Cybercrimes and Cybersecurity Bill: public hearings day 2

Meeting report

Liquid Telecom submission
Mr Mike Silber, Liquid Telecom senior legal advisor, said that the Bill anticipates electronic communications service providers (ECSPs) as infrastructure providers and creates a balance between that role and their duty to cooperate with law enforcement. Liquid Telecom supports the general intention of the National Cybersecurity Policy Framework which is the centralisation of the coordination of activities, strengthening intelligence and investigation and prevention of cybercrime. To this effect, the Bill has created new and more relevant offences and crimes and increased cross-border enforcement and prosecutorial powers. Chapter 9 poses obligations for ECSPs and is in line with the constitutional right to privacy by prohibiting the unlawful monitoring of data in their networks. However, ECSPs have an obligation to report if their network is involved in the commission of any offences listed in the Bill.

Although the Bill plays a vital role, Liquid Telecom raised concern about its far-reaching powers of search and seizure afforded to the police which need to be realigned with the Regulation of Interception of Communication Act (RICA).

Discussion
Mr S Swart (ACDP) on the issue with the amendments to RICA, he asked on whether there was a reason as to why the proposed amendments to the Judicial Matters Act did not go through as they would help with the alignment with the Bill. He expressed his concerns regarding the phrasing and the penalties of the penalties in section 53 of the Bill and RICA

Mr W Horn (DA) said that Liquid Telecom identified problems with the implementation of the Bill and its alignment with RICA but gave no specifics. He requested a further submission on whether RICA or this Bill should be amended so they can be aligned.

Mr L Mpumlwana (ANC) asked for clarification on the clauses in the Bill that should have been excluded so as to align it with RICA.

Ms C Pilane-Majake (ANC) said that there is a need for interception of communications as a matter of state security and she supported the ‘double-padlocking’ by using both this Bill and RICA.

Mr Silber clarified that Liquid Telecom is not advocating for removal of any clause in the Bill but only to add focus by avoiding the addition of extraneous provisions dealing with crimes not related to cybercrimes.

Mr Swart said that the Sexual Offences Act already includes some of the concerns expressed by Liquid Telecom.

Bowline Security submission
Mr Carl Heinz Uys, CEO: Bowline Security, said that cyberspace should be safeguarded. The Bill should be improved around breach notification. The obligation of private and public institutions to notify about internal breaches should be more pronounced. They should notify the Department of Communications when a breach takes place in their organization. The Bill is too lenient on internet service providers and financial institutions in taking responsibility as they are the primary infrastructural institutions. There should be dedicated information security officers in private and public organizations rather than the burden being placed on ICT departments as this leaves organisations vulnerable and ineffective to cybersecurity threats. CEOs and relevant board members should be held accountable in their personal capacity for abuse of consumers’ personal information.

Discussion
Mr Swart (ACDP) asked if the provisions in the POPI Act were adequate to address the concerns raised about the personal information risk and information security officers.

Ms M Mothapo (ANC) requested recommendations to make the Bill balanced and not too lenient on CEOs and the relevant board members.

Ms Pilane-Majake asked for clarification on the proposed sanctions against board members and CEOs.

Mr Carl Heinz Uys replied that the POPI Act has provisions on information but not specifically on the cyberspace environment. The CEO and the board must ensure that there is a proper structure that caters for cybersecurity risks. If those preset structures are found wanting, they should be held liable.

Information Regulator South Africa submission
Mr Sizwe Lindelo Snail Ka Mtuze, Information Regulator member, said that every person has the right to privacy that extends to not having their communication violated and any personal information held by another person. The Bill should appreciate this right and balance it with the constitutional right to access information. The Regulator has a keen interest in crimes dealing with malicious communication, malicious data and unlawful interceptions as well as theft of data since it deals with the theft of personal information.

The extended powers for the extra territorial jurisdiction of courts and referencing of cross border information of personal information for international co-operation should be extended only to countries with the same legal regime.

The Regulator, in accordance with its mandate to protect personal information and promote access to information, should participate actively in the proposed government structures dealing with cybersecurity and provide solutions in line with the Constitution. The Bill should be amended to give effect to certain sections of the POPI Act so as to be in line with the constitutional right to privacy. The Information Regulator would wish to participate in the proposed cybersecurity governing structures to offer advice on less intrusive measures that will not violate the right to privacy while at the same time appreciating the right to access information. The Regulator should be included in the cybersecurity response committee.

Clause 43 which allows SAPS to receive information without a warrant or due legal process should have safeguards to avoid abuse. Clause 62 which creates general obligations on electronic communications service providers for certain information should also be revised to be in line with the right to privacy. Any form of information sharing invites the intervention of the Information Regulator. Clauses 57 and 58 raise concern since it gives the State Security Agency an unfettered discretion to declare any information infrastructure of national importance and thereby allowed to inspect it.  

