This document summarizes the existing Sri Lankan legal framework regarding cybercrimes. It outlines several key cybercrime offenses recognized under Sri Lankan law, including computer hacking, computer cracking, unauthorized modification of computers, crimes against national security/economy/public order, unlawful acquisition of information, illegal interception of data, and use of unlawful devices. It discusses the elements and penalties for each offense based on provisions in the Computer Crimes Act and other Sri Lankan legislation such as the Intellectual Property Act and Sri Lanka Telecommunications Act.
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Existing Sri Lankan Legal Framework on Cyber Crimes
1. 1
EXISTING SRI LANKAN LEGAL FRAMEWORK ON CYBER-CRIMES
By
Vishni Lakna Ganepola
Attorney-at-Law
LLB (Hons)(London), LLM (London)
Introduction
What are the offences that are considered to be cyber-offences under the Sri Lankan law?
What would be the consequences, if a person commits such cyber-crime in Sri Lanka? In order
to find the answers for the above questions, one need to analyse the provisions of the Sri
Lankan legislative enactments which provides for the identification and prevention of cyber-
crimes and the provisions which provide the investigation procedure to be adapted in tracing
the criminals. The law governing the cyber-crimes is mainly found in the Computer Crimes Act
No.24 of 2007 (CCA) while few other legislative enactments such A provide for the
identification of various other offences. With regard to admissibility of computer evidence,
Evidence (Special Provision) Ordinance and Electronic Transaction Act No.19 of 2006 (ETA)
provide the requirements that need to be established before the courts in order for the
evidence to be accepted as relevant.
Cyber-Crime Offences Recognised under the Sri Lankan Legal Framework
The most significant legislative enactment enforced in order to recognise cyber-crimes is the
Computer Crimes Act No.24 of 2007. The act was put into force with the objective of
identifying computer crimes and providing the procedure for the investigation and prevention
of such crimes. In compliance with the first mentioned objective, eleven offences are
recognised under the Part I of the CCA. These offences are common offences that are
internationally recognised. Apart from the above eleven offences recognised under the CCA,
few other legislative instruments such as Penal Code, Criminal Procedure Code, OPO, IPA and
SLTA too provide for the identification, prevention and investigation of cyber-crimes.
2. 2
• Computer Hacking
The first offence the act recognises, is the unauthorised access to a computer. In order to
prove the accused guilty of computer hacking the prosecution has to satisfy the following
elements of the offence;
a) Does an act to secure for himself or for another individual access to any computer or
any information held in thereof,
b) Does such act to secure access the same intentionally, and
c) Does such act with the knowledge or having reasons to believe that he has no lawful
authority to secure such access 1
An individual so convicted shall be liable to a fine not exceeding Rs.100,000 or to
imprisonment for a term which may extend to 5 years, or both.2 The offence is commonly
known as computer hacking. However, the above offence may be committed while using
cookies, web bugs and in the process of web linking, web framing or spamming since through
the above processes the outsiders may get the opportunity of accessing the computer system
without lawful authority.3
• Computer Cracking
The CCA provides for the recognition of the any act done to secure unauthorised access to
commit an offence i.e. computer cracking, as a cyber-crime. The elements of the offence as
provided by the section 4 of the CCA are as follows;
a) A person does an act in order to secure for himself or any other person access to any
computer or any information thereof,
b) Such person has intention to secure such access,
c) He does such act with the knowledge or having reasons to believe that he has no
lawful authority to secure such access, and
1
Computer Crimes Act No.24 of 2007, section 3
2
Computer Crimes Act No.24 of 2007, section 3
3
Sunil D. B Abeyaratne, Introduction To Information And Communication Technology Law (1st ed, Sunil DB
Abeyaratne 2008) 94
3. 3
d) Does so with the intention of committing an offence4
In the above case, the offence that may be committed by securing access to an information
system, may be an offence described under the CCA or under any other provision and the
required intention need not to be directed at any particular programme, data or computer.
