Want to make Sri Lanka South Asian hub for cyber law- Jayantha Fernando
JAYANTHA FERNANDO IS A DIRECTOR/LEGAL ADVISER OF THE INFORMATION COMMUNICATION TECHNOLOGY AGENCY (ICTA) AND A LEADING PRACTITIONER IN THE AREA OF CYBER LAW AND CYBER CRIMES WITH AN LLM QUALIFICATION IN THIS RESPECT. AFTER COMMENCING READING IN THE CHAMBER
Q To start off could you give a short introduction into how you made advances in this area?
There were no real laws governing internet security in Sri Lanka. As I finished my legal studies, there was little interest but this aspect was becoming increasingly relevant. But IT related crimes were seldom considered in that time frame. In 2003 there was a draft which was pending, but in 2004 when the current Solicitor General Mr. Suhada Gamalath who was the Secretary of the Justice Ministry at the time got together with me to begin creating a comprehensive framework based on international precedent. Even at that time we could see that the main jurisprudence was coming from the Budapest Convention on cyber crime which was adopted in 2001 in Hungary, which is why it is called the Budapest Convention. This is actually the European Convention adopted by the ministers of the Council of Europe. After this, a committee chaired by Mr. Gamalath of which I was the secretary, created a framework and made our laws compatible with the Budapest Convention in creating substantive and procedural laws. So, when it went to parliament people may have wondered what connection we have with a European Council, but it was done with the long term intention that one day when we sought to accede to the Convention that it could be done with no issues. So, what was done was, a complete overhaul of the then Bill to include aspects which were compatible with the Convention and the inclusion of substantive and procedural laws. That is the difference Sri Lanka has vis a vis the laws of India, Singapore and Malaysia, which more or less hurried it, so while they had substantive laws, their procedural laws were all over the place. So, we were mindful of these factors when we were drafting our Computer Crimes Act.
Q What were the challenges you faced on the road to this point?
The Bill, when presented to parliament was referred for review to a parliamentary standing committee. When it went to the standing committee on law reform, it went into the principles and they were curious about the Budapest Convention. They eventually supported Sri Lanka following this model after comparing legislation in Pakistan, India, Malaysia and Singapore. India was looking for substantive law reforms after the Mumbai terror attacks, and they too looked to the Budapest Convention to adopt substantive laws, and made the laws substantially similar. They are trying to bring their procedural laws in line now. Thereafter the ICTA, through the connections Justice Mark Fernando had, established contact with the Council of Europe which said that Sri Lanka’s laws were the laws which were most compatible with the Budapest Convention. So, we continued the dialogue and held three events in Colombo in 2008, 2010 and 2013. The Council of Europe came for these events on Criminal Justice Law Enforcement training, judges training, on gathering of electronic evidence and presenting them to court. When they came in 2013 there was a discussion as to why Sri Lanka would not accede to the Convention. It was very difficult, because there was a lot of discussion among foreign affairs ministry, Justice ministry, the former AG, and then pushed the then government to take a policy decision. The decision to allow Sri Lanka to join the Convention was due to the efforts of Mr. Gamalath and others who pushed it. There were many obstacles to overcome, for instance when there is an offence committed there are Provisions in our Criminal Procedure Code, which guide the course of action to be adopted, so if we were to accede to the convention all of our laws must be compatible with the directives in the Convention.
Q Are these only applicable to cyber crimes?
Not at all, because as much as it furthers areas relating to cyber crime, the gathering of electronic evidence and the admissibility if such evidence in relation to other offences is also a very relevant area. Its applicability will extend to that as well.
Q What are the main benefits of acceding to the Convention?
Improving the legal system, the progression of jurisprudence relating to cyber crime, and improving the methods and practices adopted in the investigation of a crime, in gathering evidence and presenting it to court. These areas were the primary benefits of joining the Convention.
Q How many countries are currently a part of the convention? Is there urgency within the non contracting nations to become signatories?
The number of member nations is fewer than 50, but those who are along the pipeline are many. There are those
Even Canada is one week behind Sri Lanka in acceding to the Convention. Malaysia and Singapore are behind us and now they seek our advice on procuring an invitation to join the Convention. So, I want to make Sri Lanka the hub for laws on cyber crime in South Asia...
who have used many aspects of the Convention as a tool in formulating or reviewing their existing laws, and it numbers around 125 countries. Even Canada is one week behind Sri Lanka in acceding to the Convention. Malaysia and Singapore are behind us and now they seek our advice on procuring an invitation to join the Convention. So, I want to make Sri Lanka the hub for laws on cyber crime in South Asia, and to be a major contributor in a global context.
Q There are certain areas of ambiguity in this arena when it comes to distinguishing between ‘cyber terrorists’ and ‘hacktivists’ (people who impose their ideals of civic activism through hacking) where sometimes an individual could fall into both categories. All over the world there is a group called ‘Anonymous’ that fight for transparency and freedom of speech, ‘Lulsec’ in Russia that started on those ideals but ended up censoring media, and even charity groups like ‘random hacks of kindness’ in Canada which are established to help people unable to help themselves. Sometimes the intention is well founded, but most often they do have anarchical undertones. Does the end justify the means? What provision does the Convention have to offer in this regard?
The Convention itself clearly demarcates areas of authorization, which is an essential requirement in deciding whether it amounts to an offence or not. S. 2, 3 and 4 of the Computer Crimes Act in Sri Lanka deal with situations of authorization and unauthorised access. Unauthorised access is clearly set out, so the law relating to it is fairly clear. So, even instances of hacking for a ‘good purpose’ or morally justifiable purpose, like you said happens in Canada, must be sanctioned by the government or an authority competent to give them clearance in order for it to be within the constraints of the law.
Q Is there a definition of ‘hacking’?
Thankfully no. To give a restrictive definition will cause problems because this is such a dynamic area of law. So, broad and general wording has been used in depicting certain concepts. Even our Computer Crimes Act will have to be reviewed soon, because we have given definitions of ‘computer’ and ‘computer system’ which may not hold its validities for long.
Q What is your forecast for Sri Lanka in this area?
Well these are very promising times, because to become a member nation is not easy. There is a very cumbersome process. So, we have gained the advantage over many countries which would have been fancied to enter before us. I believe this will strengthen our municipal laws and also change the outlook of many countries towards us in many aspects. Our relations with countries will have a mark improvement. This Convention is, and will continue to be the leading authority in international law governing this area, the force of which even a subsequent UN Convention will not have.