The draft Cybercrimes and Cybersecurity Bill currently out for public comment is timeous in that it proposes legislation that will bring South Africa in line with international laws governing internet-based crimes. However, the Bill is excessively far-reaching – beyond practical plausibility in many instances – and it grants a concerning level of discretion to the State’s security cluster. By Mongezi Tshongweni, executive: legal and regulatory affairs at Internet Solutions
At present, South Africa has no legislation that addresses cybercrimes, whether it is to describe what constitutes a cybercrime, how to enforce the law governing cybercrime, or to determine appropriate correctional sentencing for those convicted of offences in this realm.
There are clauses that make good sense, for example Section 3 very specifically addresses the unlawful acquisition of personal and financial information with the intention of committing an offence, and it is linked to the Protection of Personal Information Act of 2013. Similarly, Section 9 addresses unlawful acts in respect of malware, Section 10 addresses the unlawful acquisition or access to passwords and access codes, and Section 20 addresses copyright.
While these clauses, and many others, are most welcome, there is concern that the Bill gives the South African Police Service and the State Security Agency overly far-reaching powers to investigate, search, access and seize just about anything, with verbally granted search warrants being deemed sufficient for them to take action they deem appropriate.
While it is obviously hoped that these bodies would adhere to the Sections that in turn govern their behaviour, there has been much concern expressed at the potential for abuse.
As an electronic communications service provider, Internet Solutions will be subject to Section 64 of the Bill. Many of these requirements are solid, and make good sense for us and our customers, although they do place an additional financial burden on us.
For example, while there is no doubt that it is wise for an organisation like ours to keep our customers updated about cybercrime trends, there is no guidance as to how frequently we should do this – or what mode of communication we should employ.
Would we be deemed to be non-compliant if our customers exercised their rights to privacy described in the Protection of Personal Information Bill, and expressly stated that they do not want to receive communication from us?
We are happy to inform our clients of measures that they can take to safeguard themselves against cybercrime – but would we still be held liable if they ignored this advice?
This section also requires that we preserve any information that may be of assistance to the law enforcement agencies investigating an offence, including origin, destination, route, time, date, size, duration and type of services. If our infrastructure is not able to track those – or if the offender is using technology that is not yet overcome by security innovation, would we still be held accountable?
The Bill is not clear on these matters, and we can only hope that they are interrogated and resolved during the comment process. It would be disappointing and potentially calamatous if the Bill, which, in a revised form will help South Africa comply with international norms, have unintended consequences.
Every measure taken to address cybercrime related issues should be within the confines or ambits of the Constitution of the Republic.