The Committee held public hearings on the Cybercrimes Bill. The Bill was introduced because existing laws did not address cybercrime effectively. The Committee heard from Telkom, Michalsons Attorneys and Power Singh Attorneys on behalf of Media Monitoring Africa. All three organisations acknowledged the necessity of the bill and broadly welcomed it.
Telkom’s submission related to the definitions in the Bill, its alignment with the Regulation of Interception of Communication Act (RICA), and the responsibilities of electronic communication service providers. The company suggested revising the definitions of ‘computer,’ ‘traffic data’ and ‘interception of data’ in the Bill, and stressed the need for consultation with industry in the development of standard operating procedures. It drew attention to the technical issues associated with storing the massive amounts of data generated by digital communications in the current era. It further highlighted that there were some overlaps in the SOPs of RICA and the Cybercrimes Bill which should be looked at to avoid duplicating costs.
Michalsons Attorneys raised questions about the police’s ability to investigate and prosecute cybercrime, and the relation of the Bill to the Protection of Personal Information Act.
Media Monitoring Africa proposed certain specific additions to the Bill to protect citizens’ rights, such as an exemption for breaches in the public interest, and recognition of the best interests of the child.
Various matters were raised during the discussion. Members asked about the nature of the data storage obligations that the Bill would place on service providers like Telkom. Would they be expected to store all the data on their networks for a certain period all the time (a highly onerous technical task), or would they only be expected to store it on request? The discussion also covered the promulgation of standard operating procedures, the necessity of references to the Protection of Personal Information Act and problems associated with policing cybercrime.
Briefing by Telkom
Dr Aniel de Beer, Executive: Regulatory Legal, Policy & Compliance, Telkom, said that the company’s comments concerned some definitions in the Bill, its alignment with the Regulation of Interception of Communication Act (RICA), and the responsibilities of electronic communication service providers.
Dr de Beer said that the definition of ‘computer’ in the Bill needed to be future-proofed. Not all computing devices were computers.
Mr Steve Jump, Executive: Corporate Information Security Governance, Telkom, explained that the definition in the Bill simplified things in a way that would impede its usefulness in the future. It did not adequately account for the ubiquity of computers today. Any object with software running on it could have its communication with other devices intercepted. The definition was too abstract, masking the real complexity of the situation.
Dr de Beer said that the definition of ‘traffic data’ needed to be clarified too. Did it include metadata? The definition in RICA was better fit for purpose. The definition shouldn’t be too broad because it could pose some serious technical problems for operators.
Mr Jump explained that defining ‘traffic data’ was a highly technical problem because of the number of connections between devices, and the wide range of data types (for example video, voice, or text) that were ordinarily being transmitted, which were often segmented or encrypted. Any constraints on how this kind of traffic was handled and collected by electronic communication service providers, could prove to be a very onerous technical task.
Dr de Beer said that the definition of ‘interception of data’ in the Cybercrime Bill needed to be aligned with its definition in RICA. The reference to interception ‘through the use of a hardware or software tool’ might turn out to be limiting in the future.
Dr de Beer said there were some overlaps in the Standard Operating Procedures (SOPs) of RICA and the Cybercrimes Bill which should be looked at to avoid duplicating costs, and the concerns of Judge Sutherland about the appointment of the designated judge for RICA and the Cybercrimes Bill should be considered. Three years could be too long to expect data to be stored, as data storage had notable cost implications.
Mr Sarel Robbertse, State Law Advisor, Department of Justice and Constitutional Development, asked if the Bill might not make it cheaper to store certain data.
Mr Jump replied that RICA obliged electronic communication service providers to store metadata and make it available. The issue was that modern communications were extremely high volume and storing all of it in anticipation of a request to intercept it would be very difficult from a technical standpoint, and also created the possibility of it being intercepted illegally.
Mr Robbertse said that RICA imposed an obligation to store metadata on fixed-line and mobile telecommunications operators, but not internet service providers (ISPs), even though this was international best practice. Wasn’t it preferable, as per the Bill, to ask internet service providers to provide metadata on a case-by-case basis, rather than oblige them to store it?
Dr de Beer said if a blanket obligation to store data was imposed, the nature of the data included needed to be very carefully defined.
Mr Jump added that in many cases, an ISP had no idea what was actually being communicated over a network. The information it had access to was minimal, and much less than in the past. The guidelines for ISPs needed to take this into account. A case-by-case system would be preferable, given the logistical challenges that the greater complexity of modern communication raised.
Mr Robbertse said that the Bill would only become relevant when there were search and seizure orders or retention orders on data. It would not impose extra obligations on ISPs who were compliant with RICA. What onerous obligations was Telkom referring to?
Dr de Beer replied that the concerns were about retention of data. The ambit of communications referred to in the Bill could be clarified, with reference to the definitions in RICA.
