South Africa is the latest country taking measures to tighten up on cyber crime. The draft of its Cybercrimes and Cyber Security bill includes explicit penalties for cyber crimes, ranging from fines to a maximum of 25 years in prison.

The draft mentions areas where the current South African laws have failed to properly address cybercrime, such as the current legal definition of theft, which covers only physical property and not electronic property such as data.

There are some concerns with the new bill, with criticism targeting some of the broad definitions used in the document. There have also been comments that this bill might give too much legislative power to the state, which has been of concern with other bills introduced in recent years including one titled ‘Protection of State Information’ and another concerning TV and Film.

There have also been comments about the section of the bill addressing copyright issues, noting that crimes as diverse as ‘sells’, ‘downloads’, ‘distributes’ or ‘otherwise makes available’ are all placed under the same umbrella of potential punishments, which are given as a fine or anything up to 3 years in prison.

A huge amount of emphasis has been placed on any crimes affecting state data, which come under both ‘terrorism’ and ‘espionage’, with specified punishments ranging from 5 to 25 years imprisonment. Where state property is concerned, there are no fines; punishments escalate directly to a prison term of up to 25 years.

What’s odd about the bill is that it also includes some crimes that are not solely related to data, such as the above-mentioned copyright section. There is a section devoted to ‘hate crimes’ on issues such as race and gender, but specifically targeting those crimes carried out online. Also on this list is ‘harbouring’ an offender of any of these crimes and violence or damage to such property.

It’s clear that this bill has been formulated to address loopholes in current laws and clarify the punishments which may be given for any ‘computer-related’ crimes. There is a lack of technical specifics in the bill, with one of the few specific terms being in relation to malware. It would appear that ‘cybercrime’ has been poorly defined in the drafting of this bill, with it being wide-ranging but lacking in technical substance.

An entire chapter is devoted to outlining the powers the authorities have to investigate, search, access or seize property, whether material or electronic. At a recent conference, the head of South Africa’s Electronic Crime Unit admitted that the police force is struggling to act against cybercrime within the current legislation, so no doubt this chapter is part of efforts to redress this issue. Fortunately, the authors at least had the foresight to include a section on ‘Prohibition of Disclosure of Information’, which directly applies to anyone working with data in a professional capacity, including as an investigator or police officer.

The bill also lays out the new structure to be put into place to address cyber security issues, including a cyber response committee, a cyber security centre, government security incident response teams, a national cybercrime centre, cyber security hubs, a cyber command and private sector incident response teams. The roles and powers of each of these are individually detailed, including functions such as implementing policy, promoting cybersecurity, developing measures to deal with cybersecurity, analysing vulnerabilities, carrying out audits and numerous other matters relating to cybersecurity.

The bill itself is very lengthy, comprising a total of 122 pages, but it is a draft and as such is open to comments. A ‘discussion document’ is available for this purpose, with the deadline set at November 30. The bill and discussion document are available here.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.