Abstract
In Malaysia, cybersecurity is governed by several main pieces of legislation such as the Computer Crimes Act 1997, Communications and Multimedia Act 1998, the Malaysian Penal Code and Personal Data Protection Act 2010. Other relevant statutes include Sexual Offences Against Children Act 2017, Sedition Act 1948 and more. Despite the existence of these cyber laws, cybercrime remains a growing concern in today’s age where the usage of the Internet is no longer uncommon due to affordability and awareness. The primary reason for the rampancy of cybercrime in our nation is the lack of far-reaching and comprehensive laws to stem the flood of cyber threats, risks and vulnerabilities. Therefore, this paper aims to shed some light on the loopholes of the existing cyber-related legislation in Malaysia. At the same time, practical suggestions for the way forward are addressed, reflecting the urgency for better law to protect cyberspace users.
Introduction
As the adage goes, whatever goes to the Internet, stays on the Internet. It is an uncomfortable truth that whenever your personal information or data is made available on the web, no one can assure that such information will not be at risk of data exploitation, spying or any illegal activity. Any person can be a victim of a cybersecurity threat, especially during the novel coronavirus disease pandemic, when people have shifted to the Internet as a gateway to the world.
Living in this new normal, most consumers purchase items online, while workers, students and children spend most of their time with electronic gadgets to minimise social contact, in particular during the implementation of the movement control order or lockdown in our country. Inevitably, online perpetrators take advantage of the present circumstances to lure people into the “trap” set by them. What is even more worrying is that minors are categorised as a group vulnerable to cybercrime. Cybercrime or high-tech crime can take many forms, such as phishing, spoofing, hacking and malware.
| Incident | 2017 | 2018 | 2019 | 2020 | 2021 |
| --- | --- | --- | --- | --- | --- |
| Content related | 46 | 111 | 298 | 170 | 91 |
| Cyber harassment | 560 | 356 | 260 | 596 | 417 |
| Denial of service | 40 | 10 | 19 | 16 | 22 |
| Fraud | 3,821 | 5,123 | 7,774 | 7,593 | 7,098 |
| Intrusion | 2,011 | 1,160 | 1,359 | 1,444 | 1,410 |
| Intrusion attempt | 266 | 1,805 | 104 | 116 | 159 |
| Malicious codes | 814 | 1,700 | 738 | 593 | 648 |
| Spam | 344 | 342 | 129 | 145 | 102 |
| Vulnerabilities report | 60 | 92 | 91 | 117 | 69 |
| Total | 7,962 | 10,699 | 10,772 | 10,790 | 10,016 |
Table 1: Reported Incidents based on General Incident Classification Statistics 2017 – 2021
Source: MyCERT
Table 1 above depicts the number of reported cyber related cases according to general incident classification by Malaysia Computer Emergency Response Team (MyCERT) from the year 2017 to 2021. From the trend, we can see that the number of reported cases surged drastically from 2017 to five digits in the following years, with fraud showing the highest number of reported incidents every year. Based on the recent statistics, in just less than a quarter of this year – March 2022, there are 1,159 reported cases.
While enforcement and public awareness drive the growth of the local cybersecurity market, the enactment of a stand-alone law to specifically address cybercrime is a precondition for effectively nipping the problem in the bud. The absence of such a law and the drawbacks of the existing cybersecurity-related laws in our country hinder the efforts to curb the growing prevalence of cyber threats.
At present, there is an urgent need for the law to keep pace with today’s evolving technology and to govern its rapid advancements. However, the truth is that our legal framework to govern cybercrime is far from where it is supposed to be.
Background
Before delving further, one should first understand the laws we have and the purposes they serve. Speaking of cybercrime, the legislation that first comes to most people’s minds is the Computer Crimes Act 1997 (“the CCA”). The CCA is the legislation enacted to deal with misuse of computers; it came into effect more than two decades ago on 1 June 2000, which made Malaysia one of the countries with computer-specific legislation. To this day, the long-standing CCA has yet to be extensively reviewed and revised.
Prior to that, another piece of legislation which deals with the protection of cyberspace users is the Communications and Multimedia Act 1998 (“the CMA”). It provides a regulatory framework to cater for the convergence of the telecommunications, broadcasting and computer industries, with the aim of positioning Malaysia as a major global centre and hub for communications and multimedia information and content services. Pursuant to the enactment of the CMA, the Malaysian Communications and Multimedia Commission (“MCMC”) acts as the new regulatory body for the communications and multimedia industry in Malaysia.
