stop114a

Bread & Kaya: Tracing someone online

Bread & Kaya: Tracing someone online
Nov 17, 2014

– Getting the IP address is one way, but may not always be possible
– On issue of defamation, Section 114A has been applied retrospectively

ONE of the most difficult issues to deal with in cybercrime or cyber-bullying cases is finding the perpetrator online. My years of blogging have brought me some experience in dealing with this issue, especially when dealing with ‘trolls.’

I am glad to say that it is not impossible. Some guesswork is needed. Normally, such a perpetrator is someone you know, although he or she may or may not be close to you. Sometimes, however, it would be just a stranger.

There was one case where the perpetrator was found to be a friend’s spouse whom the victim had only met a few times. Strangely, there was no animosity between these parties.

In one case which I was personally involved, I made a guess on the possible perpetrator and worked from there. Eventually, the person confessed after being confronted.

Getting the Internet Protocol (IP) address of the perpetrator is one of the conventional ways to track someone down. Internet service providers (ISPs) assign unique IP address to each user account. However, IP addresses may not be retrievable if the person is on a proxy server.

Another problem is the jurisdictional issue. Many servers storing such IP addresses may be located overseas and owned by foreign entities. One may have to initiate legal action overseas to get such data, and many of these service providers do not release their user information easily due to data protection laws or their strict privacy practices.

In the recent case of Tong Seak Kan & Anor v Loke Ah Kin & Anor [2014] 6 CLJ 904, the Plaintiffs initiated an action for cyberspace defamation against the 1st Defendant.

In tracing the perpetrator, who had posted defamatory statements on two Google Blogspot websites, the Plaintiffs filed an action called a John Doe action in the Superior Court of California. In compliance with the Court order, Google traced the blogs to two IP addresses which were revealed by Telekom Malaysia Bhd to be IP addresses belonging to the 1st Defendant’s account.

In the same case, the High Court had held that the controversial Section 114A (2) of the Evidence Act 1950 applied retrospectively.

S. 114A (2) provides that the burden of proof lies on the subscriber of an ISP to prove that a certain statement was not published by him or her. The 1st Defendant failed to convince the Court that s. 114A (2) does not apply because the defamatory statements were published before the enforcement date of s. 114A(2).

This retrospective stand however was not followed in the case of PP v Rutinin Bin Suhaimin [2013] 2 CLJ 427 as the High Court held that s. 114A does not apply retrospectively.

Perhaps the distinguishing factor between these cases is that the first case involved a civil dispute whereas the latter is a criminal prosecution.

Readers may recall that the #Stop114A campaign was initiated to get this law repealed. I am proud to say that Digital News Asia (DNA) was one of the organisers and participants in shutting down its website for one day. The campaign attracted the attention of Prime Minister Najib Razak but unfortunately, the law remained.

Going back to the case, the Court held that the 1st Defendant had failed to prove that he was not the publisher of the content. The 1st Defendant is now liable for a payment of RM600,000 (US$180,000) as damages to the Plaintiffs.

Not all tracing of a perpetrator requires an IP address. In Datuk Seri Anwar Bin Ibrahim v Wan Muhammad Azri Bin Wan Deris [2014] 3 MLRH 21, Opposition leader Anwar Ibrahim (pic) sued Wan Muhammad Azri Bin Wan Deris, allegedly a well-known blogger called Papagomo, for defamation.

In proving the identity of Papagomo, instead of tracing the IP address of Papagomo, the Court relied on the statement of a person who had met Papagomo in person before. The former also took a picture with Papagomo and this picture was tendered in Court.

There are other unconventional methods to identify a person online. I have heard of a private investigator entering a person’s home without knowledge to gain access to the computer of that person.

Many people do not password-protect their home computers and leave their email and other online accounts still logged into. This allows the private investigator to easily access a person’s emails and other online accounts without any technical skills.

One method that I always use is to find something unique in the content posted by the perpetrator. For example, I recently concluded that a website was held by a cyber-squatter by doing a Google search on certain sentences that appeared on the website. The cyber-squatter’s website looked like a legitimate website, but the search revealed that the same facade had been employed by the cyber-squatter on several websites using well-known brand names.

If there are images involved, a Google Image search would be useful to find whether other websites are hosting the same image.

It is of utmost importance that one must have reliable evidence to prove the identity of a perpetrator before suing or charging them. The person doing such investigation should be knowledgeable enough to conduct the investigation, know the rules of producing evidence and testifying in Court, and to thwart all challenges by the perpetrator’s lawyers.

Failure to do so would result in the case being dismissed or in a worst scenario, an innocent person being charged or sued in Court.


First published on Digital News Asia on 17 November 2014.

