The Cybercrimes and Cybersecurity Bill aims to address the shortcomings in South African legislation in order to tackle offences committed through the communication and storage methods of the digital age. Having been approved by Cabinet, the Bill is due to be tabled in Parliament.
The availability and use of, and access to, information in the digital space are nothing short of staggering. According to a Financial Times report, the threat of cybercrime is increasing globally. In fact, the total global written premium for insurance against cybercrime is currently estimated at $2.5 billion – a figure which is expected to reach $20 billion by 2025.
Deputy Justice Minister John Jeffery noted at a media briefing on 19 January 2017 that the development of new legislation to enhance cybersecurity in South Africa is a necessity. “We are committed to putting in place measures to effectively deal with cybercrimes and address aspects relating to cybersecurity, which adversely affect individuals, businesses and Government alike,” reads the Deputy Minister’s statement.
In search of legal certainty
Historically, South Africa has dealt with cybercrime by adapting common law to deal with different offences. However, the rapidly changing environment and terminology do not lend themselves to legal certainty in cyber-related litigation.
Internationally, cyber legislation flows from the original Budapest Convention, which establishes the need for regulatory measures within countries as well as co-operation across borders to facilitate the fight against the multitude of offences that may be committed – both of a legislated as well as common law nature.
As noted by the Deputy Minister, the Criminal Procedure Act, 1977, which is currently utilised in the investigation of, inter alia, cyber-related crimes, does not deal adequately with the specialised procedures which are required to investigate the incorporeal nature of cybercrimes.
The Deputy Minister has highlighted the following key challenges in relation to cybercrime in this country:
- There are no obligations on electronic communications service providers and financial institutions to report cybercrimes and to preserve evidence of cybercrimes on their systems;
- No coherent and organised approach in South Africa to deal with cybercrime and cybersecurity;
- The capacity to deal with cybercrimes and cybersecurity is limited with few true specialists in the field;
- Information sharing about cyber incidents is limited;
- Critical information infrastructures are not adequately protected.
Toward a robust framework
The Bill is the culmination of a number of years’ work and external consultation by the Justice, Crime Prevention and Security Cluster to review and align the cybersecurity laws of the Republic and provide a coherent and integrated cybersecurity legal framework.
It aims to collate the laws of South Africa to deal with cybercrime and cybersecurity in a single Bill. The main aims of the Bill are to:
- Define offences and impose penalties which have a bearing on cybercrime.
- Criminalise the distribution of malicious communications and provide for interim protection measures.
- Regulate jurisdiction to provide for the transnational dimension of cybercrimes.
- Regulate the powers to investigate cybercrimes.
- Regulate mutual assistance to deal with cross-border investigation of cybercrimes.
- Provide for the establishment of a 24/7 Point of Contact to facilitate mutual assistance in the investigation of cybercrime.
- Regulate the proof of certain facts by affidavit.
- Impose obligations on electronic communications service providers and financial institutions to assist in the investigation of cybercrimes and to report cybercrimes.
- Provide for the establishment of structures to promote cybersecurity and capacity building.
- Provide for the identification and declaration of critical information infrastructures and implementation of measures to protect such infrastructure.
- Allow for the Executive to enter into agreements with foreign States to promote cybersecurity.
- Provide for the repeal and amendments of certain laws.
Offences covered
The Bill does not give a general definition of cybercrime – a wise decision as the nature of the beast is particularly wide and far-reaching. It does however, cater for broad categories of criminal offences and vastly broadens the reach of the Electronic Communications and Transactions Act, 2002. Offences provided for in the Bill include:
- Offences against the integrity, confidentiality and availability of data, computer programs, data storage mediums and computer systems.
- Offences committed or facilitated by means of data, computer programs and computer systems.
- An interesting addition, referred to as “aggravated offences”, to protect essential digital infrastructure, computer systems, life, limb, property, essential services, the economy or the interests of the Republic against criminal conduct in cyber space and its physical consequences, including physical harm, or an attempt or conspiracy to commit such an offence. These offences are punishable with a sentence as provided for in Section 276 of the Criminal Procedure Act (Act No. 51 of 1977).
