence the respondents’ answers in any way. The credibility of this method of data collection was ensured by selecting individuals who were accomplished in their respective fields. These individuals ranged from heads and representatives of government organizations such as the FIA (CPLC) and the National Response Center for Cybercrime to private NGOs such as Bytes for All and PISA to cyber security solutions providers such as Ebryx.
4 Literature Review Cybercrime has different forms and Grabosky sums them up in three broad categories: 1) Conventional computer crimes such as digital child pornography, piracy, or intellectual property theft, forgery, harassment and stalking 2) Attacks on computer networks or hacking 3) Conventional criminal cases such as drug trafficking with digital evidence.6
6
Grabosky, Peter. "The Global Dimension of Cybercrime." Global Crime 6.1 (2004): 146 - 157.
12
Conventional crime has adopted the internet for crimes previously committed physically and Marjie Britz distinguishes organized crime from cyber-gangs. She defines organized crime as a crime that has the elements of violence, physical interaction and corruption of political figures, organizational rules and investment in legitimate businesses. Cyber-gangs and cyber-criminal organizations are non-violent to the extent of being facilitated by the internet. Britz focuses on how criminal gangs have incorporated technology into the old crimes to facilitate them, but she does not treat cybercrime as an entity employing physical means. She gives an exhaustive list of physical crimes like extortion, cargo heists, ATM/Credit Card frauds, fraud, gambling, money laundering, theft of property, sex and pornography, etc. and explains how each of these crimes have modernized in a way to incorporate technology and in some cases being wholly transferred to the platform of cyberspace. For example, gambling previously involved street polity rackets and sports wagering while now the method includes online casinos and internet sports wagering.7 Yanping et al have grouped different forms of cyber-crimes into three roles they could play. First, the internet could be a tool in a criminal activity e.g. copyright infringements and spamming. An enormous amount of copyright material is available on the net and is being shared through peer-to-peer connections (torrents). Spamming, because of virtually no cost, has also been criminalized in the U.S and some companies had to pay large sums of money to settle suits against unsolicited emails. Second, the internet could also be a place of the target. An ever-increasing number of internet users provides easy targets to either stop access of members to websites or to take over them. The number of internet users is increasing on average at a staggering rate of 806 % globally and currently around 3.27 billion people use the internet. Therefore, a large number of online users and networks become targets of such attacks. Attacks are made through malicious
7
Britz, Marjie T. "A New Paradigm of Organized Crime in the United States: Criminal Syndicates, Cyber-gangs, and the Worldwide Web." Sociology Compass 2, no. 6 (2008): 1750-765. doi:10.1111/j.1751-9020.2008.00172.x.
13
codes, viruses, denial-of-service (DOS) attacks, and hacks. DOS attacks are becoming increasingly popular because they are usually targeted at high profile companies, banks, etc. Their purpose is to stop access of intended users to a particular website, service, etc. Recently, the group anonymous has demanded that DOS attacks should be recognized as a legal form of protest. Third, traditional crimes have shifted to cyberspace e.g. phishing, identity theft, child pornography, online gambling, and cyber-terrorism. Phishing refers to obtaining sensitive information like passwords, etc. by posing as trustworthy entities. In online space, identity theft can occur through many ways and the most common of them is through social networking sites. Fake accounts are made using the credentials of the original personality and are used for malicious purposes. The Internet has also played a role of a facilitator in the distribution of child pornography that has been criminalized internationally in any form, whether be it the possession or distribution- intended or unintended.8 In Pakistan’s context, limited literature exists when it comes to cybercrime. According to an article, individuals in Pakistan are victims of various cybercrimes such as “...financial crimes, cyber pornography, sale of illegal articles, online gambling, intellectual property crimes, email spoofing, cyber stalking, forgery, unauthorized access to computer systems\networks, theft of information contained in electronic form, virus/worm attacks, logic bombs, Trojan attacks, internet time theft, password cracking and buffer overflow…”9 yet there are no proper measures in place to combat the problems. Another research on Pakistan compares cybercrime with conventional crime and describes the types and targets of cybercrime and the prospects of a global culture of
8
Zhang, Yanping, Yang Xiao, Kaveh Ghaboosi, Jingyuan Zhang, and Hongmei Deng. "A Survey of Cyber Crimes." Security and Communication Networks Security Comm. Networks 5, no. 4 (2011): 422-37. doi:10.1002/sec.331. 9 Imam, Ahsan Latif. "Cyber Crime in Pakistan: Serious Threat but No Laws!" http://blogs.tribune.com.pk/story/15063/cyber-crime-in-pakistan-serious-threat-but-no-laws/.
14
cybersecurity. It discusses Pakistan’s cyber laws and suggests that the country should foster international linkages in order to increase web security and increase awareness about cybercrimes. Another research focuses on the advent of cybercrime in Pakistan given the increasing availability of the internet in the country. Approximately 10.6% of the population had access to the internet at the time of the study in 2009 compared to just 0.1% in 2000. They define cybercrime as any illegal act using computer as a tool or subject of the crime and predict that it will continue to increase in the country as long as network subscribers continue to increase and information remains easily accessible. Therefore, security authorities must give high priority to this type of crime. Although existing research talks about the emergence and existence of cybercrime in Pakistan, it does not provide data on the instances of such crime, which is a gap found in most research that exists on this topic. Cyberspace is an evolving arena with new threats emerging every other day. David Wall in his book 'Cybercrime' offers solutions to the issue in terms of controlling and policing the cyberspace and proposes methods to do both in an easy way. Wall looks into different types of cybercrimes including computer integrity crime, computer-assisted crime and computer content crime. Salvatore Poier when reviewing the book added that when trying to police and control we pose a threat to the freedom the internet provides and the methods used should only increase security for users and not restrict the freedom of publishing and gaining access to information.10 Majid Yar in his book 'Cybercrime and Society' has critically analyzed hacker’s identity and the issue of piracy. He has also looked into different types of cybercrimes and has dedicated special chapters on "Cyberfrauds, Scam and Cons", "Illegal, Harmful and Offensive Content
10
Wall, David. Cybercrime: The Transformation of Crime in the Information Age. Cambridge: Polity, 2007.
15
Online" and "Victimization of Individuals Online". These chapters further look into social issues such as hate speech, child pornography, cyberstalking, hacking and pedophilia. Yar in his book considers piracy as a social phenomenon, therefore, he is wary of the risks of indiscriminate criminalization. In the core of the book, he critically analyses hackers’ identity and the issue of piracy. Moreover, he talks of political hacking and so-called “hacktivism”. This is important because it points out how fragile and easy it is to manipulate opinions in the information society. After an analysis of well-known types of cybercrime- cyber-frauds, scam and cons, hate Speech, child pornography to cyberstalking and pedophilia; the book gives an introductory essay on the control and surveillance issue. He describes the problem at hand, uses examples, data and statistics to back his arguments and provides further questions for research to show the gaps that need to be filled in this field.11 Since cyberspace is a continually changing entity there is a need to keep updating current publications in order to keep up to date with the rapid advancements in telecommunication and internet. Most of the literature that exists does not discuss recent issues such as the crime risks associated with the use of mobile and wireless technologies; online gaming; threats to critical infrastructure posed by individuals and organized groups with political or religious motivations; the latest malware threats arising from bots, kernel-mode software, and ransomware and risks associated with new payment systems including credit cards. The effectiveness of Social Network Analysis (SNA) has been evaluated in an article 'The Social Network of Hackers' which has been listed under Global Crime. SNA has been used by previous researchers such as Morselli who used it to evaluate police investigations and found SNA
11
Yar, Majid. Cybercrime and Society. London: Sage Publications, 2006
16
metrics to be correlated with certain roles in criminal organizations. Researchers have also adopted SNA to uncover terrorist networks and this article particularly focuses on botnets and the ability of SNA to enhance the value of information on botmasters and hackers who may or may not be loosely associated with the victim. Although SNA can be used as a promising research method it is critical that the challenge of meaningful analysis of the data is conducted successfully.12 Bernat and Godlove describe the social networking phenomenon as ‘hyperinterconnectivity’. By 2009, one out of four people in the world was connected to the internet, which means that there could literally be no space between the victims and the perpetrators. It is not possible to estimate the accurate impacts of cybercrime due to underreporting. Companies sometimes are not willing to reveal any cyber-attacks to prevent shocks in company stocks. Likewise, young people might try to hide victimization and not report to parents or the police. Bernat and Godlove touch on the issue, but do not provide any tangible suggestions towards stopping or mitigating the effects of such a global phenomenon. Miller and Mundey delve into certain rules to follow in this age of hyper-interconnectedness to protect especially the youth on social media. A study composed of 227 young Social Network Sites (SNS) users revealed that about 75% of the respondents had at least one incidence of disenchant (discontent or discomfort) because of SNS. To avoid these negative interactions, youth follows three simple rules to avoid future incidences. First, limit what you share with others; second, do not try to find too much about other people online as a matter of principle; third, keep online contact with people you know in real life.13
12
Décary-Hétu, David, and Benoit Dupont. "The Social Network of Hackers." Global Crime 13, no. 3 (2012): 160-75. doi:10.1080/17440572.2012.702523. 13 Bernat, Frances P., and Nicholas Godlove. "Understanding 21 St Century Cybercrime for the ‘common’ Victim." Criminal Justice Matters 89, no. 1 (2012): 4-5. doi:10.1080/09627251.2012.721962.
17
Hof et al. have carried the conversation further by pointing out how new technology poses a threat to the new generation and greater control oriented laws to tackle the threats raise the question of freedom versus state control. The current conversation in the realm of cyberspace is regarding the misuse of new technologies by mostly the young generation and at what point should a line be drawn. Two phenomena have emerged in criminal law: grooming and sexting. The perpetrators use the children and adolescents as victims requiring care and attention. Their actions involve paying for travel expenditures of the children, etc. With the end to develop child pornography and abuse them, which is itself a criminal act. Hof et al. cite an Associated Press poll according to which a third of 18-24 years old and a quarter of 14-17 years old have at some point in time been involved with sexting. Users describe it as ‘flirty’ and ‘fun’. But such behavior could be extremely dangerous because once compromising photos or conversations are leaked to the society, they can be devastating for the person.14 Cyberstalking is the unwanted following and pursuance of an individual online with invasion of privacy and constant monitoring of every move involved in the process. It is a form of threat and harassment that can disturb the victim and induce fear and distress. A number of authors have defined it as “the use of electronic communication including, pagers, cell phones, e-mails and the Internet to bully, threaten, harass, and intimidate a victim”.15 It is not just limited to individuals. Bocij and McFarlane define cyber stalking as a group of behaviors in which an individual, group of individuals or organization uses information and communications technology (ICT) to harass
14
Hof, Simone Van Der, and Bert-Jaap Koops. "Adolescents and Cybercrime: Navigating between Freedom and Control." Policy & Internet 3, no. 2 (2011): 51-78. doi:10.2202/1944-2866.1121. 15 Alok Mishra, and Deepti Mishra. "Cyber Stalking : A Challenge for Web Security (PDF ..." Accessed May 16, 2016. http://www.researchgate.net/publication/259148587_Cyber_Stalking__A_Challenge_for_Web_Security.
18
one or more individuals. Such behaviors include and extend beyond crimes such as false accusations and threats, identity and data theft, intimidation and confrontation.16 Earnest and Young carry out a Global Information Security Survey annually in which they investigate the most important cybersecurity issues that businesses face. The 2015 Global survey had 1755 organizations as participants and the survey applied its previously proposed concept of how organizations could get ahead of cybercrime by following a three-stage journey- ‘Activate, Adapt and Anticipate’. Organizations need to have a solid cyber-secure foundation for them to adapt to changes for survival and growth. They must anticipate what they need to protect and rehearse appropriate responses to likely attacks. The 2014 information security survey discusses the three foundational, dynamic and proactive approaches in detail and the following 2015 report builds on it. The reports claim that the threats to cybersecurity are evolving so the issue needs to be taken seriously by departments other than IT. In a rapidly evolving world, "cybersecurity is key to unlocking innovation and expansion, and by adopting a tailored organization and risk-centric approach to cyber security, organizations can refocus on opportunities and exploration. Building trust in a business that operates successfully within the Internet of Things (IoT), and that fully supports and protects individuals and their personal mobile devices (from a simple phone to a health care device, from smart appliances to smart cars), is a key to competitive differentiator and must be a priority". For the organizations to recognize the current challenges and to understand what they need to do, they need to think fully about today's attacks in the digital world, how they unfold, why are they still so vulnerable and how to shift to an active defence strategy. The report identifies the accelerating
16
Bocij, Paul and Leroy McFarlane. "Online harassment: Towards a definition of cyberstalking." Prison Service Journal 139 (2002): 31 - 38.
19
catalysts that pose a threat to the organization to be mobile, internet of things, sensors, analytics, social, 3D printing, cloud, cyber and artificial intelligence. According to the survey, 44% feel vulnerable in relation to unaware employees, 34% feel vulnerable due to outdated systems, 44% see phishing as the top threat and 43% see malware as the top threat. The report encourages organizations to start thinking about risk management principles and proposes a starting point:
1. Focus on what matters most 2. Measure and report 3. Comprehensive in Nature 4. Allocation of risk appetite 5. Integrate with business planning
According to the survey, 59% see criminal syndicates as the most likely source of an attack, 54% see hacktivists as the most likely source of any attack and only 35% suspect state-sponsored attacks. Only a minority claimed to have a robust incident response program that includes third parties and law enforcement and is integrated with their broader threat and vulnerability management function. The respondents considered data leakage and loss prevention a matter of high priority; insider risks and threats of medium priority and social media as a matter of low priority for their organization over the next 12 months. The report concludes itself by emphasizing on why active defence is important and how to build it. 17 Frank Guarnieri and Eric Przyswa base their article “Counterfeiting and Cybercrime: Stakes and Challenges” on the cybercrime definition articulated in the Tenth United Nations Congress on
17
Creating Trust in the Digital World. http://www.ey.com/Publication/vwLUAssets/ey-global-information-securitysurvey-2015/$FILE/ey-global-information-security-survey-2015.pdf.
