[UPDATE 19 JANUARY 2017 — the Department of Justice has unveiled a new, redrafted version of this Bill approved by Cabinet. The guide below reflects the 2015 version of the draft Bill, not the new version]
What’s wrong with the draft Cybercrimes Bill? A lot. But these are its Seven Deadly Sins:
1. Hands over control of the internet to the Ministry of State Security!
This draft Bill would create a range of structures with massive powers to police the internet – nearly all of them report to the Ministry of State Security. Stewardship of the internet should rest with a civilian agency with a mandate to promote freedom of and access to communications systems. Where a role for the security structures is necessary, it should be narrowly defined and subject to strong and independent civilian oversight.
s51 – Cyber Response Committee
s52 – Cyber Security Centre
s53 – Government Incident Response Teams
s54 – National Cybercrime Centre
s55 – Cyber Command
s57 – Private Sector Security Incident Response Teams
2. Gives the state security structures the power to effectively declare ‘national key points’ of the internet — and potentially grants backdoor access to any network!
State-security structures have the right to declare any part of the internet to be ‘National Critical Information Infrastructure’ – this could include any privately owned data, device, network or physical infrastructure or building, and all government networks, devices and infrastructure. This effectively creates ‘national key points’ of the internet, and s58 gives the government far-reaching powers over them, including regulations to classify certain information on these networks, and ‘access’ to the networks. This paves the way to government getting a ‘backdoor’ to private networks.
Offending clauses: s1 – definition of NCII; s58(2) – powers to declare NCII; s58(5) – powers to regulate NCII
3. Criminalises journalists and whistleblowers by sneaking in the worst parts of the “Secrecy Bill”
Section 16 of the draft Bill introduces a range of offences under the banner of “computer-related espionage” that are practically a copy-and-paste of the worst parts of the Protection of State Information Bill (“the Secrecy Bill”). These provisions make it an offence to “unlawfully and intentionally” possess, communicate, deliver, make available, or receive data “which is in possession of the State and which is classified”.
There is no public interest defence or protections for whistleblowers and journalists. The penalty is anywhere from 5 to 15 years in jail with no option of a fine.
The Bill also requires civil servants to sign an oath of secrecy that is unlawful in terms of South Africa’s whistleblower law, the Protected Disclosures Act.
Offending clauses: s16(5)b – info classified “confidential”; s16(6)b – info classified “secret”; s16(7)b – info classified “top secret”; s41(7)c – oath of secrecy
4. Increases the state’s surveillance powers and is even more invasive than RICA
The Bill would in fact make a bad surveillance law worse, by creating a parallel procedure to run alongside RICA. This goes beyond the mere interception of communication-related data (e.g. a call or email), to apply to interception of practically any possible data that may exist. Where RICA would only allow such an invasion if you are suspected of a serious offence, under the Cybercrimes Bill it can be related to any offence – including one in which you are not a suspect.
To do this, it hands over significant powers to “investigators” who are not public officials, but private individuals who are not subject to adequate oversight.
Like RICA, the Bill forces your service providers to give up your privacy, and gags them from telling you when it happens.
Offending clauses: See Chapter 4, especially: s26 – definition of “article” includes data related to “any offence”; s29 – extremely broad provisions on search warrants; s26 – definition of “investigator”; s64(2)(a) – reporting crimes; s38 – prohibition of disclosure
5. Undermines South Africans’ civil liberties and particularly the constitutional right to privacy. It is contrary to global developments in the protection of personal information.
In the absence of the implementation of the POPI Act (enacted in 2013 but delayed by the Department of Justice and Parliament) and the establishment of an independent information regulator, there is little protection for citizens’ constitutional right to privacy.
Particularly in light of the overbroad provisions granting powers to national security agencies and the current crisis in the SAPS and NPA, this will allow overzealous authorities to abuse their powers without recourse for citizens.
This is contrary not only to the National Cybersecurity Policy Framework but also to global developments and the conventions to which South Africa is a signatory, which demand that the development of cybersecurity be balanced by privacy legislation.
Section 3 should not be dealt with in the Bill at all, as it merely expands the criminal provisions in the POPI Act and should form part of that Act. To treat it otherwise is inviting unnecessary confusion.
Offending clause: s3 – Personal information and financial information related offences
6. Contains 59 new criminal offences involving computer usage – many of which are so broad that they could ensnare ordinary computer users. The Bill considers suspects guilty until proven innocent.
The Bill creates a string of offences, with harsh penalties, for “unlawfully” accessing, intercepting, altering data, and so on. The only thing that protects millions of ordinary users of the internet is that it must be “unlawful”. The Bill is vague and open to interpretation. What does unlawful mean? It could be lawful if “written authority is granted by the person who has the lawful authority to consent to such an act”.
So even where there are no bad intentions and no harm done, an ordinary internet user who is not authorized by law to access, navigate, draw on or alter data that exists anywhere on the internet may be committing a crime. It will become illegal to use many software and hardware tools. The Bill’s offences relating to malicious use of software and probing of security flaws are broad enough to criminalise the work of ICT professionals and a global community of security analysts and researchers who test these systems as a civic duty, in order to point out and fix security flaws that put the general public at risk. They will be considered guilty, until proven innocent.
Offending clauses: s4-s22 – various offences; s6 – “unlawful acts in respect of software or hardware tools”.
7. Contains anti-copyright provisions so harsh you could be criminalised for even posting a meme.
The Bill criminalises selling, offering for download, distributing or otherwise making available a copyright work online, on the vague grounds that the user knows the work is under copyright and the act “will be prejudicial to the owner of the copyright.” In any case, copyright infringement is already prohibited through existing copyright law, which is under review by the Department of Trade and Industry.
The penalty is a fine or up to three years in jail.
Offending clauses: s20 – infringement of copyright
What’s the solution? Scrap the Bill and start again – this time with proper public participation, and with the need to protect and preserve the democratic spirit of the internet and ordinary users’ right to privacy at the heart of any drafting.