Netizens v the Government

2012 saw the intensified battle between netizens and the authorities. The former desires protection of their right to freedom of expression and anonymity whereas the latter desires control and governance. Through this battle, the authorities introduced many new legislations to govern the use of internet.

In July 2012, the Malaysian Government enforced s. 114A of the Evidence Act 1950 (114A). Under 114A, a person is deemed to be a publisher of a content if it originates from his or her website, registered networks or data processing device of an internet user unless he or she proves the contrary. This new law sparked a massive online protest dubbed the Malaysia Internet Black Out Day or also the Stop114A. Protesters replaced their Facebook and Twitter profile picture with the Stop114A banner whereas website operators displayed the Stop114A banner on their websites. Within two days, the Stop114A Facebook gained 43,000 likes from 400 likes (currently 49,000). It is probably one of Malaysia’s most successful online campaigns.

On the business side, the Association of the Computer and Multimedia Industry of Malaysia (Pikom), who represents the information and communications technology (ICT) industry in Malaysia, backed calls for a review of 114A whereas the Federation of Malaysian Manufacturers (FMM) has expressed concerns over the recent inclusion of 114A and its impact on businesses.

Interestingly, the Malaysian Government passed the Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 and Consumer Protection (Electronic Trade Transactions) Regulations 2012. The former requires any person operating a cybercafé and cyber centre to maintain a customer entry record and a record of computer usage for each computer whereas the latter requires online business owners and operators to provide their full details, terms of conditions of sale, rectification of errors and maintenance of records.

Philippines netizens also protested against their newly introduced cyberlaw. In October 2012, Philippines passed the Cybercrime Prevention Act of 2012 with the aim to prevent cybersex, online child pornography, identity theft and spamming. However, under the new act, a person found guilty of libellous comments online, including comments made on social networks such as Facebook and Twitter or blogs, could be fined or jailed. In protest against the new law, anonymous activists hacked into government websites, journalists have held rallies and many Facebook users have replaced their profile picture with a black screen. Protesters say the new law could be used to target government critics and crack down on freedom of speech.

Japan netizens on the other hand had milder protest against a new law that makes Japan-based internet users who download copyright infringing files. Violators will face up to two years in prison or fines of up to two million yen. In July 2012, about 80 masked people, calling themselves allies of the global hacker group Anonymous, picked up litter in Tokyo Saturday as a sign of protest.

In early 2012, China required users of the popular microblogging platform, Weibo, to register their real names. Subsequently, later in the year, China legalized the deletion of posts or pages which are deemed to contain “illegal” information and required service providers to hand over such information to the authorities for punishment.

On a brighter note, the South Korean Constitutional Court ruled that a law requiring South Koreans to use their real names on Internet forums was unconstitutional. The Court said that the requirement amounts to prior censorship and violated citizens’ privacy.

In the United States, a handful of US states, including Illinois, California and Maryland, passed laws making it illegal for employers to ask for potential employees’ Facebook or other social media passwords.

A person who retweets a defamatory tweet is potentially liable for defamation. In the UK, Lord McAlpine (Robert Alistair McAlpine) a former politician who worked for Margaret Thatcher, announced his intention to pursue action against 10,000 Twitter users for defamation including those who had retweeted the defamatory tweets. In this case, Lord Alphine was linked by some social media users after BBC News reported that a senior politician was involved child sex abuse. Interestingly, these users may apologize to Lord McAlphine by completing a form downloadable from his solicitors’ website!

In the UK, it is an offence to publish the identity of victims of certain offences which include rape. Footballer Ched Evans was convicted by the Court for rape of a 19 years old woman. The woman’s name was circulated on social networking sites, including Twitter and Facebook, after Evans’ conviction. 9 people were fined after admitting to revealing online the identity of the woman.

Meanwhile back home, the Kota Kinabalu High Court overturned Rutinin Bin Suhaimin’s acquittal for posting an “annoying” comment on the Sultan of Perak’s website. Rutinin was charged under s. 233 of the Communications and Multimedia Act 1998. The Sessions Court had earlier acquitted him without calling for his defence because, among others, the prosecution failed to prove that Rutinin was the person who posted the insulting comment. The Court held that, although 114A of the Evidence Act 1950 is not applicable because the alleged offending act was committed before the enforcement date of 114A, the circumstantial evidence is sufficiently strong to conclude that the accused had used the internet account that was registered in his name at the material time.

The developments in 2012 show the involvement of the authorities in clamping down the notion of the Internet being the Wild, Wild West. However, such clap down must be monitored by netizens.

In December 2012, the International Telecommunication Union (ITU) brought together regulators from around the world to re-negotiate a decades-old communications treaty. Google and 1000 over organizations around the world claimed that some governments want to use the closed-door meeting to increase censorship and regulate the Internet and had started an online campaign.