20
the prevention of Crime and Treatment of Offenders in a workshop devoted to the issue of crimes related to computer networks. The risks are divided into two types: risks to the cyberspace and risks through the cyberspace. Risk management should focus on economics instead of criminals and the book concludes by giving suggestions on risk management. The issue of counterfeiting and cybercrime creating new forms of criminality is looked from the angle of criminal organizations, search-engines and consumers. The proliferation of points of vulnerability has been discussed on criminological level, capitalist system level and geographic level and the consequences of such as boomerang effect have been discussed.18
Digital piracy is a crime on which Robert G.Morris, Matthew C. Johnson and George E. Higgens conducted a test to explore the role of gender in predicting college student's willingness to participate in such a crime. Digital piracy and illegal data sharing lead to fiscal losses which are responsible for a decrease in available jobs, lost tax revenue and reduced creative motivation on the part of developers. The findings suggest that gender is not the significant motivation force behind the crime when controlled for other factors and even the impact across genders is well matched in lieu of existing theories of crime such as social learning, self-control, techniques of neutralization, and micro anomie. The standard model suggests that neutralization is the strongest predictor in the world followed by micro anomie and then differential association and race, selfcontrol being the least significant.19 Gabriel Weimann in his book “Terror on the Internet” has treated the issue as one of political communication and marketing. Communicative uses focus on advancing ideological messages and
18
Guarnieri, Franck, and Eric Przyswa. "Counterfeiting and Cybercrime: Stakes and Challenges." The Information Society 29, no. 4 (2013): 219-26. doi:10.1080/01972243.2013.792303. 19 Morris, Robert G., Matthew C. Johnson, and George E. Higgins. "The Role of Gender in Predicting the Willingness to Engage in Digital Piracy among College Students." Criminal Justice Studies 22, no. 4 (2009): 393-404.
21
disseminating views, while marketing focuses on instrumental uses of internet in data-mining, networking, recruitment and mobilization, online instruction and chatrooms to coordinate action. The last chapter of the book on “Balancing Security and Civil Liberties” talks of political marketing playing a role in circumstances such as hyperlinks and blogs being used to extend interactive reach and functionality. He has used the example of Al-Qaeda and Bunt’s work i.e. “Virtually Islamic: Computer-Mediated Communication and Cyber-Islamic Environments,” to explain how the political group used the internet to politically communicate and spread terrorism.20
5 Research Findings A survey designed for university students was conducted in two cities of Pakistan. After obtaining 318 responses to our survey, the data was coded and converted to a format suitable for our statistical software, Stata12. A trend analysis was done by means of frequency distribution, mean, and standard deviation analysis to investigate the correlation between gender, victimization, social media footprint, how serious an issue is considered and security measures taken. We generated a dummy variable ‘Female’ to separate the females from our dataset and checked its relationship with the incident of victimization of various cybercrimes. The correlation between victimization and women is stronger than the correlation between victimization and men, which implies that the
20
Weimann, Gabriel. Terror on the Internet: The New Arena, the New Challenges. Washington, D.C.: United States Institute of Peace Press, 2006.
22
chances of females being victimized are much higher compared to the males. Figure 1 lays out the reasons for victimization of women when it comes to cybercrime.
Figure 1: Victimization of Women
A plausible explanation for these results is that the social context of Pakistan allows for suppression of the female voice, hence it results in greater victimization of women. Cultural norms and the concept of ‘honor’ make women reluctant to seek help, therefore crimes that occur online are swept under the carpet. Moreover, according to the results, women are less likely to be victims of crimes such as credit card theft and e-commerce. Our sample size mostly comprised of university students who in a Pakistani society are not financially independent, therefore this result could be an indicator of this phenomenon. According to some NR3C data that we obtained directly from the organization, the occurrence of computer and mobile related crime and forgery is the third most frequent offence in Pakistan (Figure 2). According to a study conducted in Pakistan on online purchasing behavior,
23
the majority of the people were not comfortable with using credit card online and 171 out of 300 agreed that they hesitate when faced with an online transaction. 21 The comfort level shows that people in Pakistan are still struggling with using digital currency and may become victims of perpetrators who take advantage of people who are unaware of the safety precautions required to protect digital currency.
Figure 2:Category-wise Percentage of Cyber Crime in Pakistan
Next, we checked the impact of an individual’s social media footprint on their likelihood of being victims of cybercrime. Social media footprint can be defined as the virtual trail of data users leave behind as well as the information that is publically available every time the internet is used. For the purpose of our dataset, we created an index of users’ online presence based on the number of social networking platforms that they use. The use of every additional app was treated
21
Rehman, Kashif ur, and Muhammad Ashfaq. 2011. "Examining Online Purchasing Behavior: A Case of Pakistan." International Conference on Social Science and Humanity (IACIT Press) 5.
24
as carrying equal weight towards their online presence, irrespective of the time they spent using that app. We divided social media footprint into ‘high’ and ‘low’ with ‘high’ constituting of people who used more than 2 social networking applications and ‘low’ comprising of people who were not as active online and used less than 2. Out of 318 respondents, 231 had a high social media footprint while 87 had low social media presence. These 87 individuals also include those individuals who use only Facebook or WhatsApp. The results revealed that there was negative correlation between cybercrime and social media footprint which means that more active individuals have lesser chances of being victimized online.
According to a dataset obtained from the NR3C, the most frequent offence is of computer related acts causing personal harm through social media and around 60% of reported crimes are Facebook related. Moreover, in an interview, the dean of Student Affairs at LUMS, Yasser Hashmi said, “Social media has increased our vulnerability to cyber-bullying, it is difficult to get out of the loop and mitigate the impact of cyber-bullying on an individual.” However, our survey result does not support this. We suspect that this may be because experienced users of social media are well aware of the existence and consequences of cybercrime and know about the precautionary measures that need to be taken to avoid being a victim of cybercrime. Our dataset reveals a negative correlation between number of years the individual has been a user of social networking sites and victimization, which supports our reasoning because of a greater knowledge of risks involved in the use of cyberspace.
We also looked into how individuals rank their experience with various cybercrimes such as phishing, spamming, hacking, stalking and harassment. Individuals were asked to rank the seriousness of their experience on a scale of 1 to 10. We created dummy variable ‘Very Serious’
25
for people who responded with 8 and above, ‘Moderate’ for responses that ranked seriousness between 4 and 7 and ‘Not Serious’ for responses that ranked below 4. We did a gendered analysis of these variables to find out how seriously men and women rated their experience with cybercrime. The results indicate that 43.3% of women ranked hacking as a very serious issue followed by stalking, spamming and phishing. On the other hand, 62.9% of women ranked phishing as a moderately serious problem followed by spamming, stalking and hacking. Next, we looked at how rating of seriousness effected action taken against cybercrime. Dummy variables for type of action taken were generated: ‘Serious Action’ represents reporting to the police and FIA and ‘Non-Serious Action’ represents reporting the crime on the relevant social media application, taking help from a computer expert etc. The result reveals that regardless of level of seriousness, every respondent took some sort of action when they were victimized instead of not taking any action at all. In an open ended question on ways to deal with cybercrime, most individuals expressed distrust in the authorities and cybercrime laws prevailing in the country and said that they prefer to deal with it on their own by either correcting their privacy and security settings online or taking help from a computer expert. Most ended up blocking and reporting the offender online. Another popular precautionary measure was not uploading pictures and personal information online in the first place. In the case of cyberstalking, there was negative correlation between serious action taken and level of seriousness, which means that respondents do not report cyber stalking to the police or FIA. For all other cybercrimes, the correlation is positive which means that if the issue was considered serious by the individual, he or she was likely to take serious action against the crime. The popularity of actions taken to deal with cybercrime was checked. The results indicate that the most popular response amongst both men and women is to fix their online security and
26
privacy setting, reporting to the concerned social media application as a second popular option followed by taking help from computer experts respectively. A difference between responses by men and women is that for men, taking no action is preferred to reporting to the police while women are indifferent between reporting to the police and not taking any action. According to the NR3C dataset, only 20% of all cybercriminal activity is reported in Pakistan. Moreover, in 2015, 4361 complaints were launched and only 618 inquiries took place which is only 14.2% of the total complaints received in that year out of which only 32.6% were registered as cases (Figure 3 on the following page). The lack of prompt response and attention given to complaints and inquiries coupled with the fact that the lengthy process of filing a complaint makes people unsure about the acceptance of their case makes people reluctant to report their issue to the Police or FIA. In an interview, a representative of NR3C stated that women do not usually report their cases to the authorities because they are afraid of dishonoring their families because crimes such as hacking, harassment and stalking are blamed on the woman involved which makes them afraid of publicizing and drawing attention to their victimization. This explains why women are less likely to take strong action against their offender despite thinking that the offence is serious.
27 MarYear Complaints Enquiries Cases Arrests
2007
2008
2009
2010
2011
2012
2013
2014
2015
16
Total
157
368
510
704
786
917
1312
1782
4361
945
11842
73
241
491
279
500
597
697
676
618
191
4363
8
58
68
52
53
65
100
305
202
66
977
10
63
57
79
39
30
73
113
213
677
15
17
15
3
47
107
71
275
1317.8
1523.0
56.61
13.46
113.96
14.41
121.12 9
29
Grey Traffic (VoIP) setups captured Loss Averted through Action against VoIP setups (figures in Million Pak Rs.)
3160.479
Devices Forensically Analyzed
292
964
1964
1116
2000
2388
2788
2704
2472
764
17452
Forensic/ Technical Reports
219
723
1473
837
1500
1791
2091
2028
1854
573
13089
HDD Forensically Analyzed
191
631
1285
730
1309
1563
1824
1769
1618
500
11421
47771.
157710
321310
182577
390676
456116
442374
404419
12499
2
.4
.4
.6
327200
.8
.8
.4
.2
0.4
28662
946262
192786
109546
196320
234406
273670
265424
242651
74994
72
4
24
56
00
08
08
64
52
24
101
333
679
386
691
825
964
935
854
264
Volume/data Forensic (GB)
Cost of HDD Forensic at the rate of PFSA Pak Rs.
2855147.2 Rs. 171.3 Million
Mob & Other Devices Forensically Analyzed
6031
Figure 3: NR3C Data. Please note that NR3C provides free of Cost Digital Forensic Analysis services. Cost as per PFSA rate is calculated to show the efficacy of the department
28
The survey also reveals that hacking is the most common cybercrime targeting university students as 42.5% of the respondents said that they had been a victim of hacking. The second most common cybercrime is online stalking with 40.5% university students being victims of online stalking while only 13.5% have been harassed online. Figure 4 distinguishes between the means for incidences of cybercrimes amongst males, labelled 0 and females, labeled 1.
Figure 4: Gendered Victimization. Male (0), Female (1)
When asked how they would define cyber harassment, most individuals correctly identified it as the online form of real life stalking, bullying, harassment, hate speech, misusing someone’s personal information and data. Hacking, the creation of the victim’s fake account and adoption of the victim’s identity were cited as the consequences of cyber harassment. However, only 5.3% of
29
the respondents pointed out that this is an illegal offence. This leads to the conclusion that while cyber harassment is prevalent among university students in Pakistan and they have awareness of what it is and how it can be dealt with using the options available online, neither does the majority realize the seriousness of the issue, nor do they think that this act is illegal in the country and should be dealt with by approaching the relevant government authorities. This can be corrected by raising awareness about cyber harassment, its causes and consequences, and the various options available for successfully dealing with it.
6 Types of Cybercrime 6.1 Hacking To hack is to gain unauthorized access to a computer that does not belong to you. In today’s modern world, this is a grave problem and it is extremely important to find a solution to minimize its consequences. Howard Raiffa, influential Bayesian decision theorist and pioneer in the field of decision analysis, has given a guidance to the solution of this problem in these words: Game theory, however, deals only with the way in which ultra-smart, all knowing people should behave in competitive situations, and has little to say to Mr. X as he confronts the morass of his problem. To be able to deal with the issue strategically we should follow a game theory perspective like Howard Raiffa’s. So to look at the issue from a game theory perspective, assume that there are two players in this game. You are Person X whose computer is at stake and the other person is Person Y who wants to gain access to person X’s computer. You, as Person X, will try to protect yourself while person Y would try his best to attack you. The smarter of you two will win the game. In today’s digital age, every person is Person X whose computer privacy and data are at
30
stake. There are many prevention and safety measures taken by individuals and corporations to protect themselves and we will look into the common types in this chapter. But if you, person X, want to be ultra-smart, you should think as a hacker and not as a victim. Knowing how a hacker would respond in different cases will prove to be more effective than just observing what option seems best to you. In this game, Person Y, the hacker is shrewd and keeps track of the victim’s moves and tries to get as much information as possible. Similarly, you being Person X, the target, are rational and would try to protect yourself and minimize risks. There are many options that you may consider that might help you secure yourself. You can do a security assessment in which you can check for all obvious threats, such as strong passwords, buffer overflows and ensure that security patches are updated regularly. Additionally, this will help you keep an eye on the log files and audit it so you can notice any suspicious activity. You will install security solutions and follow the rules of keeping a strong password. You will also take steps to physically protect the machine and would avoid using any external hard drive or software from untrusted sources. If you think your internet explorer is acting suspicious, you would consider using a different browser. Summing up, you would try to take the precautionary steps based on your understanding and do relevant research because you are a rational person. However, it is not necessary that the measures taken by you are fully effective in protecting you. Now we can analyze the situation by looking at the three possible threats person X faces. Person X can be at risk because of an insider, an outsider or both. First, we analyze the risks from insiders, the threat and the solutions followed by the same analysis for the outsider and the case where both the insider and outsider are a threat.
31
6.1.1 Insiders According to a research, insiders pose greater threat than outsiders, accounting for 65% of the nuisance. 22 There could be multiple reasons why a staff member or a colleague would be interested in stealing your data. They may do it so that they can work from home in case it is not officially allowed. They may be saving it for future use, in case they get an opportunity to sell it to a competitor or they may have already been bribed to steal it. They may be planning a complaint against the company for which they need the data to accuse the company of being engaging in illegal or unethical work. Even if you take the obvious prevention methods such as firewalls and intrusion detection tools, the main and strongest point of ingress for the attackers will continue to be the staff members who are either ignorant, greedy or unhappy. We can take the example of scamming; you cannot stop a staff member from opening an email attachment which looks relevant unless you train your employee to differentiate between safe and unsafe attachments. The attack can take place in many forms. In a brute force attack, the hacker has the employee ID list and can use an automated program that will try thousands of passwords every minute. The authorized user can also carry out buffer overload attacks in which he will pass more input than the program would expect to receive which would trick the operating system into executing the commands the hacker has written as a memory code. A company should be cautious when giving database access to all the employees. Every insider can be a risk, they can try to gain privileges and carry out offensive acts such as modifying company data.
22
Schifreen, Robert. 2006. Defeating the Hacker : A non-technical guide to computer security. Wiley.
