Cybercrime Bill stated as invasive
…sent to clients 28 Jan… A new law to assist in enforcing South Africa’s fight against cybercrime, hacking and unlawful interception of data is about to be tabled in Parliament. As expected, the proposals are not without considerable misgivings in the private sector and involve claims that the state may have designs upon the control of free speech and/or are intent upon the control or manipulation of cyberspace.
The draft Cybercrime and Cybersecurity Bill (C&C Bill) has now been approved by Cabinet, the draft having been published for comment as far back as September 2015. Industry players are deeply involved and the next platform for their involvement moves to the actual wording of the document that will form the basis for regulations.
Agents for the state
The legislation states that the proposals are designed to give powers to the State Security, Defence, Police and Telecommunications Ministers, which powers will not only extend into many aspects of South Africa’s key economic, financial and labour environments but will impose responsibilities on service providers.
The Bill clearly states it will call upon the private sector for compliance into order to meet its objectives and will also change the way the public service goes about its business to reflect the call for security. Cross hairs are to zero in on the criminalisation of cyber-facilitated offenses including circulation of messages aimed at economic harm, contain pornography or could cause mental or psychological harm.
The next stage of public sector involvement will be extensive parliamentary hearings, no doubt involving joint portfolio committees, to cover the many aspects involved. Also to allow for further submissions on deep concerns in the private sector regarding compliance and intrusion of free speech rights.
The long and quite complicated process of drafting such legislation has been undertaken by the Department of Justice and Constitutional Development. It is stated that the proposals are of an umbrella approach towards legislation already in the ambit of the new Bill, the objective of which is to extend any new regulations over a wide range of business endeavours and activities “in the public interest”.
The process started at a point in the cybercrime history log which seems a century ago. A government gazette articulated what was necessary. “I, Mbangiseni David Mahlobo, Minister of State Security, hereby publish the National Cybersecurity Policy Framework as approved by Cabinet in March 2012 for public information.”
The long journey has finally resulted in a 130-page draft which firstly creates offences, prescribes penalties and regulates for powers to investigate, gain access, search and seize items. It gives such powers to the South African Police Service (SAPS) and the State Security Agency (SSA).
The Bill then proposes that structurally the Minister of Police establish both a National Cybercrime Centre and appoint a director in charge – a person currently serving with the SSA – and similarly appoint such a director in charge for a “point of contact centre” for cybercrime activity, outreach and contact.
Monitoring all structures will be a Cyber Response Committee (CRC) made up of 13 experienced persons chaired by the DG, Dept. of State Security.
Any interventions at this level will be, by nature of the vastly changing business environment and the global challenge of the subject matter of the Bill, “which will form the critical point of balance between the forces of state control and public endeavour”.
Initially, the Minister of State Security is to appoint a director in charge of a proposed Cyber Security Centre, such person also serving with SSA and for the Minister to establish Government Security Incident Response teams, also appointing a person from the State Security Agency as the head of each specialised investigating team.
Finally, on structures, the Minister of Defence is to establish and operate a Cyber Command and appoint a General Officer Commanding.
Furthermore, provision in the Bill is made for the Minister of Telecommunications and Postal Services to establish and operate a Cyber Security Hub and appoint a director of same. It is in this area that assumedly the main interface between private and public sectors will take place.
An example of a database to be protected is given in the Bill as the Home Affairs database and the mandate for dealing with cybercrime clearly includes the fact that foreign states and South Africa will be co-operating to investigate possible offences.
Also, powers are granted to the President who may enter agreements with foreign states to promote cybersecurity. The proposals make it quite clear that international crime fighting and the local protection of cyberspace are to be woven together. This will involve changes to the anchor Electronic Communications and Transactions Act, particularly where the Act deals with attempts to deal with abuse of information systems.
The nitty gritty
Where the C&C Bill ventures into the private sector there will no doubt be, and certainly has been to date, plenty of debate. The Bill as proposed, broadly and perhaps too grandly, allows for the imposition of obligations on electronic communications service providers (ECSPs) and financial institutions in respect of aspects “which may impact on cybersecurity”.
The difference between obligations and compliance seems a fine line but already the Dept. of Telecommunications has set up a website on https://www.cybersecurityhub.gov.za/ to try and clarify issues.
At what point?
The general obligations of ECSPs are a set out in the draft bill but an obligation is proposed that as soon as a ECSP “becomes aware of an offence being committed on its network”, the matter must be declared to the National Cybercrime Centre.
The offences are enumerated in the Bill but it is possible that clarity is required, according to stakeholders who have voiced opinions so far, as to who decides at and at what level the retention of a suspicion becomes an offence or to restate the problem, at what point does a suspicion become a reportable fact.
Proposed offences include unlawful interception of data; unlawful access, personal information and financial information-related offences; unlawful acts in respect of software or hardware tools; unlawful acts in respect of malware; unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices; computer-related fraud and computer-related extortion.