At the end of the closed-door meeting, 89 countries including Malaysia signed the treaty, while 55 countries said they would not sign or that additional review was needed.

With the new technology, websites and novel functions, all Governments will have to step out their game to protect the rights of netizens and businesses. New laws must not be onerous but in the same time protect victims of cybercrimes and preserve the right of freedom of expression.



This article was supposed to be published in the Putik Lada of The Star Newspaper. It was also supposed to be the 2013 installation of my yearly social media update articles. Unfortunately, The Star Newspaper discontinued the Putik Lada column before my article could be published.

GE13 Candidates and 114A

Published on LoyarBurok on 16 April 2013.



I am no expert in election laws but GE13 Candidates should take note of this. If you are running a blog, I suggest you moderate or close the comments section until and after the 13th General Election.

The reason why I say so is because s.114A(1) of the Evidence Act 1950 and the Election Offences Act 1954. S. 114A(1) provide the following:

“A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host, administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”.
In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content unless you prove otherwise.

Also, if you have in any manner facilitated to publish or re-publish the publication, you are presumed to have published the content of the publication.

This means that website owners are deemed to be publishers of contents of a publication although the author of the publication is someone else.

Further, it is not possible for website owner to prove that he is not a publisher due to the wording of the section i.e. the words “in any manner facilitates to publish or re-publish the publication”. By providing a virtual platform, the website owners facilitate to publish or re-publish a publication.

In this regard, you will potentially commit an election offence if someone posts a comment which falls within the scope of corrupt practice. If found guilty of an election offence, the election of a candidate will be declared void (s. 32 of the Election Offences Act 1954).

What I have mentioned is not without basis. A similar scenario had happened after the 12th General Elections. In Kho Whai Phiaw v Chong Chieng Jen (Election Petition No.: 26-01-2008-I), an elector in the Bandar Kuching constituency presented an election petition to have Mr. Chong Chieng Jen’s (representative of the Democratic Action Party (DAP)) election declared void.

The elector sought to have Mr Chong’s election avoided on the ground that the latter had engaged in the corrupt practice of (i) undue influence and (ii) bribery, to procure his victory in the election. The elector alleged, among others, that a letter from one Mr Smith published on the comment section of Mr Chong’s blog site is said to contain certain threatening statement. The elector alleged that Mr Chong had exercised undue influence over the non-Muslim voters in the Bandar Kuching constituency through Mr Smith’s letter appearing on his blog site.

Fortunately for Mr Chong, the High Court held that Mr Smith’s letter was posted by one commentor by the name “Responsible Christian Voter” (‘RCV’). Mr. Smith was the author of the letter and it was RCV who published that letter through Mr Chong’s blog site. The Court held that Mr Chong is therefore not the publisher of the letter. The case is later upheld by the Federal Court. (see Kho Whai Phiaw v Chong Chieng Jen [2009] 3 CLJ 201)

But Mr Chong’s case is pre-114A case. If s. 114A applies, Mr Chong is considered as the publisher of the letter as his blogsite had facilitated the publication of the letter. Mr Chong could potentially commit an election offence if 114A applies. That is the effect of 114A. It creates liability on a virtual platform provider.

This, of course, is not tested in our Courts yet. One may argue that it is the blogsite provider (e.g. Google who owns Blogger.com) but this is only provided that such blog is hosted by such blogsite provider.

Nevertheless, as an abundance of caution, GE13 candidates should close their blog comments section to avoid such actions. Interestingly, Mr Chong’s blogsite has closed its comments section.

A Facebook Page is also another concern. It may be arguable to say postings made by users on a Facebook page is not published by the Facebook page administrator as it appears on a separate page. (Illustrated below).

However, Facebook comments appearing together with the postings by the Facebook administrator (illustrated below) is different. It is arguable that such comments are published by the Facebook page owner.

With this risk of having an election declared void, I hope that the new Parliament will relook into 114A when it convenes in the future.

It’s time to #stop114A.

What the hack happened?

The Star quoted me in the following article on 19 August 2012:-

Sunday August 19, 2012

What the hack happened?
By LISA GOH
lisagoh@thestar.com.my

Losing your personal particulars to hackers can lead to financial losses, heartaches, loss of reputation – and sometimes friends, too.

IT starts out so innocently. A simple vote request by an acquaintance for a competition on Facebook; one click and law student Sharlyn J. discovers she has been hacked and locked out of all her social media accounts emails, Facebook, Twitter, Skype and MSN Messenger.

“I clicked on the link and a new window popped up. It looked exactly like Facebook – the colour and the fonts – but I didn’t double check the URL. That was my mistake.

