Technological advances have gone beyond our wildest imagination. But with great technological advances come greater risks. Research shows that our country’s comparatively high levels of internet connectivity bring with them a higher risk of cybercrime. Cybercrime activities are growing fast and evolving at pace, becoming both more aggressive and more technically proficient.
The development of new proposed legislation to enhance cybersecurity is a necessity. It is a milestone towards building safer communities as envisaged in the National Development Plan. We are committed to putting in place measures to effectively deal with cybercrimes and address aspects relating to cybersecurity, which adversely affect individuals, businesses and Government alike.
The Department of Justice and Constitutional Development has been tasked with the review and alignment of cybersecurity laws to ensure that these laws are aligned with the National Cybersecurity Policy Framework (NCPF) and provide for an integrated cyber security legal framework for the Republic.
The new proposed Cybercrime and Cybersecurity Bill gives effect to this mandate. Deterring cybercrime is a vital component of a national cybersecurity and critical information infrastructure protection strategy. This includes the adoption of appropriate legislation against the misuse of information communications technologies for criminal purposes. The new Bill aims to advance these objectives.
The Bill was made available for public comment in 2015. Comments were taken into account in the finalisation of a further draft of the Bill. Furthermore, a working group consisting of persons with different areas of expertise was appointed to give advice on the Bill and on how to address concerns raised in respect of the Bill.
The offences provided for in the Bill aim to protect the confidentiality, integrity and availability of computer data and systems by means of the offences of unlawful access, interception of protected data, malware-related offences, interference with data and computer systems and password-related offences.
The Bill criminalises cyber-facilitated offences by means of the offences of fraud, forgery, uttering and extortion, which were adapted specifically for the cyber environment.
Jurisdiction in respect of all offences which can be committed in cyberspace is expanded substantially in terms of the Bill, mainly to deal with cybercrime which originates from outside our borders.
The Bill aims to put in place specialised procedures, with sufficient checks and balances to protect the rights of an accused person and other users of information communication technologies, to deal with the investigation of cybercrimes. Since many cybercrimes emanate from another country, the Bill also provides for procedures which will facilitate mutual assistance with other countries in the investigation of cybercrimes.
With regard to malicious communications, the Bill aims to criminalise a data message which incites the causing of any damage to any property belonging to, or violence against, a person or a group of persons, which is harmful, which is intimate in nature, and which is distributed without the consent of the person involved. Provision is made in the Bill for an interim protection order pending finalisation of criminal proceedings. In terms of the protection order a court may prohibit any person from distributing the data message or may order an electronic communications service provider or person in control of a computer system to remove or disable access to the data message in question.
The Bill also inserts a new section in the Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007 to criminalise the harmful disclosure of pornography (or so-called “revenge porn”). The proposed amendment aims to criminalise the disclosure of pornography, threats to disclose pornography and disclosure or threats to disclose pornography for the purposes of obtaining any advantage from a person.
The Criminal Law (Sexual Offences and Related Matters) Amendment Act, 2007 was passed to comprehensively deal with all sexual offences. Criticism was raised against the fact that child pornography is dealt with in a law which mainly relates to the classification of films and publications, which is the primary purpose of the Films and Publications Act, 1996. The new Cybercrimes Bill therefore repeals section 24B of the Films and Publications Act, which criminalises child pornography and the sexual exploitation of children. The new Bill further proposes various amendments to the Sexual Offences Act in order to comprehensively deal with child pornography in accordance with the proposals of the Lanzarote Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse and the Budapest Convention on Cybercrime. The Lanzarote Convention provides for conduct relating to child pornography in the real world which must be criminalised, whilst the Budapest Convention deals with virtual child pornography.
The new offences will mean that child pornography is now comprehensively criminalised in legislation and thereby addresses the current fragmentary approach.
There are some misconceptions about the Bill that we would like to address. For example, regarding the State Security Agency which has been assigned a role to co-ordinate the implementation of the cybersecurity initiative of Government: the additional structures which need to be established within the State Security Agency do not give any powers to the State Security Agency to control the Internet. In this regard, reference can be made to the functions of the Cyber Security Centre, which is a structure in command of the Government Security Incident Response Teams, and whose functions are primarily associated with the protection of Critical Information Infrastructure and Government Security Incident Response Teams, which is a continuation of the existing Government Security Incident Response Team.
