It is of no doubt that electronic commerce holds the key to present and future global and local economic and social growth. However, like every other concept of human invention, e-commerce has some undeniable teething problems that tend to bedevil its full applicability. This paper hopes to throw light on some of these challenges. It does not claim to be exhaustive; rather it is only a guiding light for further research.
CYBER CRIME
‘Crime is always a by-product of an innovation or invention’
Cyber criminal activities started with the evolution of the internet and other technological innovations of our day. One undeniable feature of the internet is its speed, ease and breath. This very advantage is what cyber criminals have capitalized on to swindle unsuspecting users of huge resources.
Before delving deeply into the core of this subject, it is pertinent to attempt a definition of what cyber crime is. A simple but compact definition is ‘unlawful acts using the computer as either a tool or target or both.’ A broader definition was given in the Telecommunications and Postal Offences Decree.
“any person who inter alia engages in computer fraud or does anything
relating to fake payments, whether or not the payment is credited to the
account of an operator or the account of the subscriber is guilty of an offence”
Furthermore, cyber crime has also been regarded as computer mediated activities which are either illegal or considered illicit by certain parties and which can be conducted through global electronic networks. Internet crime has been further given a working definition thus; an act committed by use of the internet (one host communicating with another host) which is classified as a criminal offence according to national law
Criminal activities on the internet range from fraud, theft, pervasive pornography, pedophile rings, drug trafficking to cyber extortion, hacking etc. The severity and effect of cyber crime on business, society and government is unquantifiable. Annually, over $1.6 trillion is lost to cyber criminals. Cyber crime is attracting more attention by the authorities for various reasons;
1. Money can be transferred through the internet. This is achieved through online electronic payments, such as credit or cash cards, electronic money etc
2. There is no internationally accepted method of verifying the integrity and accuracy of the information that flows through the web.
3. Frauds committed via the internet pose complicated enforcement and jurisdictional problems to investigative agencies and the judiciary.
4. Finally, electronic commerce is here to stay. Despite the myriad of problems yet it is impossible to think of modern commerce without electronic commerce.
Why break into computers?
- Hack for pride and fame
- Steal information
- Erase data
- Cause malfunction on the system
- Obtain storage space for pirated goods
- Obtain anonymity in order to:
- Break into another computer (fame & pride / steal info / erase data / cause malfunction etc.)
- Distribute illegal material
- Launch a DOS-attack
- Send spam
- Phishing attacks
- Create an unauthorized net in order to:
- Launch a DOS-attack
- Manipulate lotteries and games by sheer frequency
Just as the elements of traditional crime must be fully present for an accused to be indicted, so also does cyber crime has some specific elements and stages which the prosecutor must establish to convict an accused. These stages include;
(a) Planning: at this stage the criminal carefully observes the pattern and trends of the target. This would include his data entry style, programme listing, systems documentation etc.
(b) Execution: most computer crimes are executed remotely, thereby eliminating the need for physical presence. Criminals execute their act by modifying application programmes or operating system, accessing controlled programmes etc
(c) Concealment: the criminal having executed his act, deliberately conceals it from being discovered. Cyber crime can be concealed by representing the act as an error or omission, performing the illegal act in conjunction with an authorized activity.
(d) Conversion: the criminal has to convert the criminal object into tangible object of use to him. Conversion can take place in different means, sale of data unauthorizely acquired, destruction of data in cases of revenge, or in most cases for the financial gain.
The New Jersey Star Ledger reported that a 13 years old boy used his parent’s auction account with eBay (an online Auction company) to successfully bid on $1.2 million medical centre in Jacksonville, Florida and another $400,000 bedroom suite that once belonged to Sir John A. Macdonald- Canada’s first prime minister.
CLASSIFICATION OF ELECTRONIC COMMERCE FRAUDS
Consumer- type fraud: this is perpetuated through internet auction frauds, health care products sales; travel and tourism services.
Investment–type fraud: this is perpetuated through pyramid selling schemes, ‘pump and dump scam’, ‘risk free’ marketing, off-shore frauds etc.
Business-type fraud: this is actualized through online payment and manipulation of data fraud and the usage of Net fraud. It is achieved through manipulation of internet access services, international modem dialing and web cramming.