Discussion
Mr Swart requested suggested amendments to improve the interpretation of the Bill. He asked for comments of section 205 of the Criminal Procedure Act, which offers law enforcement sweeping powers and which could also be used to grant access to information. He asked if the Information Regulator could provide input on the necessary checks and balances in the Bill to eliminate potential abuse of power. He asked if the Information Regulator had noticed the broadness of Clauses 16 and 17.

Mr Horn expressed his concerns with the use of the word ‘unlawful’ in expressing various criminal acts in the Bill. He asked if the Bill, in its present state, would criminalise the organizations that fail to implement fully the obligations bestowed upon them by the POPI Act.

Mr Mpumlwana asked if the Information Regulator could assist in the improvement of the Bill’s drafting.

Ms Pilane-Majake asked how clause 43 could be revised to safeguard the right to privacy of South Africans.

Mr N Matiase (EFF) said that the submission of the Information Regulator was imaginative and beyond the Regulator’s mandate as envisaged in the POPI Act. He asked how the Information Regulator would deliver on its mandate as an independent regulator and also play an active role in the proposed governing structures of this Bill.

Mr Snail Ka Mtuze replied cybercrime and cybersecurity share some similarity despite the fact that they have different objectives. Copyright infringement should not however be reflected in the Bill and should be catered for in the copyright legislation. The Bill should not stretch out to related matters of cyber criminality but concentrate on unlawful access and interception among its primary concerns. The Office of the Information Regulator gazetted its draft regulations on 8 September and for the last few weeks it has been conducting regular interviews for the key staff required. Its proposed involvement in the structures of the Cybersecurity Bill is not imaginative but creative. The Information Regulator will still be acting within its mandate by ensuring compliance and offering valuable legal advice in the interest of not only the government but the public as well. The Information Regulator would wish to have an advisory approach to the matter through engagement with departments to prevent infringement of the POPI Act.  The Information Regulator would like to actively participate within these structures rather than instruct them on what to do.

Cell C, Telkom SA, Vodacom joint submission
Adv Jacqueline Fick, Cell C Executive Head, Forensic Services, said that there was a need to create a centralized point for prosecuting cybercrimes. The prosecution of cybercrime is fairly new and she suggested that clause 3(a) should be moved to clause 2 dealing with unlawful securing of access and should also include offences of interception of communications, in line with the Budapest Convention amongst other international conventions. RICA should be amended to align with the Cybercrimes and Cybersecurity Bill.

She proposed that there should be a maximum amount for a fine to act as a deterrent against cyber fraud and cyber forgery. There should be an amendment of clause 34 on investigation, search, access and seizure of articles, and proposed that there should be safeguards to prevent abuse of warrants.

Clause 46 requiring the preservation of real-time communication-related information will have huge storage and cost implications. There should be an inclusion of identity theft as a punishable offence in the Bill. The POPI Act deals only with the information of living persons; however, identity theft needs to extend to the use of deceased persons’ identities to transact. The Bill will assist law enforcement in prosecuting international revenue sharing fraud schemes as under the current legislative framework such prosecutions have been frustrated.

Discussion
Mr Matiase asked on how telecommunication consumers could protect themselves from fraudulent callers and how the service providers deter such activities. He asked if the telecommunication service providers were advocating for fixed mandatory fines and how much would be desirable as a fine to deter criminality.

Adv Fick replied that consumers could protect themselves from telecommunication fraud by securing their communication devices and server end points. Consumer awareness and education is important although such crimes pose as a worldwide concern.

Mr Matiase asked if the provisions relating to the fines in the Bill should be prescriptive.

Adv Fick requested to respond in a further submission so as to seek the opinions of the other telecommunication service providers.

MTN submission
Mr Moses Mashisane, General Manager; Regulatory Affairs, MTN, said that the Bill has significant implications for electronic communication services providers and potentially, material, adverse and unintended consequences.

Mr Robby Coelho, Executive Legal: Digital, MTN, said that there should be references to international best practice standards in the Bill so as to give guidelines on operating procedures. There should be clarification and caution exercised with regards to the definition of crimes in the Bill so as to prevent inadvertently creating offences for innocent conduct. The scope of the Bill is exponentially wider than some international treaties such as the Budapest treaty. There should be safeguards to qualify the application of the broad definitions in the substance of the Bill.

The Bill needs to be strengthened to ensure that broadcasters and electronic communications service providers continue to have, and surpass, the protections currently afforded by the ECT Act. The Bill’s focus should be broadened to encompass computer networks adequately in favour of broadcasters.

The right to search and seize is broad and cannot be applied generally to ECSPs. There is lack of specificity and proportionality in the exercise of these powers by law enforcement. There is a lack of provisions addressing a situation where the exercise of these powers is challenged. With regard to evidence preservation and reporting, an interpretation of the provisions obligating ECSPs to block certain communications is impractical in certain instances. There is a need to address the practicality of some of the obligations placed on ECSPs as they should be subject to technical constraints.

Discussion
Mr Horn said that there is no duty on Parliament to perform a regulatory impact assessment. He asked if a cost assessment on compliance could be conducted. The relevant ECSPs could provide assistance in providing the real costs to the respective companies and the end users of their products.