There are also misconceptions around the interception of data and allegations that the Bill increases the state’s surveillance powers. It is incorrect to equate search and seizure under clause 27 of the Bill with an extension of “surveillance powers”. Data is merely a means to commit offences such as fraud, damage of programs or computer systems, extortion, forgery and uttering. It can also be used to commit murder (remotely switching off a respiratory system) or terrorism (overloading the centrifuges of a nuclear station or remotely opening the sluices of a dam, which causes large-scale flooding). In order to prove an offence in a court of law, data must be seized as evidential material. If the State cannot seize evidential material to adduce as evidence, it is impossible to prove the guilt of an accused person.
The Criminal Procedure Act, 1977 is currently used to investigate cybercrimes. Data relevant to a cybercrime is thus seized in terms of a warrant issued in terms of section 21 of the Criminal Procedure Act. If the proposed clause 27 is compared with section 21 of the Criminal Procedure Act, there is no real difference regarding the powers to search and seize, except that clause 27 specifically accommodates electronic searches and seizures. The same principles of interpretation developed by the courts in respect of section 21 of the Criminal Procedure Act will apply in respect of a search and seizure in terms of clause 27 of the Bill. The seizure of data in terms of a search warrant thus cannot be regarded as a form of surveillance, which implies the surreptitious monitoring of the communications of a person.
The Regulation of Interception of Communications and Provision of Communication-related Information Act, 2008 (“RICA”), when enacted, did not primarily deal with the investigation of cybercrimes but was more concerned with the interception of fixed line and mobile communications.
Serious cyber offences have been committed since the enactment of the RICA. Amendments which the Bill aims to effect to the RICA fall within the general principles which were put in place to protect persons against unlawful interception of communications and are specifically aimed at addressing the increase of cybercrimes. There is thus no extension of the so-called “surveillance powers” of the State.
It is important to stress that South Africa is a constitutional democracy. All legislative provisions are measured against the Constitution, and if found wanting, will be ruled as unconstitutional. Neither the Bill nor the NCPF gives the State Security Agency any powers to censor or suppress what can be accessed, published, or viewed on the Internet or to monitor communications without judicial sanctioning.
The Bill contains a number of new criminal offences. The conduct which the Bill aims to criminalise is substantially in line with cybercrime legislation of various countries, the African Union Convention on Cyber Security and Personal Data Protection, the Budapest Convention on Cybercrime and various model laws such as the Commonwealth Model Law on Computer and Computer-related Crime, the SADC Model Law on Computer Crime and Cybercrime, the HIPCAR Model Law and proposals made by the International Telecommunication Union.
It must also be pointed out that most of the criminal offences contained in the Bill are already, to an extent, criminalised by other laws on the Statute Book. If a person is prosecuted for an offence in terms of the Bill, the State must prove the elements of an offence beyond reasonable doubt. In an open and democratic society that has an adversarial criminal justice system, the presumption of innocence has been emphasised over and over by the courts.
A group of persons raised a concern that some of the offences in the Bill may adversely affect the work of computer professionals since the Bill criminalises the manufacturing, use and distribution of hardware and software tools that are used by these persons. It must be stressed that the Bill can never be interpreted to prohibit the lawful use of such hardware or software tools or lawful conduct which is aimed at identifying security flaws. The restricting factor of this offence is the fact that the State must prove beyond reasonable doubt that the hardware and software tool was manufactured, used or distributed for the purposes of committing offences which are criminalised elsewhere in the Bill. There is therefore no risk whatsoever to ICT professionals who use such software or hardware tools for a legitimate purpose.
The original Bill proposed amendments to the Protection of Personal Information Act, 2013, in order to address identity theft. However, these amendments were removed from the Bill on the basis that the proposed amendments may be too wide and may have unintended consequences. The criminalisation of identity theft will further be researched and its criminalisation may at a later stage be considered.
In conclusion, cybersecurity plays an important role in the ongoing development of information communication technology. Enhancing cybersecurity and protecting critical information infrastructures are essential to each nation's security and the economic well-being of a country. Making the Internet safer and protecting the users of Information Communications Technologies have become integral to the development of new services as well as governmental policy.
We are confident that the Bill will, to a large extent, address the current shortcomings in our law and will facilitate the effective prosecution of cybercrimes. The Bill will put in place the required building blocks necessary to address cybercrime in South Africa.
The Bill will be introduced into Parliament in the next few weeks. As you are aware, Parliament is required to solicit views from the public on legislation, so there will be a further opportunity to make submissions on the Bill.