32
6.1.1.1 Social Engineering Hackers may use the skilful technique of social engineering for numerous reasons. Let us look at the Hacker’s condition. The hacker wants to know the IP address, operating system, database, user names along with email ID's and the security methods used in an organisation. Furthermore, he knows that the company is very possessive about their secrets and would not tell an outsider because of which the hacker would want to target an insider. The process of social engineering involves persuading someone to divulge confidential information by pretending to be someone who is entitled to own it. This can be carried out in person, face to face, or over communications media such as telephone or email without the help of any software. No special software is neededjust clever words. The targets are usually junior staff members who are unaware of the risks, are not familiar with most of the company’s employees and are more likely to accommodate people who they believe are from their company because they want to protect their job. The hacker may disguise himself over a phone call and ask for a list of the ID's of the company's employees or any other detail that they might be able to get. In this process, there is a great risk to the hacker as he carries out the act in person, usually by direct communication with the company employee so he needs to weigh if the advantages would outweigh the risks. The hacker would not always communicate over a phone call, he may even fake a job application for an IT department position, and inquire about the system and the details in the interview through cross questioning. After this, the hacker will be capable of launching brute force and dictionary attacks. He would know the security software used for the company and would focus on defeating that particular type. Since people are the major culprit in this type of hacking, the solutions to this problem are the people themselves. A human firewall can be created by each company in which the employees are trained on how to defend themselves from social engineers to maintain privacy and secrecy.
33
Every company should have the formal written document called Acceptable Policy Use (AUP), which should be signed by employees before they get access to any sort of technology or network. The document should clarify what the employee is allowed to use, what the employee is not allowed to use and what the consequences of breaking the law are. The document may contain policies on sections such as Web surfing, Virus Precautions, Personal email, Software installation, Firewall, Encryption, Law, Logging and surveillance, Passwords, Laptops, Use of internet forums and the disposal of equipment. 6.1.2 Outsiders The outsiders for an organization are people who are not a part of the organization and do not have legitimate access to the company’s machines. The outsiders for an individual can be anyone who is not given access to the device by the owner but tries to get illegitimate access. In this section, we will try to focus on the hacking of wireless networking by outsiders who are not given a password to the network. We will also discuss how firewall as a protection mechanism may fail and why from outsiders. 6.1.2.1 Wireless Networking When LAN and WAN cables were used to connect to the network, the network operators has control over who uses the network, but with the advancement in technology anyone with the Wi-Fi password can connect to the network. Wi-Fi has gained popularity as it cuts down on cable costs and provides the convenience of being used on any portable device and does not require a huge desk space. However, Wi-Fi has attracted hackers who either want free connectivity or have other motives such as stealing data. Locating the unprotected Wi-Fi is extremely easy for a hacker as any device with wireless connectivity will display the available networks and give the option of connecting to any of them. They can then use a program that searches for WAP and helps the
34
hacker choose the fastest connection with the best signal. Such programs can be self-made or downloaded from the internet. Wi-Fi connections at home and at the workplace need to be protected and it can be done easily. If the Service Set Identifier Broadcasting (SSID) is disabled, the network would not be broadcasted in the available networks list of a potential hacker. Avoiding personal name to identify one’s SSID in case the network is made public makes it difficult for the hacker to guess the password. Companies use same default usernames and passwords for Wireless Access Point (WAP), changing them provides enhanced security. WAP manufacturer's websites provide updates to firmware software for their devices, installing those covers security threats. It is recommended to get a WAP which has a logging facility to keep a tab on who has been using WLAN without permission. Bluetooth can also be used to steal Wi-Fi, therefore Bluetooth should be turned-off while not in use. 6.1.2.2 Firewall Firewall is a very important tool for security from outsiders. A firewall is an electronic filter that allows you to block communications over the internet according to their source, destination, direction or port number. Note that the firewall only protects from the outsiders, not from the insiders. Firewalls need to be configured properly or the hackers can use techniques such as tunnelling which allows the internet traffic to be send over non-standard ports to confuse and bypass the firewall. Thus, one needs to be careful when selecting a firewall for personal or business use. This can be done by doing research and survey of the options you are considering. Please note that companies that offer firewall and security use hacking competitions’ success stories to market themselves by boasting that the firewall stood up to millions of attempted attacks. One must be smart enough to realise that they just reinforce the fact that firewall will protect you if it is correctly
35
configured and do not take into account attacks such as social engineering. The results they state are in an idealistic world where all the insiders are following the rules and there can be no denial of service attack either. Firewalls can be effective in providing you protection against Vandals, who are less skilled hackers trying to break into your system with less evil motives but Firewalls may fail when a skilled hacker targets an insider from your company to break into your system. It is for this reason that one cannot depend on the firewall to protect your system on its own.
6.1.3 Insiders and Outsiders The hacker may have different motives to hack into systems with major motives being data theft and defacement. Now we will look into how the hacker may hack, what he would target and how a person X can minimize the risk. We will begin by discussing backups, encryption and password as a risk reducing mechanism before we move on to the type of attacks and safety suggestions against them. The most important daily routine action that should be taken by everyone is to maintain a backup. A backup is a copy of your database and it is up to you to decide whether you want to keep a complete backup or a partial backup and if you only want a data backup or a full system backup. If you are keeping your backup in a hard disk, you should make sure that it is in a zone which is away from disasters such as a bomb or fire. It is preferred to keep the backup outside your company; this may be in some other branch or in the possession of a trusted employee. Backups target hackers because it is a readymade compilation of all the data they might need. Since multiple files are created dynamically, the owner faces difficulty in keeping them all safe and a hacker can exploit the situation. Backups can be extremely useful in cases where a system fails due to any
36
reason and any company should prioritize maintaining them. Companies should also pay attention to the archiving policy and decide if they want it to be tampered with or not. Encryption is the best strategy amongst existing ones because it gives users peace of mind knowing that even if the offender gets illegitimate hold of the data, it will take him time to decipher it. The quality of a good encryption is that everybody knows what is required to crack the algorithm, but nobody is able to do so. Since the algorithm is crucial, one should always use a recognized international standard algorithm and be aware of any proprietary encryption algorithms developed by backup software developers.The length of time required to crack down a known encryption algorithm is one of the reasons why experts specify certain definite time periods for the duration of the passwords after which they automatically expire. Apart from backups, data in any form should be encrypted as well. The consequences of encrypting data are that it adds another level of complication for the users, slows-down performance and attracts hackers. You can also encrypt your data storage devices by formatting them to NTFS format which will allow you to copy encrypted files to the device without losing the encryption. For added security you can buy USB sticks and portable hard disk drives that include hardware-based encryption as standard. Anything copied to the device will be automatically encrypted and access to the files requires a special program to be run that asks for your password. You can use the public key and private key mechanism to share the password with the receiver after encryption. Apart from encrypting backups, it is extremely important for one to encrypt emails as well. Emails are very popular as a medium of sending information (especially confidential information) between people. This method is very highly insecure and unreliable as there is no build-in way of discovering if the email has reached the destination, if the email is secure and from the sender it states it is from. As a counter to this issue, in the case of sending confidential data by email, the
37
data is encrypted by the sender and later decrypted by the recipient. There are four methods to do this encryption; Scrambling, Integrity, Non-repudiation and digital signatures. In Scrambling, the information cannot be read by someone who is not the destined recipient. In Integrity, the decryption process will fail if someone tries to alter the content or the transmission fails. The public key encryption type non-repudiation accurately traces the sender of the message. Similarly, Digital Signatures also confirm the sender by taking a digital signature of the sender whenever an email is sent or received. Passwords are cheap and easy as they do not require purchasing hardware or installing expensive software. However, if the password comes in wrong hands, the results can be disastrous. If someone other than the legitimate owner gets hold of the password, there is a probability that no one will ever be able to figure out if someone is using the account. This is why passwords need to protected and we will discuss some ways of securing passwords. There are many ways that a hacker could try to steal your password. Even if the hacker cannot break the password, it still can be as easy for him by using a keystroke logger23. At sign up, people are given instructions on how to make the password strong by including characters and numbers in their passwords, one should follow the instructions and keep a habit of changing the password every month or so. There are many ways a password can be used and two of them are discussed below:
6.1.3.1 One-Time passwords A one-time password expires after each use. The next time the user needs to log in, a new password has to be used. This helps to avoid shoulder-surfing, where someone stalks the person entering the
23
Keystroke logger is a software that captures what is typed and sends it to a remote location. It is useful for stealing passwords, credit card numbers, and other confidential information.
38
password, and also in the case where a secret key-stroke logger grabs the password. Once all the passwords are exhausted, the user can be secretly issued a new list of passwords by post or by a secure email. Special precaution needs to be taken to make sure that nobody gets illegitimate hold of the list of the passwords. 6.1.3.2 Duress passwords As we all know that attackers are interested in obtaining passwords, there could be instances where perpetrators force a user to share or enter the password. The authenticator is provided with two passwords; a 'regular' password and a 'panic' password. Under panic situations, the user enters the panic password which signals the system that the password is entered under duress and the transaction needs to be stopped initiating counter measures. Duress passwords can be used in many cases. In an ATM the user may choose a predefined pin for normal authentication and use the same pin in the reverse order to signal duress and limit the amount of the transaction. In case of biometric verification, one can use the left thumb instead of the right one. In a home security system, there may be a panic password given to the issuer which would help turn the alarm off and deceive the burglar that they are no longer under the threat of the police. When authenticating access to a network, the duress password would direct the user to a different database than the normal one which would prevent access to important information24. Duress password in a mobile can protect the mobile data. They can also be used to protect backups in a way that a duress password would delete all the data since it is at risk. The advantage of duress password is that the offender is deceived that he has gained access to the data and his further attempts are discouraged. However, there are ways to bypass the duress password system but in case where the offender is not aware
24
Clark, Jeremy, and Urs Hengartner. 2008. "Panic Passwords: Authenticating under Duress." School of Computer Science ; University of Waterloo.
39
of the duress mode he would not try to bypass. Thus, duress passwords can be effectively used as a part of the intrusion detection process and also to minimize the damage. 6.1.4 Denial of Service Attacks (DoS) Denial of service attacks require the hacker to use the publicly available facilities of the target computer and make the network or the computer temporary unavailable to its legitimate users. The hacker does not need to worry about overcoming security barriers such as passwords and firewalls. There is a limit to the amount of requests the server can process per minute and denial of service attacks exceed the limit to the extent where the system can no longer process the requests resulting in a system crash. Committing such attacks is easy as it only involves selecting proper tools and a target. Previously, the Denial of Service Attack's traffic originated from a single source and the solution would be to somehow manage to make your machines work and block the IP of the source that is attacking you. This also required the attack source to have a larger server than the victim to be able to send the sufficient volume of data. However, the attackers progressed and came up with the Distributed Denial of Service (DDoS) Attacks mechanism. They employe and controll thousands of computers from around the world to join them in the attack and send the traffic from different IP's making it impossible for the victim to control the situation by just blocking an IP. Here the risk is not only to the computer that is being attacked, but also to the computers which are being used as zombies by the attacker to carry out the DDoS attack. This is done with the help of Trojan software and viruses which are installed on the computers of the people who fall victim to spam. The zombie computer works fine so the owner does not realise that the computer is being used by somebody else. The hacker makes a team of several thousand zombies after which they attack the company from numerous locations using the computers they do not physically own. Sometimes the DoS attacks are nor deliberate but accidental. This can be
40
due to an error in the configuration file of hackers or any hardware malfunction. However, most of the times it is deliberate and you should have a backup strategy to handle the situation as nothing can be done urgently if you are not prepared. Because firewalls and different software fail to prevent the attack, the better option would be to spend on hardware products that can filter out the DoS traffic before it reaches your network. As the work is technical, you might want to consider outsourcing it to a third party for their filtering services and as an alternative route to all your traffic. The disadvantages of outsourcing will be dealt with later, but for now it is important to understand that if public servers are maintained, the best option is to leave the responsibility to professionals. Despite all this, at your own personal level you should install all security patches on workstations and networks and update them regularly. 6.1.5 Defacement One of the purposes of a hacker to hack is to deface a company or an individual. Defacement is when hackers do unauthorized alteration of content of a website or any other media. A study of 462 defaced websites by Hyung-jin Woo et al. describes how the websites were changed. In their paper 'Hackers: Militants or Merry Pranksters? A Content Analysis of Defaced Web Pages' explain this behavior through the Social Identity Theory which suggests that people have an innate and powerful tendency to organize themselves into groups because of which they try to maximize the esteem of their group by various methods one of which is defacement through hacking. The extent to which persons associate themselves with groups establishes their social identities. These groups might be political (liberals, conservatives), religious (Christian, Muslim), ethnic (Jews, Arabs), or even social (Cubs fans, Mets fans). The fact that 70% of the defacements were just pranks by people who wanted to impress other people by showing how smart they are
41
supports this theory that the move has a social identity factor attached to it25. One example of defacement is of the CIA website which was hacked and the name was changed to Central Stupidity Agency by Swedish hackers in 1966 as they were angry over a court case. Another example of political defacement is when Bill Clinton's website directed people to playboy.com. Since these cases are related to famous entities they were reported, there are numerous cases which go unreported. Since the most common target for defacement is a website, steps should be taken for its security by the owner of the website. The website server can be placed at the owner's premise, at a co-location or with a third party hosting provider, but the responsibility of protecting it lies with the owner. The Common web hack techniques are SQL injections, Cross-site scripting, Cookie poisoning and Form Variable tampering. The SQL Injection is a type of web application security vulnerability in which the attacker submits a database SQL command to be executed by a web application, exposing the back-end database. The Cross-site scripting attack takes advantage of a website vulnerability in which the site displays content that includes unprotected user data. On the Web, cookie poisoning is the alteration of a cookie (personal information in a Web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft. The Form Variable Tempering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, which can be user credentials and permissions, price and quantity of products, etc. This information is often stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application
25
Woo, Hyung-jin, Yeora Kim, and Joseph Dominick. 2009. "Hackers: Militants or Merry Pranksters? A Content Analysis of Defaced Web Pages." (Routledge). http://dx.doi.org/10.1207/s1532785xmep0601_3.
