Duppy kno who fi frighten - Highlights of the 2015 Cybercrime Act of Jamaica

Sweet Baby Jesus!!!!!

I spent the last few hours reading the 2015 Jamaican Cybercrime Act.

Though it is a relatively easy (36-page) read, let me spare you the trouble of wading through the legalese and mis-spellings.

The Cybercrime Act of 2015 seeks to address:

1. Unauthorised access to computer program or data (Section 3)
2. Access with intent to commit or facilitate commission of offence (Section 4).
3. Unauthorised modification of computer program or data (Section 5).
4. Unauthorised interception of computer function or service (Section 6).
5. Unauthorised obstruction of operation of computer (Section 7).
6. Computer related fraud or forgery (Section 8).
7. Use of computer for malicious communication (Section 9).
8. Unlawfully making available devices or data for commission of offence (Section 10).

Additionally, the Act specifies legislation related to protected computers (Section 11), rules on inciting cybercrime (Section 12), and guidance on hindering or prejudicing cybercrime investigations (Section 13).

In an effort to include everyone in the fun, Section 14 addresses offences by corporate bodies. Further, the Act outlines actions that someone that is harmed by cybercrime (corporate body or individual)  can take to get compensation from their "victimizer" or "offender" (Section 15).

At this point, you are saying to yourself "Sounds good to me. What is your problem, Ty?"

As usual, the devil is in the details.

I won't spend this post providing a sentence-by-sentence review of the Act (like I did two years ago when the Cybercrime Act of 2010 was under review. Those details are here).

For that detailed review, I am available for consulting via my security firm.

In this blog, I will only highlight the most glaring and mind-boggling concerns.

Lack of Awareness of the IT Security Profession and Education

Let me start off with the basics.

Sections 5 and 6 demonstrate a marked lack of understanding of the field of computer security and the fundamentals of training computer security professionals.

System administrators who install patches for zero-day exploits are normally warned that the patches may have unforeseen and untested impact on the rest of their ecosystem, which is typical of the field. Under these sections of the Jamaican Cybercrime Act of 2015, any system administrator who performs a security update is potentially in breach of the Act.

Another example is that of a system administrator, security professional or academic who needs to listen to and gather network traffic to detect security attacks; in order to spot and respond to these attacks and secure their systems. Under the current legislation, they could face prosecution.

Not to mention the fact that teaching the next generation of security experts becomes untenable in Jamaica under this Act; for fear of prosecution.

All in all, a bone-headed move if one wants to foster secure and private systems in Jamaica.

Or maybe I got this all wrong and these exceptions will be covered under an amendment of the Interception of Communications Act?

Nuh Run Nuh More Joke Roun Ya

The next point is so frustrating that I have to quote directly from the Act.

A person commits an offence if that person -
               (a) uses a computer to send to another person any data (whether
in the form of a message or otherwise) that is obscene, constitutes a threat, or is menacing in nature; and
             (b) intends to cause, or is reckless as to whether the sending of the data causes, annoyance, inconvenience, distress, or anxiety, to that person or any other person.

An offence is committed under subsection ( 1) regardless of whether the actual recipient of the data is or is not the person to whom the offender intended the data to be sent.

So, you are telling me that any politician or (rich) Jamaican who receives a text, email or other commnicae that they can interpret as threatening, obscene or menacing, may sue under this new Act (whether the message was intended for them or not).

Goodbye freedom of expression.

Goodbye, joking around (or ramping) with a friend in what may be subjectively interpreted as negative.

Wow!!!!!!!!

I am hoping that the intent of the Law, possibly cyberbullying or spam of online porn, etc, is different from the letter of the Law.

Right now, a lot of people are going to be in trouble.

This could also be a very effective way of shutting down a rival, whether political, business-related or other.

Everyone Knows What a Protected Computer Is

Section 11 mentions a "protected computer" and assumes that a reasonable person should know what a protected computer is.

Unfortunately, this is a highly subjective call that requires a judge to know the thoughts and mindset of an alleged offender.

Without having computers clearly defined and labelled as protected computers, this section is open to manipulation from the owners of computer systems that may argue (and defend) the "protected computer" status of their systems.

Overall, a horrible way to craft Law.

Where are the 'agreed upon" standards?

What is universally understood?

Is there a definition of "Protected" that is clear to everyone?

Is there a "Data Protection Act"?

Hmmmmm....

Plain Stupidity

From section 10 onwards, it gets progressively worse, because the rules build upon the previous sections, which we have already gone through and declared as bone-headed.

Section 12 states that if you and your friend are running a joke on another friend and it mistakenly gets to the wrong person, then that person can charge both of you under this Act.

We all know what happens when you build a house on sand.

*Shaking my head*

Protect The Lawyers

Section 13 is the only section where there is an explicit call-out for what it means to "not commit an offence". Of course, it stipulates the cases where lawyers are not liable or covered under this Act.

Interesting!!!!!!

Why wasn't there a call-out for IT security professionals and academics in previous sections?

All a Unnu is Fi Wi

This final point is what infuriates me most.

From the Act:

22.-( 1) This Act applies in respect of conduct occurring
                    (a) wholly or partly in Jamaica;
                    (b) wholly or partly on board a Jamaican ship or Jamaican aircraft;
                    (c) wholly outside of Jamaica and attributable to a Jamaican national; or
                    (d) wholly outside of Jamaica, if the conduct affects a computer or data-
                        (i) wholly or partly in Jamaica; or
                        (ii) wholly or partly on board a Jamaican ship or Jamaican aircraft.

Translation: If you are Jamaican or if you are accessing "stuff" in Jamaica, it does not matter where in the world you are, you are governed by this Cybercrime Act. 

I leave you to think through the impact of this.

Spoiler Alert: All Jamaicans wherever you are, you are screwed.

Conclusion

I am extremely disappointed in Minister Paulwell and his team.

You can do better.

The Jamaican people deserve better.

All you have to do is to include a Computer Science professional in the drafting of Acts like these to advice you on the feasibility of these rules.

Or maybe you want this Act exactly as it is.

Readers, what are your thoughts?