“The site required me to type in my email address and password. I was a little reluctant at first but the girl kept pleading for me to vote for her so in the end, I did. Right after that, I knew something was wrong. I got locked out of all my accounts,” says Sharlyn, 19, of the incident last May.

If that wasn’t bad enough, within the hour, she received a text message that said “Hi Sharlyn. Your full name is , your IC number is , your IP address is , you are a student at college etc.” The hacker demanded money in exchange for getting her accounts back.

Gone in a second: It’s a nightmare for anyone who has discovered that his or her personal particulars have gone into the wrong hands.
“He/she even said I’m not asking for much, just RM300. You can report to the police, but there’s no point. I can’t be tracked.’

“That person had all my personal particulars. I was really freaked out. I had just started college and was living on my own. What if he had my home address as well?”

Failing to get a response from Sharlyn, the hacker then sent another text message, offering her a discount of RM150.

“I called my mum and told her what happened. I was really scared but I ignored him. I lodged a police report and opened new accounts the next day to tell all my friends to delete the old ones,” she says.

However, even weeks on, the hacker was still assuming her identity and chatting with her friends – as she found out later. She never got any of her accounts back.

In other instances, the identity thief doesn’t come to you for money. He goes to your friends, as local film producer Wendy Wong discovered.

Early last month, Wong sent her notebook for servicing. After getting her notebook back two weeks later, her problems started. When she logged into her email account, there was a prompt saying that the account was in use.

She didn’t think much of it, but then came phone calls asking if she was all right and if she was stranded in Spain.

Her email account had been hacked. Assuming her identity, the hacker emailed all her contacts to tell them she had lost her wallet and asked them to send money so she could settle her hotel bill in Spain. The hacker asked her contacts to send her RM10,929 (2850) via Western Union to an address in Madrid.

“I was in Kuala Lumpur all the while. Good thing some of my friends called me to check before sending money over. I had friends who were already planning to transfer the money,” Wong says, adding that she was alerted of the situation by an mStar journalist who had called her to ask if she was indeed stranded in Spain.

Several attempts to change her password failed as the hacker made repeated assaults on her account. Wong has since lodged a police report and alerted the customer service of her email account provider.

“This has affected my reputation. Those who know me well would know I would never go around asking people for money. But what about those I have just met, or are just starting a business partnership with? What would they think of me?”

For that reason, Wong held a press conference early this month to clear her name and to alert all her contacts of her predicament.

“It’s not so easy for me to just get another email address as that’s where my contacts reach me. But it looks like I don’t really have much choice now,” she laments.

When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place. – Nigel Tan

Symantec Malaysia systems engineering director Nigel Tan says that when it comes to identity theft, more often than not, it’s an opportunistic crime, and it’s a two-step process.

“Someone steals your personal information, then uses that information to impersonate you to commit fraud. It’s important to understand this two-step approach, because your defences also must work on both levels,” says Tan, who is Symantec’s principal consultant for Asia South.

According to the Symantec Internet Security Threat Report for the year 2011, a total of 232 million identities were breached worldwide, and of that, 80.5% were by hackers.

In 2011, the Malaysian Communications and Multimedia Commission (MCMC) recorded a total of 199 hacking complaints, and six identity theft complaints. For this year up till Aug 9, MCMC recorded 141 hacking complaints, with no identity thefts as yet.

Under the law, hacking itself is an offence under the Computer Crimes Act 1997, says KL Bar Information Technology Committee co-chairman Foong Cheng Leong.

Section 4 of the Act, for example, finds “unauthorised access with intent to commit or facilitate commission of further offence” a crime, whereby a person convicted could be liable to a fine not exceeding RM150,000, or to imprisonment for a term not exceeding 10 years, or both.

Further offences, such as cheating, can be pursued under the Penal Code, Foong explains. Victims can also file civil suits if the perpetrator is known to them.

However, identity theft could prove to be more than a mere inconvenience for victims, in light of Section 114A of the Evidence Act 1950, as it holds the account owner responsible for any material published from his/her account, “unless the contrary is proved”.

This amendment to the Act, passed in Parliament in April this year, drew heavy objections from various quarters.

On Thursday, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced that the Cabinet has decided to maintain it.

Hacker’s victim: Wong is worried that her reputation may have been marred by the stranger’s doings.

But what drives hackers to hack and steal another person’s identity?

Where previously the motive would have been to gain fame, Tan says more often than not these days, it’s for financial benefits. Social media sites have also not been spared.

“Hackers want to get into the social media because they want to exploit that circle of trust. When you see an email or link sent by someone you know, you’re more likely to respond,” he says.

His advice?