42
functionality and control. In order to protect your website one should take basic steps such as using basic http authentication, protect the domain name. As a safety precaution, website owners should restrict the type of files users can upload as any file may contain a poisonous script. Use a security certificate whenever you are passing personal information between the website and web server or database and download security software to do penetration testing. Installing a Web Application Firewall (WAF) scans the data passing through the website server and data connection. Admin pages should be hidden because if they are not indexed the hacker will find it difficult to locate it. Network security should be tightened and special consideration should be given to scanning the external drives plugged in as they need to be scanned for malware regularly. Passwords should be protected through the password protection mechanisms. A Web filtering software can be used to control user's access to websites. Such programs include reporting facilities so if someone is making repeated attempts to access banned sites, system manager can be alerted. 6.1.6 Solutions There can be many solutions to limit the threat from both outsiders and insiders and the perfect one would vary from one organization to another. Protecting oneself can be as easy and cheap as hiding the name of a website and it can be as expensive as outsourcing the responsibility to someone else. Security through Obscurity (STO) is the belief that a system of any sort can be secure as long as nobody except the owner is allowed to find out anything about its internal mechanisms which reduces the need for additional security. Example can be using an obscure URL instead of a very difficult password. Since nobody except the owner would know of the existence of the domain, nobody would try to hack it which reduces the need for a password to be extremely strong.
43
Since the existence of the protected system is itself a secret, it does not require further security. The disadvantage of using such a technique is that anyone with the URL can breach and the owner might not even notice any defacement. Thus STO should be used as a layer, but should not be relied on solely for protection. If a company that does not have the resources to take care of their IT security, one option is to outsource the task to Managed Security Service Providers (MSSP). They can do simple routine work such as resetting forgotten passwords, installing patches on servers as well as mundane tasks like checking firewall logs for evidence of attempted hacks while keeping a watcheye for alerts from Intrusion Detection Systems. They perform regular analysis on the firewall logs and work to investigate any entry that arouses their suspicion. However, they would require administrator level passwords to do their job properly, which transfers the risk of Insiders from one premise to another. This might be riskier in the sense that one doesn’t know the MSSP company employees personally. But as we have learned, the insider problem cannot be eliminated, it can only be minimized, and in this case we can do that by signing a legal contract with the company and only outsourcing the important functions and not all. When deciding the MSSP Company, you should do a research and ask the clients the company had had for feedback. You should make sure that the MSSP you choose has a 24 hours a day availability for all the days of the year including public holidays so you get the rapid response you need. A satisfactory contract and SLA (Service Level Agreement) between you and the MSSP is vital so you know what kind of service and response times you can expect. Once the contract is made, it is recommended that you ask someone to try to hack the system just to make sure the company is meeting your expectations.
44
6.2 Phishing and Scamming 6.2.1 Understanding Spam: The curse of ‘unsolicited bulk’ emails is commonly known as spam and has reached unprecedented levels. Unsolicited and bulk emails separately do not count as spam. It is a matter of consent rather than content. If a user has not explicitly consented to receive an email and the same email is sent to a large number of users then such emails technically come under the ambit of spam. This distinction is important because legislators keep hitting the wall trying to control the content of spam, while the real issue regarding the sending method remains unaccounted for. Spammers do not care about who they send emails to, not even the organization they claim to be sending messages from because spam is usually ignored. According to Radicati Group’s estimate there are 2.6 billion email users worldwide and this number is expected to grow to 2.9 billion by 2019. Also, the average number of email accounts owned per person is expected to rise from 1.7 to 1.9. These huge increases mean that the spammers and phishers will have larger pool of targets. The same report also predicts the average number of spams per person/day will increase from 12 in 2015 to 19 by 2019. Multiplying these simple numbers gives us the total number of emails in tens of billions per day26. A Symantic report claimed that among the scanned emails, about half of them contained spam and new variants of malware were emerging every day, which hints towards the idea that the sophistication of attacks is on the increase. 27 Not all are sent by humans behind a computer, many are sent through compromised computers (bots) all around the world that are controlled by the attacker.
26
"Email Statistics Report, 2015-2019." http://www.radicati.com/wp/wp-content/uploads/2015/02/EmailStatistics-Report-2015-2019-Executive-Summary.pdf. 27 MailOnline, Chris Pleasance for. "Is This the End of Spam Emails? Number of Nuisance Messages Fall to Their Lowest Level in 12 Years as Fraudsters Turn to Alternative Methods of Hacking ." Mail Online. 2015. Accessed May 20, 2016. http://www.dailymail.co.uk/news/article-3166313/Is-end-spam-emails-Number-nuisance-messages-falllowest-level-12-years-fraudsters-turn-alternative-methods-hacking.html.
45
6.2.2 How it’s done: Phishing Phishing, like fishing, is the setting of an automated bait to lure the target into revealing its identity and sensitive information. The phish (target) gets an email with the looks of a legitimate business or organization in order to reveal personal information. This could include username, password, credit card number i.e. any information that could be used to steal money. The email might simply contain a form directly asking for personal information or it could redirect to another website through a link. The usual questions are that the company has either lost your information or requires you to confirm it once again so that the services could be resumed, or else the account will expire. Most people usually do not give-away their personal information, but many fall for such scams because the emails are framed to look legit. Email addresses are collected through different sources and a majority uses their first name for the email address. This allows the phisher to use the target’s name giving the email a more personalized, hence deceptive outlook. The grammar, titles, subject, core and symbols in the email are mimicked in a way to deceive the user to believe that the email is from the company itself. Not only the phishers can easily fake the ‘From’ address (commonly known as spoofing), they can also hide the original destination of the links shown in the email making it difficult to ascertain its origins. Some emails contain spyware that collect the data put in a real website by the user and send it back to the phisher. The end-user (phish) does not even realize that every key-stroke they make on their computer is being recorded and sent to the phisher. Phishing is where the money is, therefore the targets usually are the banks, internet retailers, auction sites, political campaigns etc. The phisher could use the obtained information to access accounts, make transactions, create new accounts or possibly sell the information to an interested party.
46
Spyware and malware applications are readily available nowadays. They are hidden in spam emails and target a very large audience. A large proportion of phishers involved in phishing are ‘script kiddies’- those who do not write the programs themselves. They know what certain codes can do, but do not know the actual process behind them. They use the material developed by serious crackers who have the technical knowhow of the code they write and can write Worms, Trojans or might even have a Botnet under their control. Unlike the script kiddies who target those with specific security loopholes, the serious crackers can target individual systems using a multiplicity of techniques. Organized crime has penetrated the cyber-realm. Serious crackers are hired, in return the mafia provides them with protection and resources. 28 6.2.3 Resurgence of Macros: Recently, there has been a resurgence of Macro-viruses. Written in the same language as software like Microsoft Word, they are embedded in the file attachments and once the file is opened, the virus spreads to the users address list. “Almost 16 years ago, the Melissa macro virus first appeared, quickly managing to infect some 20% of the world's computers - all through the simple technique of targeting a significant weakness in Microsoft Office applications' Visual Basic for Applications (VBA) macro processing.”29Recently, in an update to Microsoft’s Office Suite, system administrators have been provided with an option to stop macros from running. Previously, a spear-phishing attack on a company’s specific employee could put it in grave problems. “Though attacks involving macros are simple to pull off, they can have surprising results, such as hackers
28
Lininger, Rachael, and Russell Dean Vines. Phishing: Cutting the Identity Theft Line. Indianapolis, IN: Wiley Pub., 2005. Print. 29 "Articles." Articles. Accessed May 20, 2016. http://www.btc.co.uk/Articles/index.php?mag=Security.
47
holding company data hostage for money, or using hacked machines to literally cut off electricity to thousands of homes.”30 6.2.4 Zombie Computers AKA Botnet: Humans have limited capabilities compared to the tasks a computer can perform and sending spam is one such avenue where computers prove much faster. Attackers need compromised computers to help them with sending millions of spam each day. Those users who successfully become the targets of spammers act as surrogate machines working for a mother pc under the control of an attacker. A few commands allows the attacker to use the compromised PCs to send spam without the end-users knowledge. “The Spamhaus Project is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets”31 around the world. Currently, it tracks more than three billion mailboxes and helps stop spam and malware sent to the users. As of May 2016, the countries with the highest number of spam-bots are India, Vietnam, China, Iran, Russia, Indonesia, Brazil, Pakistan, Mexico and the United States. Ptcl.net.pk also occupies a position in the top ten list of highest number of detected spam-bots that can be used for spam, phishing and denial of service attacks (DoS). 6.2.5 The Curious Case of Mules: Once the accounts have been compromised, mules (intermediaries) are used to transfer small amounts of money back to the attacker for a commission. The attackers do not directly syphon-off the money to their own accounts because otherwise the money trail can be detected and the transaction gets reversed. The basic purpose of the mules is to take reversible transactions
30
Paul Szoldra. "The Favorite Method Hackers Use to Take over Computers Just Got Killed by Microsoft." http://www.techinsider.io/microsoft-macros-office-2016-2016-3. 31 "About The Spamhaus Project." About The Spamhaus Project. Accessed May 20, 2016. https://www.spamhaus.org/organization/.
48
and make them into irreversible ones. The market for compromised accounts portrays an interesting image. These accounts are sold for pennies on the dollar. It seems that the real task is not of compromising accounts, rather is of transferring the money from them. This suggests that the bottleneck is created because of a shortage of mules, and not because of the number of stolen accounts. A research by Dinei Florencio and Cormac Herle argues that it is not the victim’s money that is at risk, rather it is the mule from whom the money is being ‘borrowed’. In the case of the US, the Regulation E of the Federal Reserve Board “covers all transfers except by check and credit card, and limits the user’s liability to $50 if the loss is reported within two days of discovery. Interestingly, even in cases involving negligence the user’s liability is limited”. The banks have to cover loses as long as the person reports the fraud within the given time period.32 The following table gives a simple representation of the gains and losses of the various parties for a $100 fraudulent transfer via a mule: Before Discovery
After Discovery
Victim
-$100
$0
Bank
$0
$0
Mule
+$10
-$90
Attacker
+$90
+$90
Before the discovery, the victim loses $100 while the mule receives his $10. At discovery, the bank is bound to reimburse the money to the victim (because of Regulation E) and the money the mule received get reversed. While the attacker has already ‘borrowed’ the money from the mule.33
32
Dinei Florencio, and Cormac Herley. "PHISHING AND MONEY MULES." http://research.microsoft.com/pubs/143095/mules.pdf. 33 Ibid
49
If the mule has a good amount of money in his account, the bank can recover it easily. On the other hand, when students and people with weak bank history become mules and initiate irreversible transactions, the bank accrues uncollectible debt. Thus, the most effective way of stopping online fraud is to make the recruitment of the mules harder, rather than trying to stop the number of compromised accounts. This is not to say that the banks should allow their customer’s accounts to be compromised. 6.2.6 Spear-phishing Attacks: Spear-phishing is a more targeted attack and the victim is not just a random person as is in a simple phishing attack. The phisher chooses his target(s) carefully, studies them and ‘angles’ to tempt the phish into opening up the email. The sender’s address is usually the one from which the phish gets regular emails from so that the target does not become suspicious. Social Networking sites have become the best source for knowing about the interests, hobbies and the lifestyle of a person. This information is used to formulate more personalized emails. Spear-phishing poses the greatest threat because of the economic costs it could incur to the businesses. Nowadays, almost all the valuable research and trade secrets are stored on company’s network. Any breach could result in a hostage situation where the phishers threaten to leak the gathered information to the public or the business rivals. Typically, small businesses do not have sophisticated setups to protect them and often become the victims. The employment of new email authentication mechanisms (DKIM, SPF, and DMARC) has curtailed the ability of spammers to victimize individual users by posing as legitimate businesses and this idea is supported by a
50
comparatively reduced number of mass spams, while spear attacks have gained strength and sophistication.34 Following are brief accounts of three spear-phishing attacks: In 2011, interestingly the famous American cyber-security solutions company RSA got spear-phished. Two targeted emails were sent to four employees. They were crafted so well that one of the employees retrieved the email from the junk folder and opened the attachment by the name of “2011 Recruitment Plan”. The attacker was able to create a back-door and steal the employee’s passwords. The hack provided the attackers with company’s important information, while nobody could have imagined a cyber-security firm to go down so easily.35 In 2013, a man was sentenced to four years of imprisonment for stealing more than £1.5 million from UK students. The students were sent a fake link asking them to update their student loan account and the attacker used that information to steal large sums of money from student’s bank accounts. The scam was bust open with a concerted effort of the banks, the internet service providers and the student loan company.36 In June 2015, Ubiquiti Networks got $46.7 million stolen from its finance department. Spoofed emails pretending to be originating from the executives allowed the attacker to syphonoff money to foreign accounts. Some of the money was recovered, while a large amount still remains unfound. These few examples show how serious economic costs could be to larger companies.
34
Schifreen, Robert. Defeating the Hacker: A Non-technical Guide to Computer Security. Chichester, England: Wiley, 2006. 35 "Hacker Lexicon: What Are Phishing and Spear Phishing?" Wired.com. Accessed May 20, 2016. https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/. 36 "Man Jailed for Phishing Scam That Targeted UK Students to Steal £1.5m." The Guardian. 2013. Accessed May 20, 2016. http://www.theguardian.com/uk-news/2013/dec/14/man-jailed-phishing-scam-uk-students-olajideonikoyi.
51
6.2.7 Free Advertisement: At zero cost, spamming has become the most attractive form of advertisement. A majority of us would have given their mobile number or email address while shopping. The companies compile this gathered data and sell them to prospective buyers. A buyer could be anybody ranging from a local business trying to sell their new product or a scammer trying to loot money. Once the information is provided, it is not possible to completely stop one’s information from spreading. Many have made multiple email accounts just to avoid giving their main one from being spammed. Yet, new sophisticated methods find email addresses one way or the other. The Terms of Agreement/Policy are made so long and cumbersome to read that a majority does not even bother reading and accept it not knowing that they might be legally allowing the company to do whatever it wants to with the information provided. Large companies send promotional emails, but the number of emails sent is so large that they have become a nuisance. One app, Unroll.me, that blocks such emails has recently released a list of companies that send the greatest number of spam and also a list of the most unsubscribed ones. Some of the names in the top fifteen list are Facebook, Twitter, and LinkedIn with 310, 173, and 157 emails sent on average per person. Among the most unsubscribed companies are Twitter, Goodreads and Flipboard.37 Not all the users read the cumbersome safety instructions and do not have the know-how to protect themselves online, coupled with such large number of spams the chances of successful spoofed emails become greater. 6.2.8 A Low-Risk Resource for Terrorists A majority of countries have their critical infrastructures online, which makes them a very attractive target for the terrorists. Imagine the scale of upheaval any one of communications, 37
McAlone, Nathan. "The 15 Companies That Flooded Your Inbox with the Most Email Spam in 2015." Business Insider. 2016. Accessed May 20, 2016. http://www.businessinsider.com/the-companies-who-send-the-most-emailspam-2016-2.
