BOSTON (06/30/2000) - It took more than an estimated US$8 billion in computer damage worldwide from the "ILOVEYOU" virus for Philippine Republic Act 8792 to come about.
The country's week-old electronic commerce act lays out how "hacking or cracking" crimes should be punished in the Philippines. Love bug virus suspect Onel de Guzman will not face charges under the new law however, but rather ones already on the Republic's books that address theft and credit card fraud. [See, "Love Bug Author Charged, May Face Stiff Jail Term," June 30.]The Filipino government's implementation of the new law raises the larger question of what laws are in place to address Internet security globally.
Experts suggest that in many countries existing laws against fraud, trespassing and causing harm could potentially cover computer-related crime. But they also point out that fine-tuning and coordinating cyber law efforts globally could take years as many countries' citizens are just seeking to get online.
"I think most governments are sincere in their interest in passing legislation that will help protect companies and customers from such abuses," said Vint Cerf, a principal with the Global Internet Project and senior vice president for Internet Architecture and Technology at WorldCom Inc., in an e-mail exchange with the IDG News Service. "The technical community needs to help the legislators understand enough about how the network works to help fashion enforceable laws."
"Not all such attacks can be prevented and in the absence of defense, one wants laws with whichone can prosecute abusers," Cerf said. " Multinational companies ... are already well-aware of the problem and have been actively seeking to draw the attention of governments and industry to the need to develop technical measures to defend against these abuses and to develop legal frameworks that can function on an international scale to bring abusers to account for their misdeeds."
Within its newly approved electronic commerce law, Filipino lawmakers outlined penalties for the unauthorized access or interference into a computer system, server or communication system. They provided penalties for corrupting, stealing or destroying a computer system without the owner's consent.
That includes the introduction of computer "viruses and the like" that cause corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents. If convicted, the crimes are punishable by a minimum fine of one hundred thousand Filipino pesos or about US$2,316 and a mandatory prison sentence of six months to three years.
Lee McKnight, an associate professor of international telecommunications at Tufts University's Fletcher School of Law and Diplomacy, suggests it may take other significant events like the "ILOVEYOU" virus to push countries to develop Internet laws.
"Y2K is a perfect example," McKnight said. "The U.S. had to preach to other countries to address the problem."
McKnight said the top 30 industrialized countries are discussing the needs for Internet-specific laws, but it is not the priority in developing countries. The priority in the developing world, in fact, is just to allow their citizens access the Internet, he said.
Pressure from multinational companies and the U.S. may be needed to put this issue on the radar screens of developing countries. McKnight said.
"This is going to take five or 10 years," McKnight said. "This is not going to happen overnight."
Collaborative efforts already are under way, however, in many developed countries. During May, representatives of the G8 group of nations, representing the world's leading industrialized countries and Russia, met in Paris and agreed to boost cooperation to fight cybercrime.
Participants there confirmed their support of the Strasbourg, France-based Council of Europe's efforts to finalize a Convention on Cybercrime, which will be the first international treaty to deal with the different forms of criminal activity in cyberspace. The 41-nation council opened its membership to Japan, the U.S., South Africa, Canada and Israel for development of the treaty.
The treaty would require countries to approve and enforce laws regarding interception of data, interference with computer systems and fraud and forgery via the Internet. It also requires them to provide national law enforcement the authority to carry out computer searches and seizures of computer data.
According to a Council of Europe statement, the draft convention is expected to be finalized by an expert panel by December 2000 and the Committee of Ministers could adopt the text and make it ready for approval by as early as September 2001.
In the U.S., the National Infrastructure Protection Center, a division of the U.S. Federal Bureau of Investigation, has said that awareness-building efforts are under way to make sure countries have laws in place to prosecute computer crimes, especially with the sabotage potential of viruses.
"Everyone realizes that we are at a point that business is in transition, technology is in transition and there is a legal transition as well," said Randy Picker, a law professor at the University of Chicago Law School. "The reality is the legal clock is a lot slower than the business or technology clock."