The mere act of turning on the computer with the intention to commit or securing access to
any programme or data held in a computer is sufficient.5 Upon conviction, a person guilty
shall be liable to a fine not exceeding Rs.200,000 or to imprisonment for a term which may
extend to 5 years or both.6
• Unauthorised Modification
Causing a computer to perform a function without lawful authority is an offence identified
under the section 5 of the CCA. Accordingly, if a person;
a) Causes a computer to perform any function,
b) Does so intentionally,
c) Does so without lawful authority, and
d) Does so knowing or having reasons to believe that such function will result in
unauthorised modification, damage or potential damage to any computer system or
programme
shall be guilty of an offence.7 Offences such as sniffing and phishing where information is
gathered through internet by monitoring data travelling over a network without lawful
authority may fall under the scope of this provision.8
The illustrations to the section 5 provide the situations which may amount to unauthorised
modifications. As provided, any unauthorised modification to occur any one of the following
conditions must arise.
4
Computer Crimes Act No.24 of 2007, section 4
5
The offences such as theft of information, identity theft, fraud(cheating), forgery may fall under the scope of
the section 4 since they are offences recognised under the Penal Code.
6
Computer Crimes Act No.24 of 2007, s 4
7
Computer Crimes Act No.24 of 2007, section 5
8
Sunil D. B Abeyaratne, Introduction To Information And Communication Technology Law (1st ed, Sunil DB
Abeyaratne 2008) 96
4. 4
a) Impairing the operation of any computer, computer system or the reliability of any
data or information held thereof
b) Destroying, deleting, corrupting, adding, moving or altering any information held in
any computer
c) Makes use of a computer service involving computer time and data processing for the
storage or retrieval of data
d) Introduces a computer programme which will have the effect of malfunctioning of a
computer or falsifies the data or any information held in any computer system
Upon causing one of the above instances to take place, the element of “causing the computer
to perform a function”, shall be satisfied. Consequences of the above occurrences need not
to be permanent. A person proven guilty of unauthorised modification before a court of law
shall be liable to a fine not exceeding Rs.300,000 or to imprisonment for a term which may
extend to five years or to both.9
Instances such as where viruses are transmitted from one computer to another causing the
other computer to function in a way that would damage its system, trojans, time bombs, logic
bombs and unsolicited emails may fall under the scope of this provision.
• Cyber-Crimes Committed Against National Security, National Economy and
Public Order
National security is a country’s main concern. The legislative, executive and judiciary of a
country coordinate their functions with the main objective of protecting the national security
and public order. Through protecting national security and public a government intends to
establish a self-sufficient economy. With the development of technology legislators have
identified that the computer and information systems are capable of threatening a country’s
national security, national economy and public order. So, has the Sri Lankan legislators and
without any hesitation they have introduced a provision which recognises computer-related
conduct which may threaten the national security, national economy and public order as a
cyber-crime. Accordingly, any person who
9
Computer Crimes Act No.24 of 2007, section 5
5. 5
a) Causes a computer to perform any function,
b) Does so intentionally,
c) Knowing or having reason to believe that such function will result in danger or
imminent danger to
a. national security;
b. national economy; or
c. public order,
shall be guilty of an offence under the CCA.10 Offences related to cyber-terrorism may fall
under the scope of the provision and a person so found guilty shall be liable to an
imprisonment for a term not exceeding 5 years.
• Unlawful Acquisition of Information
Information is considered to be one of the most valuable assets internationally. Therefore, it
is essential that such valuable assets be protected from harm and destruction so that owner
of such assets shall be ensured with his ownership to the information he possess. With the
objective of protecting information and data from unlawful acquisitions, the CCA has
introduced a provision to prevent individuals from unlawfully obtaining data with the use of
computer devices and cyber-space. Accordingly, any person who conducts himself to satisfy
one of the following elements may be considered to have fulfilled the actus reus aspect of the
offence.
a) Buys, receives, retains, sells, or in any manner deals with,
b) Offers to buy or sell, or in any manner deals with, or
c) Downloads, uploads, copies or acquires the substance or meaning11
If any person who commits any of the above-mentioned acts with the relevant mens rea
elements i.e.
a) With knowledge that any other person has without lawful authority obtained
information from a computer or a storage medium of a computer, or
10
Computer Crimes Act No.24 of 2007, section 6
11
Computer Crimes Act No.24 of 2007, section 7
6. 6
b) Having reasons to believe that any other person has without lawful authority obtained
information from a computer or a storage medium of a computer12
shall be guilty of an offence under the CCA and be liable to a fine not less than Rs.100,000 and
not exceeding Rs.300,000 or to imprisonment for a term not less than six months and not
exceeding 3 years, or both.13 In the event a person is charged with the offence unlawful
acquisition of information, the fact that the offender had authority to access the computer or
to carry out a certain act is immaterial.