Mr Mpumlwana reiterated that there was a need for a implementation cost assessment to be done so that the Committee could know the real cost.

Mr Mashisane replied that they are still conducting a cost analysis. Although, it is not an exact science and some of the costs may not be known at all, from the data analysed, it shows that the costs are still escalating.

Media Monitoring Africa (MMA) submission
Mr William Bird, Executive Director: MMA, said that due to the cross cutting nature of cybercrime, it cannot be left to one department. There needs to be an inter-departmental steering committee and multi-stakeholders to build a response team for cybercrime. There needs to be a socio-economic impact assessment on the Bill. The best interest of the child is not considered in the Bill and there needs to be provisions addressing cybercrime relating to children. The Bill lacks provision for rights discourse to address challenges and creates a new crime of distribution of a harmful message which is a disparity since it is a crime online but not offline. It should deal with the ‘fake news’ provision as clauses 16,17 and 18 may have potential unintended consequences.

There should be an overarching internet governance management node within the state to ensure swift and effective response to cybercrime. An impact assessment should also be conducted by the Socio-Economic Impact Assessment System (SEIAS) and its results made public to allow stakeholders an opportunity to make submissions on it. A new section should be drafted to deal with criminal sanctions relating to the exposure of children to pornography, the use of technology to groom and exploit children, and the need to develop curricula informing children about cybercrime.

A cabinet member responsible for the Department of Justice and Correctional Services, as opposed to the cabinet member responsible for State Security, should oversee and exercise control over the operation of the Cyber Response Committee. There should also be independent members of the Committee outside of government.

Discussion
Mr Horn asked why there needed to be more provisions in the Bill on criminal sanctions relating to child pornography since this is already dealt with under section 19A of the Sexual Offences Act.

Mr Mpumlwana asked for clarity on the exact clauses of the Bill that should be amended with recommended proposed amendments and the suggested way forward for the Bill.

Ms Pilane-Majake asked for clarity on the proposed socio-economic impact assessment study of the Bill.

Mr Bird replied that the Bill needs to be halted until the impact assessment test has been done to enable the Bill to be passed on an informed basis. The proposed diversity of the inter-departmental steering committee will eliminate potential risk for confusion as it will enhance better communication.

Mr Swart said that there already exists a reporting mechanism that is very broad which addressed the expressed concerns. The Child Justice Act accommodates the vulnerability of children and protects them.

Credit Bureau Association (CBA) submission
Ms Alison Magrath, CBA Executive Manager, said that there is ambiguity in some of the provisions that enable the Minister of State Security to declare any information infrastructure, or category or class of information, as a National Critical Information Infrastructure (NCII) including any infrastructure that any interference with may cause major economic loss or cause the destabilisation of the economy.

This provision does not identify to whom the major economic loss may be caused and leaves the interpretation of the destabilization of the economy, solely upon the discretion of the Minister. It also does not allow for companies to be represented by a representative body such as the CBA and thereby obligates all the members of the CBA to individually appeal any such declaration by the Minister. This could potentially lead to economic loss. The issue of warrants for seizure of information would need to be very specific to prevent the disruption of the working of the credit bureaus.

With the enactment of the Protection of Personal Information Act, the credit bureau, being a processor of personal information, will also be regulated by the Information Regulator thereby resulting in the industry being regulated by two regulators.

The definition of ‘critical data’ is too broad and includes the personal affairs of any person and commercial information that could cause undue advantage or disadvantage to any person. Credit bureaus hold commercial information on data subjects and such over-broad definitions have the potential to lead to legislative abuse for ulterior motives.

It is recommended that Credit Bureau Association members should be specifically excluded from the definition of an NCII or be exempted from being declared an NCII. The definition of an electronic communications service provider (ECSP) is currently too broad and may inadvertently include registered credit bureaus as subject to all provisions applicable to an ECSP.

The general obligations of ECSPs set out in clause 64 are likely to have little effect as far as credit bureaus are concerned thereby rendering them superfluous.

Discussion
Mr Mpumlwana requested concrete recommendations directly speaking to the provisions of the Bill to assist the Committee to make informed decisions on the Bill.

Mr Horn said he agreed with the concerns on the role of the state security, however the exemption sought by the CBA from certain provisions would defeat the objective of the Bill on one hand and thereby frustrate prosecution of certain crimes. He said on the verbal warrants that  the application for the warrants may be oral, however, the warrants are written, Also, there has to be the existence of exceptional circumstances which will be adjudicated upon under the rules of the Court.

Ms Magrath replied that their intention is not to be excluded from the exemption of the Bill. Any interference in the credit bureaus work would significantly and adversely impact on the country’s economy. If their incoming data was stopped as provided for in the Bill, nobody would be able access the records in the credit bureaus. The CBA is willing to enter into an agreement with the eventual enforcer of the Act to ensure that the principles are adhered to without stopping the working of the credit bureaus. However, most of the state security provisions in the Bill have the potential to interfere with the work of the credit bureaus. This interruption would most likely have a negative impact on the economy.

The meeting was adjourned.