28 July 2017
This is the second part of a two-part series on the problems with the Cybercrimes and Cybersecurity Bill. Parliament has given the public until 10 August to comment on the Bill. Read Part One, "Cybercrimes Bill threatens our freedom", if you missed it.
The government says that the Cybercrimes and Cybersecurity Bill is needed to help fight cybercrime and to make South Africa’s cyberspace more secure against attempted crimes. But some of the provisions it puts in place could make us less secure.
This is important, because we all have the right to cybersecurity. When we use computers or phones, and send messages on WhatsApp or Facebook, or browse websites, we need protection for our right to privacy, our right to freedom of expression and our right to access information.
But sometimes when it comes to your cybersecurity, the government agency is not just the protector – but also the threat.
The Bill tries to protect us from people who want unauthorised access to our devices. Section 2 creates a new crime in this regard, which is intended to criminalise people who get access to your data without your permission.
Sounds good, right? Unfortunately not, because this provision is so broad that it criminalises people who may mishandle other people’s personal data through carelessness, not through deliberate hacking attempts.
South Africa already has a pretty good, pretty new data protection law – the Protection of Personal Information Act, which exists to protect your data and make sure companies and individuals who handle other people’s personal data don’t misuse that information or violate their privacy. But POPI, which was signed in 2015, has not yet been fully rolled out.
The new Cybercrimes Bill will tread all over POPI’s legal territory. The state should put resources into making POPI work. Instead it is creating a law that overlaps with and undermines our new data protection law. This makes us less secure.
The Bill tries to make sure that people who have the technology to break into our devices are stopped. Section 4 of the Bill, titled Unlawful acts in respect of software or hardware tool, makes it a crime to have any software that is used to overcome the security measures of a person’s device.
Sounds good, right? Unfortunately not, because this misunderstands the nature of providing internet security. This provision is the same as making it illegal to have a set of lockpicks or a crowbar. The people who test the security of our systems do so by trying to break those systems from the outside, using software that could now be criminalised by this Bill. Many times, they do so without the authorisation of the owner of that network or software, because it’s usually a company or government institution that thinks it knows better. This kind of security testing has made us safer, and prevented many acts of cybercrime. Because this Bill can’t tell the difference between actual cybercriminals and security testers, it will discourage people from testing internet security systems, and ultimately make the internet less safe.
What the Cybercrimes Bill doesn’t do, and can’t do, is develop the expertise inside the police to detect and solve cybercrimes, and the expertise in the state to create better defenses to cybercrime.
Nonetheless, the legislation tries to ensure that the private sector secures its networks, and that where it does not, the state can step in. One way the Bill tries to do this is by giving State Security structures the power to declare any device, network, database or other infrastructure a “critical information infrastructure” and put legal obligations on these entities (including private companies) to meet government security standards and submit to security audits.
Once an entity has been declared “critical information infrastructure”, the State Security Minister can issue directives on the classification of data held by that entity, the storing and archiving of that data, physical and technical security standards, and “any other relevant matter which is necessary or expedient in order to promote cybersecurity”.
There’s a lot of devil in this detail. Among other things, it could mean that information held by the company that connects you to the internet could now become classified as a national security secret. The “any other matter” provision could mask serious misdeeds that undermine privacy and internet freedom: most notably, the risk that State Security could grant itself backdoor access to private networks or give itself new surveillance and monitoring powers.
One red flag: this provision bears some resemblance to the ‘critical information infrastructure’ policy in article 31 of China’s new cybercrimes law.
Right2Know has shown the widespread abuse of communications surveillance in South Africa: the state is spying on its own citizens and failing to respect people’s privacy. Our main surveillance law, RICA, is meant to ensure that state surveillance operations only happen with the approval of a specially appointed judge. But Right2Know has criticised RICA for lacking transparency, having faulty oversight, requiring the storage of everyone’s communications metadata for years, and, most importantly, enabling a number of very dodgy surveillance operations that targeted journalists and other individuals.
The Cybercrimes Bill tries to do one thing that makes us safer from surveillance abuses: it closes a loophole in RICA that has allowed magistrates to authorise interceptions of thousands of people’s cell phone records, bypassing the specially appointed RICA judge. This form of surveillance happens many thousands of times a year. The Cybercrimes Bill tries to close the loophole to ensure the protections in RICA, however weak, apply to all the information that your network provider has about you, including who you called and messaged as well as what you said in the call or message. But because tens of thousands of surveillance warrants are issued by magistrates every year, compared to just a few hundred a year by the RICA judge, the Bill will simply result in swamping the RICA judge and undermining his or her oversight.
The Cybercrimes Bill fails to take other meaningful steps to fix the loopholes in RICA and other harmful provisions that have enabled the state to spy on its citizens and use surveillance as a tool for repression. Until it does that, it does not protect us against surveillance abuses.
There are some “cybercrimes” that make society better: the leaking of secret government information that exposes human rights abuses, or the leaking of the Panama Papers that exposed money laundering and tax evasion, are clearly in the public interest. Any cybercrimes law should also have a public interest defence, to protect those who breach systems in order to serve the public, expose wrongdoing, or challenge abuse of power.
South Africa needs policies, laws and practice that actively promote cybersecurity, protecting ordinary internet users against both private cybercriminals and state-sponsored surveillance programmes. This Bill may have some of the right intentions, but it doesn’t get us there.
Views expressed are not necessarily GroundUp’s.