A push by the Washington, D.C.-based Business Software Alliance (BSA) to have Congress pass legislation that will include new categories of cyber crime is a move to fill in “small gaps that need to be bridged”, according to a lobbyist with the group.
The changes will address law enforcement’s lack of criminal laws that don’t cover every type of cybercrime, and adequate funding for investigations that are often complex, cross-continent, and time consuming, said Franck Journoud, manager of information security policy with BSA.
“It’s important for the Internet to continue to grow for people to have strong confidence that they’re going to be safe online,” said Journoud.
If the Cyber-Security Enhancement Act is passed, cybercrimes will include the stealing of access codes or electronic identifiers from a computer, accessing a computer without authorization even if the access causes no harm, and will define a new crime based on intent to commit a cybercrime.
The Act will also increase funding for three law enforcement agencies – U.S. Secret Service, Federal Bureau of Investigation, and U.S. Department of Justice – towards cybercrime investigations and prosecutions.
The Act reflects a concern on the part of industry players, of which BSA is primarily comprised, for the inability of industry and software providers to stay ahead of hackers and any nefarious use that might take place, said Howard Simkevitz, lawyer with Toronto, Ont.-based law firm Lang Michener LLP. “I do think [the Act] will help because it captures potential harm.”
But the changes are really about granting law enforcement the ability to intervene before harm occurs in instances of trafficking of personal information and personal data, said Simkevitz – something that Canadian criminal law doesn’t provide.
It’s a “crucial part” that Canadian law needs, he said, however there is the concern that law enforcement could obtain subscriber information from Internet Service Providers (ISPs) without going through the standard process of getting a warrant.
“There would have to be the proper observed procedures in place… I don’t like the idea of law enforcement having carte blanche to go after any suspected security breach.”
But Journoud doesn’t see how the bill could allow for that level of intrusion, saying that the Act is merely about “limited but important changes” for investigating cyber criminals.
But criminalizing these activities may not be the best approach, especially considering there are already laws in place to combat these types of crimes, said David Fewer, staff counsel at Ottawa, Ont.-based Canadian Internet Policy and Public Interest Clinic.
“When passing a law, you want to make sure you’re doing it for the right reasons,” said Fewer, adding he’s not sure the Act will help the cyber crime situation – besides, anti-spyware laws in effect in the U.S. already address the issue of unauthorized content to some extent.
Such an Act, he said, may have “unintended consequences” to certain user groups depending on how they’re crafted. In particular, comparative price shopping Web sites, which rely on accessing publicly available computer systems on the Internet, may be limited in how they conduct business.
Among the real drivers behind the push for the Act is competitive pressure from businesses, said Fewer, citing a case when eBay Inc. sued Bidder’s Edge Inc. for trespassing on eBay servers to compile comparative consumer data based on publicly-available information.
“Usually we don’t say that’s a bad thing… But eBay had a strong motivation to make sure that you didn’t get access to that information until you’d already visited three or four different Web pages on eBay.”
It would certainly be interesting if the Canadian Alliance Against Software Theft (CAAST) – the BSA’s Canadian counterpart – adopted a similar movement north of the border, said Fewer, who believes cybercrime laws are lacking here.
“We’ve had a difficult time getting current law enforcement to look at things like spyware and spam and legislate here. Existing laws haven’t been taken up by authorities in a particularly confidence building manner.”
Having said that, Fewer isn’t certain that laws focusing merely on accessing a computer system will work because the Internet is after all an access machine. “That’s its purpose. It’s a network. So when we start to say I get the right to control your ability to use resources that I voluntarily made available to the network, I get worried.”