Evidence (Amendment) Act 2012

What the hack happened?

The Star quoted me in the following article on 19 August 2012:-

Sunday August 19, 2012

What the hack happened?
By LISA GOH
lisagoh@thestar.com.my

Losing your personal particulars to hackers can lead to financial losses, heartaches, loss of reputation – and sometimes friends, too.

It starts out so innocently. A simple vote request by an acquaintance for a competition on Facebook; one click and law student Sharlyn J. discovers she has been hacked and locked out of all her social media accounts – emails, Facebook, Twitter, Skype and MSN Messenger.

“I clicked on the link and a new window popped up. It looked exactly like Facebook – the colour and the fonts – but I didn’t double check the URL. That was my mistake.

“The site required me to type in my email address and password. I was a little reluctant at first but the girl kept pleading for me to vote for her so in the end, I did. Right after that, I knew something was wrong. I got locked out of all my accounts,” says Sharlyn, 19, of the incident last May.

If that wasn’t bad enough, within the hour, she received a text message that said “Hi Sharlyn. Your full name is , your IC number is , your IP address is , you are a student at college etc.” The hacker demanded money in exchange for getting her accounts back.

Gone in a second: It’s a nightmare for anyone who has discovered that his or her personal particulars have gone into the wrong hands.

“He/she even said ‘I’m not asking for much, just RM300. You can report to the police, but there’s no point. I can’t be tracked.’

“That person had all my personal particulars. I was really freaked out. I had just started college and was living on my own. What if he had my home address as well?”

Failing to get a response from Sharlyn, the hacker then sent another text message, offering her a discount of RM150.

“I called my mum and told her what happened. I was really scared but I ignored him. I lodged a police report and opened new accounts the next day to tell all my friends to delete the old ones,” she says.

However, even weeks on, the hacker was still assuming her identity and chatting with her friends – as she found out later. She never got any of her accounts back.

In other instances, the identity thief doesn’t come to you for money. He goes to your friends, as local film producer Wendy Wong discovered.

Early last month, Wong sent her notebook for servicing. After getting her notebook back two weeks later, her problems started. When she logged into her email account, there was a prompt saying that the account was in use.

She didn’t think much of it, but then came phone calls asking if she was all right and if she was stranded in Spain.

Her email account had been hacked. Assuming her identity, the hacker emailed all her contacts to tell them she had lost her wallet and asked them to send money so she could settle her hotel bill in Spain. The hacker asked her contacts to send her RM10,929 (2850) via Western Union to an address in Madrid.

“I was in Kuala Lumpur all the while. Good thing some of my friends called me to check before sending money over. I had friends who were already planning to transfer the money,” Wong says, adding that she was alerted to the situation by an mStar journalist who had called her to ask if she was indeed stranded in Spain.

Several attempts to change her password failed as the hacker made repeated assaults on her account. Wong has since lodged a police report and alerted the customer service of her email account provider.

“This has affected my reputation. Those who know me well would know I would never go around asking people for money. But what about those I have just met, or are just starting a business partnership with? What would they think of me?”

For that reason, Wong held a press conference early this month to clear her name and to alert all her contacts of her predicament.

“It’s not so easy for me to just get another email address as that’s where my contacts reach me. But it looks like I don’t really have much choice now,” she laments.

When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place. – Nigel Tan

Symantec Malaysia systems engineering director Nigel Tan says that when it comes to identity theft, more often than not, it’s an opportunistic crime, and it’s a two-step process.

“Someone steals your personal information, then uses that information to impersonate you to commit fraud. It’s important to understand this two-step approach, because your defences also must work on both levels,” says Tan, who is Symantec’s principal consultant for Asia South.

According to the Symantec Internet Security Threat Report for the year 2011, a total of 232 million identities were breached worldwide, and of that, 80.5% were by hackers.