Cybercrime also revolves around identity theft and invasion of privacy. Unsurprisingly, the discussion of this subject matter is also centred around personal data protection. The law for personal data protection in Malaysia, the Personal Data Protection Act 2010 (“the PDPA”), came into force in 2013. The purpose of the PDPA is to regulate the processing of personal data in commercial transactions and for matters in connection therewith and incidental thereto. Nevertheless, the limited scope of application of the PDPA warrants a legislative change for a thorough cyber safeguard.
For cyber-related criminal activities which do not specifically fall within the ambit of any of the aforementioned statutes, for instance online cheating, fraud, criminal defamation, intimidation and pornography, the offences may be charged under the backup law, that is, the Malaysian Penal Code.
In the age of digitalisation, minors are increasingly exposed to a multitude of digital technologies at an early stage of their lives. In connection with that, there is a rising demand for child digital privacy. However, there is no legislation that exclusively deals with online child protection, despite the varying aspects of child protection under the Penal Code, Sexual Offences against Children Act, the Child Act, CMA and CCA, as they were not enacted with those intentions in mind.
Analysis
The Computer Crimes Act 1997
In the wake of new technologies and economic innovations, cybercrime is no longer confined to computers, as most users are intercommunicating virtually through multiple devices, platforms and networks and leveraging technology in almost every aspect of their lives.
Given that the Long Title declares the CCA as “an Act to provide for offences relating to the misuse of computers”, it could have directly implied that malware invasion is covered by the Act, but regrettably the Act further provides for the definition of “computer”. The definition is given under section 2 of the CCA as follows:
“computer” means an electronic, magnetic, optical, electrochemical, or other data processing device, or a group of such interconnected or related devices, performing logical, arithmetic, storage and display functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device or group of such interconnected or related devices, but does not include an automated typewriter or typesetter, or a portable hand held calculator or other similar device which is non-programmable or which does not contain any data storage facility.
Taking into account the evolving nature of information and communications technology (“ICT”), the definition is too restrictive and specific. The emergence of newly developed mobile devices and hybrid innovations in ICT raises the question of whether they are considered a “computer” under the definition in section 2 of the CCA, given its restrictive meaning.
It is true that whether mobile devices and hybrid innovations are “computers” makes no significant difference in terms of their operation, as long as they function as designed. But, from a legal perspective, the demarcation between what is a “computer” and what is not is crucial, as it could result in different application of the law.
As a comparison, the Singaporean Computer Misuse Act 1993 (SCMA) adopts a flexible approach in defining the word “computer”. This is reflected in Public Prosecutor v Muhammad Nuzaihan Bin Kamal [2000] 1 SLR 34, where the accused was convicted of, inter alia, the offence of unauthorized access to computer material and modification of a computer’s contents under the SCMA. The “computers” that were the subject matter in this case were “proxy servers”. If this case were to be brought before a Malaysian court, the accused would most likely be acquitted, as the proxy server merely functions as storage and so does not satisfy the conjunctive requirements of the definition in the CCA.
As a way forward, the legislature should amend the given definition of “computer” under the CCA and adopt an extensive yet flexible legal definition to prevent ambiguities.
The Communications and Multimedia Act 1998
The CMA, on the other hand, has been an efficient piece of legislation for prosecuting offenders. Reference is frequently made to the CMA for cyberbullying offences despite it not having been created for the prosecution of cyberbullies. The two main provisions pertaining to the criminalisation of offensive content are sections 211 and 233 of the CMA: prohibition on provision of offensive content, and improper use of network facilities or network service.
Some criticise the offensive content described in these provisions as too broad. Further, the provisions are said to encroach on an individual’s freedom of speech, due to vague and ambiguous terms that can easily be misused to stifle speech and expression.
As such, the provisions on offensive content have to be carefully examined in order to strike a balance, so that freedom of speech may be exercised while not being abused at the same time.