TOP INTERNET CRIME ACTIVITIES IN 1999 AND 2000
1999 Top 10 Frauds | % | 2000 Top 10 Frauds | % | |
1 | Online Auctions | 87.0 | Online Auctions | 78.0 |
2 | General Merchandise Sales | 7.0 | General Merchandise Sales | 10.0 |
3 | Internet Access Services | 2.0 | Internet Access Services | 3.0 |
4 | Computer Equipment/ Software | 1.0 | Computer Equipment/ Software | 1.0 |
5 | Work-at-home | 1.0 | Work-at-home | 3.0 |
6 | Advance Fee Loans | 0.2 | Advance Fee Loans | 2.0 |
7 | Magazine Sales | 0.2 | Nigerian Money Offers | 1.0 |
8 | Information Adult Services | 0.2 | Information Adult Services | 1.0 |
9 | Travel/ Vacations | 0.1 | Travel/ Vacations | 0.5 |
10 | Multi-Level marketing/ Pyramids | 0.1 | Credit Card Offers | 0.5 |
Source: Internet Fraud Watch (www.fraud.org)
A list of possible internet crime is inexhaustible; however a few would support this line of thought.
1 Identity theft- the criminal either steals the victim’s information or card and goes ahead to pose to a seller that he is the owner for payment purpose. The closest provision of our law relating to this act is in S. 419A of the Criminal Code which provides inter alia
“any person who by false pretence or by means of any other fraud obtains credit for himself or any other person- in incurring any debt or liability; or by means of an entry in a debtor and creditor account between the person giving and the person receiving credit, is guilty of a felony….” The truth is that even this section cannot successfully nail a cyber criminal in view of the intricacies involved in electronic commerce.
The Advance Fee Fraud and Other Fraud Related Offences Decree were enacted to ease the proof of this crime. Furthermore the Economic and Financial Crimes Commission is now charged with the responsibility of enforcing Decree No. 13 1995.
2 Cyber Pornography: this includes pornographic websites including transmission of images of children; pornographic magazines using computers and the internet, dissemination of pornography etc. The American case of State of New York v. Buffnet an ISP pleaded guilty to the misdemeanor charge of knowingly providing access to child pornography. Investigation revealed that the ISP hosted a pornography newsgroup called ‘Pedo University’. The police warned the defendant but it refused to comply, after which its servers were ceased and it was made to remove the pictures and pay fine. The Convention on the Rights of a Child guarantees the right of protection of children against pornography and obscenities.
A learned author puts it in perspective thus;
“…. The latest trend seems to be towards interactive ‘LIVE SEX’ where people perform on and according to requests by subscribers to the services. The end user can view all of these on his computer, save and transmit it or printout hard copies of images and text.”
3 Internet Matrimony: Marriage and relationships are largely built on communication between two willing adults. The internet offers an unprecedented communication platform for such issues. The story was told of one Anastasia Solovieva of former Soviet Union who was matched with a fat, elderly man (Indle King Jr.) who had been a former tug earlier convicted of violence upon his earlier internet gotten wife.
Two years after the marriage, Anastasia was found dead, strangled and buried in a junkyard by her husband. Internet matrimony is gradually filtering into Nigeria with the recent report of an American lady who met her bricklayer husband in the chat room. Time will tell how well such marriages would work. A lot have turned out to be charades in which one of the parties knowingly induces the other for a personal advantage.
4 Sale Of Illegal Or Stolen Goods: the internet offers a gateway for the sale of goods through auction, mail-order or directly to the buyer. These goods include but not limited to hard drugs eg. Cocaine; body parts eg kidneys; by-product of endangered species, ammunitions, stolen goods etc section 427 of our Criminal Code criminalizes reception of stolen goods. The elements of such successful charge include;
1. The theft of the goods
2. The goods were taken into possession by the accused.
3. At the time of receiving, the accused knew that the goods were stolen
The Endangered Species (Control of International Trade and Traffic) Act controls the sale of animal species threatened with extinction. The Economic and Financial Crimes Commission (Establishment) Act also makes it an offence to own or sell or buy narcotic drugs.
5 Piracy, Copyright Infringement, Trademark Violations: the case of Playboy Enterprises Inc. V. Frena operator of a bulletin board allowed its subscribers to upload and download digitized pictures copyrighted by ‘playboy’ magazine. He was held liable for infringement notwithstanding that he claimed ignorance and promptly removed the pictures on knowing. So many other intellectual property crimes could still be committed by a person. This includes software piracy, trademarks violations, theft of computer source code etc in Nigeria the only regulation that can be construed to nail infringers is the Copyright Act or case laws
6 E-Mail Spoofing: This is when an e-mail appears to originate from a source but which actually did not. A good example was given by a learned writer. In India, a Pune based businessman received an e-mail from the Vice President of the Asia Development Bank (ADB) offering him a lucrative contract in return for a large sum of money. The victim verified the e-mail from the website of ADB and found it correct so he sent the required amount into the specified bank account. It later turned out that the e-mail was actually sent by a Nigeria based Indian!