The same offence is recognised under the IPA and it is specifically for the protection of
computer programmes. In par with the objective of providing the law in relation to intellectual
property, the act has specifically identified computer programmes as work that could
protected under the copyright law.14 In protecting copyrights and other intellectual property
rights that are recognised under the act, the act recognises few offences that could be
committed violating these rights and their penalties.15 Accordingly, infringing the rights of a
person in relation to his computer programme copyright is recognised as an offence. A person
with the knowledge or having reasons to believe that he is in possession of or has access to a
computer programme and wilfully makes use of such programme for commercial gain shall
be guilty of an offence.16 Upon conviction a person shall be liable to a fine not exceeding
Rs.500,000 or to imprisonment for a term not exceeding 6 months or to both. In the case of
Soft Systems (Pvt) Ltd. Vs. Visual Tech Microsystems17, the Commercial High Court abiding
with the above provision held that computer software are fully covered by the Copyright Law.
• Illegal Interception and Intrusion of Data
If you post a picture with your kid in social media with a caption as to where you are right
now, a person who illegally intercept your account can find where you are and thus can be a
huge threat to your life or your kid’s. If he commits an offence by illegal intercepting your
data in your social media account, how can he be convicted? The Sri Lankan legal framework
on cyber-crimes has recognised the significance of protecting the citizen’s right to privacy and
12
Computer Crimes Act No.24 of 2007, section 7
13
Computer Crimes Act No.24 of 2007, section 7
14
Intellectual Property Act No.36 of 2003, section 6(1)
15
Intellectual Property Act No.36 of 2003, chapter XXXVIII
16
Intellectual Property Act No.36 of 2003, section 178((3)
17
7. 7
thereby under the CCA and SLTA has taken a positive step towards enforcing the right by
implementing laws to prevent citizens from intruding the right to privacy of the others.
As per the CCA any person who,
a) Intercepts
a. any subscriber information or traffic data or any communication, to, from or
within a computer; or
b. any electromagnetic emissions from a computer that carries any information,
and
b) Does so
a. With knowledge; or
b. without lawful authority
commits an offence.18 Upon conviction a person shall be liable to a fine not less than
Rs.100,000 and not exceeding Rs.300,000 or to imprisonment for a term not less than 6
months and not exceeding 3 years, or to both.19
The SLTA recognises few offences and accordingly a person who without lawful authority
intrudes,
a) into the content of a message or its usage information by electronic or other means,
b) with the intention of interfering with any message or its usage information
c) with the intention of unlawfully learning the contents of any message or its usage
information
commits an offence punishable.20 Further, any person who wilfully seeks to intercept or
improperly acquaint himself with the contents of any telecommunication transmission not
intended for general reception shall be guilty of an offence.21 Accordingly, the provisions
prevent individuals from invading the right to privacy of the others by inhibiting them from
reading, unlawfully learning or seeking to intercept the content or usage information of the
messages. For purpose of this provision, usage information includes identity of calling
18
Computer Crimes Act No.24 of 2007, section 8
19
Computer Crimes Act No.24 of 2007, section 8
20
Sri Lanka Telecommunications Act No.25 of 1991, section 52
21
Sri Lanka Telecommunications Act No.25 of 1991, section 53
8. 8
subscriber, called subscriber, date and time of originating and type of message. Further, the
act provides that any unauthorised interception and disclosure of contents of message by
telecommunication officials shall be considered to have committed an offence while any such
act committed in the course of performing their duties shall be exempted. A person convicted
of committing such offence shall be liable to a fine or imprisonment for a term not exceeding
six months or both.22
In analysing the application of the above provisions an issue may arise as to whether,
telecommunication messages may include emails or other messages through the cyber-space.
The act interprets messages as;
“any communication sent or received or made by telecommunication or given to a
telecommunication officer to be sent by telecommunication or to be delivered and
includes any signal or combination of signals used for the broadcasting of music,
conversations, speeches, lectures, stage performances, writing, facsimiles, images,
pictures or actuation or control of machinery or apparatus.”23
Considering the above interpretation, it can be submitted that the above interpretation can
be interpreted to include messages sent through cyber-space. If not, since the computers and
internet facility may mostly be used commit above offences, these provisions from the SLTA
may be considered to be a part of the existing legal framework on cyber-crimes.
• Use of Unlawful Devices
Supply and possession of a device, computer password, access code or similar data without
the permission of the owner of such device or information may constitute the offence of use
of unlawful device. The offence was designed to criminalise the market for “hacker tools”.
