Privacy lawyer Foong Cheng Leong told FMT that the power to intercept communications was normally only exercised in cases involving serious offences such as terrorism or organised crime.

He added that phone tapping can only be carried out with permission. For example, interceptions for cases under the Security Offences (Special Measures) Act 2012 must be authorised by the public prosecutor.

On several claims that the government was behind the purported leaked audio recording, Foong said that no one knew for sure if the authorities had tapped the conversation.

“There could also be a possibility that the phones were compromised by the installation of certain mobile applications,” he said, referring to phone hackers.

If this were true, Foong said, there may be an offence committed under the Computer Crimes Act 1997, adding that there could be a cause of action for invasion of privacy or trespassing, among others.

The post Phone tapping is the issue, not PKR-Umno pact, says Zaid appeared first on Foong Cheng Leong.

Under our law, malicious cryptominers can be punished with the Computer Crimes Act 1997, says Bar Council information technology and cyberlaw committee deputy chairman Foong Cheng Leong.

“It can be considered unauthorised access to computer material or unauthorised modification to computer material,” he adds.

If found guilty for unauthorised access, the cybercriminal can face up to a RM50,000 fine, a five-year jail term or both.

At present, digital currencies such as bitcoin are not recognised as legal tender in Malaysia.

But cryptocurrency exchangers are required to report their activities to Bank Negara.

This reporting obligation, the central bank was reported as saying, is the first step in making activities in the cryptocurrency business more transparent.

Foong says while it is not recognised as legal tender, it doesn’t mean cryptocurrency is illegal.

“You can still use digital currencies to purchase things. It is up to the buyer and seller,” he adds.

However, he points out that cryptocurrency may also be misused, particularly in the black market for illegal purposes like money laundering, purchase of drugs and other undesirable items, to avoid detection.

“I foresee more crimes and disputes may arise from there,” Foong says.

The post Hijacking hardware in stealth mode appeared first on Foong Cheng Leong.

Bar Council information technology and cyberlaw committee deputy chairman Foong Cheng Leong said somebody who impersonates another person online could be breaking the law if the actions fall within criminal activity.

“For example, impersonation to gain monetary benefit could amounting to cheating.

“Impersonation, as a prank, is not a criminal act,” he explains.

Hence, it is considered a crime in cases where the online impersonator asks for money from unsuspecting victims – or as in the case of this latest twist, tricking them into buying game credits for them.

Such an offence comes under Section 420 of the Penal Code for cheating and dishonestly inducing delivery of property.

It is a crime punishable with a jail term of between one and 10 years, with whipping and a fine.

However, even the act of hacking into a person’s social media account alone, whether it is a prank or not, crosses into the criminal realm.

Under the Computer Crimes Act, a person who gains unauthorized access to computer material is guilty of an offence.

Those convicted could be liable to a maximum fine of RM50,000, five years in jail or both.

Hacking with intent to commit further offences, including fraud, also amounts to a crime.

If found guilty, the court can sentence a person to a maximum fine of RM150,000, a 10 year jail term or both.

The post Getting ‘played’ over games appeared first on Foong Cheng Leong.

Details about the event

Cyber security is headline news almost constantly because hacks, data theft and high profile breaches are now a part of daily life and almost impossible to avoid. In 2016, a number of new laws will be enacted in the US, Europe and Asia that all have important, and potentially financially punitive, ramifications for Asian-based organizations.

However the C-Suite are not fully conversant with correct strategy by which cyber security investments should be made. This is not a business ROI that can be expected. Cyber-warfare and cyber security investments are akin to military spending. We have to do in the hope that we never use the tools.

This is anathema to many business investments, however the consequences of not taking this approach could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organization.

At this conference series, IDC and its partners will share some of the new people, process and technology strategies that the C-Suite should consider to be better prepared for future incidents, and whilst absolute security cannot be guaranteed, making your organization a hard target to breach may well be the solution for the future.

Based on the IDC IT Security MaturityScape, IDC will share how some of the best-in-class organizations globally think about managing their IT Security teams, from board-level reporting to IT operational management.

This holistic view will help the C-Suite, and those that report in to the C-Suite to more eloquently articulate the issues, challenges and requirements that will be critical to ensure that future attack surface is minimized, and suitable crisis management plans and responses are in place.

Attend this event to learn more about how to deflect the latest attacks and what more you can do to deliver a more secure environment to your business.

