“Dearest Sir / Madam, I am a wealthy foreigner desirous of urgently transferring $100 000 000 into your account and to do so I need your assistance in the form of a small deposit, your banking details and identity number. This is 100% legitimate.”
Does this sound familiar? It probably does. Messages like these, commonly known as 419 or advance-fee scams, are just one example of computer-related crime (in this case fraud) which the new Cybercrimes and Cybersecurity Bill (“the Bill”) seeks to regulate.
Recent articles on cybercrime in South Africa report almost unbelievable statistics; we lose over R2.2 billion a year to cybercrime and have the dubious honour of having the third highest number of cybercrime victims in the world, largely, it appears, because people just aren’t aware of the risks inherent in cyberspace.
The legal framework regulating cybercrime and cybersecurity is a patchwork of common law and statutes which, as it currently stands, fails to adequately deal with the complexities of cybercrime. Data, for example, is under South African law incapable of being stolen, given that it is neither corporeal nor a credit. For further practical examples of how the current legal system fails to provide for instances of computer-related appropriation, see paragraph 3.2.10 of the Discussion Document that accompanies the Bill.
The Bill seeks to address the current legal position by, amongst other things, creating offences and imposing penalties which have a bearing on cybercrime, establishing various structures to deal with cybersecurity and amending over sixteen existing laws (including the National Prosecuting Authority Act of 1998, the Copyright Act of 1978 and the Criminal Procedure Act of 1978).
While the need for the revision of cybercrime and cybersecurity legislation is undoubtable, the Bill’s over-broad definitions, lack of certain exemptions and the worrying similarities between it and the notorious “Secrecy Bill” mean that, in its current form, the Bill could be far more hazardous than it is helpful. Some critics have gone so far as to warn that enacting the Bill would effectively hand indirect control of the internet to the State Security Ministry and Agency.
The Law Society of South Africa has also voiced its concerns. In November 2015, in its submissions regarding the Bill, it warned that: “if the civil liberties of citizens are ignored and the powers of national security and law enforcement (which we believe to be unconstitutional as currently provided in the Bill) are institutionalized, we are going back to earlier, darker times and run the risk of being excluded from the greater information society.” For more information regarding the risks posed by the Bill, see the “Seven Deadly Sins” identified by the Right2Know campaign and the calls for the withdrawal of the Bill which are being shared on social media under the hashtag #HandsOffOurInternet.
One of the Bill’s stranger aspects is its definition of, and the obligations it imposes on, electronic communications service providers (“ECSPs”). An electronic communication is defined by the Electronic Communications Act 36 of 2005 (“EC Act”) as the emission, transmission or reception of information by means of magnetism, radio waves, optical or electromagnetic systems. Traditionally, communications service providers would include telecommunication companies and ISPs like Telkom, Vodacom and Afrihost who, in terms of the EC Act, need to comply with various regulatory requirements such as the requirement to obtain an electronic communications licence through ICASA (the Independent Communications Authority of South Africa).
However, the Bill’s proposed definition of an ECSP takes a worryingly different approach. Should the Bill be enacted in its current state, an ECSP would include any:-
- (a) person who provides an electronic communications service under and in accordance with an electronic communications service licence issued to such person under Chapter 3 of the EC Act, or who is deemed to be licensed or exempted from being licensed as such in terms of the EC Act;
- (b) “financial institution” as defined in section 1 of the Financial Services Board Act, 1990 (Act No. 97 of 1990); or
- (c) person or entity who or which transmits, receives, processes or stores data -
  - (i) on behalf of the person contemplated in paragraph (a) or (b) or the clients of such a person; or
  - (ii) of any other person.
At first glance, the above definition seems innocuous enough. However, when regard is had to subsection (c) (ii) it seems that the Bill intends extending the definition of an ECSP, as improbable as it sounds and absent any indication to the contrary, to include any person or entity which is in possession of data that could arguably belong to anyone else. The overly broad nature of this subsection, and the fact that it strains the general understanding of what an ECSP is, has been noted by the Internet Service Providers’ Association in its submissions regarding the Bill.
What is perhaps the most disturbing aspect of the definition is the fact that the inclusion of subsection (c) (ii) is not a mere oversight on the part of the drafters of the Bill; the Discussion Document that accompanies the Bill specifically recognises the incredibly broad ambit of this definition and addresses it as follows:-
“For purposes of the Bill, electronic communications service providers are defined broadly so as to encompass other persons and entities, which are not traditionally regarded as electronic communications service providers.”
The Bill goes on to state that an ECSP is under the obligation to:-
- take reasonable steps to inform its clients of cybercrime trends which affect them;
- establish procedures for its clients to report cybercrimes;
- inform its clients of measures which a client may take in order to safeguard against cybercrime; and
- as soon as it becomes aware that its computer network is being used to commit an offence under the Bill, immediately report any such use to the to-be-established National Cybercrime Centre and preserve any information which may be of assistance to law enforcement agencies in investigating the offence.
Should an ECSP fail to comply with any of the above obligations it will be guilty of an offence and liable on conviction to a fine of R10 000 for each day it continues to fail to comply.
The wording of the above obligations implies that the Bill contemplates that only companies will be considered to be ECSPs, despite the use of the words “person or entity” in the definition section of the Bill. However, the obligations sought to be imposed on ECSPs are still problematic, even if the Bill intends to impose them only on juristic persons. For example, these obligations would apply to a company which does not provide a communications service but which nevertheless has an internal computer network, as most companies do, which is capable of being misused by its employees.
This raises a myriad of concerns; for example, the preservation of information by the ECSP might mean that a company has to retain malware and viruses on its network – a potentially costly and dangerous exercise – for an indefinite period of time. Confidentiality might also be an issue; the disclosure of information relevant to the offence might involve the incidental disclosure of confidential client or customer information. Furthermore, as pointed out by ISPA, the Bill has not clarified the reporting requirements of ECSPs or the circumstances under which it can be said that ECSPs are aware of the use of their services for the commission of a crime.
In the State Security Agency’s budget vote speech on 26 April 2016, Minister David Mahlobo confirmed that the Bill had been presented to Cabinet. Cabinet does not appear to have given the nod to the Bill as yet. Hopefully the delay is an indication that Cabinet is reconsidering some of the objectionable sections of the Bill.
Written by Cristy Lelean, associate (Litigation), Knowles Husain Lindsay