“Never ever click on links. Open a new browser and type in the URL. If you get a phone call from a bank saying your account has some issues, and they require your personal information, hang up and call the bank directly and ask them if they really have a problem with your account,” he says. (Refer to chart for more Do’s & Don’ts.)

He also advocates using different passwords for different accounts and changing them regularly (once every 90 days is ideal). Using the two-factor identification facility (where both a password and a code sent to your mobile is needed to access an account) where available would also act as a deterrent.

“It’s important to understand how easily personal data is linked these days. Information that can be easily found on Facebook can include your place of birth, your mother’s name and other personal details. And these are usually the security questions banks use.

“Personal information flows so easily from one thread to another, and hackers are always waiting to exploit that,” he says.

And sometimes, it’s all a matter of being aware of the personal information you give out. “When a site or a person (even in legitimate circumstances) asks you for certain personal information, just stop and just ask yourself, Do they really need that information and am I comfortable in giving that information?’

Give it some consideration, and if you don’t think they do, then don’t give it. “When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place.”

Tweetjacked

This article appeared on Rage following my interview with The Star.

Tweetjacked

By KEVIN TAN and PHYLLIS HO

alltherage@thestar.com.my

ONE fine day, Chee Yun Sam, a 22-year-old model, started getting a barrage of angry tweets and messages from his friends.

Apparently, Chee had posted something rather racist on his Twitter account, and a lot of people weren’t taking too kindly to it.

Only problem was – and you guessed it – he had no idea what he had supposedly posted.

Chee had become a victim of “tweetjacking”, the popular new prank that’s making stuff like wedgies and the ol’ chalk-on-the-chair trick like SO last millennium.

What happened was a friend of Chee’s managed to get his hands on his smartphone, and used Chee’s Twitter account to post a joke.

That’s how most tweetjacks happen. You “hijack” someone’s Twitter account (or Facebook) and post something embarrassing, making it seem like it came straight from the account holder.

It’s usually innocent stuff, like confessions of love for a mutual friend (or Rebecca Black, which is equally embarrassing), or probably something gross like “I smell my socks every morning”.

But unfortunately for Chee, his friends didn’t just post some innocent joke.”It wasn’t a laughing matter at all,” he said. “My friend posted something that was quite racist. And people didn’t know I was being tweetjacked! Some of them took it really seriously and were very upset.”

While we at R.AGE always love a good, harmless prank (like the time we moved Sharmila Nair’s car to a different basement level. That sure taught her not to leave her keys lying around…), it seems tweetjacking, Facebook-jacking (which goes by a rather more unsavoury term on the Internet) and all kinds of social media-jacking can quite easily get out of hand.

And given how integral social media has become to so many of our lives and careers, your next tweetjack might not turn out to be so funny after all.

Protect yourself!

Denielle Leong, 18, has been Facebook and Twitter-jacked many times by her college buddies and even her boyfriend.

“Well on Facebook you’d normally see pretty disgusting stuff like ‘I like to lick my armpits’. Or sometimes it’ll be openly praising someone who is hot. It’s very different on Twitter, for some reason,” she said.

On Twitter, her account has been hijacked by her friends several times to post some flirtatious tweets, which obviously led to some rather awkward responses from her male friends.

“Some people really do retweet and buy everything they see, even the most random things. It just shows how people online are so gullible,” she said.

But probably the main reason why social media hijacking is becoming so common, is simply because the opportunities are everywhere now. An idle smartphone at a party, a Facebook account logged-on at the college library, an iPad that isn’t password protected… They’re all hijacks waiting to happen.

Despite having been hijacked so many times, Leong admits that she doesn’t always log off her accounts after using them on laptops and computers. She might be making herself a prime target for another prank, but she says she doesn’t mind – as long as it’s nothing harmful.

Lawyer Foong Cheng Leong, 31, the Kuala Lumpur Bar Council’s IT committee co-chairman, agrees that social media-jacking is actually “harmless”.

The problem is – as it is with all pranks – some people tend to go overboard, inadvertently posting things that are too sensitive, or sometimes even unlawful. “Publishes that are unlawful include posts that are deemed as defamatory, seditious, obscene, malicious – the breaking of the law in section 233 of Communication and Multimedia act,” said Foong.

Basically that means if you post something as part of a tweetjack that breaks those laws, you – and the friend whose account you jacked – could potentially face a fine of up to RM50,000, a jail sentence of up to one year, or both.

And with the recent amendments to the Evidence Act, Foong says that social media users should protect their accounts and monitor their publishes even more carefully. “Now, all the more young people have to be aware of their publishes, because every post will hold the publisher (account owner) accountable,” he said. “Only the account owners will be considered as the publisher until proved otherwise.

“That’s when tweet-jacking can be a problem – if the tweetjacker does not own up and admit that he or she is the person who published the (unlawful) post,” he added.

