Cybercrimes and Cybersecurity Bill: public hearings day 1
Justice and Correctional Services
13 September 2017
Chairperson: Dr M Motshekga (ANC)
Cybercrimes and Cybersecurity Bill: public hearings 2
Cybercrimes and Cybersecurity Bill: public hearings 1
Freedom of Religion South Africa submission
Internet Service Providers Association submission
Open Democracy Advise Centre submission
Right to know (R2K) submission
Michalsons Attorneys submission
South African Banking Risk Information Centre (SABRIC) submission
South African Banking Risk Information Centre (SABRIC) presentation
Southern Africa Federation Against Copyright Theft submission
Digital law Company submission
IM Governance (Pty) Limited submission
Centre for Constitutional Rights (CFCR) submission
Internet Solutions submission
The Centre for Constitutional Rights (CCR) stated the Centre largely supported the Bill. It does have concerns as certain clauses relating to fake news and revenge porn are overbroad and raise constitutional issues. The provisions could unduly limit constitutional rights to freedom of expression, privacy and access to courts. Limitation of constitutional rights should only occur when necessary and can be justified under section 36 of the Constitution. International instruments also require that limitations of fundamental rights only occur when necessary and that any limitation must be proportional.
Certain provision such as “harmful” and “distribute” are not defined in Chapter 3 of the Bill dealing with malicious communications. There are also overlaps with definitions contained in other legislation such as the Equality Act and the Hate Crimes Bill. Clause 16 deals with data messages which incite “imminent violence”. This is wider than the formulation of freedom of expression in the Constitution. The clause limits freedom of expression and the limitation must be constitutionally justified. The Regulation of Gatherings Act already addresses public violence. The Bill should not criminalise conduct which is already criminalised in other legislation. The clause dealing with fake news fails to define what “inherently false in nature” means. This should be addressed. Protection orders and much of the conduct criminalised in the Bill is already provided for in terms of the Protection from Harassment Act. There should not be a proliferation of legislation dealing with the same matter, especially if later legislation will have the effect of limiting constitutional rights.
While the Chairperson emphasised there cannot be a focus on rights alone and people must also recognise rights entail corresponding responsibilities, Members agreed that certain provisions are overbroad and that undefined terminology is problematic. The Bill must seek to balance its legitimate purpose with constitutional rights. Some Members suggested that the Centre was not in favour of the Bill at all but cybercrime is a serious issue which requires government intervention. It was suggested that a liberal conception of freedom of expression is different when it comes to African values and culture. They said it was necessary to ensure security and stability as without this, there can be no meaningful constitutional democracy.
Freedom of Religion South Africa (FOR SA) agreed that security around cybercrime must be strengthened. However, this cannot be at the expense of constitutional rights. The provisions on malicious communications in Chapter 3 are overbroad and criminalise the sending of certain data messages. The constitutional right to freedom of expression includes the sending of data messages. Parliament should be slow to criminalise forms of expression. Less restrictive means to achieve the purpose of cybersecurity must be considered. The sending of malicious communications can already be covered by the Harassment Act and various civil remedies. The common law crime of crimen injuria also covers much of the conduct criminalised in the Bill. Vague terminology such as “make available” is also problematic. People must be able to properly order their conduct in advance which is a foundational part of the rule of law.
The Chairperson reiterated that rights must be balanced with responsibilities. A Member warned against freedom of expression being allowed to permit people to encourage revolution such as what had occurred during the Arab Spring. Another did not see a problem with duplicating criminal offences in different Acts as he said it is better to put two padlocks on a door instead of one. Freedom of expression is often abused which is damaging to black Africans. This occurs when the President is criticised and humiliated. To many black Africans, it is humiliating for them even though they may not like the President. This is because he is an elder in African culture.
Some Members agreed that common-law remedies and other legislation must be considered to determine if other laws already give effect to certain aspects of the Bill.
Right to Know (R2K) said freedom of expression is a fundamental constitutional right. The free flow of ideas on platforms such as the internet is essential for democracy. It welcomed the new Bill but it still has concerns that certain provisions are overbroad and vague. Other provisions provide too much power to state security agencies. The need to regulate harmful expression is necessary but this cannot be used to infringe on freedom of expression unduly. The original Bill was completely rejected by the organisation. They welcome the fact that some of their concerns were addressed such as the removal of the secrecy clause.
