Another law that can make it “illegal” for journalists and others to own sensitive information has seen the light.
A new bill that aims to crack down on cyber crime, will, in its current format, provide detailed power to the State Security Agency, including the classification of information and information storage devices of individuals.
It contains provisions reminiscent of the controversial secrecy bill and the National Key Points Act.
The Cybercrimes and Cybersecurity Bill was announced in August by Michael Masutha, minister of justice and constitutional development, and proposals closed on Monday.
Civil rights groups have expressed their concern about the bill.
What is the purpose of the bill?
When Masutha introduced the bill, he said: “It was estimated that cyber-related crime was on the increase, and its value has grown to more than R1 billion a year.
“The draft bill proposes putting a coherent and integrated framework in place to deal with several shortcomings regarding cyber crime.”
The bill would replace various other laws that currently regulate cyber crime, in order to capture it all in one piece of legislation.
Good, but what is cyber crime?
It refers to the use of data, a computer device, a computer network, a database or an electronic communication network to commit a crime.
According to the bill this includes procurement, supply or use of personal and financial information without written consent, as well as the use of malicious programs (malware).
The discussion document that the Department of Justice and Constitutional Development has made available with the bill, states: “Offenders who are guilty of cybercrime, do not require more complex skills or techniques. Globally, cybercrime acts show a broad distribution across financial driven actions as well as acts against the confidentiality, integrity and accessibility of computer systems.”
What is cyber security?
It refers to the protection of computers and computer systems, and the information in it.
Who will investigate cybercrime?
The bill provides that a 24/7 contact point for cyber crime should be created. A police member with appropriate expertise should be the director of the unit.
The director must be assisted by:
» Appropriately qualified members of the South African Police Service;
» A member of the National Prosecuting Authority who has particular knowledge and skills in respect of any aspect dealt with in this Act and who is seconded or designated to the 24/7 point of contact to assist the director; and
» Persons or entities who are, from time to time, appointed to assist the director.
The bill also makes it possible for the police to establish a National Cyber Crime Centre – a unit focusing only on cyber crime.
Who looks after cyber security?
Under the bill, a dedicated cyber security response committee would be established.
The State Security Agency will chair the committee, while various heads of government departments would serve on the committee. The chairperson would be the director-general of state security.
The committee would report to the minister of state security.
A Cyber Security Centre would be established. Its responsibilities would include:
To develop measures to deal with cyber security matters impacting on national
» To facilitate the identification of and protection and securing of “national critical information infrastructures”; and
» To respond to and to provide coordination and leadership.
A national strategy for a cyber war should be developed.
What are “national critical information infrastructures”?
As the bill stands now, they are whatever the minister of state security says they are.
The Bill defines a “national critical information infrastructure” as “any data, computer data storage medium, computer device, database, computer network, electronic communications network, electronic communications infrastructure or any part thereof or any building, structure, facility, system or equipment associated therewith”.
This includes private property.
The use of and access to “national critical information infrastructure” are governed by regulations that are determined by the State Security Agency.
Thus, in the (hopefully) unlikely event that the agency classifies my computer as “national critical information infrastructure”, I will have to apply to a court to have this classification set aside.
According to the Right 2 Know Campaign (R2K) this creates, in effect, “national key points” for the internet and gives the government power over it, including regulations to classify certain information.
“This paves the way to government getting a ‘backdoor’ to private networks,” said R2K in a statement.
But if I were a journalist or someone who wanted to reveal corruption, the bill would surely not curb me?
Not if R2K is correct. According to the watchdog, the bill would criminalise journalists and whistle blowers by “sneaking in the worst clauses of the ‘secrecy bill’ by the back door”.
“Section 16 of the draft bill introduces a range of offences under the banner of ‘computer-related espionage’ that are practically a copy-and-paste of the worst parts of the Protection of State Information Bill (“the secrecy bill”).
These provisions make it an offence to ‘unlawfully and intentionally’ possess, communicate, deliver, make available, or receive data ‘which is in possession of the state and which is classified’,” said R2K’s statement.
As with the draconian secrecy bill, which is still on President Jacob Zuma’s desk, waiting for his signature, there is no public interest defence or protections for whistleblowers and journalists.
“The penalty is anywhere from five to 15 years in jail with no option of a fine. The bill also requires civil servants to sign an oath of secrecy that is unlawful in terms of South Africa’s whistleblower law,” said the statement.
What do others say?
The Electronic Frontier Foundation, an international cyber watchdog organisation that is campaigning for civil liberties in the digital sphere, said the bill could “scare researchers into silence” .
“The wording of the bill shouldn’t criminalise the legitimate activities and use of tools required for independent security research, academic research and other activities that are carried out in good faith and serve the public interest and in the end make the public safer,” read the organisation’s statement.
The organisation is concerned that the bill has heavier penalties for online crime than similar crimes not committed in cyberspace.
The bill must still go through the parliamentary process. The Electronic Frontier Foundation and R2K have asked that the law be redrafted and R2K has set up an online petition in this regard.