Mr G Michalakis (DA; Free State) noted that Telkom supported the Bill and had pointed out some problems. What were its suggestions? What should be changed to make it acceptable to Telkom?
Dr de Beer replied that there were three points. First, the ambit of communications expected to be stored needed to be clarified. Second, the time period during which these communications needed to be stored needed to be clarified. Third, the SOPs needed to discuss practical issues such as how to mitigate disruptions to telecommunications services. Would operators be notified in advance when a request for data would be made? Would search and seizures take place during office hours?
Ms Z Ncitha (ANC; Eastern Cape) asked Telkom to elaborate on the problems associated with storing data.
Mr Jump replied that Telkom already kept certain data for 90 days. On request, Telkom was able to store all the traffic data on its network for a short period. However, storing all the traffic data for 90 days at all times would require ten times as much storage.
Mr K Motsamai (EFF; Gauteng) asked a question in Tswana.
Mr A Gxoyiya (ANC; Northern Cape) was asked to interpreted Mr Motsamai’s question. Mr Motsamai thought Telkom was only bringing problems and no solutions, he said.
Mr Motsamai was not satisfied with the interpretation and expressed his frustration with the lack of proper interpretation.
Dr De Beer suggested that regulation could be promulgated from time to time to deal with unexpected future changes in technology.
Mr Michalakis said that leaving it to regulation gave a lot of power to the Minister.
Mr Robbertse replied that there were rules governing the promulgation of regulations. He did not think it gave too much power to the Minister.
Mr Michalakis asked Mr Robbertse if Telkom’s requests were unreasonable.
Mr Motsamai asked a question in Tswana.
Mr Gxoyiya interpreted for Mr Motsamai. He was asking what was being done about the widespread availability of non-RICA-compliant SIM cards.
Mr Motsamai was not completely satisfied with the interpretation.
Mr Robbertse explained that there was an obligation on ISPs to register all SIM cards upon activation, but a provision allowing a SIM card to be transferred to another person was abused by resellers. It was technically a crime but it was not sufficiently enforced. RICA was being revise and this area would be looked at.
Mr Gxoyiya said he had expected to hear about international best practices on the issues being discussed, in particular regarding storing and making available to the state information relating to crime. Maybe increasing Telkom’s data storage capacity would be necessary to bring it into line with international best practices. ISPs had a role in preventing crime.
Mr Robbertse replied that international best practices were always followed in the drafting of cybercrime law, to enable co-operation. The definitions of ‘computer’ and ‘traffic data’ in the Bill were in line with international best practices. He also noted, in response to the presentation, that the Chief Justice had to nominate two designated “interception judges” between whom the Minister had to choose. This would ensure impartiality.
Mr Jump added that the distinction between telecommunications providers and ISPs was disappearing. Almost all countries had a requirement for all digital communications data to be interceptable and preserved as evidence. However, the difficulty of distinguishing legal and illegal data was a very difficult problem. It was widely acknowledged that there was a need to find a balance between technical and financial constraints on the one hand and the need to make data available for law enforcement on the other. In some countries, there were partnerships between telecommunications providers and law enforcement agencies.
Briefing by Michalsons Attorneys
Ms Lisa Emma-Iwuoha, Attorney, Michalsons Attorneys, noted the necessity of the Bill in the light of the increase in cybercrime in the last few years and made a few suggestions about areas that could be addressed.
- SOPs needed to be issued without delay. The Bill had included them as a requirement since 2015 but as yet none had been made public.
- Law enforcement agencies needed to increase their ability to investigate and prosecute cybercrime. It was unclear if it was a capacity or a skills problem. At present, private investigators ended up handling cybercrime.
- Police also faced challenges in handling electronic evidence. The South African Law Reform Commission’s work on the law of evidence should be considered.
- There were delays involving related legislation such as the Protection of Personal Information Act (POPIA). The right to privacy was protected by the Constitution, and the protection of privacy went together with the prevention of cybercrime, since personal information was often the raw material of cybercrime.
The Chairperson asked Ms Emma-Iwuoha if there were specific amendments she was proposing.
Ms Emma-Iwuoha said that Section 1(2) should reference POPIA as a whole, not just specific sections, to deal with all kinds of data.
Mr Robbertse explained that SOPs had been drafted but they could not be finalised until the Act was finalised. He was aware of the South African Law Reform Commission’s report on electronic evidence, but noted that its recommendations were not universally accepted. The Electronic Communications and Transactions Act currently regulated electronic evidence, but he acknowledged that it probably needed to be updated. He also said that according to POPIA, Section 6, it applied, to the exclusion of other legislation wherever it relates to the processing of personal information. This implied that Section 1(2) of the Cybercrimes Bill was not really necessary anyway.
Mr Michalakis said that Section 1(2) gave clarity. Was there any reason why it couldn’t be included as suggested by Ms Emma-Iwuoha?