Speakers

David Rajoo
Director, Systems Engineering, Symantec Malaysia

Foong Cheng Leong
Advocate and Solicitor, Foong Cheng Leong & Co

Javenn Ng
DPtech Lead & Business Development Director, DPtech

Jayan Arunasalam
Head of Technology & Innovation, Tune Protect Group Berhad

Marcus Lai
Vice President, International Business, DPtech

Peter Leong
Head, Regional IT – Asia, PETRONAS Lubricants International Sdn. Bhd.

Simon Piff
Associate Vice President, Enterprise Infrastructure & Head of IT Security Research, IDC Asia/Pacific

Thillai Raj T. Ramanathan
Chief Technology Officer, MIMOS Berhad

For more information, please visit here.

The post Event: ASEAN IT Security Conference 2016 appeared first on Foong Cheng Leong.

(Click on image for larger view)

The post Upcoming Event: Cyber Laws and Digital Forensics appeared first on Foong Cheng Leong.

– No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

– Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keeping silent or even make heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report. He commenced legal action against his Malaysian ex-girlfriend (Lee David Clayworth v Lee Ching Yan (Kuala Lumpur High Court (Civil Division) Suit No. 23NCVC-31-2011)) and obtained judgment against her. She was later found to be in contempt of Court as she failed to comply with the Court order.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

It is noted that s. 233 of the Communications and Multimedia Act 1998 criminalises harasses but such harassment must be in a form of electronic harassment which is obscene, indecent, false, menacing or offensive in character.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.

First published on Digital News Asia on 17 July 2014.

[Edited on 7 July 2019 to include the Court order of Lee David Clayworth v Lee Ching Yan]

The post Bread & Kaya: Cyberstalking, harassment … and road rage appeared first on Foong Cheng Leong.

Sunday August 19, 2012

What the hack happened?
By LISA GOH
lisagoh@thestar.com.my

Losing your personal particulars to hackers can lead to financial losses, heartaches, loss of reputation – and sometimes friends, too.

IT starts out so innocently. A simple vote request by an acquaintance for a competition on Facebook; one click and law student Sharlyn J. discovers she has been hacked and locked out of all her social media accounts emails, Facebook, Twitter, Skype and MSN Messenger.

“I clicked on the link and a new window popped up. It looked exactly like Facebook – the colour and the fonts – but I didn’t double check the URL. That was my mistake.

“The site required me to type in my email address and password. I was a little reluctant at first but the girl kept pleading for me to vote for her so in the end, I did. Right after that, I knew something was wrong. I got locked out of all my accounts,” says Sharlyn, 19, of the incident last May.

If that wasn’t bad enough, within the hour, she received a text message that said “Hi Sharlyn. Your full name is , your IC number is , your IP address is , you are a student at college etc.” The hacker demanded money in exchange for getting her accounts back.

Gone in a second: It’s a nightmare for anyone who has discovered that his or her personal particulars have gone into the wrong hands.
“He/she even said I’m not asking for much, just RM300. You can report to the police, but there’s no point. I can’t be tracked.’

“That person had all my personal particulars. I was really freaked out. I had just started college and was living on my own. What if he had my home address as well?”

Failing to get a response from Sharlyn, the hacker then sent another text message, offering her a discount of RM150.

“I called my mum and told her what happened. I was really scared but I ignored him. I lodged a police report and opened new accounts the next day to tell all my friends to delete the old ones,” she says.

However, even weeks on, the hacker was still assuming her identity and chatting with her friends – as she found out later. She never got any of her accounts back.

In other instances, the identity thief doesn’t come to you for money. He goes to your friends, as local film producer Wendy Wong discovered.

Early last month, Wong sent her notebook for servicing. After getting her notebook back two weeks later, her problems started. When she logged into her email account, there was a prompt saying that the account was in use.

She didn’t think much of it, but then came phone calls asking if she was all right and if she was stranded in Spain.

Her email account had been hacked. Assuming her identity, the hacker emailed all her contacts to tell them she had lost her wallet and asked them to send money so she could settle her hotel bill in Spain. The hacker asked her contacts to send her RM10,929 (2850) via Western Union to an address in Madrid.

“I was in Kuala Lumpur all the while. Good thing some of my friends called me to check before sending money over. I had friends who were already planning to transfer the money,” Wong says, adding that she was alerted of the situation by an mStar journalist who had called her to ask if she was indeed stranded in Spain.

