[ISN] Ghana: Computer Security, Our Data Protection And Legislations

From: InfoSec News (alerts@private)
Date: Mon Jun 02 2008 - 00:09:19 PDT


http://allafrica.com/stories/200805300826.html

Public Agenda (Accra)
OPINION
30 May 2008 

When Abed-Nego Bandim, 27 left Ghana a few years ago for further 
studies, not many gave him the chance to rise to stardom. But Abed, as 
he is affectionately called defied all odds and recently graduated in 
LLM from the Robert Gordon University (RGU) in Scotland. While in 
school, Abed became the first international student to be elected 
Student President of RGU IN 2004. That was also the first time an 
international student had been elected to the post in the north east of 
Scotland.

Abed, who was studying an LLM International Information Technology Law, 
decided to run for Student President because he was extremely interested 
in the activities of students and what they were receiving in terms of 
welfare needs such as food, accommodation and transport.

In Abed's manifesto, he said his main objective was to form a student 
general assembly to brainstorm and debate issues relating to the overall 
welfare of the students both academically and socially. Abed soon 
emerged as a good organizer of people a feat he would carry into his 
future career. Little wonder that on competing his LMM course, Abed 
became a Senior Fellow of the Young UK and Ireland Programme. In 2006 he 
was also appointed as ELIR for Higher Education in Scotland. From the 
look of things, Abed is destined to become one of the young leaders 
Ghana and indeed Africa will be looking to for the future. Below is an 
analysis of what he suggests should be done to deal with computer 
insecurity and concludes that this will vary amongst sectors-government, 
military, banking, commercial etc.

The internet brings with it unprecedented potential for the positive 
development of our society. The ability to disseminate information and 
to communicate almost instantaneously has already revolutionised 
numerous facets of our lives and will continue to do so. Simultaneously, 
the computer and related activities or use provides enormously effective 
tools and mechanisms for individuals and groups who seek to conduct 
unlawful activity. People have often agued that, each advance in 
technology has brought new means which traditional crimes could be 
committed. So it is with the computer.

Recent development at the Electrical Commission (EC) of Ghana regarding 
the issue of the bloated voter register in certain parts of the country 
raises the fundamental questions of computer and internet crimes and how 
it can properly be dealt with by law. The EC and the NDC argument on the 
issue of the doctored disk is the best case scenario for this exercise 
and probably sets the tone for the various arms of government especially 
the legislature and stakeholders to consider either a specific 
legislation which prosecutes individuals for Computer Misuse and Data 
Protection violations or consider amending the already existing Acts to 
effectively deal with computer and internet related crimes. These Acts 
often contain wording to the effect that those responsible for data 
processing operations, such as company directors, data controllers, data 
processors etc are under a statutory duty to take adequate, appropriate 
or effective technical security measures to protect data against 
accidental or unlawful destruction or alteration, and unauthorised 
access or disclosure. Examples of such legislation include:

The Data Protection Act

The Companies Act

The Financial Service Act

So exactly what is meant by the term "effective", "appropriate" or 
"adequate" computer security and how can one quantify this metric? And 
with the new means of facilitating mass communication comes the ability 
to commit crimes inexpensively, quickly, and across enormous 
geographical space.

The question then is:

The domestic criminal law in any civilised legal system is as important 
as, if not more important than, any computer specific legislation in the 
battle against cybercrime. But such a system does not necessarily hold 
all of the answers.

Critical analysis of what crime is, how crime is committed and how 
criminals are punished can best determine the above question. Crime, in 
any well organised, civilised legal system or society is defined as any 
unlawful activity or default which is an offence against the public and 
renders the person guilty of the act liable to legal punishment. 
Criminal law suit are normally initiated by the state through the 
recommendation of the Attorney General's Department or the office of the 
Director of the Public Prosecutions (DPP) or the Police in most 
countries. There are two main sources of law that can be used to 
prosecute computer related crimes. These are common laws and the 
statutory laws. To establish any form of criminal act against accused 
person's three elements come into play, i.e. the actus reus and the mens 
rea and in some countries no defence.

Cybercrime what is it?

Just as any other normal crime is an unlawful conduct that involves the 
use of a computer or computer device for unlawful purposes, domestic or 
traditional crimes such as fraud, data and privacy, computer hacking, 
crimes of dishonesty, child pornography and sexual crimes, offences 
against property, deformation, drug trafficking, road traffic offences 
etc. are increasingly evident that crimes of this nature are now highly 
sophisticated, much more easily to commit with the aid of the internet, 
computers; and its related components than before and difficult to 
define when one commits it, hence the need for specific computer 
legislation to combat these crimes.

CASE ANALYSIS IN RELATION TO COMPUTER CRIMES

Crimes of Dishonesty

In most cases when one commits a crime by using a computer or the 
internet, the objective will be to simply break into a computer in order 
to get a thrill out of being able to do so, and do not wish to gain any 
tangible benefit from the act. Such crimes can best be dealt with under 
a specific Computer Misuse Legislation. However, often computer crime is 
aimed at securing some positive gain, other than simply breaking into a 
system. On occasions, the aim is to benefit financially, and such cases, 
a crime of dishonesty may be have been committed. There are two main 
types of such crimes that may affect computer activities: Theft and 
Fraud.

Theft: or stealing is defined according to the laws of Ghana as: The .. 
taking or appropriation of the property of another without the consent 
of the owner and with the intention to deprive him of that property. 
This definition is recognised in any or all jurisdictions; however, 
going by this definition according to the law of Ghana, will not be 
enough to deal with theft committed with the use or aid of a computer. 
For example, it will be very difficult to hold one responsible for 
copying a document from the computer since he/she will not permanently 
deny the owner of ownership of his property even though he/she might be 
taking it without his/her knowledge, because, there must be an intention 
to deprive the owner of the computer work under the definition of the 
law of theft. Intention here is again relevant in establishing a 
criminal act, the person downloading or copying must have an intention 
not to return the document. For instance, where a hacker gains access to 
a computer or computer network and removes some files from it will not 
be committing the act of theft, even though he took or committed the act 
without the knowledge or permission of the owner.

The case of Smith v. Dewar and Another. Two accused persons were charged 
inter alia that they "did steal a moped". Both entered pleas of not 
guilty. It was held that no intent existed, therefore any presumption of 
theft arising from the unauthorised removal of the moped from the place 
where the owner had placed it was not binding and the two were found not 
guilty. Realistically, under a specific computer legislation persons can 
be charged for unauthorised access to computer material with or without 
intent. Another issue which is critical in the debate on the role of the 
criminal law concerns the availability of the legal remedies. For 
example, in an act of an employee seeking to obtain unauthorised access 
to information held on the employer's computer might constitute serious 
industrial misconduct justifying summary dismissal. However, it can also 
be agued that employers have the responsibility and should take the 
necessary steps to bring such a prospect unequivocally to the notice of 
employees. Although, it may be considered that the threat of dismissal 
is a more real sanction in the employment relationship than that of 
criminal prosecution. (See the Monday edition for the concluding part of 
this article)

Copyright 2008 Public Agenda. All rights reserved. Distributed by 
AllAfrica Global Media (allAfrica.com).


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jun 02 2008 - 00:18:32 PDT