|South Africa's draft Cybercrimes and Cybersecurity Bill is open for debate.|
“Cybercrime perpetrators no longer require complex skills or techniques."
“The potential impact of a malware is limited only by the skills, resources and imagination of the programmer who creates it."
“User interaction with computer devices produces a wealth of computer generated digital traces."
Bleak is the picture painted of the current state of South African cybersecurity by the discussion document accompanying a draft of the country’s 2015 Cybercrimes and Cybersecurity Bill. If length is any indication of necessity, then the 128-page bill and its accompanying 80-page discussion document are proof that such legislation is long overdue.
The Bill addresses previous cybercrime loopholes with measures such as clause 13, which reverses the notion that immovable property cannot be stolen. It also establishes much-needed critical infrastructure: a Cyber Security Centre (clause 52), a Government Security Incident Response Team (clause 53), a Cyberwarfare Strategy (clause 55), a Cybersecurity Hub (clause 56) and a National Critical Information Infrastructure Fund (clause 59).
Regardless, several clauses of the Bill extend well beyond cybercrime protection and into an ambiguity that invites infringement upon freedom of expression and the right to privacy. Our main concerns include:
According to the Bill, possessors of software and hardware tools that could be used to commit cybercrimes are guilty unless proven innocent:
Clause 6(3): Any person who is found in possession of a software or hardware tool in regard to which there is a reasonable suspicion that such software or hardware tool is possessed for the purposes of contravening [certain provisions], and who is unable to give a satisfactory exculpatory account of such possession, is guilty of an offense.
The Bill broadly defines terrorism and consequently limits free speech for internet users. The discussion document acknowledges that South Africa’s Constitution prohibits the freedom of expression that many nations enjoy:
Clause 15(5): For purposes of this section, “computer related terrorist activity” means…that which is intended, or by its nature and context, can reasonably be regarded as being intended, in whole or in part, directly or indirectly, to— (i) threaten the unity and territorial integrity of the Republic; (ii) intimidate, or to induce or cause feelings of insecurity among members of the public, or a segment of the public, with regard to its security, including its economic security, or to induce, cause or spread feelings of terror, fear or panic in a civilian population; or (iii) unduly compel, intimidate, force, coerce, induce or cause a person, a government, the general public or a segment of the public, or a domestic or an international organisation or body or intergovernmental organisation or body, to do or to abstain or refrain from doing any act, or to adopt or abandon a particular standpoint, or to act in accordance with certain principles.
Clause 17(1-3): Any person who unlawfully and intentionally— (a) makes available, broadcasts or distributes; (b) causes to be made available, broadcast or distributed; or (c) assists in making available, broadcasts or distributes, through a computer network or an electronic communications network, to a specific person or the general public, a data message which advocates, promotes or incites hate, discrimination or violence against a person or a group of persons, is guilty of an offence. (3) For purposes of this section “data message which advocates, promotes or incites hate, discrimination or violence” means any data message representing ideas or theories, which advocate, promote or incite hatred, discrimination or violence, against a person or a group of persons, based on— (a) national or social origin; (b) race; (c) colour; (d) ethnicity; (e) religious beliefs; (f) gender; (g) gender identity; (h) sexual orientation; (i) caste; or (j) mental or physical disability.
The Bill sets in place a mechanism to search for, access and seize articles without a warrant:
Clause 30(1): An application referred to in section 29(1)(a), or an application for the amendment of a warrant issued in terms of section 29(1)(a), may be made orally by a specifically designated member of a law enforcement agency, if it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application.
Clause 32(1): (1) On the arrest of any person on suspicion that he or she has committed— (a) an offence under this Act; or (b) any other offence, a member of a law enforcement agency may search the arrested person and seize any article referred to in section 28 which is in the possession of, in the custody of or under the direct control of, the arrested person.
The Bill calls for Internet Service Providers to preserve data traffic and stored information when requested. The discussion document acknowledges this and similar measures as attempts “to bring the law of the day in line with the international position regarding the investigation of cybercrime,” a position that frequently finds itself under attack:
Clause 40(3): An expedited preservation of data direction must direct the person or electronic communications service provider affected thereby, from the time of service of the direction, and for a period of 120 days— (a) to preserve the current status of; (b) not to deal in any manner with; or (c) to deal in a certain manner with, the data referred to in the direction in order to preserve the availability and integrity of the data.
Public comment on the Bill is welcome until November 30 via mail, email, fax or in person; further information is available at http://www.justice.gov.za/legislation/invitations/invites.htm.
Exercise your rights, surf secure and stay Rando!