52
energy, emergency, transport, finance, IT or nuclear sectors being compromised could bring. Imagine a large banks services going down for some time or electricity being not delivered to certain important areas. These attacks are indeed possible given the sophistication the terrorists have gained in cyber knowledge. In 2005, a Moroccan based in London was jailed for spreading bomb-making techniques and used money phished from compromised accounts. He had 37,000 credit card numbers under his possession and further money stolen was to be to fund terrorist activities. In another incident, five men conned pensioners from January 2014 to May 2015 undetected in phishing attacks and stole nearly £160,000. The money was to be used to finance the travel of prospective jihadists to Iraq and Syria.38 The Stuxnet virus allegedly developed by unidentified state(s) to attack the Busheher Nuclear facility was developed to destroy key features of the infrastructure. Fortunately, the facility had not been switched on at the time of attack and the level of destruction would unimaginable if a working nuclear facility was targeted.39 Phishing provides an easy and low-risk high return source for terrorists either working in groups or sleepercells. It also provides an easy means to collecting data on targets by sending malwares, gathering information on their location and ultimately targeting them physically. 6.2.9 How to Protect Against Spam and Phishing Rapid increase in the number of internet users and continuous innovation make it more challenging to secure the cyber-space. The universal connectedness of the internet complicates the issues revolving around it, because cyberspace is not owned by a single entity-it’s a global
38
Arthur Martin. 'Bank of Terror' Gang Accused of Cold-calling Scam That Rinsed Pensioners' Accounts to Fund Jihadis' Journeys to Syria to Fight with Isis Extremists." http://www.dailymail.co.uk/news/article3072294/Phishing-gang-plundered-elderly-vulnerable-victims-accounts-fund-jihadists-travel-Syria-join-Isisextremists.html. 39 Niall Firth. "Computer Super-virus 'targeted Iranian Nuclear Power Station' but Who Made It?" http://www.dailymail.co.uk/sciencetech/article-1314580/Stuxnet-worm-targeted-Iranian-nuclear-power-stationsophisticated-virus-attack-ever.html.
53
phenomenon. New innovative software, hardware and the endless possibilities of their applications are being discovered and predicting the future path such a dynamic thing would take is not easy. The innovations will always have new loopholes to cover and attackers to exploit them, which means that cybersecurity will mostly be playing catchup. “The covert nature of the threat means that the public and businesses can underestimate the risks.”40 It is not possible to eradicate spamming or phishing completely. Hackers will ultimately find loopholes in the systems to exploit. One option to reduce it is to remove the motive for profit by making online transactions secure and impenetrable, which seems highly unlikely to happen any sooner. Almost every bank, virus protection software and online transactions site provides the basic safety measures for the users to avoid being spammed and phished. Some non-exhaustive measures are as follows:
The most basic thing to do is to not open any suspicious email and delete it immediately.
Some companies provide spam filtering and blocking software. These software check incoming emails for unwanted mail and block them from reaching the users inbox.
There are times when one has to provide an email address and there is no avoiding, for such occasions one should have a disposable account.
Spammers use email address generators and send bulk email to them, therefore it is recommended to use email addresses that have numbers and symbols in them
40
The UK Cyber Security Strategy Protecting and Promoting the UK in a Digital World. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-securitystrategy-final.pdf.
54
HTML format can carry malware. Although it makes user experience vibrant with pictures etc. but it also makes it prone to attackers, therefore emails should be viewed in plain text unless necessary.
Avoid providing your email address on blogs and websites
Report spam
Most of us in the developing world have not yet acquired the idea of paying for the software we use. The cracked versions picked up through peer-to-peer (torrent) networks are not trustworthy. They could be compromised and steal the users data quite easily. Phishers keep on taking advantage of the bugs in a software until they are caught and patched through an update. End-users need to keep on updating their software regularly. Unfortunately, a lot of free antispyware software are themselves compromised. It should be made sure that the anti-spyware software being used is famous for its security (reviews can easily be googled). The email platform is inherently weak and can be exploited. While interacting with their customers, the businesses should make sure that their clients are well informed not to share personal information over the internet. The emails they send, should be standardized so that any changes to the format are easily recognizable. Businesses should use full names of their customers, avoid sending attachments, share no links and try to use simple text (rather than HTML). Those who do fall prey to the scams are usually the ones who do not usually go over their credit-reports, therefore credit-reports must be checked regularly. Once a suspicious activity is noted, the user must file a report with the institution running their account and also the relevant governmental agencies.
55
6.3 Cyber Harassment With the advent of the internet came cybercrimes and crimes that were committed terrestrially also started being committed online such as harassment, stalking and bullying. In legal terms harassment is defined as persistent, unsolicited and threatening acts by a party toward a victim with the intention to terrify, bother, threaten, humiliate, harass, stalk or terrify the victim. This may include demands, threats or coercion, and the individual’s gender, nationality and religion may be factors that make them victims of such harassment. When it takes place on any electronic platform where communication with others is possible or on other mobile or internet technology it is referred to as cyber harassment. Some examples of this type of harassment are unwanted, continually threatening emails, instant messages or social media contact, comments that intend to cause distress, blogs created with the intention of verbally attacking and upsetting a victim and intentionally breaking into the victim’s personal account or computer, using photos of the victim without consent and sending them to amateur pornographic websites by digitally manipulating them. Cyber harassment may not always be from strangers, it can also be done by close friends, family members or romantic partners which makes such behavior abusive and not acceptable under any circumstances. A key feature of harassment to note here is that an action is considered harassment when the harasser has been asked to stop and does not. Not all unpleasant interactions fall under the category of harassment. For instance, simple disagreements over instant message, spam, comments and things said on someone’s website unless they are forged to be from someone they are not from or directly threatening someone. Simply put, harassment is repeated communication that persists
56
even after the harasser has been told to stop.41 For the purpose of this project, cyber harassment includes cyber stalking, cyber bullying, online hate speech and trolling. 6.3.1 Cyber Stalking Cyber stalking occurs when someone uses the internet to harass someone they do not directly know. Nearly all of the acts that constitute cyber harassment constitute cyber stalking if they are a part of a series or pattern of such behavior. Stalking generally includes harassment with the addition of a substantial threat to the victim and stalkers usually want revenge or attention. Stalking involves threatening behavior which includes following a person around, sending them threatening messages and calls, leaving them notes, written messages and objects, appearing at a person’s home or work place and making harassing phone calls, or messages. All of this comes under the category of terrestrial stalking. Cyberstalking features linked patterns of online and offline behavior. Cyber stalking refers to offenders following their victims around on the internet, especially in chat rooms, forums, message boards, mailing lists and newsgroups in which the victim participates. Other examples of activities that fall under cybercrime include false accusations, monitoring, and privacy invasion, making threats, identity or data theft or gathering information to harass. At times offenders also attempt to form relationships with those who are friendly with the target in order to obtain personal information about the target or they might end up hiring private detectives and running background checks in order to get more information. Cyber stalkers are generally obsessed with their targets. Therefore, cyber stalking basically includes emotional and mental assault in a virtual setting where damage is inflicted. Cyber-stalking
41
n.d. Working to Halt online abuse. http://www.haltabuse.org/help/isit.shtml.
57
is a criminal offense that falls under multiple legislations suh as slander, harassment and defamation and can lead to conviction and penalty.42 6.3.2 Cyber Bullying: Cyber Bullying is a relatively new legal term similar to harassment with the addition that the victim and the offender are minors. The age group involving the abuser and the victim is the specific distinction between cyber bullying and cyber harassment. Cyber bullies may or may not know their targets. According to U.S. Legal Definitions, "cyber-bullying could be limited to posting rumors or gossips about a person in the internet bringing about hatred in other’s minds; or it may go to the extent of personally identifying victims and publishing materials severely defaming and humiliating them."43 Cyberbullying is defined in legal glossaries as “actions that use information and communication technologies to support deliberate, repeated, and hostile behavior by an individual or group, that is intended to harm another or others or the use of communication technologies for the intention of harming another person or the use of Internet service and mobile technologies such as web pages and discussion groups as well as instant messaging or SMS text messaging with the intention of harming another person.”44 Examples of cyberbullying include online interaction that aims to intimidate, gain control, manipulate, falsely discredit or humiliate the victim repeatedly. A cyberbully may be anonymous and may involve other people online who do not directly know the target. This is called a ‘digital pile-on’.45
42
2012. The Anna Kavanaugh Charitable Foundation. http://www.theannakavanaughfoundation.org/CyberBullying_Harassment.html. 43 "Cyber Bullying Law and Legal Definition". U.S. Legal Definitions - http://definitions.uslegal.com/c/cyberbullying/ 44 "Definition of Cyber-Bullying". USLegal.com. US Legal, Inc. Retrieved 5 February 2016. 45 n.d. Cyberslammed. http://www.cyberslammed.com/where-to-start.html.
58
The suicide of Tyler Clementi is a high profile case study that has brought about international awareness about cyber bullying and digital ethics. Clementi, an 18-year-old freshman at Rutgers University, committed suicide by jumping from the George Washington Bridge after his roommate and hall mate used a webcam to record and stream a same sex encounter in Clementi’s room. The invasion of privacy and outing combined to cause mental anguish that caused Clementi to take his life. One of the reasons why cyber bullying is more harmful than terrestrial bullying is that offenders cannot visibly see how much harm they are inflicting and thus they may not know when to stop, often taking matters to extremes where victims may be emotionally damaged and resort to extreme measures such as suicide or fall into depression. Statistically, suicide is a rare consequence of cyber bullying but Clementi’s case gained media attention and brought the issue of cyber bullying to the forefront. 46 6.3.3 Hate Speech and Trolling: Trolling is something different from the types of cyber harassment discussed above. Some internet trolls may engage in cyber bullying but most others engage in harmless mischief whereas cyber bullying is always accompanied by an intention to harm someone. Internet trolling is the practice of deliberately provoking users through provocative language and upsetting comments and content for instance by posting meaningless questions for their own amusement, without any regard over whether the targets are hurt. More recent definitions of trolling are broader, and include those who cyberbully, with the explicit desire to degrade, humiliate and hurt someone they know or even high profile celebrities.
46
Clementi, Tyler. 2010. Tyler Clementi: A Call to Act on Cyberbullying. October 5. http://www.cbsnews.com/news/tyler-clementi-a-call-to-act-on-cyberbullying/.
59
Hate speech is speech that offends, threatens, or insults groups, based on race, color, religion, national origin, sexual orientation, disability, or other traits. In cyberspace, hate speed usually manifests itself on social networking platforms. HateBase is an online application that records occurrences of online hate speech. It reveals that the majority of hate speech victims have been targeted on the basis of ethnicity and nationality with religion and class emerging as recent factors.47
48
According to Citron and Norton, “the internet facilitates anonymous and
pseudonymous discourse, which can just as easily accelerate destructive behavior as it can fuel public discourse”.49 This is supported by the Director of Operations at The Sentinel Project, Drew Boyd, who stated that “the Internet grants individuals the ability to say horrific things because they think they will not be discovered. This is what makes online hate speech so unique, because people feel much more comfortable speaking hate as opposed to real life when they have to deal with the consequences of what they say”. 50(http://unesdoc.unesco.org/images/0023/002332/233231e.pdf) 6.3.4 Causes of Cyber Harassment: The causes of cyber harassment can be divided into factors that facilitate it such as features of the internet that support cybercrime, characteristics of victims that make them susceptible to attack as well as psychological factors that cause an individual to turn into a cyber offender. The low probability of identification and the high level of anonymity offered by the internet is a cause for cyber stalking because offenders know that they can get away with whatever they want to do provided they take the steps and precautions required to remain invisible online. The fact that signing up for email and social media accounts is free leads to offenders creating fake
47
Quinn, Timothy. n.d. hatebase. http://www.hatebase.org/popular. UN Human Rights Council Special Rapporteur on Minority Issues (HRC, 2015) 49 Citron, K. D. and Norton, H. 2011. Intermediaries and hate speech: Fostering digital citizenship for our information age. Boston University Law Review, Vol. 91, pp. 1435–84. 50 Interview: Drew Boyd, Director of Operations, The Sentinel Project for Genocide Prevention, 24 October 2014 48
60
profiles that they can use for the sole purpose of harassing and stalking individuals online. Almost all online blogs have a free comments section where people can target individuals and engage in hate speech, virtual abuse and bullying. Internet proxy applications like ZenMate allow offenders to route their IP address so that their location cannot be traced. According to IPI, cyber stalkers and harassers can be of any age or gender, belonging to any race, religion or nationality. The driving force behind their actions can range from need for power and control, revenge and peer acceptance to deviant fantasies, psychiatric illness or perceptual distortions.51 Psychiatrists, psychologists, and other mental health professionals view most stalkers as suffering from a psychiatric illness causing them to be psychotic or delusional. Stalkers may also be driven by psychological factors or they may be patients of some type of personality disorder. In the most severe cases, the stalker is defined as a predator or sociopath. According to Meloy, author of the book, The Psychology of Stalking some stalkers are also psychopaths who are biologically predisposed to antisocial activity and have little or no empathy towards their victims.52 Whatever the psychological basis may be, the stalker rarely grasps the extent of the fear he or she is causing because of being blinded by his or her motivations for stalking someone in the first place. In the case where the stalker’s motivation is to get revenge, the stalker is fully aware of the suffering causes to the victim but feels that the victim deserves it. In 1999, Australian stalking expert, Dr. Paul Mullen, and a group of investigators identified five types of stalkers which remains applicable today and can be applied to cyber stalkers.53 They are:
51
Nuccitelli, Michael. n.d. Cyberstalking Facts, Types of Cyberstalkers. https://www.ipredator.co/cyberstalkingfacts/. 52 The psycology of stalking by Reid Meloy (book) 53 GWU. n.d. George Washington University. https://haven.gwu.edu/types-stalking.