Several attempts to change her password failed as the hacker made repeated assaults on her account. Wong has since lodged a police report and alerted the customer service of her email account provider.

“This has affected my reputation. Those who know me well would know I would never go around asking people for money. But what about those I have just met, or are just starting a business partnership with? What would they think of me?”

For that reason, Wong held a press conference early this month to clear her name and to alert all her contacts of her predicament.

“It’s not so easy for me to just get another email address as that’s where my contacts reach me. But it looks like I don’t really have much choice now,” she laments.

When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place. – Nigel Tan

Symantec Malaysia systems engineering director Nigel Tan says that when it comes to identity theft, more often than not, it’s an opportunistic crime, and it’s a two-step process.

“Someone steals your personal information, then uses that information to impersonate you to commit fraud. It’s important to understand this two-step approach, because your defences also must work on both levels,” says Tan, who is Symantec’s principal consultant for Asia South.

According to the Symantec Internet Security Threat Report for the year 2011, a total of 232 million identities were breached worldwide, and of that, 80.5% were by hackers.

In 2011, the Malaysian Communications and Multimedia Commission (MCMC) recorded a total of 199 hacking complaints, and six identity theft complaints. For this year up till Aug 9, MCMC recorded 141 hacking complaints, with no identity thefts as yet.

Under the law, hacking itself is an offence under the Computer Crimes Act 1997, says KL Bar Information Technology Committee co-chairman Foong Cheng Leong.

Section 4 of the Act, for example, finds “unauthorised access with intent to commit or facilitate commission of further offence” a crime, whereby a person convicted could be liable to a fine not exceeding RM150,000, or to imprisonment for a term not exceeding 10 years, or both.

Further offences, such as cheating, can be pursued under the Penal Code, Foong explains. Victims can also file civil suits if the perpetrator is known to them.

However, identity theft could prove to be more than a mere inconvenience for victims, in light of Section 114A of the Evidence Act 1950, as it holds the account owner responsible for any material published from his/her account, “unless the contrary is proved”.

This amendment to the Act, passed in Parliament in April this year, drew heavy objections from various quarters.

On Thursday, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced that the Cabinet has decided to maintain it.

Hacker’s victim: Wong is worried that her reputation may have been marred by the stranger’s doings.

But what drives hackers to hack and steal another person’s identity?

Where previously the motive would have been to gain fame, Tan says more often than not these days, it’s for financial benefits. Social media sites have also not been spared.

“Hackers want to get into the social media because they want to exploit that circle of trust. When you see an email or link sent by someone you know, you’re more likely to respond,” he says.

His advice?

“Never ever click on links. Open a new browser and type in the URL. If you get a phone call from a bank saying your account has some issues, and they require your personal information, hang up and call the bank directly and ask them if they really have a problem with your account,” he says. (Refer to chart for more Do’s & Don’ts.)

He also advocates using different passwords for different accounts and changing them regularly (once every 90 days is ideal). Using the two-factor identification facility (where both a password and a code sent to your mobile is needed to access an account) where available would also act as a deterrent.

“It’s important to understand how easily personal data is linked these days. Information that can be easily found on Facebook can include your place of birth, your mother’s name and other personal details. And these are usually the security questions banks use.

“Personal information flows so easily from one thread to another, and hackers are always waiting to exploit that,” he says.

And sometimes, it’s all a matter of being aware of the personal information you give out. “When a site or a person (even in legitimate circumstances) asks you for certain personal information, just stop and just ask yourself, Do they really need that information and am I comfortable in giving that information?’

Give it some consideration, and if you don’t think they do, then don’t give it. “When it comes to hacking and identity theft, the most important thing is doing everything you can to make sure it doesn’t happen in the first place.”

The post What the hack happened? appeared first on Foong Cheng Leong.

The explosion in Internet-based social networking – fuelled by ease of DIY publishing – is throwing up new challenges, business and legal, to the online community.

THE year 2009 marked an important year for social media networking. It brought change to politics, society and business.

Many politicians set up their own Twitter accounts to connect with the masses.

Many companies – from multinational companies to our local restaurants – set up accounts on social media networking websites to publicise their business, and even to manage consumer complaints.

Malaysian company MOL Global Pte Ltd entered into an agreement with Friendster, Inc to acquire 100% of Friendster.

Also launched was Project Alpha, Malaysia its first online TV show about Malaysian bloggers.