In 2011, the Malaysian Communications and Multimedia Commission (MCMC) recorded a total of 199 hacking complaints, and six identity theft complaints. For this year up till Aug 9, MCMC recorded 141 hacking complaints, with no identity thefts as yet.

Under the law, hacking itself is an offence under the Computer Crimes Act 1997, says KL Bar Information Technology Committee co-chairman Foong Cheng Leong.

Section 4 of the Act, for example, finds “unauthorised access with intent to commit or facilitate commission of further offence” a crime, whereby a person convicted could be liable to a fine not exceeding RM150,000, or to imprisonment for a term not exceeding 10 years, or both.

Further offences, such as cheating, can be pursued under the Penal Code, Foong explains. Victims can also file civil suits if the perpetrator is known to them.

However, identity theft could prove to be more than a mere inconvenience for victims, in light of Section 114A of the Evidence Act 1950, as it holds the account owner responsible for any material published from his/her account, “unless the contrary is proved”.

This amendment to the Act, passed in Parliament in April this year, drew heavy objections from various quarters.

On Thursday, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced that the Cabinet has decided to maintain it.

Hacker’s victim: Wong is worried that her reputation may have been marred by the stranger’s doings.

But what drives hackers to hack and steal another person’s identity?

Where previously the motive would have been to gain fame, Tan says more often than not these days, it’s for financial benefits. Social media sites have also not been spared.

“Hackers want to get into the social media because they want to exploit that circle of trust. When you see an email or link sent by someone you know, you’re more likely to respond,” he says.

His advice?

“Never ever click on links. Open a new browser and type in the URL. If you get a phone call from a bank saying your account has some issues, and they require your personal information, hang up and call the bank directly and ask them if they really have a problem with your account,” he says. (Refer to chart for more Do’s & Don’ts.)

He also advocates using different passwords for different accounts and changing them regularly (once every 90 days is ideal). Using the two-factor identification facility (where both a password and a code sent to your mobile are needed to access an account) where available would also act as a deterrent.

“It’s important to understand how easily personal data is linked these days. Information that can be easily found on Facebook can include your place of birth, your mother’s name and other personal details. And these are usually the security questions banks use.

“Personal information flows so easily from one thread to another, and hackers are always waiting to exploit that,” he says.

And sometimes, it’s all a matter of being aware of the personal information you give out. “When a site or a person (even in legitimate circumstances) asks you for certain personal information, just stop and just ask yourself, ‘Do they really need that information and am I comfortable in giving that information?’

Give it some consideration, and if you don’t think they do, then don’t give it. “When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place.”

Black day for Internet users

I was quoted in an article by the Centre for Policy Initiatives, a non-profit policy reform organisation, regarding the Evidence Amendment (No.2) Bill 2012. The article was later published in the Malaysian Insider.

The Evidence (Amendment) (No.2) Act 2012 will come into operation in a few days on June 1. The impact of this hastily and stealthily rushed legislation could be devastating.

De facto law minister Nazri Abdul Aziz denies that amendments to the Evidence Act were a means for the government to curb online dissent by making Internet anonymity more difficult to maintain or ignorance to be used as an excuse.

Instead Nazri claims that the law was tightened because “we don’t want [anonymous or pseudonymous] people to slander or threaten others,” according to a report in the Sunday Star.

However opposition leaders such as DAP secretary-general Lim Guan Eng are unconvinced.

Lim said that the amendment which was passed during the last sitting of the Dewan Rakyat and the Dewan Negara “will make it easier for the government to launch selective prosecutions of members of the opposition and civil society”.

According to him, a person is traditionally presumed innocent until proven guilty but the Evidence Act 2012 reverses this truism. Lim illustrates with a personal example: “In other words, I am responsible for anything posted on my website and the burden is on me to prove my innocence, not on the prosecution to prove my guilt”.

Lim also believes that the BN government would practise double standards in exercising the provisions of this legislation.