Most focus on the fact that the Bill’s clause 58 gives the State Security Minister powers to determine what should be included in a “national critical information infrastructure”.
The Bill goes on to state that should it “appear” to the Minister that any information presented is of such “strategic nature” that any interferences, loss, damage, immobilisation or disruption which may result in prejudice to the “security, defence, law enforcement or international relations of South Africa; or prejudice the health and safety of the public; interfere or disrupt any essential service’, then the Minister may implement the powers granted by the Bill.
The “Apple” problem
Broadly speaking, also included is any malevolent act which “causes any major economic loss, destabilises the economy of South Africa or creates any form of public emergency’’ with the proviso that the organisation must “at its own cost take steps to the satisfaction of the Cabinet minister” to comply with a state request.
Any “affected organisation may be given the right to be afforded an opportunity to make representation” but, to repeat, players in the industry note that a great amount of responsibility has been delegated without clear definitions of what is reportable.
The seriousness of the Bill and the recognition that cybercrime must be dealt with firmly is measured by the background given to the Bill. It is estimated that cyber-related offences currently exceed a value of more than R1bn annually. This is escalating at speed, the Department of Justice states.
In general terms, one of the tasks of the Cybercrime Centre is stated in the revised draft as informing all of cybercrime trends and creating an environment which enables parties to report cybercrime without being suspected of whistle-blowing with the accompanying commercial disadvantages.
In other words, the fear with the original draft expressed by the Right2Know campaign that the draconian powers of seizure worried many in the IT industry and that lack of protection for whistle blowers was out of kilter with free speech requirements, may have to some extent been responded to.
Heavy hand of the law
Still, fines of up to R10m and/or 10 years’ imprisonment are involved following a guilty verdict for unlawfully accessing or intercepting “a national critical information infrastructure” involving “critical data”, which makes for a tricky scenario for ECSPs handling traffic and journalists handling information.
This is in the light that an ECSP could be liable on conviction to a fine of R10 000 for each day on which such failure to comply with disclosure requirements continues, it was noted. To be specific, some fifty offences are detailed in the areas of data, messages, computers, and networks.
This is serious talk. Whilst national cybersecurity needs are recognised as paramount, as the latest draft explains, the extent of state powers in the hands of uncontrolled and misdirected state effort gives concern to many in the ECSP business community, particularly in the light of the public nature of the internet.
No warrantless searches
On the other hand, whilst the C&C Bill gives SAPS and SSA extensive powers to investigate, search, access and seize assets wherever they might be located, the search powers granted are not emanating from the proposed Bill.
Search powers are only possible provided the search entity has a search warrant granted in the normal way, the department says. SSA will be purely looking, they say, for data that has a feature of malevolence and commits crime in terms of the need to protect the State and its citizens.
At a briefing for the media, the Justice and Constitutional Development Department in Pretoria Deputy Minister of Justice and Constitutional Development, John Jeffery, gave a further assurance that what is about to arrive in Cape Town “will not give any powers to the State Security Agency (SSA) to control the internet or spy on local users”.
The search and seizure powers granted in terms of the latest draft of the C&C Bill around the interception of data “do not represent increasing the state’s surveillance powers”, the Minister said.
“As part of the final draft of the bill, it says that to prove an offence in a court of law, data must be seized as evidential material. If the State cannot seize evidential material to adduce as evidence, it is impossible to prove the guilt of an accused person. “
The criminal procedure act is currently used to investigate cybercrimes, Minister Jeffery said, and to this end the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) “are already in the tool box”.
Anchor still RICA
The C&C Bill is merely extending the RICA from that aspect, he said, which already has basic general principles in place to protect persons against unlawful interception of communications. “There is thus no extension of the so-called ‘surveillance powers’ of the State”, he added.
He confirmed that previous versions of the Bill, whilst stating a person who fell foul on the issue of state information that was classified as secret could go to jail for 10 years without the possibility of a fine, now, the final draft of the Bill acknowledges that journalists and whistle-blowers have protection under the Protected Disclosures Act.
Minister Jeffrey said was satisfied that the C&C Bill, now headed towards its final shape, gives the State the tools to halt crime and bring those who used data as a tool of crime to book.
He concluded, “Data is merely a means to commit offences such as fraud, damage of programmes and computer systems, extortion, forgery and uttering. It can also be used to commit murder by remotely switching of a respiratory system or terrorism by overloading the centrifuges of a nuclear station or remotely opening the sluices of a dam which causes large scale flooding.”
Much of what will come up in the parliamentary hearings of submissions will most likely involve the space occupied by the ECSPs and their responsibilities as perceived by the State. Furthermore, the role to be played by any business institution using large amounts of data needs to be clarified as far as areas of compliance are concerned.
Previous articles on category subject