Sweet Baby Jesus!!!!!
I spent the last few hours reading the 2015 Jamaican Cybercrime Act.
Though it is a relatively easy (36-page) read, let me spare you the trouble of wading through the legalese and mis-spellings.
The Cybercrime Act of 2015 seeks to address:
Additionally, the Act specifies legislation related to protected computers (Section 11), rules on inciting cybercrime (Section 12), and guidance on hindering or prejudicing cybercrime investigations (Section 13).
In an effort to include everyone in the fun, Section 14 addresses offences by corporate bodies. Further, the Act outlines actions that someone that is harmed by cybercrime (corporate body or individual) can take to get compensation from their "victimizer" or "offender" (Section 15).
At this point, you are saying to yourself "Sounds good to me. What is your problem, Ty?"
As usual, the devil is in the details.
I won't spend this post providing a sentence-by-sentence review of the Act (like I did two years ago when the Cybercrime Act of 2010 was under review. Those details are here).
For that detailed review, I am available for consulting via my security firm.
In this blog, I will only highlight the most glaring and mind-boggling concerns.
Lack of Awareness of the IT Security Profession and Education
Let me start off with the basics.
Sections 5 and 6 demonstrate a marked lack of understanding of the field of computer security and the fundamentals of training computer security professionals.
System administrators who install patches for zero-day exploits are normally warned that the patches may have unforeseen and untested impact on the rest of their ecosystem, which is typical of the field. Under these sections of the Jamaican Cybercrime Act of 2015, any system administrator who performs a security update is potentially in breach of the Act.
Another example is that of a system administrator, security professional or academic who needs to listen to and gather network traffic to detect security attacks; in order to spot and respond to these attacks and secure their systems. Under the current legislation, they could face prosecution.
Not to mention the fact that teaching the next generation of security experts becomes untenable in Jamaica under this Act; for fear of prosecution.
All in all, a bone-headed move if one wants to foster secure and private systems in Jamaica.
Or maybe I got this all wrong and these exceptions will be covered under an amendment of the Interception of Communications Act?
Nuh Run Nuh More Joke Roun Ya
The next point is so frustrating that I have to quote directly from the Act.
A person commits an offence if that person -
(a) uses a computer to send to another person any data (whether
in the form of a message or otherwise) that is obscene, constitutes a threat, or is menacing in nature; and
(b) intends to cause, or is reckless as to whether the sending of the data causes, annoyance, inconvenience, distress, or anxiety, to that person or any other person.
An offence is committed under subsection ( 1) regardless of whether the actual recipient of the data is or is not the person to whom the offender intended the data to be sent.
So, you are telling me that any politician or (rich) Jamaican who receives a text, email or other commnicae that they can interpret as threatening, obscene or menacing, may sue under this new Act (whether the message was intended for them or not).
Goodbye freedom of expression.
Goodbye, joking around (or ramping) with a friend in what may be subjectively interpreted as negative.
I am hoping that the intent of the Law, possibly cyberbullying or spam of online porn, etc, is different from the letter of the Law.
Right now, a lot of people are going to be in trouble.
This could also be a very effective way of shutting down a rival, whether political, business-related or other.
Everyone Knows What a Protected Computer Is
Section 11 mentions a "protected computer" and assumes that a reasonable person should know what a protected computer is.
Unfortunately, this is a highly subjective call that requires a judge to know the thoughts and mindset of an alleged offender.
Without having computers clearly defined and labelled as protected computers, this section is open to manipulation from the owners of computer systems that may argue (and defend) the "protected computer" status of their systems.
Overall, a horrible way to craft Law.
Where are the 'agreed upon" standards?
What is universally understood?
Is there a definition of "Protected" that is clear to everyone?
Is there a "Data Protection Act"?
From section 10 onwards, it gets progressively worse, because the rules build upon the previous sections, which we have already gone through and declared as bone-headed.
Section 12 states that if you and your friend are running a joke on another friend and it mistakenly gets to the wrong person, then that person can charge both of you under this Act.