His misgivings are not entirely without basis, bearing in mind the several occasions when Malaysian authorities have been accused of filtering politically sensitive sites and most recently interfering in the Astro rebroadcast of BBC and Al-Jazeera’s live coverage of the Bersih 3.0 rally.

Nazri’s statement, “Under the amended Act, we shift the burden to the owner of the laptop or account so that we can get to the source [of the slanderous or seditious comments]”, prompted the Malaysian Bar to also express concern with regard to the presumption of guilt contained in the Act.

Internet Society Malaysian Chapter chairman Julian Vincent has pointed out that the amendments could be open to abuse by the investigators.

“In the internet environment where the websites even of the largest organisations are susceptible to hacking and manipulation, it is dangerous to have this presumption [of guilt] in place.

“The society expresses its hope that the cabinet will revise the current text and work to address privacy considerations and protect citizens’ rights and civil liberties in any future cyber security legislation,” he said.

Internet users across the board have criticized the amendment as unfair, concurring with the expert views that websites and social networking accounts (Facebook, Myspace, etc) or even e-mail could be easily hacked to post defamatory comments.

Despite the assurances by Nazri, an outspoken minister in the Prime Minister’s Department, the Netizens active on chat forums – as well as those who frequently forward chain mail and are addicted to Facebook or Twitter – harbour deep reservations about this newly revised law.

As it is, bloggers, such as Mohd Nur Hanief Abdul Jalil and Chan Lilian (Lim Guan Eng’s aide), have not been spared investigation by state officers for lese majeste and sedition respectively.

The public unease plays against the backdrop of reader participation in the relatively more free-wheeling news portals as compared with traditional media which has been subjected to pervasive state control.

Centre for Independent Journalism executive officer Masjaliza Hamzah has termed the amendments as a threat to freedom of expression and media freedom.

“The amendments are clearly an indirect way to control online content as it makes online sites responsible for comments posted by readers; forget about disclaimers on the comment section.

“This may force some sites to stop the comment feature because having to vet comments themselves may become untenable, and if this happens, it has a huge impact on the interactive nature of online media favoured by readers,” she is reported to have said.

Furthermore, Malaysia suffers the ignominy of appearing on the list of countries under surveillance as Enemies of the Internet, i.e. where authoritarian governments have employed censorship or filtering circumvention methods as well as systematic repression of Internet users.

The international watchdog body, Reporters Without Borders, had rated Burma, China, Iran, North Korea, Saudi Arabia and seven other countries as Enemies of the Internet in its RSF 2012 report.

The bottom line is that any repressive piece of legislation which can be misused by the powers-that-be to prohibit or curtail legitimate freedom of expression by its opponents is, in essence, a bad law. Should Pakatan Rakyat ever successfully occupy Putrajaya, they could just as easily turn the tables on the Barisan Nasional politicians and supporters by abusing this same law.

Lawyer-cum-blogger-cum-Tweeter Foong Cheng Leong dissects the presumption of fact relating to criminally libellous or seditious publication, explaining why repercussions for Internet users are indeed grave.

On the controversy surrounding the Act, Foong writes:

In summary, the new amendments force an innocent party to show that he is not the publisher. Victims of stolen identity or hacking would have a lot more problems to fix. Since computers can be easily manipulated and identity theft is quite rampant, it is dangerous to put the onus on Internet users. An Internet user will need to give an alibi that it wasn’t him. He needs to prove that he has no access to the computer at the time of publication and he needs to call witnesses to support his alibi.

His article can be read in full at the Loyar Burok website.

Finally, it is necessary to ask the Prime Minister Najib Razak the question as to why he has reneged on his word. Only last year he had repeated the Mahathir era promise made when Cyberjaya and the Multimedia Super Corridor were launched – that Malaysia will never censor the Internet.

The article stated that the Bill will be in force on 1 June 2012. I don’t think the Bill will be in force on 1 June 2012 but the Evidence (Amendment) Act 2012 [A1424] will be in force on 1 June 2012.
