Preliminary Comments on the South Africa Cybercrimes and Cybersecurity Bill (Draft for Public Comment)
Submitted independently by Alex Comninos (MsocSci International Relations – University of Cape Town), Independent Researcher and Doctoral Candidate Justus Liebig University Giessen.
I am a South African citizen and information and communication technologies researcher. I have published and spoken at international fora on cybersecurity, and my publications can be found at http://www.comninos.org.
I welcome the invitation for public comment on the Cybercrimes and Cybersecurity Bill by the Department of Justice and Constitutional Development. A cybercrimes and cybersecurity bill is much needed in terms of making South Africa a safer place online. Furthermore, cybersecurity is essential for the exercise both online and offline of the enabled by the constitution, particularly as it relates to privacy and the protection of personal data. I agree with the concerns about the Bill posed by Media Monitoring Africa, the Right to Know Campaign, the Association for Progressive Communications, and the Electronic Frontier Foundation. I would suggest, however, for reasons presented in the points below, that the Bill be rejected in its current form.
1. I note that the Bill is extremely complex and agree with the Right to Know Coalition’s concerns about the deadline of the 30th of November and request to extend the deadline for public comment. I hereby make preliminary comments on the Bill, in the hope that on more substantial examination I may be able to make more substantial comments at a later date.
2. In Section 3, subsection (4), the phrases “reasonable suspicion” and “unable to give a satisfactory exculpatory account of possession of such information” are broad and could be open to abuse. Subsection (4) is perhaps also redundant, as similar offences are already mentioned in subsections (1) and (2). The maximum penalty in subsection (5), imprisonment terms and/or fines of 5 years and 5 million Rand, is particularly onerous for possession of information that has not been used in commission of an offence. No distinction is made between offences involving information that was intended for commission of an offence – in subsections (1) and (2) – and information that is suspected to be intended for commission of an offence – in subsection (4). The maximum imprisonment term (10 years) and fine (10 million) listed in subsection (6) may be particularly onerous in cases where little or no physical or financial harm was caused to victims. The punishment should be proportional to the harm caused by the crime, and subsection (6) should reflect that principle.
3. Section 6 is extremely problematic from a cybersecurity perspective and could be harmful to cybersecurity practice and the cybersecurity industry in South Africa. Subsection 6 may criminalise a lot of everyday computing activities and tools that are essential for cybersecurity professionals and cybersecurity, academic and scientific researchers. While the control of the sale and export of hacking and surveillance software is in principle welcomed and is a positive global trend, Section 6 would, if strictly interpreted, make unlawful the production and possession of software, as well as the use of such software in cybersecurity research. It is commonly accepted that software can have a multitude of purposes, and that much software has dual uses. Penetration testing tools are used daily by cybersecurity professionals to test for vulnerabilities in networks (at the behest of their owners) in order to strengthen them as well as to find and to responsibly disclose and patch such software. The possession of these tools would, according to Section 6, be illegal, thus severely crippling South Africa’s cybersecurity industry. This is particularly worrying as the use of penetration testing tools is mentioned in the objectives of the Cyber Command in Section 55 (4)(e).
4. Section 9 would render the possession of malware illegal. The current state of this section does not give protections to legitimate possession of malware for research purposes. Malware can be legitimately possessed for the purposes of cybersecurity, scientific, academic, or journalistic research, provided that it is not possessed for the purposes of infecting other users. The “reasonable suspicion” in subsection (2) does not require evidence of commission of crimes, but rather a suspicion of intention to commit crimes. This is open to abuse and misinterpretation. It is my belief that being “unable to give satisfactory exculpatory account” of possession of malware that was not used in the commission of an offence is questionable as an offence in itself, and should not be subject to the penalties in subsection 3(a). Furthermore, vulnerability information sharing is mentioned in Section 55 (4)(c) as one of the aims of the Cyber Command; however, such sharing would involve the possession of and the sharing of malware, rendered illegal by Section 9.
5. The definition of malware in Section 9 subsection 4 is problematic and may render a lot of personal computing use illegal. If read strictly, “malware” is anything that modifies data or a computer device. If interpreted strictly, a large amount of personal computing use (e.g. modifying and controlling personal data, custom system upgrades and modifications) could be considered malware, as it modifies data or a device and sometimes relies on the exploitation of vulnerabilities to do so. An example of this is the “rooting” and “modding” of Android phones, which unlike the “jailbreaking” of iPhones is completely legal and is used by many cybersecurity professionals, or people who wish to keep their phones secure by receiving the latest security updates.