We all know what happens when you build a house on sand.
*Shaking my head*
Protect The Lawyers
Section 13 is the only section where there is an explicit call-out for what it means to "not commit an offence". Of course, it stipulates the cases where lawyers are not liable or covered under this Act.
Why wasn't there a call-out for IT security professionals and academics in previous sections?
All a Unnu is Fi Wi
This final point is what infuriates me most.
From the Act:
22.-( 1) This Act applies in respect of conduct occurring
(a) wholly or partly in Jamaica;
(b) wholly or partly on board a Jamaican ship or Jamaican aircraft;
(c) wholly outside of Jamaica and attributable to a Jamaican national; or
(d) wholly outside of Jamaica, if the conduct affects a computer or data-
(i) wholly or partly in Jamaica; or
(ii) wholly or partly on board a Jamaican ship or Jamaican aircraft.
Translation: If you are Jamaican or if you are accessing "stuff" in Jamaica, it does not matter where in the world you are, you are governed by this Cybercrime Act.
I leave you to think through the impact of this.
Spoiler Alert: All Jamaicans wherever you are, you are screwed.
I am extremely disappointed in Minister Paulwell and his team.
You can do better.
The Jamaican people deserve better.
All you have to do is to include a Computer Science professional in the drafting of Acts like these to advice you on the feasibility of these rules.
Or maybe you want this Act exactly as it is.
Readers, what are your thoughts?
6/9/2015 10:48:27 pm
This is a result of persons who think they know it all taking on something out of their realm.
6/10/2015 02:24:16 am
6/10/2015 12:02:45 am
Forgot to mention that companies that are used in these offences are also liable.
6/10/2015 02:18:02 am
Well said yet you were so kind. This Act is drivel. It should be taught in a legislative drafting class of what NOT to do. Like you, I have serious concerns about the impact on freedom of expression and the intended reach of the Act. Every Jamaican everyweh?! Heh.
6/10/2015 02:23:37 am
I tried my best to contain my displeasure and cleaned it up quite a bit.
6/10/2015 08:11:26 pm
So can I charge Digicel as their texts and emails are "menacing" and "annoying"? Smh...saaaad
6/11/2015 01:59:34 am
You are well within your rights under the Act.
6/11/2015 07:34:20 am
Ugh-- sometimes we just get things so wrong that it's hard to wrap my brain around it. The whole, "here, we want to you to figure out when there's a security breach, but you're not allowed to actually monitor what's going on" thing seems like an example of a real knowledge gap between the legislation as written, and actual implementation. That would be like telling cops to hand out speeding tickets without monitoring traffic!
6/11/2015 03:13:42 pm
6/12/2015 09:44:24 am
6/12/2015 11:14:30 am
Well now I'm just downright curious-- any primer recommendations for the IT savvy, but security noob crowd?
8/4/2015 07:32:22 am
Those were the most hilarious responses I have ever read.
8/4/2015 07:00:23 am
You should read the "Telecommunications Act" that itself shows short sighted vision of the future in a field that evolves constantly. It in itself is a joke, but by the expression on our Government's face when questioned about it, you'll quickly realize how serious and clueless they are.
8/4/2015 10:01:47 am
In case you missed the back and forth
8/4/2015 10:04:03 am
In case you missed the back and forth
8/4/2015 12:47:49 pm
I get the point, but when you use language that mocks, derides, shows them up, etc. you are only getting their hackles up and on the super defensive.
8/4/2015 09:21:19 pm
Jonathan, I refer to the Act and did not personalize it. Thus, there was no personal derision, mocking or showing up. Also note that my analysis from a few years ago, was very dry and measured. Also note that those recommendations were mostly ignored.
1/3/2016 03:50:01 am
I'm glad to be reading this article, I simply want to offer you a huge thumbs up for your great information.
Leave a Reply.
Dr Tyrone Grandison
Executive. Technologist. Change Agent. Computer Scientist. Data Nerd. Privacy and Security Geek.