But even if you aren’t breaking the law, a social media hijacking can still do a lot of damage. Imagine for instance, if your employer stumbles upon a tasteless joke on your Facebook or Twitter account.

Joshua Desmond, 26, who, funnily enough, works as a social media planner in a digital advertising firm, was the victim of one particularly tasteless tweetjacking.

“I don’t get tweetjacked very often, but it happens from time to time,” said Desmond. “The tweets are normally just for laughs.”

But then one day, the stuff got real.

A friend used Desmond’s account to make a joke about his sexuality, which most of his followers understood to be a tweetjack. But there was one friend who didn’t get the joke, and decided to tell Desmond’s parents about it.

“My dad just rang me up one day and asked me about it, and he sounded very serious,” said Desmond. “I still remember how upset he was when he called me.

“Even after I convinced them it was only a prank, they were still upset and told me not to let it happen again. It wasn’t something funny to them at all.”

Password protection

Apart from the odd prank that gets really embarrassing, or the unlawful post that could get you in trouble with the law, social media hijacking could also put your personal safety at risk.

Foong advises people to keep personal information like house addresses, mobile phone numbers, and PIN numbers off social media, because if someone was able to hijack your account to make a silly joke, someone could also potentially access that information for something more malicious altogether.

In any case, it’s important to not only protect your smartphones and to always log out from your social media accounts, but also to make sure you have a safe password.

According to Foong, there is actually a rather common set of passwords which people tend to choose from.

“Many people use common passwords like ‘abc123’, and those passwords are easy to crack,” said Foong. “Believe it or not, the most common password in the world is ‘password’.”

Unfortunately, Sarenraj Rajendran, 22, an American Degree Programme student, had to learn that lesson the hard way.

One of Sarenraj’s friends somehow managed to guess his Facebook password, but that wasn’t such a big deal. Things turned ugly when he found out that Sarenraj used the same password for his Internet service account.

As a prank, the friend made all kinds of changes to his account settings, and even purchased some upgrades – additional email storage and an online anti-virus package. They were only 17 back then.

“I got to know about it when my ‘hijacker’ friend went around telling other friends, and even presented the proof of purchase to brag about what he had done.”

Social media expert David Lian, the Asia Pacific Digital Lead of PR agency Text 100, says the integration between all the different forms of social media makes these hijackings potentially much more damaging.

“These days, all your social networks are connected. Facebook, Foursquare, Instagram… Even your email addresses. If someone has access to one of your accounts, they could easily have access to all your accounts.

“They could even have access to credit card information on some of these applications,” said Lian.

The problem with us running this story, of course, is that people now know that “Tweet-jacking may not be dangerous if people know the limit. But at the end of the day, everyone should prevent themselves from the risk of the dangers of it. This really taught me to really be careful when it comes to protecting my personal social media. I can’t let things like that happen again,” said Chee.

牵制互联网自由 赛夫丁支持废114 A条文

Following the Stop 114A forum, the Nan Yang reported the following:-

牵制互联网自由 赛夫丁支持废114 A条文

 2012-08-11 21:07

(吉隆坡11日讯)高等教育部副部长拿督赛夫丁博士今日表明支持废除1950年证据法令下增设的114A条文,因为此条文有牵制互联网自由之意。

将向首相传达

他说,巫青团长凯利也对这项于今年在国会下议院通过的修正法令有微言,所以他将跟凯利讨论此问题,再设法向首相拿督斯里纳吉传达。

赛夫丁今日在大马律师公会礼堂出席1950年证据法令114A条文论坛时,表达了本身的立场。

这项论坛是大马律师公会年轻律师委员会、大马宪法主义及人权中心(MCCHR)和独立新闻中心(CIJ)所主办的系列批判思维论坛之一。

赛夫丁是论坛主讲人之一,另3名主讲人是律师冯正良(吉隆坡律师委员会资讯科技委员会联合主席)、宪法及人权律师K山姆卡及律师费沙慕丁。主持人马哈乐朱米。

条文一“网”打尽

114A条文的重点在于“假设出版内容是事实”(presumption offact in publication),阐明网络或网站的主人、管理人、主机、编辑订户,或者电脑或流动设备的主人,假设出版或再出版其内容。

这项广义的条文,几乎“一网打尽”个人及商业电脑用户。

除了费沙姆丁持不同看法外,赛夫丁、冯正良和K山姆卡,都认为114A条文对互联网用户造成巨大的冲击。

赛夫丁说,他支持首相倡导的政府转型计划及政治转型计划,不过却认为114A条文是问题条文。

难向民众交代

他说,政府曾经承诺不会审查互联网,但现在却实施114A文条,因此他在向民众解说时也感到棘手。

他说,在反应民众和本身对此条文的立场时,也必须同时考虑其他替代的法令,以在互联网资讯和个人利益上取得平衡。

针对费沙姆丁指有关条文,将在资讯自由流通于个人利益之间取得平衡点,赛夫丁说:“能够平衡当然是好事,不过我不确定,我们是否做到平衡,还是失衡。”