7 Cyber Defamation: Defamation was defined by section 142 of Shariah Penal Code of Zamfara state as spoken or reproduced words by mechanical means intending to harm or knowing or having reason to believe that such imputation will harm the reputation of a person. The usual question here is who is liable for the defamatory material, is it the author, the host or the ISP? In Anderson V. New York Telephone Co. where the plaintiff a bishop was defamed by a client of the defendant who leased a recording machine with which he recorded some information about the plaintiff’s infidelity and account of children born outside wedlock. He sued the telephone company for defamation. It was held that the telephone company cannot be held liable for acts done by its client. Another interesting case is Stratton Oakmont Inc. V. Prodigy Services Co.
8 Cyber Stalking: Stalking has been defined as the crime of following someone over a period of time in order to force them to have sex or kill them. Although no universal definition exists yet cyber stalking has been defined as the use of the internet, e-mail or other electronic methods to stalk or harass a person. One Donald Ridley in UK pleaded guilty to internet stalking. He conducted a campaign against a lady he knew 6 years earlier by setting up a website which invited strangers to rape and abuse her. At a point the victim was receiving up to 30 mails per day including unwanted visitors.
9 Hacking: hacking is an act of securing unauthorized access to a computer or computer network. Hackers are divided into two types- white-hat hackers and black-hat hackers. White- hat hackers are legally employed or independent contractors who hack to check the security of a system. Black-hat hacking is illegal, because such hackers do their activities to cause damage or steal information from the computer or network of a victim. Apart from the above classification hackers have also be classified thus;
1. Code Hackers- they can succeed in making the computer do nearly anything they want.
2. Crackers- they take pleasure in circumventing Operating Systems and its security apparatus.
3. Cyberpunks- they have perfected the act of cryptography.
4. Phreakers- they use the internet to commit havoc on the telecommunication system eg. Telephone, TV etc.
Hacking, therefore involves penetrating computer systems, which of course requires security procedures to be circumvented. The hackers have found a wide range of ways to achieve this. In most cases these attacks are done for the challenge and challenge alone. The majority of hackers are not motivated by any sense of criminal imperative, but only by a deep curiosity and a fascination with what they see as the ultimate computer ‘game’.
Packet sniffing, tempest attacks, password cracking, buffer overflow, Email Interception, Trojans etc are means through which hackers perform their nefarious activities. Nigeria like most developing countries has no sophisticated laws on which to successfully prosecute criminal hackers.
An important issue in hacking is unauthorized modification of computer programmes or data. Due to lack of an appropriate legislation in Nigeria we could take a cue from our fellow Commonwealth sister India. India has enacted the Criminal Damage Act (1971) this act makes damage or erasure of computer programmes or data an offence. Property here implies property of a tangible nature whether real or personal. Information is an intangible property and as such cannot be destroyed in the traditional sense. The following cases illustrate the point better.
Cox v. Riley – The accused was found guilty of criminal damage where he had erased the programme from a plastic circuit card which was used to operate a computerized saw for cutting card which was used to operate a computerized saw for cutting programmed designs. Defence counsel argued that the only ‘damage’ done was to the electronic impulses which made up the computer programme and that since the programme was intangible property, such damage did not fall within the act.
The court held that the accused was not charged with damaging the programme but with damaging the plastic card in which it was housed. It was held that the card itself had been damaged by the deletion of the programme because that action had impaired its value or usefulness which required time and effort of a more than minimal nature to replace it. It was temporarily unable to perform the function it was designed to perform.
Re Whiteley Mr. Whiteley hacked into an academic computer system in order to delete, amend and add files. He had considerable computing skills, evidenced by the fact that he detected and deleted a programme which had been launched to track and trap him. It was submitted that the computer discs themselves had not been damaged and that the computer discs themselves had not been damaged and that his activities only affected the information stored on them, which was intangible property and, consequently, that his conduct fell beyond the reach of the act.
The court held otherwise that the computer discs had, in fact, been damaged because their usefulness had been impaired.
The basic purport of the above is summarized in Section 3 of the Computer Misuse Act- the requisite intent is to cause a modification to the contents of any computer;
(a) to impair the operation of any computer,
(b) to prevent or hinder access to any programme or data in any computer, or
(c) to impair the operation of any programme or the reliability of any data.
It does not matter whether the intent is directed at any particular computer, programme or data or programmes or data of a particular kind or at any particular modification or any modification of any particular kind.
A person while trying to cover up his tracks could attempt to erase data. In R v. Sinha
A doctor was charged for manslaughter and attempting to pervert the course of justice. A 30-year asthma patient was given a prescription that induced a fatal asthma attack through which she died. He then went to covertly modify her medical record by removing the fact that she was asthmatic. The information was however retrieved from the computer disk.
