* Follow-up article will be published soon
The Minister of Justice is expected to table the Cybercrimes & Cybersecurity Bill before Parliament soon, with the hope that law-makers will give it the go ahead and send it off to Pretoria for the president’s signature.
As is the case with most laws, it is aimed at protecting South Africa’s sovereignty, economic integrity and most importantly, you as a citizen – the bill’s number one selling point. While South Africa already has criminal legislation, laws regulating the interception of communication and anti-terrorism legislation, this can be seen as a further digital extension of the state’s arm into South African businesses, organisations, syndicates and in some cases, private households. The Bill makes a compelling argument in some instances, but serious questions remain – the most contentious being privacy vs. security.
The bill, if signed into law, effectively helps the state at the very least, to more effectively investigate crimes, and at best, prevent crimes either committed or facilitated by electronic communications. Those involved in child pornography will have a much harder time sharing content, human traffickers will be unable to use any form of electronic communication and will have to resort to the post office or pigeons. Fraudsters can be targeted, as well as those who commit hate crimes online and terrorists planning an attack on South African soil, or on any database or computer network in the country.
The world is in the digital revolution and South Africa, along with almost every other country, is facing new challenges. “The escalation of cyber-crime and its increasing sophistication continue to pose grave challenges to law enforcement agencies,” said Justice Yvonne Mokgoro in her 2014/15 annual report. Mokgoro is the judge responsible for issuing surveillance warrants in accordance with the RICA Act.
Private businesses have been victim to breaches, while South Africa’s arms procurer Armscor suffered a hack by way of a simple SQL injection. But the strongest motivating factor to have this bill passed is the rise of terror-related scares in the country. First came the Thulsie twins, accused of plotting to attack foreign assets based in South Africa. This was followed by a terror alert by the American Embassy. And most recently, authorities managed to stop two men believed to be linked to the Islamic State group from entering South Africa. Law enforcement efforts have so far resulted in no attacks on South African soil.
But ISIS for one made most of its advances in cyber space, hence the urgency of a law that would assist authorities in policing this sphere. “Cybercrime is significantly higher than conventional crimes, reads the Discussion document on the Cybercrimes Bill, adding, “The use of the internet to facilitate and commit acts of terrorism is a real occurrence.”
But how will South Africa limit and police its own surveillance? Will authorities be able to follow through on all offences, if it declares almost anything remotely linked to illegal activity as a possible offence?
The bill lists 20 different sections of possible offences. These range from intercepting or sharing personal or sensitive information, advocating for violence and committing copyright infringements to computer related fraud, forgery and terrorism. The penalties could include a fine of up to R5 million or a maximum prison sentence of five years or both, and in some cases up to R10 million and jail time of up to 10 years. Certain offences could be prosecuted in line with existing legislation and in a case of terrorism, up to 25 years behind bars.
This is reassuring for the law abiding citizen, but somewhat of a concern for activists and others who tend to upset the state.
In obtaining search or interception warrants, could the state justify monitoring #FeesMustFall activists for example – especially in cases where the protests have turned violent or a shutdown of campuses pose a risk to South Africa’s economy? Could they then monitor all student leaders and activists, and by definition, everyone they are in contact with? Would the state under no circumstances use confidential information of a certain campaign or movement to its own advantage?
It becomes more concerning for whistle-blowers and investigative journalists, especially when it comes to ‘top secret’ information. “Any person who unlawfully and intentionally possesses; communicates, delivers or makes available; or receives data which is in the possession of the State and is classified as top secret, is guilty of an offence,” the bill states. That means the whistle-blower (the person who communicates or makes available the information) as well as the journalist (the person who receives and by default also possesses the information) are both guilty and could be sentenced up to 15 years in prison. Meanwhile the bill makes no provision for information that is overwhelmingly in the public interest, even if it exposes another, more serious crime – such as the unlawful surveillance of a civilian population.
Would such an unlawful act or the possibility thereof further warrant continuous surveillance of either party?
And to be clear, spooks will not only have access to Facebook posts or Tweets. They will be able to intercept phone calls, messages and other forms of electronic communication using, among others, a grabber device. Even worse, if the president decides to enter into a cooperation agreement with another state, which the bill allows, South African intelligence officials could have access to technology used by British or American intelligence agencies. Thanks to Edward Snowden we know they have the ability to access the cameras and microphones on almost any electronic device connected to the internet.
In her annual report, Justice Mokgoro expresses concern over the public perceptions that agencies or officials abuse interception methods or sometimes bypass her office.
Her concern is supported by the fact that throughout the 2014/15 and 2013/14 financial years there were 1213 interception applications. But in 2010, the former director of the Office for Interception Centres told the Joint Standing Committee on Intelligence it made over 3 million interceptions in the first three years of the OIC’s existence.
If the just over 1200 interceptions were in fact the only ones conducted over the period of two years, there has been a drastic drop in interceptions from a period where only 23% of South African households had access to the internet, to a time where close to half of South African households could go online.
If for some reason that is the case, it begs the question: why the need for a Cyber Bill? If not, there are millions of unexplained and possibly unauthorised interceptions.
The financial shortcoming notwithstanding, there is also very limited civilian oversight mentioned in the bill. The proposed structures to deal with cyber security all have to submit annual reports to Parliament’s Joint Standing Committee on Intelligence. But as the Director General already pointed out, he was unable to collect all the necessary information as much of it was classified as top secret.
Similarly, the directors of some of the news structures, including the Cyber Security Centre and the Cyber Response Committee must have security clearance. They, along with their organisations are directly accountable to the Minister of State Security who also has the sole responsibility of appointing them. “The Cabinet member responsible for State security exercises final responsibility over the administration and functioning of [the structures],” the bill reads.
Difficult questions lie ahead for South Africa. Not only the question of security, against cyber criminals and terrorists vs. privacy. But the bill could further ensure various political scandals or even crimes committed by the state never reach the public. All while the state could, hypothetically at least, become the very intruders we wish to be protected from. And not just for civilians, but for others like activists, whistle-blowers, politicians and lawmakers themselves – should they choose to approve it.