若出版内容属实 难给答辩人定罪

律师费沙姆丁认为,证据法令114A条文并非创建罪行或施加有罪的假设。

他说,假设出版内容是事实(presumption of fact in publication),是可以被推翻的,这项假定不足于证明答辩人有罪。

“如果控方或起诉人无法证明罪行的其他元素,案件一样是不能够成立的。

从“后门”送人入狱“

我不否认,条文中的一些字眼过于广义,尤其是‘提供出版便利’(开设面子书户口)这点。”

K山姆卡说,根据有关条文,被告者必须证明自己的清白,是一种由“后门”送人入狱的做法。

冯正良视有关条文为攻击互联网使用者的工具。

14日互联网中断日

他说,为了抗议此条文,多个团体将在本月14日展开互联网中断日(InternetBlackout)运动。

国内一些组织认为,114A条文颠覆了“定罪前皆属无辜”的法律原则,这法令也可能被有心人滥用来陷害他人,特别是大选即将来临之际。

净选盟受促国庆 勿在独立广场办活动

赛夫丁在回应有关净选盟计划于国庆日前夕在独立广场静坐的问题时说,当晚民众都准备欢庆国家独立纪念日,所以他请求净选盟的成员不要在当晚在独立广场举行活动。

黄衣庆国庆引混乱

他说,如果当晚恰巧着黄色衣服前来庆祝国庆日,到时将会引起混乱。

“所以,我希望净选盟不要选择在国庆日前夕及同一个地点进行活动。”

律師:被控者需負舉證責任‧114A條文太廣泛存爭議

Following the Stop 114A forum, the Sin Chiew reported the following:-

律師:被控者需負舉證責任‧114A條文太廣泛存爭議
國內 2012-08-12 09:35

(吉隆坡11日訊)多名律師認為,2012年證據法令114A條文存在許多爭議,除了可能箝制互聯網言論自由、被控者需負上舉證責任外,該條文用詞上語義過廣,涵蓋範圍也過大。

在律師公會年輕律師委員會、獨立新聞中心及大馬憲法與人權中心(MCCHR)聯辦的“證據法令114A條文:互聯網自由的終結?"論壇上,邀請了多名律師與高等教育部副部長拿督賽夫丁擔任主講人發表對該條文的看法。

【新潮】你相信超自然力量嗎?她的照片帶有某種黑色力量…

馮正良:轉發留言或會惹禍

吉隆坡律師公會資訊工藝委員會主席馮正良指出,假設任何人利用他人電腦、互聯網戶口、wifi無限寬頻、部落格發佈違法內容,如涉及誹謗等,作為網頁設立與管理人,互聯網戶頭擁有者,就算有關內容未經同意或不知情,都會被視為內容發表者。

“一旦在114A條文下被追究責任,有關人士必須舉證證明自己清白,甚至如果你是轉發推特、面子書留言內容都可能惹禍。"他說,在此條文下,該條文範圍過廣,無論是民事或刑事案件,舉證的責任不再歸於原告與檢控官,而是必須由被告舉證本身沒在互聯網上發表任何涉及誹謗、中傷等內容。

他呼吁反對114A條文者,參與獨立新聞中心8月14日(下週二)舉辦“網絡黑屏日"(Internet blackout day)運動,表達不滿之聲。

山慕根:法令忽視匿名者駭客

律師、部落客及著名網站LoyarBurok創辦人K.山慕根作為論壇主講人之一就指出,114A條文的語句用詞不當,語義過廣,忽視了互聯網上存在許多匿名者,利用假戶口在留言、評論,以及存在互聯網騙案、駭客等問題。

“尤其是駭客,一旦駭入其他網民電腦或網絡戶口,利用他人的戶口進行違法事項,無辜者可能會成為代罪羔羊。"他認為,該條文可能會被有心人士尤其是匿名者利用來進行惡意攻擊,或成為過濾互聯網內容的“工具",因為有關人士可針對誹謗內容對特定單位提告,而被告本身證明本身沒發佈違法內容。

法依沙:推定事實非假定有罪

另一名主講者Moideen &Max律師樓合夥人法依沙律師認為,114A條文並不全然滿佈問題,該條文確實在字面上過於廣義,但該條文只是建立一個事實推定(presumption offact),並非假定有罪。

他指出,114A條文假定這個電腦與互聯網戶口既然在某人名下,那麼利用這些通訊器材發表的內容也是由該人發表。

(星洲日報)

Grave repercussions for internet users

Published on LoyarBurok on 24 April 2012.