Certain provisions in Chapter 3 are not properly defined. This is problematic and should be remedied. The provisions dealing with fake news should be completely removed. The state should not be permitted to police what people deem to be the truth or not. A civilian body should be established which can ensure the powers granted to state security in the Bill are not abused. The clause criminalising “incitement” to harm should be removed. Provisions should not criminalise expression which merely has the potential to create harm. The Bill expands on the provisions of the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) which is currently subject to a court challenge by AmaBhungane. This is all the more acute given that various journalists and politicians have alleged they are been spied on by state security. This is more reason to ensure a civilian body has oversight over its powers in terms of the Bill.
Members suggested that R2K focused too much on protecting rights. A Member said she had no problem with online activism but only when there is an element of criminality can online expression fall foul of the Bill. It was noted that the state can also be a perpetrator of cyber offences and specific examples were requested. It was suggested that R2K fulfils an important role but rights must be balanced with other considerations; they cannot be absolute.
The Media Law Company welcomed the Bill. It agreed with clause 18 which criminalises revenge porn as this is a serious issue which it encounters daily, which can destroy people’s lives. The requirement of “intention” should however be removed. Negligence should be sufficient to be convicted of unlawfully distributing revenge porn as many people argue they did not intend to distribute revenge porn. It is difficult to establish the legal requirement of intention. Whether a person intended to do something or not, the harm suffered is still the same. It was recommended that the requirement of “by means of a computer” system also be removed. The requirement of “nudity” should also be removed. Revenge porn should also rather be dealt with in terms of the Sexual Offences and Related Matters Act as it is, in their opinion, a sex crime and therefore should be classified as such.
Members were sceptical that removing the intention requirement would be permissible. Some felt that it would make not much difference which legislation criminalises revenge porn. The submission was valuable as it provided real world experience of the harm of revenge porn which the Bill attempts to eradicate.
Centre for Constitutional Rights (CCR) submission
Ms Phephelaphi Dube, CCR Director, said the Centre welcomed the Bill to the extent it would place South Africa in the twenty first century as far as cybersecurity is concerned. The Centre did have a few concerns. Ms Dube noted the highly technical nature of the Bill. In accordance with its mandate, CCR would confine its comments to its constitutional concerns about the Bill.
Ms Christine Botha, CCR Legal Officer, noted various amendments had been made since the draft Bill was published in 2015. The CCR welcomed the introduction of the computer espionage offence and the infringement of copyright offence amongst others. Certain clauses did raise cause for concern. The CCR believed those provisions unduly impacted on the constitutional rights of freedom of expression, privacy and access to courts. As noted by Ms Dube the CCR do not claim to be cybersecurity experts. Nevertheless, the constitutionality of certain clauses did cause concern for the CCR such as Chapter 3 on malicious communication. The Bill also fails to address various shortcomings of the Regulation of Interception and Provision of Communication Related Act (RICA).
Section 16 of the Constitution protects the right to freely impart information and ideas. Measures in the Bill should therefore not stifle the free flow of communications. Specific forms of expression are expressly prohibited in section 16 of the Constitution. Expression excluded from constitutional protection includes: propaganda for war, incitement of imminent violence and advocacy of hatred based on race, ethnicity, gender or religion which constitutes an incitement to cause harm. Any legislation which falls outside of those three exceptions limits the constitutional right to freedom of expression. Such legislation is only constitutional if it can be justified as a constitutional limitation under section 36 of the Constitution.
Section 14 of the Constitution protects the right to privacy. This includes the right not to have the privacy of one’s communications infringed. The Constitutional Court has interpreted this right to mean that the closer the infringement of the privacy right is to one’s inner sanctum of privacy, such as in one’s home, the harder it will be justify the limitation under the general limitation clause in section 36 of the Constitution.
Section 34 protects the right of access to courts. This gives everyone the right to resolve justiciable disputes in a court of law, or where appropriate another independent forum, in accordance with a fair public hearing.
Certain international principles can also be used as guidance in relation to the Bill. The International Principles of Human Rights in relation to Electronic Communications has been drafted by the United Nations. The instrument is not binding on South Africa but does highlight how human rights should be protected in electronic communications. The instrument states that limitations of human rights should only occur if necessary and should be proportional to the aim which the limitation strives to achieve.
If rights are limited by legislation, then they must be justified by the general limitation test in section 36 of the Constitution. The courts consider various factors to determine the constitutionality of limiting a constitutional right. These include: the relation between the limitation and its purpose, aim of the limitation and less restrictive means to achieve that purpose. The rule of law also requires legislation to be clear so that ordinary people can determine what conduct it prohibits.
The specific clauses which the CCR had issue with were examined:
• Clause 16 criminalises conduct which unlawfully makes available a data message which the intention to incite the causing of damage to a person or property against a specific person or group.
