Inside SA’s cyber-insecurity problem
South Africa has one of the highest rates of cybercrime in the world. So it is hardly surprising that more people are looking to the government to step in and do something about the problem.
The department of justice and constitutional development has responded with a Cybercrimes and Cybersecurity Bill, which was released for public comment in August.
At first glance, this complex 128-page draft law promises to make the internet a much safer, freer space for South Africans.
But this promise is illusory.
The Bill threatens digital rights in significant ways, especially the freedoms of expression and of association, and the right to privacy. It lacks important checks and balances and increases state power over the internet in worrying ways.
This is not to say that the Bill isn’t needed: in fact, it has important public purposes. For instance, it criminalises acts such as the unlawful interception of and interference with data, as well as computer-related fraud and cyberterrorism, and regulates foreign co-operation to fight these crimes. It protects critical information and infrastructure by making it illegal to interfere with them.
But the Bill also creates a host of new state institutions, falling under several departments, to counter cybercrime and cyberterrorism. These institutions are co-ordinated by a cybersecurity committee under the political control of the state security ministry. This means that the Bill will hand indirect control of the internet to South Africa’s spies.
State security is not the most appropriate institution to be tasked with this responsibility. It leans towards secrecy and its existing activities lack democratic controls. It operates with an overly broad mandate. Yet in spite of these systemic weaknesses, if the Bill is passed in its current form the spies will be given additional responsibilities, including the power to interfere unduly in internet governance and content.
The Bill has been in the offing for some time now. South Africa signed the Budapest Convention on Cybercrime in 2001, but the convention hasn’t been domesticated yet. Other countries have already done so, and many have used Commonwealth and International Telecommunication Union model laws that draw on the convention to different extents.
When compared with these models, South Africa’s draft law is not the best on offer, nor is it the worst. For instance, the Bill resists the temptation to overcriminalise online behaviour such as spamming. Nevertheless, there are grounds for concern.
The Bill contains an overbroad definition of computer-related terrorist activity, which should concern internet users because a person convicted of this offence could be jailed for up to 25 years.
This definition does not include the “freedom fighter exemption” in South Africa’s anti-terrorism Act (the Protection of Constitutional Democracy against Terrorist and Related Activities Act), which excludes advocacy or dissent. Acts committed in the context of legitimate struggles for national self-determination or national liberation should not be considered terrorist acts. Yet the Bill fails to distinguish between cyberterrorism and cyber-dissent, when people use digital networks for activism and civil disobedience.
The Bill criminalises unlawful interception of, and access to, online information, and prescribes particularly harsh penalties for computer-related espionage. In doing so, it mirrors the controversial Protection of State Information Bill (informally known as the “secrecy Bill”) and entrenches some of its most worrying features.
Neither of these Bills includes defences for those who disclose information on public interest grounds. This means that whistle-blowers who exfiltrate data, and the journalists who report on them, could well be criminally prosecuted.
The Bill’s definitions of critical data and “national critical information infrastructure” are overbroad; for instance, the latter includes any government or state communications network. In contrast, the International Telecommunication Union defines critical infrastructure narrowly, as being what is so vital to the country that its incapacity or destruction would have a catastrophic impact.
This means that infrastructure could be declared critical to keep information about it away from the public. The government could well use this Bill and the “secrecy Bill” to reduce transparency and intensify secrecy.
At first glance, the Bill’s prohibitions on the dissemination of hateful and inciting material are reasonable. But its definition of hate speech is broader than that contained in the Constitution, in that it does not contain a harm test and extends the grounds for hate speech beyond race, gender, ethnicity or religion.
The prohibition of incitement to violence is also overbroad. The constitutional test requires the threat of violence to be imminent. These provisions could well lead to constitutionally indefensible censorship of internet content.
The Bill amends the Regulation of Interception of Communications Act (Rica) by adding additional offences. Its drafters argue that it and the Criminal Procedure Act do not contain adequate measures to investigate cybercrimes.
In a preliminary analysis, watchdog Privacy International has pointed out that the Bill insists that government departments still need to seek directions from the designated judge in terms of Rica for the interception of indirect communications.
Yet, according to the organisation’s Tomaso Falchetta, “the Bill seems to create a parallel procedural system to Rica for investigation, search and seizure of electronic communications/data … [which] provides wider surveillance powers with fewer checks and balances than in Rica”.
Privacy International has also pointed out that the Bill’s grounds for the issuing of a search warrant are even more vague than Rica’s already vague grounds for the issuing of interception directions. An investigator in such cases doesn’t even have to be a law enforcement officer: he or she can merely be an “appropriately qualified, fit and proper person”, although operating under the supervision of a law enforcement officer.
Like Rica, the Bill doesn’t make provision for the user to be notified after a warrant has been issued, in violation of their rights. It also gags people connected to cyber-investigations from speaking about them, which is likely to reduce transparency and increase the scope for abuse.
A law enforcement officer may issue a direction for the expedited preservation of data to prevent information from being destroyed during an investigation, but the grounds for doing so are worryingly vague. An officer may also forward information to a foreign state on the approval of the national director of public prosecutions, but does not require judicial authorisation to do so. These provisions reduce accountability.
The new state entities the Bill creates have broad and open-ended mandates relating to national security – which is not defined – as well as defence and law enforcement. These entities are responsible for warning the government about network vulnerabilities and potential threats to cybersecurity, responding to them reactively, developing plans to ward them off proactively and ensuring private sector co-operation.
In the case of the defence ministry’s mooted cyber command (inspired by a United States body falling under the National Security Agency), this entity must report on efforts to “co-ordinate and implement cyber-offensive and -defensive measures as part of its defence mandate”. An offensive mandate is inappropriate, and could quickly lead to a militarisation of the internet and increasing online insecurity.
Canadian political scientist Ronald Deibert has argued that there are two diametrically opposed approaches towards cybersecurity: securitisation and stewardship.
Securitisation involves defining online threats primarily as threats to national security, thereby allowing intelligence agencies to lead the fight against them.
Stewardship, on the other hand, rejects securitisation as being dangerous for online freedoms. Those favouring stewardship point out that many online problems (such as phishing and malware) could be dealt with through collaborative efforts between the state, industry and society. They argue that an information security policy, rather than a national security policy, is adequate.
Yet governments rush to securitise and militarise these problems to justify government control of the internet. They gain public acquiescence by creating a moral panic and convincing the public that there is no alternative but to accept government intervention.
On a broader level, governments, including South Africa’s, need to acknowledge that they have helped create the very problem they are legislating against. They have a vested interest in promoting communications networks that are built for vulnerability rather than for resilience, because they want to maintain their ability to spy on their citizens.
For instance, Rica forbids the rolling out of communications services that are not themselves capable of being intercepted. The problem is that these built-in security holes can be – and are – exploited by governments and criminals alike. Communications users must insist on resilient networks as a matter of public policy.
Governments also tend to over-hype national security threats, though there is very little empirical evidence of cyberattacks leading to lasting damage to critical national infrastructure or threats to life and limb – issues explored at length by academics such as Myriam Dunn Cavelty and Thomas Rid.
Though there are elements of stewardship in the South African government’s approach to cybersecurity, it is largely state-centric and leans towards securitisation.
If netizens want to live free from fear and want, offline and on, then they will not achieve this by handing decision-making about the internet to increasingly secretive, unaccountable governments. Trading freedom for security is no security at all.
Professor Jane Duncan works at the University of Johannesburg. She is author of The Rise of the Securocrats (Jacana) and a member of the Right2Know campaign’s secrecy focus group. The deadline for comment on the Cybercrimes and Cybersecurity Bill is November 30.