Dissecting the presumption of fact relating to publication in the controversial new Bill.

The Evidence (Amendment) (No. 2) Bill 2012 was one of the bills rushed and passed by the Parliament recently. Minister in the Prime Minister’s Department, Datuk Seri Mohamed Nazri Aziz, when winding up the Evidence (Amendment) Bill 2012, said the use of pseudonyms or anonymity by any party to do cyber crimes had made it difficult for the action to be taken against them. Hence, the Evidence Act 1950 must be amended to address the issue of Internet anonymity.

The amendments introduced s. 114A into the Evidence Act 1950 to provide for the presumption of fact in publication in order to facilitate the identification and proving of the identity of an anonymous person involved in publication through the internet. In simple words, s. 114A introduces 3 circumstances where an Internet user is deemed to be a publisher of a content unless proven otherwise by him or her.

Although it is stated that the amendment is to cover anonymous persons on the internet, the effect of the amendment is quite wide. You see, we, especially social media network users, generally do not use our real names on the Internet. We use nicknames and pseudonyms. Our home addresses do not appear on our account. We sometimes use fictional characters or even digitalized images of ourselves as our profile picture. All these are done to protect our own privacy. So, if none of my personal details appear on my account, does this mean I am anonymous? If someone’s identity cannot be directly ascertained from his account, I would think that he would be anonymous.

The new s. 114A(1) states that “A person whose name, photograph or pseudonym appears on any publication depicting himself as the owner, host , administrator, editor or sub-editor, or who in any manner facilitates to publish or re-publish the publication is presumed to have published or re-published the contents of the publication unless the contrary is proved”. In simple words, if your name, photograph or pseudonym appears on any publication depicting yourself as the aforesaid persons, you are deemed to have published the content. So, for example, if someone creates a blog with your name, you are deemed to have published the articles there unless you prove otherwise. If you have a blog and someone posts a comment, you are deemed to have published it. If you have a Facebook page and an user posts something on your wall, you are deemed to have published it!

Subsection (2) provides a graver consequence. If a posting originates from your account with a network service provider, you are deemed to be the publisher unless the contrary is proved. In simple terms, if a posting originates from your TM Unifi account, you are deemed to be the publisher. In the following scenarios, you are deemed to be the publisher unless you prove the contrary:-

(1) You have a home network with a few house mates sharing one internet account. You are deemed to be the publisher even though one of your house mates posts something offensive online.
(2) You have wireless network at home but you did not secure your network. You are deemed to be the publisher even though someone “piggybacks” your network to post something offensive.
(3) You have a party at home and allows your friends to access your PC or wireless network.You are deemed to be the publisher even though it was a friend who posted something offensive.
(4) Someone use your phone or tablet to post something offensive. You are deemed to be the publisher.

As for subsection (3), you are presumed to have published a content if you have custory or control of any computer which the publication originates from. Here, you are deemed to be the publisher so long your computer was the device that had posted the content. So if someone “tweetjacks” you or naughtily updates your Facebook with something offensive, you are deemed to be the publisher unless you prove otherwise.

Admittedly, the amendments certainly saves a lot of the investigator’s time. It is very difficult to trace someone on the Internet. It will make prosecution for, among others, defamation, offences under the Communication and Multimedia Act 1998 and Computer Crimes Act 1997 and, election offences much easier. But it is not impossible to trace someone. There are many cases where perpetrators are caught and charged.

I do not see the logic to deem someone to be a publisher. If an investigator is unable to trace the anonymous internet user, then why should the innocent Internet user take the rap? The onus of proof should always be on the prosecuting side. In the English case of Applause Store Productions Limited & Anor v Grant Raphael [2008] EWHC 1781 (QB), the claimants were awarded £22,000 in damages against Raphael, an old school friend, who had created a false personal profile of the claimants on Facebook. The claimants convinced the Court that Raphael was the person who created the fake profile even though he claimed that he had a party at his house and someone in that party created the account.

In summary, the new amendments force an innocent party to show that he is not the publisher. Victims of stolen identity or hacking would have a lot more problems to fix. Since computers can be easily manipulated and identity theft is quite rampant, it is dangerous to put the onus on internet users. An internet user will need to give an alibi that it wasn’t him. He needs to prove that he has no access to the computer at that time of publication and he needs to produce call witnesses to support his alibi.

Clearly, it is against our very fundamental principal of “innocent until proven guilty”. With general election looming, I fear this amendment will be used oppressively. Fortunately, the amendment is not in force yet. I strongly hope that the government will relook into this amendment.

 

 Scroll to top