6. Of particular concern is Section 16 subsections (6) and (7), read in conjunction with subsection 8(f) and (g). This would introduce penalties not just for the possession of state secrets, but also for receiving and (according to a strict interpretation) even reading state secrets that are available online (regardless of whether they are from journalistic sources or released in the public interest). Offences regarding the possession and dissemination of state secrets should have a public interest defence, and should not be crimes when they are disseminated, distributed, possessed and accessed in the public interest, like for example in the instances of whistleblowers and journalists exposing corruption and abuse of power.
7. The prohibition on the dissemination of data messages which advocate, promote, or incite hate, discrimination or violence in Section 17 worries me particularly as a Political Scientist and Geographer who studies political violence. My current PhD dissertation focuses on the role of user-generated content in the Syrian civil conflict. I often need to access digital media that may contain hate speech, and to research it. While I do not believe that public dissemination of hate speech should be protected by the law, there are instances in which disseminating, broadcasting, or making available hate speech content is, in particular circumstances, in the public benefit: for example in research, to warn the public of existing threats, or in order to deconstruct, delegitimise and reject hate speech. There should be a more nuanced approach to this section, which I believe should be reviewed.
8. Section 20 on the infringement of copyright is also particularly worrying. A large amount of the content on the public internet at the moment involves work that is in some sense intentionally or unintentionally infringing copyright. Three years of imprisonment as envisaged under subsections 1 and 2 for offering for download, distributing, or making available copyrighted works is an extremely onerous and disproportionate punishment for what may include sharing creative works with friends over social media, or remixing content and sharing it. Section 20 would criminalise a large amount of non-harmful personal and social computing activity that is not designed to make profit and is not intended to harm content producers. Section 20 also fails to distinguish between copyright infringement that is intended to cause criminal gain, and copyright infringement that was conducted by individuals and may be protected by fair use doctrine in certain jurisdictions. It would be advisable in this instance to note the comments on Section 20 by Jeremy Malcolm of the Electronic Frontier Foundation.
9. With regard to the Private Sector Security Incident Response Teams (PSSIRTs), Section 57 notes that the PSSIRTs should facilitate sharing information within the sectors 4(d), and with other PSSIRTs and the Cyber Security Hub. This information should be shared according to the Protection of Personal Information Act. Furthermore, information should be shared in certain circumstances with the general public (as for example in security breaches where affected customers need to be notified, or when it is in the public interest). Furthermore, there is no provision for information sharing by the Cyber Security Hub and by the PSSIRTs with civil society organisations, when relevant, or when affected by cyber threats.
10. Particularly worrying is the power afforded to the President in Section 65(1) to “on such conditions as he or she may deem fit, enter into any agreement with any foreign state regarding- (a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of” offences. It implies that the president can enter into agreements regarding judicial investigations and prosecutions without any oversight from a member of the South African Judiciary. This is particularly worrying if the President is cooperating with a state that does not have rule of law and respect for human rights in South Africa. It means that the president may facilitate the investigation and prosecution of South African citizens in any state, regardless of the rule of law or human rights protections offered.
11. Cybersecurity is an issue that affects a multitude of societal stakeholders. The public consultations around the Bill, and the consultation around the informing document, the National Cyber Security Policy Framework (NCSPF), could have been a more open process. The few government and private sector events around the NCSPF and Cybersecurity policy in South Africa did not include civil society and netizens. Many complained that the NCSPF was a secretive document and was only seen by government officials and a select group in the private sector and technical community prior to the drafting of the Bill.
12. Considering this, as well as the broad scope, multidimensional nature, and complexity of the Bill, it is suggested that the current deadline for public comments for the Bill be extended.
13. Finally I suggest that there are too many concerns regarding the cybersecurity Bill for it to be adopted in its current form. It is unworkable from both a cybersecurity and a human rights perspective. I suggest that the Bill be scrapped and that a new round of public consultations with the aim of producing another draft Bill be implemented instead of the Bill being sent to parliament.