Earlier this month the South African Department of Justice and Constitutional Development published a draft version of its Cybercrimes and Cybersecurity Bill.
The bill, according to the preamble and explanatory notes, is designed to bring South African law into line with international standards and create specific offences for internet-related crime.
For example, it would make it illegal to create, sell, purchase, possess or use malware for the purposes of causing damage to data. It would also make it illegal for anybody to be in possession of passwords that they are not authorised to have.
While large portions of the draft legislation make sense, some experts are wary that the bill encroaches on constitutional freedoms.
Jane Duncan, Professor of Journalism at the University of Johannesburg and an outspoken advocate of media freedom, told htxt.africa that on her first reading there are parts of the draft that are concerning.
“Given that the Ministry of State Security will be the lead department in cybersecurity matters, we should be concerned if the power and functions to be exercised in terms of the Act are over-broad, as this may lead to the undue curtailment of online speech on national security grounds,” said Duncan. “The Bill does, in fact, suffer from overbreadth in a number of areas.”
As an example, Duncan says that the current draft doesn’t include legal safeguards present in related acts.
“The definition of cyberterrorism is very broad and doesn’t include the qualification in the ‘Anti-terrorism Act’ excluding advocacy or acts of dissent. It also doesn’t include the qualification excluding acts committed in the context of legitimate struggles for national self-determination or national liberation.”
“These qualifications should apply to the online space too. Given that cyberterrorism acts can land you up in jail for up to 25 years, we should be concerned,” Duncan said.
“The definition of ‘critical data’ is also very broad,” she added. “Including as it does ‘the personal affairs of any person’ and commercial information that could cause undue advantage or disadvantage to any person. These over-broad definitions could lead to legislative overreach and ultimately overkill.”
Duncan also raises concerns that the definition of a National Critical Infrastructure is too broad. In the draft, this is laid out as:
“National Critical Information Infrastructure” means any data, computer data storage medium, computer device, database, computer network, electronic communications network, electronic communications infrastructure or any part thereof or any building, structure, facility, system or equipment associated therewith or part or portion thereof or incidental thereto—
(a) which is specifically declared a National Critical Information Infrastructure in terms of section 58(2) of this Act; or
(b) which, for purposes of Chapters 2 and 4 of this Act, are in possession of or under the control of—
(i) any department of State or administration in the national, provincial or local sphere of government; and
(ii) any other functionary or institution exercising a public power or performing a public function in terms of any legislation,
irrespective whether or not it is declared a National Critical Information Infrastructure
All of that could be interpreted as giving any data owned by any government department or public body protection, with criminal consequences for unauthorised viewing (described later in the Bill). We first raised this issue here.
Duncan also warns that with its current wording, the Cybercrimes Bill may infringe freedom of speech online, as its definitions of impermissible speech go beyond those laid down in the constitution.
“The prohibition on the dissemination of racist and xenophobic material is also problematic,” Duncan says, “in that the definition of what constitutes impermissible speech is broader than the constitutional exclusion for hate speech.”
“This means that constitutionally permissible speech may be criminalised, even if it is offensive. The clause on prohibition of incitement to violence suffers from the same defect of overbreadth: the constitutional test requires the test of incitement to imminent violence.”
Duncan says that, in her view, the Bill is typical of legislation being proposed or enacted around the world that gives governments excessive powers over internet communications – including, under section 31 of this draft, the proposed ability for warrantless seizure of evidence where cybercrimes are suspected.
“There’s a tendency the world over to legislate for cybercrime, and to escalate the problem to the level of national security threat,” she says.
“Yet governments, including South Africa’s, need to acknowledge that they have helped create the very problem they are legislating against. Governments have chosen to promote communications networks that are built for vulnerability rather than for resilience. This is because they want to maintain their ability to surveil networks and to prevent them from ‘going dark’. As a result, they have insisted on vulnerabilities being architected into the network.”
She continues: “The problem is that these vulnerabilities can be exploited by governments and by criminals alike. Governments then seize on criminal exploitation of vulnerabilities and argue for the problem to be solved through the intervention of the police, intelligence and the military.”
“This process is known as securitisation; it involves taking a social problem, that could be dealt with differently, and escalating it into a national security threat, to justify the intervention of spies. This process is dangerous for democracy and online freedom.”
The draft bill also contains aspects that may be of interest to ISPs and anyone in the habit of using torrent sites:
(2) An electronic communications service provider that is aware or becomes aware that its computer network or electronic communications network is being used to commit an offence provided for in this Act must—
(a) immediately report the matter to the National Cybercrime Centre; and
(b) preserve any information which may be of assistance to the law enforcement agencies in investigating the offence, including information which shows the communication’s origin, destination, route, time date, size, duration and the type of the underlying services.
To make this an actionable offence, network operators would have to monitor network traffic, but is this possible? Currently ISPs only monitor the volume of traffic from subscribers, and even then they only keep the data for six months.
Dominic Cull from Ellipsis Regulatory Solutions and a board member of the Internet Service Providers Association, ISPA, is more upbeat about the draft but says that there are issues that need working through.
Generally, he says, the Bill should be welcomed for bringing South Africa into line with international standards on Cybercrime prevention. Primarily, he says, the requirement for ISPs to report any illegal activity detected on their network or face a fine may need work.
Section 64.1 of the draft Bill states:
64. (1) An electronic communications service provider must—
(a) take reasonable steps to inform its clients of cybercrime trends which affect or may affect the clients of such an electronic communications service provider;
(b) establish procedures for its clients to report cybercrimes with the electronic communications service provider; and
(c) inform its clients of measures which a client may take in order to safeguard himself or herself against cybercrime.
“The Bill does not alter the current position set out in section 78 of the Electronic Communications and Transactions Act 25 of 2002 which states that ISPs are not under an obligation to monitor traffic flowing over or hosted on their networks or located through an information location tool,” Cull says. “An ISP would be obliged to report an offence under the Act when it becomes aware of such offence and must thereafter preserve evidence and cooperate with law enforcement authorities. There may be some concern about whether an ISP is able to recognise an offence given the number of offences created under the Bill and the complexity of some of these.”
Security in cyberspace is necessary and citizens do need to be protected in some shape or form from malware, unauthorised access and unscrupulous behaviour. But there need to be clear distinctions between what the government wants to achieve and what is a workable solution in the public’s interest without infringing on any constitutional rights.
The draft version of the bill is no doubt a contentious issue, even in its current form, and with the Department of Justice seeking public comment on the matter, it’s likely a number of changes and amendments will be made before it’s finally approved to come into action.
Even the United States has been struggling to get its Cybersecurity Information Sharing Act (CISA) voted on by the Senate since it was first introduced in July last year. CISA would allow for the sharing of internet traffic information between the U.S. government and technology companies, so that the parties involved can keep track of and monitor cyberthreats. The act also includes provisions under which personally identifiable information and information irrelevant to cybersecurity is left out.
The public and any interested parties can lodge comments about SA’s draft Bill until 30th November by writing to the Department of Justice and Constitutional Development. Submissions can be made to [email protected], or faxed to (012) 406 4632.
//Update – A reader alerted us to the fact that the definition of “critical data” appears to have changed in a revision to the Bill before it was released.
[Image – CC by 2.0/Christiaan Colen]