10 Internet Time Theft: This is the unauthorized use of the internet time paid for by another person. Section 390 of the Criminal Code provides that every inanimate thing whatever which is the property of any person, and which is movable, is capable of being stolen.
An offence may also be proved under section 484 of the Criminal Code. It states
“Any person who, with intent to defraud any person,
Falsely represents himself to be some other person,
Living or dead, is guilty of a felony”
11 Web Jacking: This is the electronic version of hijacking. This occurs when someone forcefully takes over the website of the victim (by cracking the password and later changing it). The actual owner of the website does not have any more control over what appears on that website.
An incident occurred in the USA where the owner of a children website received a mail that her site has been web jacked. She ignored it, but later started receiving calls from different quarters. The webjackers had replaced a section of the site titled “How to have fun with goldfish”. They replaced ‘goldfish’ with ‘piranhas’. Piranhas are a dangerous flesh-eating fish. Many children visited and followed the instructions and where injured in the process.
12 Cyber Squatting: this is the act of reserving a domain name on the internet, thereby denying true users of the name from using it. The Cyber Squatter does this in order to sell such names for cut-throat prices.
13 Email Bombing: The cyber criminal registers the victim’s email with so many mail service organizations thereby making the person receive hundreds of unwanted emails everyday from different quarters. This can make the ISP to delete the victim from its service.
14 Salami Attack: this is used to perpetrate financial crimes. The key here is to make the alteration so insignificant that it would be mostly unnoticed.
A good example is the case of Ziegler. A bank employee had his employment terminated; he therefore decided to get back at his former employers. He wrote a program which was to deduct 10 cents from every account and dump in the account of the last person on the customers list every Saturday. He therefore opened an account in the name of Ziegler. This went on for a long time until another person actually bearing the name Ziegler opened an account and noticed the unusual deposits. He therefore reported the case to the bank and it was later discovered and prosecuted.
15 Denial of Service Attack: this usually involves a malicious flooding of commercial websites, causing them to crash and preventing genuine customers from patronizing the site. There is another variant called Distributed Denial of Service Attack. This is a concerted effort of different people from different parts of the world towards one system or network. It is a little difficult to prosecute this crime. However the European Convention on Cybercrime has provided a leeway in its Art. 5.
It is criminal ‘…when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data ’
16 Worm Attack: a ‘worm’ is a self-replicating programme which eats up space capacity within computers. Worms are found in networks where they infect all the computers connected to the main server.
17 Virus Attack: a computer virus as the name implies is analogous with medical viruses. A virus in cyber crime parlance is the computer ‘machine code’ that copies its code into a host programme when the programme is run. Viruses also duplicate themselves depending on the make up. Viruses are contacted through the use of electronic storage devices, downloaded data from the internet or through file transfer on a select network. Viruses can be classified in two ways;
(i) According to how they attach themselves to the host programme.
(ii) According to their activity
According To How They Attach Themselves To The Host Programme.
The following are types of viruses that have unique manifestation in how they attach themselves.
(a) Shell- this forms a shell around the host programme and gain ascendance over the host programme. This makes the original programme sub-program of the virus code.
(b) Add-on – these viruses add their own code either to the end or beginning of the host programme.
(c) Intrusive- these viruses replace the host programme code with their own code.
According To Their Activity
(a) Boot – this affects the booting of the system. This hinders the system from storing vital information necessary to load the operating system which helps the computer to start up.
(b) Programme- this virus infects executable programme files. They usually have extensions like .exe, .com, .sys, .drv. When the programme is executed it spreads to the files.
(c) Macros- this virus infects the macros of the Microsoft word documents and templates. The virus travels along with the document and infects other computers also.
(d) Polymorphic- this virus appears in different forms in different infections as it has the capacity the capacity to change its code. This is very difficult to difficult.
(e) Zoo- this is an experimental virus that is confined to a research lab.
18 Trojan Horses: Trojan horses don’t usually replicate themselves; instead they hide their true intent behind something benign. They can present themselves as games, programs, screensaver etc. Trojan horses are designed primarily to give hackers remote control of the victim’s computer. They also engage in other sinister acts;
(iii) They could send themselves to everyone in the victim’s address book.
(iv) they may erase or alter the victim’s files
(v) They may steal data including credit card details.
(vi) They may install a virus or download other unwanted programs.
19 Logic bombs: these are malicious programmes that are primed to start operating at some point in the future; the trigger can be a specific date or event
A sacked network administrator in the US was charged after he planted a logic bomb in the system of the company. This cost the firm an estimated $10 million in damage.