The Malaysian Penal Code
Identity theft happens when cybercriminals attempt to induce Internet users to reveal their credentials and personal information. The information and credentials obtained are then manipulated to the owner’s disadvantage, for purposes such as monetary gain. Such incidents often occur through emails from individuals who impersonate someone from purported banks, government agencies or companies.
While online identity theft or fraud is not an uncommon scenario in Malaysia, there is still no provision to specifically address this type of cybercrime. Nevertheless, it has been suggested that section 416 of the Penal Code may be applied to identity theft. The section provides that it is an offence to “cheat by personation” where a person cheats by pretending to be some other person, or by knowingly substituting one person for another, or representing that he or any other person is a person other than he or such person really is. Cybercriminals convicted under the section are punishable with imprisonment for a term which may be extended to seven years and/or fine.
This so-called backup law is not adequate to deal with online identity theft, and the Penal Code was not enacted to tackle cybercrime in the first place. So far, no cases have been reported in respect of actions on online identity theft or fraud specifically in the context of cybercrime.
Additionally, young children are vulnerable to sexual grooming and abuse. At that stage of their lives, they are still oblivious to the boundaries of social interaction. When children are given a platform to publicly express and expose themselves to the digital world, parental or guardian consent must be a paramount consideration, or a necessary step to be taken, before allowing these innocent children to access cyberspace.
With that being said, mere reliance on the Penal Code for digital theft and children’s digital privacy protection is insufficient and will lead to massive loopholes. A legislative approach of creating a stand-alone law to provide such protection would be able to deal exclusively with these crimes.
The Personal Data Protection Act 2010
An individual’s right to privacy is recognised as part of the right to personal liberty in Sivarasa Rasiah v Badan Peguam Malaysia & Anor [2010] 3 CLJ. The case referred to Govind v State of Madhya Pradesh AIR [1975] SC 1378 and held that personal liberty under Article 5 of the Federal Constitution encompasses the right to privacy.
It is true that we have a law for personal data protection in Malaysia, namely the PDPA; however, the limited scope of application of the law does not adequately safeguard cyberspace users. The PDPA covers commercial transactions only. In other words, it applies to any commercial dealing of a contractual or non-contractual nature regarding the supply or exchange of goods and services pursuant to section 4 of the PDPA. The exclusion of non-commercial transactions or activities, particularly social media (unless it is used for commercial purposes), is a bane in catering for the need to protect different stakeholders, considering that social media is used by nearly everyone in this world.
Ironically, another flaw of the PDPA is the blanket exemption given to the government. The Federal and state governments are exempted from the application of the Act. As a matter of fact, the governments can easily access our personal data and information, and they are the ones we entrust our personal data to. Apparently, we now have no right to initiate legal action against the government if our personal data stored, controlled and processed by them has been manipulated or leaked. For fairness and justice, the Federal and state governments should be held accountable for protecting the public’s personal data from being used for unauthorised purposes.
Moreover, the PDPA does not confer any civil remedy mechanism. In cases of data breach, the victims do not have a clear directive of a statutory civil right to bring action against the wrongdoer. Therefore, in addition to sanction and compensation, the implementation of a remedial mechanism in the law is no less important.
To amend the current PDPA, it is recommended that the legislature consider the European Union (EU) General Data Protection Regulation 2016/679 (GDPR) as a guideline for the improvement of data privacy and protection.
The GDPR is designed to give EU citizens control over their own personal data, and it stands out as one of the most robust privacy laws in the world. The GDPR requires clear consent and justification prior to the collection of data, which includes personally identifiable information, web-based data, health and genetic data, biometric data, racial and/or ethnic data, political opinions and sexual orientation. This comprehensive set of regulations would certainly bring a much desired outcome in facing economic and national security challenges.
Conclusion
Limitless cyberspace with zero boundaries can erode a national security border. In the absence of laws for the enforcement of cybersecurity, as well as a directive for the pursuit of legal remedy by a victim of cybercrime, it is as if there is no law at all. For cyber laws to keep up with the advancement of technology is indeed easier said than done. In spite of that, it is not impossible to achieve. Legislative efforts are significant in closing the gap between the law and the evolution of new digital technologies. If not now, then Malaysia would be left further behind than the country already is.
Written by Sovitra Sukahut Som. Sovitra was the First Runner-Up in the ALSA UUM Article Writing Contest 2022: A New Face of Cybercrime.