Mr Robbertse explained that there were potential unintended consequences. For example, a hacker might be able to use it to argue that he was processing personal information responsibly.
Ms Ncitha asked Mr Robbertse to comment on the police’s ability to handle cybercrime.
Mr Robbertse replied that the Bill did place obligations on the Department of Police to ensure that they had the skills and capacity to enforce the Bill. Prosecutors were also being trained. Most countries had similar problems, he noted, since cybercrime was evolving so fast.
Briefing by Media Monitoring Africa (MMA)
Ms Avani Singh, Attorney, representing MMA, appreciated the importance of the Bill and made several comments on it.
- The cabinet directive to make a socio-economic impact assessment of the Bill available for public comment had not yet been followed. The impact assessment is a self-imposed Cabinet obligation and a necessary tool in better understanding internet governance proposals within the state. In the event that an impact assessment has not been completed, further deliberations on the Cybercrimes Bill should be halted until this has been done and all relevant stakeholders have had the opportunity to consider and make submissions thereon.
- The development of the Bill should follow a rights-based approach in line with international law. MMA was concerned that the Cybercrimes Bill does not adequately acknowledge that information rights are equally applicable online as they are offline, a position that has been affirmed by both the United Nations Human Rights Council and the African Commission on Human and Peoples’ Rights.4 MMA submits that information rights, and their applicability in any cyber framework, need to be fully considered and outlined in the Cybercrimes Bill. MMA proposed an addition to Section 1 to make explicit the state’s commitment to protecting individuals’ freedom of expression, access to information and privacy.
- With reference to malicious communications and the need to avoid overlap with other legislation, MMA proposed inserting the word ‘imminent’ before references to violence in Sections 14 and 15, and the inclusion of a harm threshold in Section 16 to avoid inadvertent breaches of this Section.
- MMA proposed an explicit recognition of the importance of the best interests of the child as described in Section 28 of the Constitution. On the one hand children might breach the law due to a lack of knowledge or maturity, and on the other hand they needed to be protected from exploitation through technology.
- MMA proposed an addition to Section 23 of the Bill which would exempt certain actions from penalisation in terms of the Bill if they were found to be in the public interest.
- MMA suggested the creation of a steering committee to provide overarching internet governance and oversight, similar in structure and broad participation to the Judicial Services Commission.
Mr Robbertse said a socio-economic impact assessment had been done and was available online. He clarified that there had been no obligation to publish it for public comment. He did not think it was necessary to repeat, in the Bill, rights that were enshrined in the Constitution.
Ms Singh replied that some clarity would be welcome, because rights were being pitted against each other. In POPIA, for example, there was a conflict between the right to privacy and the right to freedom of expression.
Mr Robbertse raised the question of whether any message distributed over the internet could create ‘imminent harm.’ For example, if a message promising a reward for raping a particular person was distributed, was imminent harm created? What if the intended victim was overseas at the time?
With reference to the judgement in South African National Editors Forum vs Economic Freedom Fighters, Ms Singh argued that electronic messages could create imminent harm if there was a clear causal nexus between the statement being made and the harm being contemplated.
Mr Robbertse did not think it was necessary to include specific clauses in the Bill dealing with matters that were covered in other legislation, in particular the Child Justice Act and the Sexual Offences Act.
Ms Singh replied that the Child Justice Act did not refer to the protections that should be afforded to children. She said that the Bill could rationalise various pieces of legislation connected to this issue.
Mr Robbertse thought the Bill could not include a public interest exemption. Such an idea might be considered in respect of the criminal law in general but should not be included on a piecemeal basis, with regard to certain offences. For similar reasons, a steering committee for internet governance should not be created by this Bill.
Ms Singh noted that the Bill criminalises particular types of speech. This has a direct and significant impact on specific rights; in this case the right to freedom of expression. With regards to imminent harm, certainly there are instances of imminent harm that can be caused by such messages and content as stipulated in the legislation. For example, in a recent court judgement regarding the incitement of violence, the application was unsuccessful. The court noted that even though the content was potentially harmful, there is no direct causal nexus between the likelihood and propensity of harm it may cause. So it is not just about a hateful statement or malicious communication but there also has to be a clear nexus between the harm that is being contemplated and the statement that is being made. She added that the best interest of children should be incorporated into the Bill given that it is likely to have significant implications on the rights of children inadvertently.
Mr Gxoyiya asked Ms Singh to make it clear whether MMA was in support of the Bill in general.
Ms Singh clarified that MMA broadly supported the Bill. It was just concerned about striking a balance with freedom of expression.
Mr Gxoyiya asked if MMA’s request to follow a rights-based approach was meant to imply that the Bill violated anyone’s rights.
Ms Singh said that the concern was that people could violate the Bill inadvertently whilst engaged in activities in the public interest.
The meeting was adjourned.