- An aspect that has been long debated and now provided for by the Act is that the common-law offence of theft must be interpreted so as to include the theft of an incorporeal item to which value can be given.
- Malicious communications are criminalised and specific requirements are met in relation to their purpose as well as guidance on when a message will be considered harmful. The section enhances the Harassment Act, 2011. The retention of this type of data by service providers, limitation of further distribution, destruction and disabling access to such communications are all addressed by the Bill. This will have far-reaching implications for cyber-stalkers, malicious communications and especially cyber-bullying.
Broader jurisdiction
Much wider jurisdictional power over the matters to be adjudicated in terms of the Bill is also provided for (including the usual jurisdictional factors over offences) but it also extends to persons as well as legal persona in or connected to the Republic – and it extends the definition to include aiding and abetting and attempting such an offence.
Consider, for instance, Clause 43, in relation to searching for publicly available information. Our courts will have extra curial jurisdiction over South African citizens or companies committing these offences abroad, or persons committing them against the country or its citizenry. This is very much in line with the Corruption Act and leaves very little room for jurisdictional issues to be argued.
Handling digital evidence
Standard Operating Procedures in relation to digital evidence are further addressed by the Act and align with International Standards in order to maintain the integrity of evidence. This includes the requirement that only a competent person should access and handle possible evidence, and the retention of an audit trail.
It would appear that the Bill is pre-empting the amendment to Rule 902 of the United States Federal Rules of Evidence Federal Courts, which enumerates a number of documents to be accepted by its mere production. This means they are self-authenticating, requiring no further extrinsic proof on the basis of a presumption of authenticity.
Search and seizure shortcomings
The Bill addresses some shortcomings in the Search and Seizure processes as per the Criminal Procedure Act, 1977, in relation to the “premises” and type of articles which are defined as, in most instances, a duplicate original of the items taken as opposed to the actual device.
One of the interesting aspects addressed by the Act is an oral application by a police officer for a search. It is unclear whether the safety measures protecting the rights of innocent third parties, or applying where privileged information is concerned, and the question of whether these parties may have legitimate grounds to oppose such an application, are fully addressed by the measures mentioned further below.
One can, for example, foresee a situation where the validity of the seizure and a subsequent search may be placed in dispute in its entirety. That is unless the oral application is fully recorded and available, and protective measures in relation to the rights of all individuals are in place. That would include the rights of the party served, and especially innocent third parties whose data may be intermingled with that of a suspect person – which could become an issue limiting the expeditious access to and investigation of offences due to litigation in this regard.
The powers of a police official, who may be assisted by a competent person, are also extended, and the Bill goes further to place an obligation on the person or service provider responsible for the infrastructure of the premises to assist members of the SAPS.
Civil liability and Constitutional scrutiny
Although the majority of these sections will be of great assistance and clarity to law enforcement, whether all these sections will withstand Constitutional scrutiny remains to be seen. This is because they include access to information, especially that of innocent third parties, which may be privileged, confidential or private.
The test will, however, be how the relevant investigator handling the evidence conducts him or herself and protects the rights of those involved during and after seizing and searching the data.
The Bill further criminalises wrongful searches, access and seizures, and obtaining or using of any instrument, device, password, decryption key or other information that is necessary to access data, a computer program, a computer data storage medium or any part of a computer system. The clause further provides for civil liability which may result from a contravention of the clause.
Giving false information resulting in the issuing of a search warrant, a search, preservation of data direction, preservation of evidence direction or a disclosure of data direction is also criminalised and can even lead to civil liability which may result from a contravention of the clause. Disclosure of any information obtained in any of these processes is also criminalised.
Broader RICA implications
The operation of the Regulation of Interception of Communications and Provision of Communication-related Information Act, 2008 (RICA), is extended to include some service providers who are not compelled to retain information or to be interceptable in terms of the Act.
These additional service providers may find themselves with an added burden in relation to archiving and other forms of data retention and access, which will have extensive cost-implications for these entities (and their clients) in relation to security, hardware and software.