Under the existing Sri Lankan legislative framework on cyber-crimes any person who,
a) Produces, sells, procures for use, imports, exports, distributes or otherwise makes
available
a. Any device including a computer or computer programme;
b. Computer password, access code or similar information by which the whole or
any part of a computer is capable of being accessed,
b) Does so without lawful authority, and
22
Sri Lanka Telecommunications Act No.25 of 1991, section 54
23
Sri Lanka Telecommunication Act No.25 of 1991, section 73
9. 9
c) Does so with the intent that such device shall be used for the purpose of committing
an offence under the CCA
shall be guilty of an offence.24 In the event the prosecution succeeding in proving the accused
guilty of the above offence, he shall be liable to a fine not less than Rs.100,000 and not
exceeding Rs.300,000 or to imprisonment for a term not less than 6 months and not
exceeding 3 years, or to both.25 In the explanation to section 7 it is provided that the fact that
the offender had authority to access the computer or had authority to perform a function as
well as whether the offender’s conduct was intentional or whether he had the knowledge
that he is likely to cause a loss or damage to any person or institution is irrelevant.
In the modern context, most of the financial transactions are carried out online with the use
of computers and cyber-space. Therefore, it can be undoubtedly accepted that the criminals
may use the computers as the payment device in committing computer-related frauds.
Accordingly, the PDFA too provides few provisions for the identification and prevention of
offences by the use of unlawful devices.
Section 3(1) of the PDFA identifies 19 offences in relation to fraudulent activities that can be
committed with the use of a computer. Accordingly, the possession and having control over
equipment used for making and altering payment devices26, tampering with any equipment
used for accepting or processing of payment devices27, use of devices for the purpose of
capturing authorization data passing28, providing cardholder information or full track data to
unauthorised individuals29, using, producing and possessing any counterfeit or unauthorised
payment device30, making a fraudulent application for a payment device31 and 10 more
offences are identified as payment devices frauds while the later sections provides for the
identification of attempt, abetment and conspiracy to commit an offence recognised under
the act to be an offence. The sections can be interpreted to include computers as payment
devices.
24
Computer Crimes Act No.24 of 2007, section 9
25
Computer Crimes Act No.24 of 2007, section 9
26
Payment Devices Frauds Act No.30 of 2006, section 3(1)(a)
27
Payment Devices Frauds Act No.30 of 2006, section 3(1)(b)
28
Payment Devices Frauds Act No.30 of 2006, section 3(1)(c)
29
Payment Devices Frauds Act No.30 of 2006, section 3(1)(d)
30
Payment Devices Frauds Act No.30 of 2006, section 3(1)(e) and section 3(1)(g)
31
Payment Devices Frauds Act No.30 of 2006, section 3(1)(f)
10. 10
• Unauthorised Disclosure of Information
A person to be proved guilty of unauthorised disclosure of information, the prosecution has
to undertake the burden of proving the following elements to the offence.
a) Discloses information that he is being entrusted with which enables him to access any
service provided by means of a computer, and
b) Does so
a. without any express authority or
b. in breach of any contract expressed or implied32
Once the prosecution succeed in proving the accused guilty of the above offence he shall be
liable to a fine not less than Rs.100,000 and not exceeding Rs.300,000 or to imprisonment of
either description for a term not less than 6 months and not exceeding 3 years or to both.33
In the explanation to section 7 it is provided that the fact that the offender had authority to
access the computer or had authority to perform a function as well as whether the offender’s
conduct was intentional or whether he had the knowledge that he is likely to cause a loss or
damage to any person or institution is irrelevant.
Apart from the above provision, section 54 of the SLTA also provides for the above offence
(discussed above). The provision provides for the interception and disclosure of the contents
of message by the telecommunication officials. Accordingly, an official who disclose contents
of a message while acting beyond his official capacity shall be liable to a fine not exceeding
Rs.10,000 or imprisonment for a term not exceeding six months or both.34
• Attempt, Abetment and Conspiring to Commit an Offence Under the CCA
Attempt
An unsuccessful effort to commit an offence is an attempt to commit a crime. Under the CCA,
any person who attempts to commit or to cause any offence under the CCA to be committed,
shall be guilty of an offence and upon conviction be liable to a fine not exceeding one half of
the maximum fine provided for each of such offences, or to imprisonment for a term not
32
Computer Crimes Act No.24 of 2007, section 10
33
Computer Crimes Act No.24 of 2007, section 10
34
Sri Lanka Telecommunications Act No.25 of 1991, section 54
11. 11
exceeding one half of the maximum term provided for each of such offences, or to both.35
When the offence phishing is considered, since it is an attempt to acquire one’s sensitive
information such as password by way of emails and online advertisements, causing the user
to enter a fake website.