61
1. Rejected Stalkers: This type of stalker arises after the end of a close relationship. A motivation for rejected stalker is either to reconcile the relationship because they feel misunderstood or to get revenge for the breakup because they are angry. 2. Resentful Stalkers: This type of stalker feels that he or she has been wronged, mistreated or humiliated and so seeks to gain retribution for this. Resentful stalkers are cognizant of the fact that the victim is aware of the stalking, but continue to seek ways to instill fear and distress in the victim. This type of stalker may be a patient of severe mental illness and develop paranoid beliefs about the victim and get a sense of power and control from inducing fear in the victim. 3. Intimacy Seekers: This type of stalker is usually lonely and so wants to engage in a relationship with someone. The victim in such case is usually a stranger or an acquaintance who the stalker wants to befriend. The mental illness in this case is Erotomania in which the stalker is under the delusional belief that the victim is in love with him or her or they are already in a relationship. Blinded by their distorted perceptions of a destined love, they lose sight of the distress and fear they are causing the person they stalk. Intimacy seeker stalkers are usually the type that harass and stalk celebrities and public figures. 4. Incompetent Suitors: This type of stalker is similar to the previous one but unlike intimacy seeker’s aim of getting involved in a loving relationship with the victim, this type of stalker’s aim is to go on a date or get involved in a short term sexual relationship with the victim. This type of stalker may stalk for a brief period of time but feeling entitled to a relationship with the victim inspires this stalker to gradually increase their frequency of contact. This type of stalker tends to lack social, communication or courting skills and may be indifferent to the victim’s distress. This insensitivity may be associated with cognitive
62
limitations or poor social skills consequent to autism spectrum disorders or intellectual disability. 5. Predatory Stalkers: Predatory stalking arises in the context of deviant sexual practices and interests. Perpetrators are usually male and victims are usually female strangers in whom the stalker develops a sexual interest. The stalking behavior is usually initiated as a way of obtaining sexual gratification (e.g., voyeurism targeting a single victim over time), but can also be used a way of obtaining information about the victim as a precursor to a sexual assault. In this sense the stalking is both instrumental and also gratifying for those stalkers who enjoy the sense of power and control that comes from targeting the usually unsuspecting victim.54 This type of stalker is the most dangerous and determined out of the five types identified by Mullen. Characteristics of victims can also be a cause of cybercrime. Children are popular victims of cyber harassment in the form of cyber bullying. Other characteristics of victims are that they use the Internet frequently, have been involved in a break up or divorce, have fired someone as an employer, know, work with or have been introduced to mentally ill individuals who often form unhealthy and abnormal fixations with someone. Based on their work with stalking victims for eight years in Australia, Mullen and Pathé identified different types of stalking victims dependent on their previous relationship to the stalker. These are:55 1. Prior intimates: Victims who had been in a previous intimate relationship with their stalker. The authors describe this as being "the largest category, the most common victim profile being a woman who has previously shared an intimate relationship with her (usually) male
54 55
GWU. n.d. George Washington University. https://haven.gwu.edu/types-stalking. Mullen, Paul E.; Pathé, Michele (2002-01-01). "Stalking". Crime and Justice 29: 273–318.
63
stalker." These victims are more likely to on the receiving end of violence by their stalker especially if the stalker had a criminal past. Victims who have "date stalkers" are less likely to experience violence by their stalkers. A "date stalker" is considered an individual who had an intimate relationship with the victim but it was short-lived. When considering cyber stalking, the stalkers of such victims may try to keep tabs on them through social media to know of their current residence, job, relationships and friends to facilitate their terrestrial stalking. 2. Casual acquaintances and friends: Amongst male stalking victims, most are part of this category. This category of victims also includes neighbor stalking and may cause the victim to ultimately change his or her place of residence. 3. Professional contacts: These are victims who have been stalked by patients, clients, or students whom they have had a professional relationship with. According to the study, certain professions such as health care providers, teachers, and lawyers are at a higher risk for stalking. 4. Workplace contacts: The stalkers of these victims tend to visit them in their workplace which means that they are either an employer, employee, or a customer. When victims have stalkers coming to their workplace, this poses a threat not only to the victims' safety but to the safety of other individuals as well. 5. Strangers: These victims are typically unaware of how their stalkers began stalking because typically these stalkers form a sense of admiration for their victims from a distance. 6. The famous: Most of these victims are individuals who are portrayed heavily on media outlets but can also include individuals such as politicians and athletes.
64
6.3.5 Effects of Cyber Harassment According to the Anna Kavanaugh foundation, cyber harassment has severe effects on its victims. Research reveals that individuals who are bullied, stalked or harassed online perceive the trauma at higher stress levels than do victims who are bullied, stalked or harassed in person. According to Dr Carll of the APA Media Psychology Division, "It is my observation that the symptoms related to cyberstalking and e-harassment may be more intense than in-person harassment, as the impact is more devastating due to the 24/7 nature of online communication, inability to escape to a safe place, and global access of the information."56 Long term lasting impacts of the post-traumatic stress syndrome and clinical depression such as “panic attacks, ongoing heightened stress, anxiety, fear, nightmares, shock, disbelief, grief, confusion, feelings of helplessness, hyper-vigilance, changes in eating, and sleeping difficulties” 57 are common in victims and result in shortening their lifespan due to their detrimental consequences on the victim’s health. According to Dr YeoJu Chung of Kyungil University, "…cyberbullying makes students socially anxious, lonely, frustrated, sad and helpless. Lots of adolescents have trouble recovering from negative effects of cyberbullying. We can help them use emotion regulation skills to recover, rather than become bullies themselves."58 6.3.6 Preventive measures and actions From the individual’s end, solutions for cyber harassment can be divided into two categories, namely, precautions to take to avoid cyber harassment in the first place and actions to take in case
56
(Telegraph 2011) Telegraph. 2011. Cyberstalking 'more dangerous than traditional bullying'. Aug 8. http://www.telegraph.co.uk/technology/internet/8687956/Cyberstalking-more-dangerous-than-traditionalbullying.html. 57 2012. The Anna Kavanaugh Charitable Foundation. http://www.theannakavanaughfoundation.org/CyberBullying_Harassment.html. 58 Telegraph. 2011. Cyberstalking 'more dangerous than traditional bullying'. Aug 8. http://www.telegraph.co.uk/technology/internet/8687956/Cyberstalking-more-dangerous-than-traditionalbullying.html.
65
the offence has already occurred. Individuals can take certain measures and precautions to avoid being a victim of cyber harassment. Some of these precautions include maintaining strict privacy settings on social media, not divulging any personal information on online blogs and websites, using safer computers such as at public places to avoid online monitoring, regularly changing passwords and pins to avoid hacking and blocking harassers on social media. In case it has already happened, the victim should report the case to the authorities immediately along with evidence of all online correspondence such as documents, messages, chat logs, posts and comments. In some cases, the authorities can track the harasser through an Internet Service Provider (ISP) and issue a restraining order against the individual. If inappropriate content is displayed online, the victim can contact the website operators by phone or email requesting the content be removed or blocked. For social media platforms, using the platform’s help center to log the issue can help.59 For example:
Facebook: go to the Facebook Help Center and choose Report Something, then Report Something again, and pick your topic from the list displayed
Twitter: go to the Twitter Help Center and select the right topic under Report a Violation or possibly Account Access
Instagram: go to the Instagram Help Center, select Privacy and Safety Center, then the appropriate topic, e.g. Report Something
59
n.d. Tackling online harrasment. https://phoenix.symantec.com/Norton/au/online-harassment-experiencewomen/assets/Norton_OnlineHarassment_AU_TipSheet.pdf.
66
Victims who can also file a civil suit against the offender, have accounts revoked and damaging websites shut down. However, this depends on the country and how strict prevailing laws are against such forms of harassment.
7 Laws and Challenges to Cybersecurity: 7.1
On Phishing and Scamming: Phishing has become one of the safest methods to steal money because of the anonymity
the internet provides. The phisher could be sitting thousands of miles away siphoning somebody else’s money. Anonymity is supported by weak and in some cases non-existent laws, particularly in the case of international agreements. Hackers from Eastern Europe and Brazil are notorious for the very reason. It is very difficult to have perpetrators extradited even if they get caught. Most of the times, the cost of prosecuting the phisher exceeds the amount stolen, which does not motivate the governments enough to peruse such cases actively or the laws related to them. In 2003, President Bush signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN SPAM Act to regulate online spam. The Act laid down rules for sending bulk emails, but did not prohibit it. The main points that the act covers are:
Do not use misleading information either in the subject line or the header
Identify the message as an ad
Identify your business location
Tell recipients how to unsubscribe from your emails
67
Honor such requests and monitor online misuse of your business’s name 60
Initially, the act attracted a lot of criticism against its impotency in acting as a deterrent, but recent studies using prosecutions, fines, detentions and a sample of over five million spams sent in the US over a period of fifteen years shows that the law indeed has a deterrent effect. The study shows that under the CAN SPAM Act, punishments are mostly through fines and not imprisonment. Most spammers are rich so fines do not play much of a correctional role. On the other hand, the number of days a person is imprisoned does have a significant role in the reduction of spam, which implies that the law must be amended to allow for greater imprisonment lengths rather than fines. The Act also relies on opt-out regulations rather than opt-in61 ones, which makes it legal to send unsolicited bulk emails until one is abiding by the regulations. 62 While the US law focuses on the opt-out side, the UK legislation focuses more on the opt-in side. The Privacy and Electronic Communications (EC Directive) Regulations 2003 ‘cans’ spam by declaring that: “A person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or
60
Ftc. n.d. CAN-SPAM Act: A Compliance Guide for Business. https://www.ftc.gov/tips-advice/businesscenter/guidance/can-spam-act-compliance-guide-business. 61 Opt-in and opt-out refer to subscribing in and out of an emailing list 62 Kigerl, Alex. n.d. Spammers should be given prison sentences under the CAN SPAM Act. http://blogs.lse.ac.uk/usappblog/2015/03/10/spammers-should-be-given-prison-sentences-under-the-can-spamact/.
68
negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.”63 Although, the US and the UK both have made laws and convicted the offenders, yet they assume the first and seventh positions respectively on the world’s worst spam enabling countries. Interestingly, amongst the top ten worst spammers, seven are from the US, two from Ukraine and one from the Russian Federation. China, Russia, Japan, Ukraine, Hong Kong, and India are also on the list.64 Spamhause argues that the Internet Service Providers (ISPs) in these countries blatantly refuse to take action because the laws do not cover preemptive measures, which is a big reason why these countries have borne the greatest brunt of online financial fraud. Twenty-three states in America have specific laws catering to phishing, while they are missing in others. Even the states with no specific laws criminalize the activity. On the Federal level, no common law exists, but federal law against wire fraud is used to punish phishing crimes. The accused could be charged of either felony or misdemeanor depending on the facts surrounding the case. Phishing could result in jail, restitution, probation or a maximum fine of up to $10,000.65 The 2104 state law of Florida against the Fraudulent Use or Possession of Identifying Information specifically exempts the telecommunications providers and Internet Service Provider’s on the basis of good
63
(The Privacy and Electronic Communications (EC Directive) Regulations 2003 2003) Spamhause. n.d. The World's Worst Spam Enabling Countries. https://www.spamhaus.org/statistics/countries/. 65 Theoharis, Mark. n.d. Phishing: Sentencing and Penalties. http://www.criminaldefenselawyer.com/crimepenalties/federal/Phishing.htm 64
69
faith transmission/reliance. The Law states that “a provider of an interactive computer service is not liable under the laws of this state for removing or disabling access to content that resides on an Internet website or other online location controlled or operated by such provider if such provider believes in good faith that the content is used to engage in a violation of this part”. 66 ISPs selling services to spam gangs turn a blind eye until an issue is brought to light in press and media either because they want to keep on making money and do not want to invest in closing the loopholes based on their own cost-benefit analysis, or just because of gross mismanagement. Apart from the gloomy picture painted above, the developed countries realize the need for protecting their interests in the cyberspace. Amongst other countries, for example the UK has developed a robust strategy devoted to the objective of protecting its cyberspace with the vision “to derive huge economic and social value from a vibrant, resilient and secure cyberspace”67. The UK government has also devoted a sum of £650 million of public funds to a four year National Cyber Security Program aimed at creating awareness among the public and businesses regarding online crime.68 7.2
On Cyber-harassment Internet technology also creates possibilities for anonymous communications and hence
for anonymous cyberstalking. The ease with which users can send anonymous messages makes legal regulation of online harassment a very difficult task. Tracing a cyber-stalker is another challenging obstacle to any legal action because the electronic footprints left behind by cyber
66
Legislature, Florida. n.d. The 2015 Florida Statutes. http://www.leg.state.fl.us/STATUTES/index.cfm?App_mode=Display_Statute&Search_String=&URL=06000699/0668/Sections/0668.705.html. 67 UK, Government. 2011. "The UK Cyber Security Strategy." November. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-securitystrategy-final.pdf. 68 Ibid
70
criminals can be effectively covered by re-mailer technology. Since the internet has inexpensive and easy access and is a global medium not bound by frontiers, cyber stalkers may be based in any part of the world while their victims may be miles away. Although the Internet is not a lawless place, there are difficulties in applying laws that are made for specific countries and not for citizens of other countries. Prosecuting a foreign cybercriminal is difficult because the act that is an offence in one country may not be considered an offence in the offender’s country. There may also be problems of extradition and cross-border policing. An advantage of these laws is that they provide legal mechanisms for obtaining the identity of the culprit. Cyber harassment laws have put pressure on Internet providers, social networking sites, and other websites to require identifying information when a user logs on or utilizes the site or service. Penalties for violating cyber harassment laws vary widely by jurisdiction. In most cases, cyber harassment is charged as a crime. Cyberstalking is considered to be a more serious misdemeanor and may be punishable by a lengthy prison sentence. 69 Laws that protect citizens from cyber harassment vary from place to place and country to country. Certain characteristics of the internet pose challenges to the implementation of these laws such as the internet’s boundless nature and the anonymity that it offers, victims and perpetrators could be sitting thousands of miles away. Most Western European countries have laws that protect citizens against cyber harassment as a punishable crime. In the United States, many states have laws that provide some protection. No federal laws exist the issue directly but they do address stalking in general and cover some aspects of this crime which can be extended to its online manifestation. Most jurisdictions have
69
n.d. What are Cyber Harassment Laws? http://www.wisegeek.com/what-are-cyber-harassment-laws.htm
71
laws defining and punishing stalking, harassment, and bullying and with the use of internet and online communication becoming the primary mode of communication, most jurisdictions have been updated to include the issue of cyberstalking, harassment, and bullying. An advantage of these laws is that they provide legal mechanisms for obtaining the identity of the culprit. Cyber harassment laws have put pressure on Internet providers, social network sites, and other websites to require identifying information when a user logs on or utilizes the site or service. Penalties for violating cyber harassment laws vary widely by jurisdiction. In most cases, cyber harassment is charged as a misdemeanor. Cyberstalking is considered to be a more serious crime and may be punishable by a lengthy prison sentence.70 The issue of cyber harassment is addressed in the New York Penal Code under Article 240 as “a person is guilty of aggravated harassment in the second degree when, with intent to harass, annoy, threaten or alarm another person, he or she: 1. Either (a) communicates with a person, anonymously or otherwise, by telephone, by telegraph, or by mail, or by transmitting or delivering any other form of written communication, in a manner likely to cause annoyance or alarm; or (b) causes a communication to be initiated by mechanical or electronic means or otherwise with a person, anonymously or otherwise, by telephone, by telegraph, or by mail, or by transmitting or delivering any other form of written communication, in a manner likely to cause annoyance or alarm; or 2. Makes a telephone call, whether or not a conversation ensues, with no purpose of legitimate communication…”71
70
n.d. What are Cyber Harassment Laws? http://www.wisegeek.com/what-are-cyber-harassment-laws.htm n.d. New York Penal - Article 240 - § 240.30 Aggravated Harassment in the Second Degree. http://law.onecle.com/new-york/penal/PEN0240.30_240.30.html. 71
72
According to Citron, this penal law has loopholes and has not been updated to reflect the realities of the internet.72 The US Code 223, ‘Obscene or harassing telephone calls in the District of Columbia or in interstate or foreign communications’ is worded more clearly. 73 In Canada, the Protecting Canadians from Online Crime Act was a bill introduced in the parliament in 2015 which was eventually passed as an official law. The act not only makes it a criminal offence to stalk and harass someone online but also specifically makes the nonconsensual sharing of intimate pictures online an offence. It also grants courts the power to order a Canadian Internet Service Provider to delete the images from its server and talks about arrest warrants. 7.3
On Pakistan’s Electronic Crimes Act 2015 (PEC): Pakistan’s legal system is mostly developing on the basis of case law. As of yet, the judicial
system is in its nascent stages of learning how to tackle with cybercrime. The PEC makes it mandatory for the government to provide technical training to the officers and staff of the special investigation agency, while giving the job of investigation and prosecution to a single entity that many have criticized. The vast powers given to the investigating officers have raised concerns over its misuse by the government that already has vat powers over the collection of online user’s data. The matter first got public notice in 1996 when President Farooq Leghari dismissed Benazir Bhutto’s government citing among other reasons that her government was using government machinery to tap phone-calls and other private information. Therefore, the threat of the
72
Sweeney, Marlisse Silver. 2014. What the Law Can (and Can't) Do About Online Harassment. November 12. http://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-onlineharassment/382638/ 73 n.d. Obscene or harassing telephone calls in the District of Columbia or in interstate or foreign communications. https://www.law.cornell.edu/uscode/text/47/223.