Balancing rights
The Act has a number of measures built in which appear to be designed to balance the rights of the SAPS to investigate crime and those of parties who inadvertently may be affected by the collection and retention of data in terms of the Bill. In this instance, Constitutional scrutiny may not allow for the wide discretion granted for some intrusions authorised in terms of the Bill. Clauses 39, 40 and 42 are some of these clauses. In terms of clause 43 a police official may:
- Search for, access or seize publicly available data regardless of where the data is located geographically, without any specific authorisation; or
- Receive non-publicly available data, regardless of where the data is located geographically if the person, who has the lawful authority to disclose the data voluntarily, and on such conditions regarding confidentiality and limitation of use which he or she deems necessary, discloses the data to a police official.
While sharing of information with due regard to processes to be followed by the National Police Commissioner and the National Director of Public Prosecutions is streamlined, challenges remain. The process of mutual legal assistance remains a cumbersome and time-consuming exercise for the information obtained to be utilised as evidence, and the sharing of information will probably mostly benefit the very high-profile matters.
Facts by affidavit
Clause 51 (broadening the application of section 212 of Act 51 of 1977) aims to regulate the proof of certain facts by affidavit. In terms of the clause, whenever any fact established by any examination or process requiring any skill in the interpretation of data; the design of, or functioning of data; a computer program; a computer data storage medium or a computer system; computer science; electronic communications networks and technology; software engineering or computer programming, is relevant to criminal proceedings, an affidavit made by a person who, in that affidavit, states that he or she:
- is in the service of a body in the Republic or a foreign State designated by the Cabinet member responsible for the administration of justice, by notice in the Gazette;
- possesses relevant qualifications, expertise and experience which make him or her competent to make the affidavit; and
- has established such fact by means of an examination or process,
is, upon its mere production at such proceedings, prima facie proof of such fact. Any person who, in such an affidavit, wilfully states anything which is false is guilty of an offence.
The clause further provides that any court before which an affidavit is produced as prima facie proof of the relevant contents thereof may, in its discretion, cause the person who made the affidavit to be subpoenaed to give oral evidence in the proceedings in question. Similarly, it may cause written interrogatories to be submitted to such a person for reply. Any such interrogatories and any reply thereto purporting to be a reply from such person are likewise admissible in evidence at such proceedings.
The clause also prescribes specific requirements which must be adhered to if the person who has made the affidavit alleges that he or she is in the service of a body in the Republic or foreign State designated by the Cabinet member responsible for the administration of justice.
Proceed with caution
This section must, as per the current section 212 of Act 51 of 1977, be used with circumspection. Not all imaging processes are straightforward and each site comes with its own unique difficulties (consider RAID systems, Mac acquisitions or encrypted networks). It will, however, streamline the processes where there is no dispute or peculiarity in relation to a particular case, and no action outside of the standard process with any human intervention (which may alter results or require explanation of results) is deemed relevant.
The Bill also refers to a person with requisite expertise, but does not specify the requirements in that regard (see comment above in relation to the amended article 902 of the federal Rules of Court).
Support structures
Notably, the Bill establishes a Cyber Response Committee (CRC) to deal with the establishment of structures which support cybersecurity and capacity building through the establishment of nodal points (structures which receive and distribute information regarding cybersecurity incidents) and the recognition of private sector computer security incident response teams (expert groups that handle cybersecurity incidents).
In terms of the clause, the Cabinet member responsible for telecommunications and postal services must, by notice in the Gazette, after following a consultation process with the persons or entities in a sector, declare different sectors which provide an electronic communications service for which a nodal point must be established.
Onerous requirements, escalating costs
The section placing onerous requirements on critical information infrastructures is probably the first that may lead to challenges in terms of the Bill, as the entities included, or that may be included, are defined in extremely wide terms by the Bill.
One such aspect is that a critical information infrastructure must, at its own cost, take steps (to the satisfaction of the Cabinet member responsible for State Security) to comply with a directive. The State may recover the costs of those steps from the owner or person on whose behalf they were taken, where a directive is not complied with. Onerous auditing requirements are also included.
In a time where there is public outcry regarding current communications cost, some of these requirements may lead to further increases in service cost.
Laying the foundation
According to the Deputy Minister, the Bill will put the necessary building blocks in place to address cybercrime in South Africa. As the Bill is introduced into Parliament, there will still be further opportunity for the public to make submissions. The full Bill in its current form can be viewed here.