Social media, designed to be disseminated through social interaction, is created using highly accessible and scalable publishing techniques, Internet-based applications that build on the ideological and technological foundations of Web 2.0 and allow the creation and exchange of user-generated content.

Social media can take many different forms, including Internet forums, weblogs, social blogs, wikis, podcasts, pictures, videos, ratings and bookmarking (Source: Wikipedia). Examples of social media networking websites or tools are Facebook, Twitter, LinkedIn and Friendster.

With social media websites rising in popularity, there are now more content generators on the Malaysian online community. Publishing content, once a technical and time consuming task, has been simplified; users merely need to enter text and click a button to publish.

Is Malaysian law able to cope with such changes?

The law governing online activities remains the same. Content generated through social media websites are still governed by laws on defamation, trade mark, copyright, and as well as the Computer Crimes Act 1997, Communi­cations and Multimedia Act 1998, and so on.

Internet users should be vigilant when posting updates, blog entries, tweets, comments and emails.

Even a 140-character limit tweet may get you into trouble. For example, Courtney Love, the widow of Kurt Cobain, was sued by her former clothes designer for defamation, invasion of privacy and inflicting of emotional distress for “an extensive rant” on Twitter about how she was billed for custom clothing.

Social media websites or tools have also been used to attack others. Some users think they can hide incognito behind the screen. However, some were unmasked and had to endure severe punishment.

In 2008, in the case of Applause Store Productions Limited & Anor v Grant Raphael [2008] EWHC 1781 (QB), the claimants were awarded £22,000 in damages against Raphael, an old school friend, who had created a false personal profile of the claimants on Facebook.

Back home, in July 2009, a former bank employee was charged with posting vile and indecent material in a blog with intent to annoy another colleague. He was fined RM8,000, in default two months’ jail.

Making a complaint against malicious users is now fairly easy and can even be done online – at http://aduan.skmm.gov.my, the website of the Malaysian Communications and Multimedia Commission’s (MCMC) complaints bureau.

In the face of severe punishments, malicious users will take all sorts of steps to keep their identity secret. They may use fake names and emails, proxy servers, and also install devices to ensure that their identity cannot be traced. However, they are not safe from the long arm of the law.

In the case of The Author of a Blog v Times Newspaper Limited [2009] EWHC 1358 (QB), a blogger sought an interim injunction in the English court to restrain Times Newspapers Ltd from publishing any information that would or might lead to his identification as the person responsible for a blog.

The blogger argued that his anonymity protected him against any action being brought against him. His application failed. The judge commented that blogging is a public activity and any right of privacy would likely be outweighed by public interest in revealing his activities.

Anything posted on the Internet will stay on the Internet. It will travel and be read by other people. Nothing is ever private on the Internet.

A clear example is the case where a former high school teacher in the US was forced to resign over photos and expletives on her Facebook page. The page had photos of her holding wine and beer and an expletive.

Although one may argue that it is one’s right of privacy to have one’s personal activities protected, the law does not prevent others from doing so.

Trade marks and trade names have also been highly abused in social media websites. Many users register their username using trade marks or trade names of other companies or individuals.

Companies have had to seek legal advice on the available courses of action in restraining such action or in obtaining such names back. This resulted in hefty legal fees and also time.

In combating such problems, Facebook gave trade mark owners the opportunity to register their rights to the username before the launch of personalised username and URLs. In doing so, Facebook had taken steps to avoid any lawsuits over trade mark.

Twitter on the other hand was not so lucky. A well-known US sports figure, St. Louis Cardinals manager Tony La Russa sued Twitter over an account created in his name.

The false account posted updates that gave the false impression that the comments came from La Russa. The suit said the comments were “derogatory and demeaning” and damaged La Russa’s trade mark rights. The case was eventually settled.

The year 2010 will be another interesting year. Internet-enabled phones and data plans are offered at an affordable rate. Users can now access the Internet through their mobile devices whenever and wherever they are.

It will be interesting to see what are the new tools for online social networking, and the new legal challenges for the online community.

> The writer is a young lawyer. Putik Lada, or pepper buds in Malay, captures the spirit and intention of this column – a platform for young lawyers to articulate their views and aspirations about the law, justice and a civil society. For more information about the young lawyers, please visit www.malaysianbar.org.my/nylc.

The post Tweet at your own risk appeared first on Foong Cheng Leong.