Should "Spoofing" be a Part of Pakistan's Cyber Crime Law?

One of the definitions of "spoof (v.)" in the American Heritage Dictionary is to "satirize gently" [1], yet there is nothing "gentle" about the punishment described for "Spoofing" (on the internet) in The Prevention of Electronic Crimes (in Pakistan) Act-2007.

Wikipedia describes a spoofing attack (in the context of network security) as "a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage" [2]. For example, one form of internet spoofing is "phishing" (web-page spoofing), where an unauthorized website/webpage is created, often matching the interface design and URL of a popular website, to fool users into giving up their personal information and/or other useful information, trusting it to be the authorized website. It is quite close in meaning to "identity theft", but differs in the sense that one might use spoofing to commit identity theft (or blackmail, or some other crime).

Exactly how the different types of internet spoofing are implemented is not part of the debate. It could be through email using a fake and misleading ID, through a website using a deceptive URL, or through the use of a fake alias when chatting online. The motive behind spoofing can be easily understood as well. Clearly, it can pave the way for identity theft, blackmail or all sorts of other related crimes. The point that needs to be justified is whether spoofing, in all its forms in a network security context, is to be considered an offensive crime (or even an offense) or not. Is it a big threat to internet security in Pakistan?

The internet's growth in Pakistan is phenomenal, perhaps more so compared to its growth in the rest of the world. Perhaps no school- or college-going teenager is unaware of it, or of internet browsing, file sharing, content downloading and, of course, internet chatting. Even the older generation is getting accustomed to it, though its usage in this case is a little limited. But considering the relative unawareness of internet security issues in Pakistan, spoofing is, or can be considered, an emerging threat to the internet community in the country.

A good motive for a slightly misled person to commit spoofing would be to gain some personal information about a particular person by faking someone else's identity. But it is not an offense which should warrant a 3-year imprisonment or a heavy fine or both (under The Prevention of Electronic Crimes Act). There is no need for such a heavy punishment, only a need to educate the general population about the matter.

The Budapest Convention on Cybercrime is not specific about spoofing, but it describes more of a general rule against a crime "when committed intentionally and without right, the causing of a loss of property to another person" [3]. This is in contrast with the Prevention of Electronic Crimes (in Pakistan) Act, which is much more specific, yet inconclusive, about the subject, and is particularly harsh.

Spoofing on a more professional or advanced level where the crime is offensive (as described in The Budapest Convention on Cybercrime) should have a severe punishment, but there is no need for it to be considered a crime which needs a specific clause for it in a crime bill. It should rather be included or described as a possible means to commit the mentioned offense for further clarification about the matter. Hence there needs to be a certain tolerance on the matter in Pakistan (in a security context), and also a need to properly inform the users of the internet about the adverse effects and consequences of spoofing.

References:
[1] http://dictionary.reference.com/browse/spoof
[2] http://en.wikipedia.org/wiki/Spoofing_attack
[3] http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (Article 7 & 8)