73
investigating agency turning into a tool for governments to use against their opponents is not unfounded. Cybercrime is an international problem and knows no bounds and the PEC touches the matter in an inexhaustive manner. The law allows the federal government to share data with foreign entities and has been criticized for having no oversight. Once the data leaves the hands of the government, there is no way to ensure that the privacy of individuals will be protected by the states that has obtained the data. The Prevention of Electronic Crimes Act 2015 of Pakistan criminalizes, amongst other things, electronic fraud, unauthorized use of identity information, sending malicious codes, spoofing, and spamming. The law also provides no liability to the internet service providers and relies on their good faith unless intentional mala fide actions on their part are proven. With regards to spamming, the law is completely vague and open to several interpretations. It criminalizes ‘unsolicited intelligence’, while the essence of spam i.e. the ‘bulk’ is altogether missing. Marketing emails and those from which the users have not opted-out, ironically are specified as not being a part of the definition of ‘unsolicited intelligence.’ This basically means that spamming clause coupled with no liability on the ISPs makes Pakistan a safe haven for spammers. In Pakistan, the Prevention of Electronic Crimes Act of 2015 discusses and defines the issue of cyber stalking and makes it punishable under the law as “whoever commits the offence specified…shall be punishable with imprisonment for a term which may extend to two years or with fine which may extend to one million rupees, or with both provided that if the victim of the cyber stalking is a minor the punishment may extend to three years or with fine may extend to ten million rupees, or with both. Any person may apply to the court for issuance of a restraining order
74
against an accused of cyber stalking and the court upon receipt of such application may pass such order as deemed appropriate in the circumstances of the case.”74
8 Conclusion The threat of cybercrime is very real. Michael Mullen, the US Navy admiral said, ‘the biggest existential threat that’s out there, I think, is cyber.’ It is as frightening for powerful organizations as it is for the individuals who get victimized. James Comey, Director of the FBI stated the following about cyber-security situation of the US: We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas - things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy. Cybercrime is a grave problem that has penetrated every country in this globally connected world. This paper has discussed the incidence, causes, and consequences of hacking, spamming, phishing and harassment exhaustively along with the challenges that stand in the way of implementation of related laws to counter these problems. The incidence of cybercrime is growing at a fast pace as the use of the internet increases every day. In 2001, around 1.3% population of the country was using internet. By the end of 2015, this figure had risen to 11%. This is approximately 30 million individuals who use the internet and may be victims and perpetrators of cybercrime. Research suggests that 80% of these internet users
74
Bhi, Bolo. n.d. "Government’s Proposed and Modified Cybercrime Bill 2015." http://bolobhi.org/wpcontent/uploads/2015/04/PECA2015.pdf.
75
spend over an hour a day on the internet, as a consequence getting exposed to multiple risks in cyberspace.75 Hacking is one of the most common cybercrimes in the country along with issues such as phishing and spamming. Spamming continues to be a source of free advertisement for some and a cause of nuisance for others. Fraudulent spamming in the form of phishing has caused enormous financial losses. Financial losses through the internet in an economy like Pakistan’s has made people reluctant to use this medium of business transactions. Cyber harassment in the form of stalking, bullying, hate speech and trolling is another growing problem that instils fear and distress in its victims. In a survey conducted on university students in Pakistan, there was not a single respondent who had not been a victim of cybercrime at one point or another. It is not just university students but adults and minors as well who have been the victims of cybercrime in the country. Children may get bullied online and exposed to strangers who may lure them into a trap under the guise of friendship. Adults who carry out online transactions and store important data on their computers are at risk of financial theft and hacking. Cybercrime is a gendered issue in Pakistan as the majority of victims are women: a fact supported by the results of a survey conducted as a part of this project. The reason for this is attributed to the cultural norms and social context of the country where patriarchy and the concept of honor reigns. Women do not have opportunities at par with men to engage with technology, which leaves them with limited knowledge of the necessary precautions that must be taken by all internet users. They are also vulnerable targets who prefer not to report incidences of cybercrime because they are ‘supposed’ to safeguard the honor of their families. Unless the government treats cybercrime as a high priority-gendered issue, women will suffer the most.
75
2016. Internet World Stats. http://www.internetworldstats.com/asia.htm#pk.
76
There are two crucial aspects to combating cybercrime; first, it must be dealt with at an individual level; second, the state should play its appropriate role. One of the most effective ways to counter cybercrime at an individual level is to take precautions to avoid being a victim of it in the first place. Some of these precautionary measures are password protection of personal computers and devices, encryption of file and maintenance of regular backups of important data. In the case of shared devices, limiting the administrative powers and authority of all the accounts is recommended. Furthermore, avoiding unknown Wi-Fi networks and Bluetooth connections enhances security. Updating the firewall and anti-virus and scanning external drives for viruses when they are connected to computers and only visiting and downloading from trustworthy websites are some further precautions that every individual can take to avoid hacking. Similarly, to avoid the incidence of phishing, bank details for online transactions should only be entered on authentic websites and should never be saved on any online server. Cyber harassment can be avoided by stringent privacy settings on social media platforms and not divulging personal information on online forums. Focusing on the required amendments and the implementation of the law are fundamental steps that will play a crucial role in eliminating cybercrime in Pakistan. The ‘Prevention of Electronic Crimes Act, 2015’ was approved in the National Assembly in April 2016. The bill must also be approved by the Senate before it can be signed into law. 76 Although the law has brought up the issues in cyberspace elaborately, but it has been criticized for curbing free speech, internet freedom and giving overreaching powers to law enforcement agencies. The Act criminalizes mundane activities such as sending text messages without the receiver’s consent, criticizing
76
Khan, Raza. 2016. Controversial Cyber Crime Bill approved by NA. News, Islamabad: Dawn.
77
government actions on social media, sharing any information the government deems 'inappropriate', 'vulgar', or 'against the glory of Islam'. Critics have also argued that the matters criminalized by the Act are civil in nature and disproportionate punishments have been awarded. However, a major concern is that the level of awareness about such precautionary measures is low. This can be remedied by the government by making cyber safety a compulsory course and part of the curriculum in schools and universities. The FIA requires greater focus on the NR3C’s initiative of increasing cyber-awareness in which young volunteers-Cyber Scouts, are trained and sent to impart the knowledge among their peers. This initiative has not been able to realize its full potential successfully because of the lack of effective planning. The volunteers hired for training others are themselves busy students who are unable to dedicate appropriate time to this cause. The concept of cyber-scouts can be modified by hiring mature people who would not only teach the students, but also establish compulsory workshops for the staff members of institutions. Quality and a knowledge of updates is the essence of protecting people from ever-evolving threats. Thus, increasing awareness about cyber safety is a necessary step that the government needs to prioritize in order tackle cybercrime. Pakistan being a developing country with a large population using the internet has yet to develop cyber-norms. A low literacy rate with an equally low employment rate add to this disability. Therefore, the government needs to focus its energies towards tackling cybercrime as it is a matter of concern for the future generation and also for an already flailing economy. Ultimately, it can be concluded that if the findings of this project are taken as a parameter, the only way the future generation can utilize and enjoy the internet safely is if the present generation takes the necessary steps and measures to halt cybercrime for good. As much a boon the social networking sites are, they have been a bane equally. If the youth of today and tomorrow
78
is to benefit from advances in technology in the age of the internet, action must be taken immediately and with a sense of urgency while keeping in view that online freedoms are just as important as terrestrial ones.
79
9 Bibliography "About The Spamhaus Project." About The Spamhaus Project. Accessed May 20, 2016. https://www.spamhaus.org/organization/. "Articles." Articles. Accessed May 20, 2016. http://www.btc.co.uk/Articles/index.php?mag=Security. "Email Statistics Report, 2015-2019." http://www.radicati.com/wp/wp-content/uploads/2015/02/EmailStatistics-Report-2015-2019-Executive-Summary.pdf. "Hacker Lexicon: What Are Phishing and Spear Phishing?" Wired.com. Accessed May 20, 2016. https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/. "Man Jailed for Phishing Scam That Targeted UK Students to Steal £1.5m." The Guardian. 2013. Accessed May 20, 2016. http://www.theguardian.com/uk-news/2013/dec/14/man-jailed-phishing-scam-ukstudents-olajide-onikoyi. (ITU), International Telecommunication Union. 2015. ICT Facts and Figures. http://www.itu.int/en/ITUD/Statistics/Documents/facts/ICTFactsFigures2015.pdf. 2003. The Privacy and Electronic Communications (EC Directive) Regulations 2003. http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made. 2012. The Anna Kavanaugh Charitable Foundation. http://www.theannakavanaughfoundation.org/CyberBullying_Harassment.html. 2016. Internet World Stats. http://www.internetworldstats.com/asia.htm#pk. Alok Mishra, and Deepti Mishra. "Cyber Stalking : A Challenge for Web Security (PDF ..." Accessed May 16, 2016. http://www.researchgate.net/publication/259148587_Cyber_Stalking__A_Challenge_for_Web_Secur ity. Arthur Martin. 'Bank of Terror' Gang Accused of Cold-calling Scam That Rinsed Pensioners' Accounts to Fund Jihadis' Journeys to Syria to Fight with Isis Extremists." http://www.dailymail.co.uk/news/article-3072294/Phishing-gang-plundered-elderly-vulnerablevictims-accounts-fund-jihadists-travel-Syria-join-Isis-extremists.html. Bagchi, Kallol, and Godwin Udo. 2003. "An analysis of the growth of computer and ınternet security breaches." Communications of the Association for Information Systems 12 (46): 129. Bernat, Frances P., and Nicholas Godlove. "Understanding 21 St Century Cybercrime for the ‘common’ Victim." Criminal Justice Matters 89, no. 1 (2012): 4-5. doi:10.1080/09627251.2012.721962. Bhi, Bolo. n.d. "Government’s Proposed And Modified Cybercrime Bill 2015." http://bolobhi.org/wpcontent/uploads/2015/04/PECA2015.pdf. Bibliography Bocij, Paul and Leroy McFarlane. "Online harassment: Towards a definition of cyberstalking." Prison Service Journal 139 (2002): 31 - 38. Bocij, Paul, and Leroy McFarlane. 2002. "Online harassment: Towards a definition of cyberstalking." Prison Service Journal (139): 31 - 38.