Abetment
Whether committed alone or in group, crime is a crime. In the event an accused is found to
have assisted the master mind in committing an offence, he is considered to have committed
the offence. Under the CCA, any person who abets the commission of an offence shall be
guilty of the offence of abetment and shall on conviction;
a) if the offence abetted is committed in consequence of the abetment, be liable to the
same punishment as is provided for the offence
b) if the offence is not committed in consequence of the abetment, be liable;
a. where the maximum fine or term of imprisonment is provided for, to a fine not
exceeding 1/4 of the maximum fine provided for the offence or to
imprisonment for a term not exceeding 1/4 of the maximum term provided for
the offence, or to both; and
b. where the maximum fine or imprisonment is not provided for or the maximum
term of imprisonment is life, to a fine not exceeding Rs.250,000 or to
imprisonment a term not exceeding 5 years, or to both.36
Conspiracy
Any person who conspires to commit an offence under this Act shall be guilty of an offence
and shall, on conviction be liable to be punished with the punishment prescribed for abetting
the commission of that offence.37
Both the abetment and conspiracy may have the meaning as provided in the Penal Code.38
35
Computer Crimes Act No.24 of 2007, section 11
36
Computer Crimes Act No.24 of 2007, section 12
37
Computer Crimes Act No.24 of 2007, section 13
38
Computer Crimes Act No.24 of 2007, section 12(2) and 13(2)
12. 12
• Publication of Illegal Contents
Publication of illegal content in the cyber-space is a prevalent crime in Sri Lanka. Yet due to
various reasons such as unnecessary publicity, reputation of the individuals only a limited
number of cases are reported to the relevant authorities. Irrespective of the existence of
practical issues, in order to solve the technical issues, two legislative enactments provide for
the identification and prevention of publication of illegal contents i.e. the Penal Code and
the OPO.
The Penal Code (Amendment) Act No.16 of 2006 imposes a duty on the computer services
providers to prevent sexual abuse of children. Accordingly, such person is required to take
necessary steps to ensure that the facilities provided by him shall not be used for the
commission of an act which may sexually abuse children.39 His duty extends in to being
obliged to inform the OIC of the nearest Police Station where he has knowledge of such
computer facility being used for the commission of an act which may sexually abuse children.
He is required to submit information he possess in relation to the act and identity of the
alleged offender.40 Subsequently, the provision recognises the violation of such duty to inform
as an offence and that a person who contravenes the provision shall on conviction be liable
to an imprisonment for a term not exceeding two years or a fine or both.41
When the OPO is taken into consideration, it recognises four offences in relation to
publication of illegal contents;
a) For the purpose of;
a. trade or
b. distribution
c. public exhibition
to make or produce or have in possession obscene writings, drawings, prints,
paintings, printed matter, pictures, posters, emblems, photographs, cinematograph
films, video cassettes or any other obscene objects42
39
Penal Code (Amendment) Act No.16 of 2006, section 286B(1)
40
Penal Code (Amendment) Act No.16 of 2006, section 286B(2)
41
Penal Code (Amendment) Act No.16 of 2006, section 286B(3)
42
Obscene Publication Ordinance No.22 of 1983, section 2(a)
13. 13
b) for the purposes above mentioned to;
a. import
b. Convey
c. Export
d. cause to be imported, conveyed, or exported
any of the said obscene matters or things, or in any manner whatsoever to put them
in to circulation43
c) to;
a. carry on,
b. take part in a business concerned with any of the said obscene matters or
things,
c. deal in the said matters or things in any manner whatsoever,
d. to distributes them or to exhibits them publicly, or
e. to make a business of lending them44
d) to advertise or make known, in view of assisting in
a. the said punishable circulation or traffic, that a person is engaged in any of the
above punishable acts, or
b. how or from whom the said obscene mailers or things can be procured45
In the event the accused is proven guilty of the first offence, he shall be liable to a fine not
exceeding Rs.2,500 or imprisonment for a term not exceeding 6 months, or both. For the
subsequent offences the punishment shall be imprisonment for a term not exceeding 6
months and in addition with a fine not exceeding Rs.5,000.
