The South African Department of Justice and Constitutional Development has just published a draft version of its Cybercrimes and Cybersecurity Bill, which covers new offences relating to computer security, and is inviting public comment on it.
The bill covers everything from online copyright infringement to malware distribution, and includes a breakdown of penalties for contravention and the requirements around obtaining a search warrant in order to seize computers or storage devices. At over 120 pages long there are a lot of clauses to go through, but at first glance our thoughts are that much of it is sensible, while some of it is going to be highly controversial.
Two points in particular stand out.
Under section 64 of the bill, ISPs and network providers will be required to monitor for and report any criminal activity on their networks – which looks like it would include filesharing – or be liable for R10 000 for each day they don’t report that activity.
Chatting with the folk from ISPA (the ISPs Association), my initial reading of section 64 is slightly wrong – it doesn’t actually require ISPs to monitor traffic and doesn’t supersede the clause in the Electronic Communications Act of 2002 which says that ISPs are not required to monitor network traffic. However, the wording of section 64 might make that defence harder if it came to court. Section 64 (2) reads:
An electronic communications service provider that is aware or becomes aware that its computer network or electronic communications network is being used to commit an offence provided for in this Act must—
(a) immediately report the matter to the National Cybercrime Centre; and
(b) preserve any information which may be of assistance to the law enforcement agencies in investigating the offence, including information which shows the communication’s origin, destination, route, time date, size, duration and the type of the underlying services.
What constitutes an ISP being aware that an illegal activity is taking place on its network and that it must turn on full logging? Certainly we know many ISP employees who discuss Netflix, Unotelly and the like in public forums, so they are aware copyright infringement is going on. Does that make them aware under the terms of this new act?
More critically, section 5 of the bill describes unlawful interception of data. Worryingly, it classifies the interception of data as:
The acquisition, viewing, capturing or copying of data through the use of a hardware or software tool contemplated in section 6(5) or any other means, so as to make some or all of the data available to a person other than the lawful owner or holder of the data, the sender or the recipient or the intended recipient of that data
Furthermore, it defines all government agencies – no matter how small – as National Critical Information Infrastructures (NCII), and appears to say that any data belonging to an NCII is automatically covered by clause 5.
We’re going to spend the weekend getting some more legally minded folk to look at the bill, and reading through more of the small print. Feel free to share more of your interpretations below.
You have until 30th November to submit comments to the DOJ, contact details below.
Advocate Mthunzi Mhaga
Spokesperson for the Ministry of Justice and Correctional Services
Cell: 083 641 8141
E-mail: [email protected]