80 Britz, Marjie T. "A New Paradigm of Organized Crime in the United States: Criminal Syndicates, Cybergangs, and the Worldwide Web." Sociology Compass 2, no. 6 (2008): 1750-765. doi:10.1111/j.17519020.2008.00172.x. Clementi, Tyler. 2010. Tyler Clementi: A Call to Act on Cyberbullying. October 5. http://www.cbsnews.com/news/tyler-clementi-a-call-to-act-on-cyberbullying/. Creating Trust in the Digital World. http://www.ey.com/Publication/vwLUAssets/ey-global-informationsecurity-survey-2015/$FILE/ey-global-information-security-survey-2015.pdf. Dean, Katie. 2000. The Epidemic of Cyberstalking. January 5. Décary-Hétu, David, and Benoit Dupont. "The Social Network of Hackers." Global Crime 13, no. 3 (2012): 160-75. doi:10.1080/17440572.2012.702523. Dinei Florencio, and Cormac Herley. "PHISHING AND MONEY MULES." http://research.microsoft.com/pubs/143095/mules.pdf. Ellison, Louise , and Yaman Akdeniz. 1998. "Cyber-stalking: The regulation of harassment on the ınternet." Criminal Law Review 29 -48 . Ftc. n.d. CAN-SPAM Act: A Compliance Guide for Business. https://www.ftc.gov/tips-advice/businesscenter/guidance/can-spam-act-compliance-guide-business. Grabosky, Peter. "The Global Dimension of Cybercrime." Global Crime 6.1 (2004): 146 - 157. Grabosky, Peter. 2004. "The Global Dimension of Cybercrime." Global Crime 6 (1): 146 - 157. Guarnieri, Franck, and Eric Przyswa. "Counterfeiting and Cybercrime: Stakes and Challenges." The Information Society 29, no. 4 (2013): 219-26. doi:10.1080/01972243.2013.792303. GWU. n.d. George Washington University. https://haven.gwu.edu/types-stalking. Hof, Simone Van Der, and Bert-Jaap Koops. "Adolescents and Cybercrime: Navigating between Freedom and Control." Policy & Internet 3, no. 2 (2011): 51-78. doi:10.2202/1944-2866.1121. Imam, Ahsan Latif. "Cyber Crime in Pakistan: Serious Threat but No Laws!" http://blogs.tribune.com.pk/story/15063/cyber-crime-in-pakistan-serious-threat-but-no-laws/. Imam, Ahsan Latif. 2012. Cyber crime in Pakistan: Serious threat but no laws. December 8. Khan, Raza. 2016. Controversial Cyber Crime Bill approved by NA. News, Islamabad: Dawn. Kigerl, Alex. n.d. Spammers should be given prison sentences under the CAN SPAM Act. http://blogs.lse.ac.uk/usappblog/2015/03/10/spammers-should-be-given-prison-sentences-under-thecan-spam-act/. Laughren, Jessica. 2000. "Cyberstalking awareness and education." Legislature, Florida. n.d. The 2015 Florida Statutes. http://www.leg.state.fl.us/STATUTES/index.cfm?App_mode=Display_Statute&Search_String=&UR L=0600-0699/0668/Sections/0668.705.html. Lininger, Rachael, and Russell Dean Vines. Phishing: Cutting the Identity Theft Line. Indianapolis, IN: Wiley Pub., 2005. Print. MailOnline, Chris Pleasance for. "Is This the End of Spam Emails? Number of Nuisance Messages Fall to Their Lowest Level in 12 Years as Fraudsters Turn to Alternative Methods of Hacking ." Mail
81 Online. 2015. Accessed May 20, 2016. http://www.dailymail.co.uk/news/article-3166313/Is-endspam-emails-Number-nuisance-messages-fall-lowest-level-12-years-fraudsters-turn-alternativemethods-hacking.html. McAlone, Nathan. "The 15 Companies That Flooded Your Inbox with the Most Email Spam in 2015." Business Insider. 2016. Accessed May 20, 2016. http://www.businessinsider.com/the-companieswho-send-the-most-email-spam-2016-2. Mohiuddin, Zibber. 2006. Cyber Laws in Pakistan: A situational Analysi and Way Forward. June 24. http://www.supremecourt.gov.pk/ijc/articles/10/5.pdf. Momein, Fahd Abdul, and Muhammad Nawaz Brohi. 2010. "Cybercrime and Internet Growth in Pakistan." Asian Journal of Information Technology 9 (1): 1 - 4. Morris, Robert G., Matthew C. Johnson, and George E. Higgins. "The Role of Gender in Predicting the Willingness to Engage in Digital Piracy among College Students." Criminal Justice Studies 22, no. 4 (2009): 393-404. n.d. Cyberslammed. http://www.cyberslammed.com/where-to-start.html. n.d. New York Penal - Article 240 - § 240.30 Aggravated Harassment in the Second Degree. http://law.onecle.com/new-york/penal/PEN0240.30_240.30.html. n.d. Obscene or harassing telephone calls in the District of Columbia or in interstate or foreign communications. https://www.law.cornell.edu/uscode/text/47/223. n.d. Tackling online harrasment. https://phoenix.symantec.com/Norton/au/online-harassment-experiencewomen/assets/Norton_OnlineHarassment_AU_TipSheet.pdf. n.d. What are Cyber Harassment Laws? http://www.wisegeek.com/what-are-cyber-harassment-laws.htm. n.d. Working to Halt online abuse. http://www.haltabuse.org/help/isit.shtml. Niall Firth. "Computer Super-virus 'targeted Iranian Nuclear Power Station' but Who Made It?" http://www.dailymail.co.uk/sciencetech/article-1314580/Stuxnet-worm-targeted-Iranian-nuclearpower-station-sophisticated-virus-attack-ever.html. Nuccitelli, Michael. n.d. Cyberstalking Facts, Types of Cyberstalkers. https://www.ipredator.co/cyberstalking-facts/. Ogilvie, Emma. 2000. "Cyberstalking." Trends and isues in crime and criminal justice (166). Paul Szoldra. "The Favorite Method Hackers Use to Take over Computers Just Got Killed by Microsoft." http://www.techinsider.io/microsoft-macros-office-2016-2016-3. Puiu, Tibi. 2015. zmescience. October 13. http://www.zmescience.com/research/technology/smartphonepower-compared-to-apollo-432/. Quinn, Timothy. n.d. hatebase. http://www.hatebase.org/popular. Schifreen, Robert. Defeating the Hacker: A Non-technical Guide to Computer Security. Chichester, England: Wiley, 2006. Spamhause. n.d. The World's Worst Spam Enabling Countries. https://www.spamhaus.org/statistics/countries/.
82 Sweeney, Marlisse Silver. 2014. What the Law Can (and Can't) Do About Online Harassment. November 12. http://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-onlineharassment/382638/. Telegraph. 2011. Cyberstalking 'more dangerous than traditional bullying'. Aug 8. http://www.telegraph.co.uk/technology/internet/8687956/Cyberstalking-more-dangerous-thantraditional-bullying.html. The UK Cyber Security Strategy Protecting and Promoting the UK in a Digital World. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cybersecurity-strategy-final.pdf. Theoharis, Mark. n.d. Phishing: Sentencing and Penalties. http://www.criminaldefenselawyer.com/crimepenalties/federal/Phishing.htm. UK, Government. 2011. "The UK Cyber Security Strategy." November. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cybersecurity-strategy-final.pdf. Wall, David. Cybercrime: The Transformation of Crime in the Information Age. Cambridge: Polity, 2007. Weimann, Gabriel. Terror on the Internet: The New Arena, the New Challenges. Washington, D.C.: United States Institute of Peace Press, 2006. Yar, Majid. 2006. Cybercrime and Society. London: Sage Publications. Yar, Majid. Cybercrime and Society. London: Sage Publications, 2006 Zhang, Yanping, Yang Xiao, Kaveh Ghaboosi, Jingyuan Zhang, and Hongmei Deng. "A Survey of Cyber Crimes." Security and Communication Networks Security Comm. Networks 5, no. 4 (2011): 422-37. doi:10.1002/sec.331.
83
10 Appendix 10.1 Interview with Salman Sufi (Special Monitoring Unit Law & Order)
Q. Why does the Women Protection Bill include cybercrime and to what extent? Cybercrime is one of the main things added in this act because it is growing by the second in a society where social networking is becoming a norm and there are a lot of issues when relationships are ending and people use the pictures sent out of love to blackmail. There were murders happening in Lahore. Last year a guy blackmailed her fiancé using pictures to come-over and killed her and her mother as well. So under the law a person can get a protection, residence and monetary orders so if I’m intimidating you and you have proof that I’ve sent you text messages, once you go to the court and show the messages you can seek a protection order against me and I’ve to submit all the evidence I’ve against you to the court and this way you will be protected and your identity will be kept protected. Q. Cybercrime is a very open ended thing, it includes a lot of things. For example, if somebody’s picture get leaked, which spread very quickly and FIA takes a lot of time to take action. So in such a scenario what action should we take? The implementation of this law is quite comprehensive. The implementation is through violence against women centers, that’s a one stop shop for all kind of violence. Once you report it, the women protection officer will be empowered to take action right away. So if you say this person has my pictures and he lives at this address and I’m in immediate danger and the person is going to spread my pictures, the women protection officer can actually go there and confiscate the phone/device but the issue is that we have to educate our people that you have to be very sensible once you are sharing this kind of information because as you said it only takes a micro second and
84
Facebook or text messages, twitter, etc. and even if you confiscate the phone the thing is on social media and out of government’s hands and it is a whole different process. First of all, you should not send pictures Q. Taking about children and even adults, they cannot even talk, sisters cannot talk to their brothers about it and parents do not educate their children and parents remain in denial that our child cannot do such a thing That is a problem and it’s going to take time because to accept these things. And you shouldn’t trust anyone with such personal things Q. Pictures can be edited so how do you tackle with that issue? You can find out if a picture was edited or morphed and through this law you can seek damages. You can seek protection order or monetary order Q. What is the protection order? And if there is a person who wants to remain anonymous, is there some sort of some clause that a victim can remain anonymous? Once you go to the court, its public record that is in constitution. Q. In the future can we change it, because in some cases the pictures are not even there and people are blackmailing? If you have a message and somebody is blackmailing you, you can absolutely seek a protection order and the bracelet thing introduced is precisely to keep the person away from the victim so he cannot come in a certain distance of the person and cannot contact you. Q. So what kind of proof do I require that a person is blackmailing me?
85
No witnesses, if you somebody has sent a text or Facebook message, it’s a proof. You can take it to the women protection officer and the court and it’s traceable by IP addresses as long as it is electronic evidence and it doesn’t lie. Electronic evidence is a trail and you can follow it and know who the person is. Q. What is the purpose of the toll free dial number? It will be activated from June starting from Multan and because our first center of violence against women is being established there. So where ever the center is established, anyone can contact it. If you are a victim, you can call that number and notify. There is no restriction and anyone can call on the victim’s behalf. If I see you are being targeted, I can call Q. How does the court’s protection order proceed? It goes to the center, and the staff will implement the order. The center will tell the perpetrator to stay away from the areas where the victim lives, works, etc. Q. In such cases police gets involved and what if the other party is really strong? There the bracelet comes into play. You cannot tamper with it and everyone will know the person’s location Q. Do you see this law being implemented outside Punjab? I hope it does. Sindh has the same law but they do not have the same implementation mechanism and I hope that do build the structure. Q. What would you suggest to the people using social networking sites?
86
One should be very careful of what they share online because once you send it, you don’t have any control over it not even Mark Zuckerberg so one should be very careful in sharing private and sensitive data.
87
10.2 Interview with Sadaf Baig (Media Matters for Democracy) The following are the main points of the interview:
1. Differentiation in the categories of cybercrime in Pakistan is not that vivid/fine. There is a difference between the kind of laws that are made in advanced countries and those of Pakistan. Cultural norms should be put aside while criminalizing any activity e.g. Hate speech not a crime the West and is protected by the constitution in the US, but the current Pakistani law criminalizes it. 2. Impact of cybercrime relating to women in Pakistan is greater (things like family honor come into play). Many issues do not even see the light of the day and are swept under the carpet 3. In the case of Pakistan, minorities are being targeted. There are two recent cases registered against Shias for liking a post that allegedly promoted sectarian hatred. 4. The narrative of terrorism and cybercrime is quite mixed in Pakistan and so are the laws. The punishments for such crimes in real life are different from the ones that happen online. The PEC makes spamming a criminal activity given certain conditions, while advertisement through print media is not a criminal activity and you see people throwing pamphlets into people’s houses. 5. If somebody glorifies a criminal online they are liable to severe punishments and government gives the argument that the security situation in Pakistan calls for it. Glorification is defined very broadly e.g. Bhutto was hanged over criminal charges so would I be breaking the law if I glorify him? Many people attended Mumtaz Qadri’s funeral and they are not liable to any charges, however If the same thing is done online, this law allows the government to put me in jail. This is real problem and needs to be tackled.
88
6. No transparency in international data sharing and people worry about it. Budapest convention along with other conventions enables governments to share data without informing people. This is a problem because there are no open laws against which people can raise their voice. 7. Judiciary must be provided with special training to deal with cases of cybercrime as it is a growing problem. 8. 70% of the cybercrime cases are registered by the women which hints towards the fact that it’s a gendered issue 9. PTA officials have vast authority over our cyber activities. FIA has the responsibility of evidence collection and prosecution and that is a big problem because how can a single organization assume two different roles. FIA officials were involved in leaking private information/photos of the victims in a case 10. Most of the cases are filed against family members and such cases get dropped even before a trial, also females are represented by male members of the family. These two phenomenon play against the protection of women’s rights and their right to pursue criminal charges against an individual. Males are also becoming victims of harassment because their status in the society is threatened. Some cases go unreported because of the social barriers to going to a court (gaps in practical steps rather than law related) 11. People should stay vigilant regarding the material they post online 12. National security is a big issue for Pakistan so the government wants more control, but that’s a slippery slope. Establishing something for tackling contemporary issue can turn into a tool for the government to misuse in the long-term.
89
10.3 Interview with Aun Abbas (NR3C) The following are the main points of the interview:
Cybercrime started when people started using the internet. In Pakistan only 20% of the cyber related crime is reported, the rest of the 80% remains unreported.
More than 60% of the crimes are Facebook related
People adopt the cyber means of committing a crime because they feel they can keep their identity anonymous which will make it safe for them
Crimes can be done to do fraud for financial gains to harm somebody’s reputation.
The harassment cases in men are 0.1% but the deformation case in men is 5%
Crimes are not gender specific ; there can be a man against man, woman against woman, man against woman and vice versa
The forms in which a complaint can be registered are : Online, form, fax, in writing and in person
People usually tend to compromise and forgive the culprit at the enquiry stage as the offender is usually someone related to the victim
If the victim wins the case, the culprit may be jailed
Women tend to avoid taking the case to court because their biggest fear is the men in her house, and taking a case to court would mean that her father/brother would find out about the incident. This increases trouble for the victim as the family would then punish her under the excuse of honor culture
There has been a case where a husband leaked naked pictures of her wife after divorce and the wife was reluctant taking the case to court because she did not want to expose the pictures herself as a proof of the activity
90
There have been above twelve thousand registered complaints in eight years
To be able to lodge a complaint, the victim has to be inside Pakistan or the case cannot be entertained
There is no cyberterrorism department in Pakistan
Cyberterrorists are a group of people who carry out cybercrime on a large scale
Our society is not mature enough to deal with the problem on their own and need to be given proper training
The best solution to counter the problem is to spread awareness
State sponsored terrorism is possible and Pakistan is not ready to deal with it yet. Examples of state sponsored terrorism are Estonia and Georgia’s case- state cases.
One should not open attachments to avoid spamming
NR3C claims that they have a great contribution to the cyber security bill
NR3C has an initiative to spread awareness on how to protect oneself from cybercrime. This involves a team of volunteers called Cyber Scouts who visit academic institutions to spread the message.
