Why Malaysia Should Amend Its Cyber Security Laws
Malaysia only started to join the ‘internet party’ in 1995, and the growth in the number of Internet hosts in Malaysia began around 1996. Anticipating possible abuses, the Malaysian Parliament has passed several pieces of cyber-related legislation since 1997. On 1 September 2016, Malaysia took the initiative to establish its very first cyber court, to deal with the large volume of cyber-related cases, both civil and criminal.
Computer Crimes Act 1997 (“CCA”)
Malaysia’s Computer Crimes Act 1997 (“CCA”) was enacted in 1997 to cater for offences relating to the misuse of computers (including hacking). It was enacted two years after what is considered the beginning of the Internet age in Malaysia.
One interesting fact: despite the current pace of technological advancement in Malaysia, the CCA has never been amended by the Government of Malaysia (“GOM”) since the day it was enacted.
Statistics on the number of individuals charged and prosecuted under the CCA over the past ten years are, to date, unknown. Law practitioners in Malaysia therefore believe that successful prosecutions under the CCA are very low and that many accused persons have been found not guilty, mostly due to technical errors and procedural mishaps.
In Pendakwa Raya (Public Prosecutor) v Vishnu Devarajan, the accused faced 36 charges under sections 3 and 5 of the CCA. Due to technicalities, procedural errors, and the prosecution’s inexperience in handling computer crime cases (as inferred from how the charge sheets were drafted), the accused was found not guilty on all 36 charges and the court declared the charges defective. Learning from the mistakes made in this case, prosecutors have since started to improve their skills and knowledge for subsequent cases charged under the CCA.
The growth of the Internet has opened more windows of opportunity for computer crime. Statistics show that there are currently 26.3 million Internet users in Malaysia, a figure expected to increase to 29.4 million by 2023.
These statistics should raise a legitimate concern for the GOM to amend our existing cyber-related laws to protect the cyber realm (especially its users) in Malaysia. An increasing number of Internet users means more opportunities for cyber criminals to take advantage of this limitless virtual dimension.
The generality of the existing provisions under the CCA may be a blessing in disguise. Some provisions in the CCA may seem too general and ambiguous, but they may still be applied to modern scenarios, considering that the CCA was enacted in 1997 and has never been amended. For instance, if someone intentionally attacks or infects another computer using malware or ransomware, it may be an offence under section 5 of the CCA. Section 5 states that it is an offence for a person to do any act which he knows will cause unauthorised modification of the contents of any computer; upon conviction, he is liable to a fine not exceeding RM100,000 or imprisonment not exceeding 10 years, or both if the act was done with the intention of causing injury.
Unfortunately, to date, there are no reported cases of anyone in Malaysia being prosecuted for infecting a computer with malware or ransomware.
Communications and Multimedia Act 1998 (“CMA”)
The CMA provides for and regulates the converging areas of communications and multimedia in Malaysia. In particular, the CMA regulates various activities carried out by licensees (i.e. network facilities providers, network service providers, applications service providers and content applications service providers) as well as those utilising the services provided by the licensees.
The CMA, amongst other things, requires licensees to use their best endeavours to prevent network facilities or network services from being used for the commission of any offence under Malaysian law; prohibits fraudulent or improper use of network facilities or network services; prohibits the use and possession of counterfeit access devices; prohibits the use of equipment or devices to obtain unauthorised access to any network services; and prohibits the interception of any communications except with lawful authority.
Prosecutions for offences under the CMA are nothing new in Malaysia. Compared to the CCA, the CMA has been used far more frequently as an efficient tool for prosecution.
Prosecutions of cyberbullying offences in Malaysia rely on the CMA as the main reference. Section 233 of the CMA is usually invoked to prosecute cyberbullies, and many Malaysians have been charged under this provision. However, this section was not specifically crafted for the prosecution of cyberbullying. Presently, Malaysia does not have a specific law on cyberbullying, although in 2017 the GOM publicised that a law on cyberbullying was being drafted.
Recently, the Ministry of Health also made an announcement on body shaming in Malaysia. A person who body shames another person shall be held accountable for an offence and may be prosecuted under subsection 233(1)(b) of the CMA. This announcement was made in conjunction with the Ministry’s efforts to raise mental health awareness and to remind the public to stop making negative comments about an individual’s body. Nevertheless, whether the Malaysian Communications and Multimedia Commission (“MCMC”), as the regulator, will take body shaming seriously is another issue.
The CCA specifically refers to the Penal Code in section 4. Section 4 states that it is an offence under the CCA if a person commits a ‘computer crime’ with the intention to commit fraud or dishonesty or to cause injury as defined in the Penal Code.
Malaysian cyber laws do not have a specific provision on electronic or computer-related identity theft or identity fraud. However, it has been proposed that section 416 of the Penal Code also be applied to identity theft. Under section 416 of the Penal Code, it is an offence to “cheat by personation”, i.e. where a person cheats by pretending to be some other person, by knowingly substituting one person for another, or by representing that he or any other person is a person other than he or such person really is.
To date, while there has been news of individuals committing identity theft or fraud, such cases have usually been tried on the basis of contravening national registration regulations (in relation to impersonation or theft of identification cards). There have been no reported cases of identity theft or identity fraud specifically in the context of cybersecurity or cybercrime.
In cases where computer-related crimes are involved, but do not specifically fall within the ambit of any of the aforementioned statutes (for example, online fraud, cheating, criminal defamation, intimidation, gambling, pornography, etc.), such offences may be charged under the Penal Code, which is the main statute that deals with a wide range of criminal offences and procedures in Malaysia.
Using the Penal Code as a ‘backup’ law to protect the cyber realm is not sufficient. In fact, the Penal Code was not enacted to address cybercrime. It should be one of our main concerns that relying on the Penal Code where no existing law caters for a particular cyber offence may lead to inadequate protection under the relevant laws (i.e. injustice) and other serious loopholes.
Personal Data Protection Act 2010 (“PDPA”)
The PDPA in Malaysia only protects personal data received and processed in commercial transactions. Ironically, the PDPA does not apply to the GOM and state governments, which leaves us with no apparent right to take action against the GOM or state governments if personal data stored, controlled, and processed by them is manipulated or leaked. Although we still have the option under common law principles to take action against the GOM and state governments if our personal data has been wrongly used, this does not guarantee a bright chance of success. For all we know, the court may eventually strike out our application for any reason it thinks reasonable.
When a massive data leak occurred in 2014, in which 46.2 million personal data records were leaked to unauthorised third parties, Fahmi Fadzil, a politician and member of the Parliament of Malaysia, took the initiative to bring a legal action against the MCMC and Nuemera Sdn Bhd, the private company appointed to manage the MCMC’s public cellular blocking service (PCBS), on the basis that they had failed to protect personal information belonging to the majority of Malaysians. The progress of this case is presently unknown.
Nevertheless, Nuemera Sdn Bhd is currently being investigated by the Personal Data Protection Department (“PDPD”) under section 9 of the PDPA, which requires a data user to “… take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction…”.
One of the latest data breaches in Malaysia occurred in September 2019, when Malindo Air confirmed a data breach exposing the personal data of millions of its passengers. The leaked information contained passengers’ full names, home addresses, email addresses, dates of birth, phone numbers, passport numbers and expiration dates. These data were shared and distributed in groups on an instant messaging service (e.g. Telegram) and on cloud storage and file-hosting services (e.g. mega.nz and openload.cc).
Unfortunately, we have yet to hear from the GOM or the PDPD on any action that will be initiated against Malindo Air for its failure to protect its passengers’ personal data. It is possible that no action will be taken against the airline, considering the GOM’s and the PDPD’s previous records.
Presently, the PDPA contains no provision requiring a data user to notify or report any breach of personal data to the PDPD. This is the biggest weakness of the PDPA. Besides notification to the PDPD, which acts as the authority for personal data protection in Malaysia, the PDPA should also require the data user to notify its clients or users of any data breach and to give assurance of the actions to be taken to control the damage, if any. If something happens to their personal data, the public deserves to know about it.
The GOM and state governments should also be held responsible for the public’s personal data that they have collected and processed. The PDPA should be amended, or a new Act should be enacted, specifically to cover the GOM’s and state governments’ responsibilities for personal data. The Government should also be obliged to take practical steps to protect the personal data of the public, including protecting the data from being hacked and leaked.
Additionally, the PDPA should also stipulate a clear directive on civil remedies. Victims of any data breach should be clearly given statutory standing to take legal action against any data user for failing to protect their personal data.
The PDPA must also be strengthened. The European General Data Protection Regulation (GDPR) should be one of our main references in amending the PDPA. The current provisions of the PDPA are insufficient and too weak to protect the public in Malaysia from abuse of their personal data.
The GDPR represents one of the most robust data privacy laws in the world. It gives people the right to ask companies how their personal data is collected and stored, how it is being used, and to request that their personal data be deleted. It also requires companies to clearly explain how personal data is stored and used, and to obtain a person’s consent before collecting it. The GDPR requires clear consent and justification for the following types of data:
- Personally identifiable information, including names, addresses, dates of birth, social security numbers;
- Web-based data, including user location, IP address, cookies, and RFID tags;
- Health and genetic data;
- Biometric data;
- Racial and/or ethnic data;
- Political opinions; and
- Sexual orientation.
The GDPR requires a company to take practical steps to ensure that the personal data it has collected and stored is safe, by establishing, amongst others, the following:
- A data breach incident response plan;
- A Data Protection Officer (DPO); and
- A record or log of risks and compliance progress.
Recent news about Facebook’s leaked documents, and how Facebook uses personal data as a bargaining chip, starting and ending nearly every business negotiation with a discussion about access to personal data, should be taken seriously by the GOM. Presently, Facebook has more than 2 billion users worldwide, including Malaysians. Commercial entities should not be easily allowed to monetise the data they gather and process. Unfortunately, when a data breach occurs outside Malaysia involving Malaysians’ data, the PDPA has no extra-territorial jurisdiction to take any action in respect of Malaysians’ data processed outside Malaysia (subsection 3(2) of the PDPA).
The points about the GDPR mentioned above are among those the GOM should take into consideration in further amending our PDPA. Without proper amendments and stricter enforcement, our PDPA will always be a toothless tiger.
Copyright Act 1987
In today’s world, cybercrime can also arise under copyright law. Generally, under Malaysia’s Copyright Act 1987, copyright owners have the right to bring an action against any person for copyright infringement, either as a civil claim or as a criminal offence.
Section 41 of the Copyright Act 1987 sets out a range of offences for copyright infringement, which include making for sale or hire, distributing, and exhibiting in public any infringing copy during the subsistence of copyright in a work or performer’s right.
In Malaysia (as in other countries), the film industry is a frequent victim of copyright infringement when films or artworks become publicly available online, whether on social media or on websites. To make matters worse, some films have been leaked online before they were even shown in cinemas.
Malaysia had one particular civil case in 2018, in which the well-known director and producer Syamsul Yusof took legal action against an individual for illegally uploading his film, Munafik 2, to Facebook while the film was still being shown in cinemas. Syamsul won the case against the defendant, Muhammad Izwan Shah Kamal Shah, who was ordered by the court to pay RM100,000 to Skop Production Sdn Bhd (Syamsul’s production company).
This was not Syamsul’s first encounter with the leaked-film problem. In 2013, one of his films, KL Gangster 2, was leaked on YouTube one month before its cinematic release.
‘WELCOMING’ CYBER THREATS
There are no specific provisions on the illegality of spam under the CMA or any other law in Malaysia. However, section 233(1)(b) of the CMA provides that a person who initiates a communication using any applications service, whether continuously, repeatedly or otherwise, during which communication may or may not ensue, with or without disclosing his identity and with intent to annoy, abuse, threaten or harass any person at any number or electronic address, commits an offence. The intent element of section 233(1)(b) may be utilised to deal with unsolicited communications, and it may be an appropriate section to deal with the problems caused by spamming.
However, invoking section 233(1)(b) of the CMA is not as easy as one might think. The prosecution must prove that the communication was initiated with the intention of annoying, abusing, threatening or harassing a person. In cases of spamming, the effect of such communication may be that the recipients are annoyed, harassed or abused, but it may be difficult to argue that this was the intention of the sender. The kind of “intent” the section requires may not always exist, or may be difficult to establish. This may give rise to enforcement and prosecution problems, bearing in mind that the onus of proof is on the prosecution.
Further, such intention may not exist at all, given that people who initiate such communications for marketing and advertising purposes are unlikely to do so with the intent to annoy, abuse, threaten or harass potential clients.
Unlike Singapore, Malaysia does not have specific legislation on spamming. Singapore has a Spam Control Act providing for the control of spam, i.e. unsolicited commercial communications sent in bulk by electronic mail, or by text or multimedia messaging to mobile telephone numbers.
Under Singapore’s Spam Control Act, a person is deemed to have sent messages in bulk if the person sends, causes to be sent or authorises the sending of:
- 100 emails with the same or similar content in a 24-hour period;
- 1,000 emails with the same or similar content during a 30-day period; or
- 10,000 emails with the same or similar content during a 1-year period.
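The bulk thresholds above can be turned into an outbound-mail monitoring check, which is how a mail operator or compliance team would confirm whether a sender has crossed a "bulk" line before a regulator does. The following is an added example, not part of the original article and not code from any regulator or statute. It assumes the three window/count pairs exactly as the article summarises them, and it assumes (the Act is not quoted as defining this) that "same or similar content" can be approximated by normalising case, whitespace and digits so that mail-merge variations collapse into one key. The mail log it runs over is constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Thresholds as the article summarises the Spam Control Act:
# (window length, number of same-or-similar messages that makes the sending "bulk")
BULK_THRESHOLDS = [
    (timedelta(hours=24), 100),
    (timedelta(days=30), 1_000),
    (timedelta(days=365), 10_000),
]


def content_key(subject: str, body: str) -> str:
    """Approximate 'same or similar content' (an assumption of this example, not the
    Act's definition) by lower-casing and replacing digit runs and whitespace runs,
    so that personalised fields such as names or order numbers collapse into one key."""
    text = f"{subject}\n{body}".lower()
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return text


def find_bulk_sends(messages):
    """messages: iterable of (sender, timestamp, subject, body).
    Returns {sender: {content_key: [(window, threshold, peak_count), ...]}} for every
    sender/content pair whose peak count inside a sliding window met a threshold."""
    groups = defaultdict(list)
    for sender, ts, subject, body in messages:
        groups[(sender, content_key(subject, body))].append(ts)

    findings = defaultdict(dict)
    for (sender, key), stamps in groups.items():
        stamps.sort()
        hits = []
        for window, threshold in BULK_THRESHOLDS:
            # Two-pointer sliding window: for each message i, drop the oldest
            # messages until everything left was sent within `window` of it.
            start = 0
            peak = 0
            for i, t in enumerate(stamps):
                while t - stamps[start] > window:
                    start += 1
                peak = max(peak, i - start + 1)
            if peak >= threshold:
                hits.append((window, threshold, peak))
        if hits:
            findings[sender][key] = hits
    return dict(findings)


def build_sample_log():
    """Constructed outbound-mail log (not real data). One sender pushes 120 near-identical
    promotional messages in two hours, varying only the customer name and order number.
    A second sender sends 40 support replies spread over 20 days; they collapse into
    one content key too, but never reach a threshold inside any window."""
    base = datetime(2019, 10, 1, 18, 0)
    log = []
    for n in range(120):
        log.append(("promo@example.test", base + timedelta(minutes=n),
                    "Your order 1%03d is ready!" % n,
                    "Hi customer %d, visit our store for 50%% off today." % n))
    for n in range(40):
        log.append(("support@example.test", base + timedelta(hours=12 * n),
                    "Re: ticket %d" % n,
                    "Thanks for your patience, here is the answer to question %d." % n))
    return log


if __name__ == "__main__":
    for sender, per_content in find_bulk_sends(build_sample_log()).items():
        for key, hits in per_content.items():
            for window, threshold, peak in hits:
                print(f"{sender}: {peak} similar messages within {window} "
                      f"(threshold {threshold}) -> bulk")
```

Only the promotional sender is flagged, and only under the 24-hour window: 120 similar messages against a threshold of 100. The support sender's 40 replies share a key but spread across 20 days, so the peak within any 24-hour window is three and the 30-day count is 40, both well under the thresholds. Tightening the windows or counts is a one-line change to `BULK_THRESHOLDS`, which is the point the article makes about the Act's numbers being high.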
Though the number of emails required before sending is deemed “bulk” under the Spam Control Act is still high, at least Singapore has taken the initiative to control spam.
Australia (Spam Act 2003) and the United States (Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, also known as the CAN-SPAM Act) also have similar legislation controlling spam.
In the US, the Federal Trade Commission (FTC) is in charge of enforcing the CAN-SPAM Act and has the authority to levy fines against business owners. For each violation of the Act, a business or person sending commercial emails can be fined up to USD11,000.
In Malaysia, statistics compiled by the Malaysia Computer Emergency Response Team (MyCERT) show that 2,043,404 spam emails were reported in 2018, compared to 1,217,423 in 2017. Of this total, 1,698 spam emails were reported as containing viruses. And yet, the GOM has done nothing to address this problem.
Phishing is a fraudulent attempt, usually made through email, to trick a person into revealing his or her credentials to the attacker. Phishing emails usually appear to come from a well-known organisation and request a person’s personal information, such as a credit card number, account number, or login name and password. In Malaysia, the MCMC has reported that most of the phishing attacks detected were targeting internet banking users and tricking them into revealing their credentials.
There are, however, no specific legal provisions or offences with regard to phishing in Malaysia.
Nevertheless, some legal experts have proposed that prosecutions for phishing be made under section 416 of the Penal Code. The section states that a person is said to “cheat by personation” if he cheats by pretending to be some other person, by knowingly substituting one person for another, or by representing that he or any other person is a person other than he or such other person really is. The offence of cheating by personation is punishable with imprisonment for a term which may extend to seven years and/or a fine.
Section 416 of the Penal Code may seem reasonable, but it is not sufficient as a tool for prosecution. Even if the prosecution relies on this section, there is no assurance that it can be successfully used to punish the attacker. As the onus of proof is on the prosecution, this may be a very hard case to establish.
Nevertheless, to date, there are no reported cases specifically in relation to phishing.
The MCMC, as the regulator of multimedia and telecommunications in Malaysia, is trying its very best to address this issue. Other than educating the public on phishing, the MCMC also provides a channel for the public to report phishing emails to the MCMC, where action will be taken immediately to remove the phishing sites and protect Internet users from phishing attacks. Users may submit their reports to the MCMC through firstname.lastname@example.org or email@example.com. But this is, by far, the only thing the MCMC can do to protect our cyber realm.
There is no specific provision dealing with denial-of-service (“DoS”) attacks. However, under section 233(1)(b) of the CMA, a person who continuously, repeatedly or otherwise initiates a communication using any applications service with the intent to annoy, abuse, threaten or harass any person at any number or electronic address commits an offence, regardless of whether the communication ensued and whether or not the person initiating the communication disclosed their identity.
To date, there are no reported cases of DoS attacks being charged under section 233(1)(b) of the CMA.
The GOM is Exposed to Cyber Security Threats Too!
When the GOM enacted the Electronic Government Activities Act 2007, with the intention of legally recognising electronic communications in dealings between the Government and the public, it indirectly exposed itself to the risk of being hacked by irresponsible third parties.
Even though the GOM’s initiative to digitise its medium of communication with the public is commendable, this does not mean the GOM should start and stop there; progressively practical and reasonable initiatives to protect the GOM’s online systems and databases must also be taken. Strong and strict enforcement of cyber-related legislation is one of the best options to protect the GOM’s databases, and the public’s.
Our government agencies’ websites being hacked is nothing new. We have been hacked many times (some incidents may not have been reported publicly), and some of the hackers have been traced to locations outside Malaysia.
TIME TO AMEND THE LAWS!
It is time for Malaysia to amend its cyber security laws. With the technological advancement happening in Malaysia today, we will never be able to protect our cyber realm without proper and stricter legislation. A great tiger needs not only its teeth and claws, but also strong jaws.
“A law is valuable, not because it is a law, but because there is right in it.” — Henry Ward Beecher, Life Thoughts.