Both the legislative enactments, Penal Code and the OPO provide for an effective legislative
framework on publication of illegal content and especially, the Penal Code provides for the
creation of a secure world for the children. However, the effectiveness of these enactments
is at stake due to the practical issues that hinders the application of law.
43
Obscene Publication Ordinance No.22 of 1983, section 2(b)
44
Obscene Publication Ordinance No.22 of 1983, section 2(c)
45
Obscene Publication Ordinance No.22 of 1983, section 2(d)
14. 14
Procedure Adopted in Relation Cyber-Crime Investigations: Sri Lanka
In general, when a criminal matter is to be investigated the procedure provided in the Criminal
Procedure Code Act No.15 of 1979 is applied. However, under special circumstances certain
other legislative instruments provide the special procedure that has to be followed in
investigating in matters. One such special circumstance is investigating into cyber-crimes. The
CCA specifically provide few special procedures that are to be followed in investigating into a
cyber-crime matter. Until recent past electronic evidence was not accepted before the courts
as credible evidence and the police officers are not sufficiently equipped and lack the
expertise knowledge to deal with the technological matters that has to be followed in the
cyber-crime investigating procedure. In order to provide for the above matters and assist the
authorities in conducting an effective investigation, the CCA introduced certain special
procedures in addition to existing. Yet, where the above provisions don’t provide for the
procedure to be adopted the procedures provided under the Criminal Procedure Code shall
be used.46
• Appointment of Panel of Experts
Since cyber-crime cases requires investigations conducted through computer systems and
cyber-space, the police officers who generally conduct investigations may find it difficult to
conduct a successful investigation without the assistance of a panel of experts. Therefore, a
special provision is provided under the CCA containing the procedure to be adopted in
appointing a panel of experts.
Who Are Experts?
Any public officer having the required qualifications and experience in electronic engineering
or software technology to assist the police officers in conducting investigations is known as
an expert for the purpose of the CCA. An expert shall be appointed by the Minister in-charge
of Science and Technology, in consultation with the Minister in-charge of Justice. He may do
so by publishing in the gazette.47 Experts may include;
46
Computer Crimes Act No.24 of 2007, section 15
47
Computer Crimes Act No.24 of 2007, section 17(1)
15. 15
• any member of the staff of any University who possesses the prescribed qualification
and, who is nominated by the Vice-Chancellor of the relevant University
• any public institution which in the opinion of the relevant University possesses the
prescribed qualification and is nominated by the Vice-Chancellor of such University48
Powers of the Experts
• Enter upon any premises along with a police officer not below the rank of a sub-
inspector49
• Access any computer or computer system or any programme, data or information held
in such computer to perform any function50
• Require any person to disclose any traffic data51
• Orally examine any person52
The main objective of this provision is to provide the police officers the assistance of a panel
of experts. In obtaining their expertise, the police officers are required to assist the panel by
making available the proceeding of the investigation, information, data and other material
required.53
• Powers of Arrest, Search and Seizure
Police officers are rendered with the power to exercise powers of arrest, search or seizure of
any information accessible within the premises. However, in the event an arrest is conducted
without a warrant, the police officers are required to act within 24 hours of such arrest and
produce the suspect before the Magistrate of the court nearest to place the suspect was
arrested.54
When powers of search and seizure are considered, both the police officers and the experts
under the authority of a warrant, have the power to obtain any information and to intercept
any wire or electronic communication.55 During certain special circumstances provided, the
48
Computer Crimes Act No.24 of 2007, section 17(2)
49
Computer Crimes Act No.24 of 2007, section 17(4)(a)
50
Computer Crimes Act No.24 of 2007, section 17(4)(b)
51
Computer Crimes Act No.24 of 2007, section 17(4)(c)
52
Computer Crimes Act No.24 of 2007, section 17(4)(d)
53
Computer Crimes Act No.24 of 2007, section 17(6)
54
Computer Crimes Act No.24 of 2007, section 21
55
Computer Crimes Act No.24 of 2007, section 18(1)
16. 16
police officers and experts even have the power to exercise the above powers without a
warrant.56
• Duties of the Investigating Officers
Despite the exclusive powers granted to the investigating officers they are also __ with certain
duties. The investigators are required to deal with confidential data which are of utmost
importance to institutions and individuals. Therefore, in handling these victimised data the
investigators are required perform certain duties.
In conducting an investigation, if the investigators fear that the information stored in
computers may get lost, destroyed, modified or render inaccessible, they are required to give
written notice to person in control of such computer system to ensure such data is
preserved.57 Further, the investigator are required to make every effort to ensure that the
ordinary course of legitimate business for which the computer system is used is not hampered
or seized due to the investigation process. Yet, there are two exceptions to the rule and such
conduct is acceptable where it is impossible to conduct the investigation on the premises
where such computer system is located or where such seizure is essential to prevent the
commission or continuance of the offence.58
If information or items required for the inspection are seized or rendered inaccessible, the
police officers are required to provide the owner of such information or item a complete list
of the information and items seized with relevant details. Further, in case such owner make
an application, the police officers are required to allow a person nominated by the owner to
obtain a copy of such seized information.59 However, police officers may prevent themselves
from doing so if such permission might be prejudicial to the investigation.
Eventhough cyber-crimes are prevalent, only a limited number of cases are reported since
the victims fear that their confidential information may get exposed. In order to provide a
solution for the above, the CCA contains a provision imposing a duty on the investigators and
service providers to maintain strict confidentiality with regard to all information they access.
Further, they are required to refrain from utilizing such information for any other purpose as
56
Computer Crimes Act No.24 of 2007, section 18(2)
57
Computer Crimes Act No.24 of 2007, section 19
58
Computer Crimes Act No.24 of 2007, section 20
59
Computer Crimes Act No.24 of 2007, section 22
17. 17
well.60 The act has recognised the violation of the above provision as a punishable offence.
Accordingly, the act attempts to render justice to the victims by ensuring the confidentiality
of the victimised data.
• Duty to Assist Investigation
In order to maintain law and order, CCA requires any person called upon to make any
disclosure to corporate and assist the investigators in conducting the inspection. Obstructing
the lawful exercise of powers is recognised as an offence under the CCA.61
• Evidence Against Produced Cyber-Crimes: Sri Lanka
Law in relation to admissibility of evidence is governed by the Evidence Ordinance No.14 of
1895 in general. With the improvements in technology, certain provisions in the Evidence
Ordinance there arise a need for an amendment which would provide for the admissibility
of computer and electronic evidence. Accordingly, the Evidence Special Provisions Act No.14
of 1995 was introduced. The enactment provides for the admission of computer evidence
provided the following elements are proved.
• In the form it is produced, is capable of being perceived by the senses
• At all time the computer producing the statements were operating properly
• The information supplied to the computer was accurate 62
The procedure that has to be followed in producing computer evidence before courts is
provided under section 7 of the act. Accordingly, a strict set of rules have to be adhered by
the party producing computer evidence by sending notices to have access before 45 days of
the date fixed for trial. Any party to whom such notice is given within 15 days from receiving
such notice is permitted to access to the evidence to be produced.63 However, these strict
rules are lighten to a certain extent through the Electronic Transactions No.19 of 2006 and
the act handovers the burden of proof of the genuineness of such evidence from the
60
Computer Crimes Act No.24 of 2007, section 24
61
Computer Crimes Act No.24 of 2007, section 23
62
Evidence (Special Provision) Act No.14 of 1995, section 5
63
Evidence (Special Provision) Act No.14 of 1995, section 7
18. 18
proposing party to the opposing party.64 However, these lighter rules are applied only in
relation to commercial transactions under the Sri Lankan legislative framework.
Summary
The existing legal framework on cyber-crimes in Sri Lanka provides for the identification of
most of the offences. Enactments such as CCA, PC, OPO, SLTA, IPA and SLTA provides an
effective framework for the recognition of cyber-crimes. The procedure to be adopted in
conducting an investigation is provided mainly in the CCA and where the act does not provide
for any procedure, the procedure prescribed under the CPC shall be used. Computer evidence
is now admitted as evidence of fact under the Evidence (Special Provision) Ordinance and the
CCA also provide for the admissibility of special evidence that may be produced in case of
cyber-crimes. Accordingly, Sri Lanka has executed a successful attempt to implement an
effective legislative framework on cyber-crimes.
64
Sunil Abeyratne, 'Admissibility Of Computer Evidence Under Sri Lankan Law' Sunday TImes (2009)
<http://www.sundaytimes.lk/090426/It/it402.html> accessed 19 March 2017