• Clause 17 makes it an offence to unlawfully and intentionally, make available, broadcast or distribute a data message which is harmful.
The CCR had both general and specific concerns:
A general concern is that certain key concepts are not defined. There is no definition of “broadcast” or “distribute”. There are also definitions in other Bills which can create confusion. In the Hate Crimes Bill a “data message” is defined differently to the Cybercrimes Bill. The Hate Crimes Bill criminalises data messages which “incite violence”. Section 16 of the Constitution only excludes expression which leads to “incitement of imminent violence”. Imminent violence has a specific connotation. This is conduct which is aimed at producing imminent or certain unlawful and/or violent action. This is a wide limitation of the right to freedom of expression.
Existing legislation already deals with public violence such as the Regulation of Gatherings Act and Prevention of Public Violence and Intimidation Act. The common law also criminalises malicious damage to property. Clause 16 thus creates additional criminal sanctions for conduct already criminalised. This is means the limitation is quite broad. This is a factor considered under the general limitation clause. As reasonable limitations already exist, this could mean the further criminalisation in the Cybercrimes Bill in clause 16 could be unconstitutional.
Clause 17 raised specific concerns. The drafter’s intention is not clear. The Harassment Act already has a wide definition of harassment inclusive of cyber harassment, cyber bullying and cyber stalking. The clause creates additional criminal measures. This raises the same issues as with clause 16. A further problem is that “harmful” is not defined in the Bill. In contrast, the Harassment Act has specific definitions. The Promotion of Equality and Prevention of Unfair Discrimination Act (PEPUDA) also defines ‘harmful’. This creates confusion as different definitions of “harmful” appear in different Acts. This creates problems of undefined terminology. Clause 17(1)(d) does not define what “inherently false in nature means”. “Part of a group” is also undefined. This means the provision is overly broad. It constitutes a broad limitation which is not carefully and narrowly tailored.
Clause 19 deals with protection orders pending finalisation of criminal proceedings. The clause is very similar to the process in the Harassment Act. This creates a potential overlap between the two. The overlap does not make legislative sense and creates confusion.
Clause 17(2)(d) refers to messages which are “inherently false in nature”. There are no objective criteria to determine what this means. The causing of “mental, psychological or physical harm” is taken from the Harassment Act. The Bill thus alters the definition of what is harmful in data messages. Civil and criminal remedies already address this conduct such as the common-law crime of crimen injuria. This is an overbroad limitation of freedom of expression.
Recommendations were made to address CCR’s concerns:
• Clause 17 should be entirely deleted. It is overly broad. Existing legal remedies already address the concerns it aims to achieve. The focus should rather be focusing on preventing conduct such as cyber bullying through means such as education. The Harassment Act already addresses this issue. If the clause is retained, then key elements of the offence must be clearly defined.
• Clause 38 governs the interception of communications. It is closely linked to RICA. It also extends the scope of RICA. The constitutionality of the interception of communications order is currently been challenged in the Gauteng High Court by the amaBhungane Centre for Investigative Journalism. A key issue of the current litigation is notification of an interception order. RICA does not provide for notification of interception orders to affected parties. This means the legality of such an order cannot be reviewed because no notification of this order is communicated. Clause 37 of the Bill reiterates RICA’s prohibition on disclosure.
• Chapter 10 of the Bill introduces the concept of information sharing. CCR was concerned about how information sharing impacts on intercepted data. Chapter 10 requires the Minister of Justice to make regulations on data sharing. There is however limited information on how the information will be stored. For example: no provision is made for the destruction of intercepted data after a certain period. CCR recommends that RICA’s provisions should be reviewed in conjunction with the Bill.
• Clause 38(3)(b)(i)-(iv) deals with obligations of communication service providers. The clause reiterates and goes further than the provisions in RICA. The clause requires service providers to store information of clients but makes no differentiation for different categories of information. The vagueness of the requirement unduly limits the constitutional right to privacy. CCR recommends the constitutionality of RICA urgently be reviewed. Blanket provisions on disclosure and information sharing should also be reviewed. More detail on judicial oversight and the destruction of stored information should also be provided.
The Chairperson commented that society should move away from a focus purely on rights alone. Emphasis must also be placed on responsibilities of citizens as well as rights. Rights such as freedom of privacy can be used for negative ends such as harbouring terrorists.
Ms M Mothapo (ANC) asked if the CCR was a unit of the FW De Klerk Foundation. The CCR did not appear to be interested in the Bill coming into force. Areas of concern had been identified but not enough focus was placed on remedying these concerns. Cybercrime is a serious issue in the country. South Africa is also a signatory to the AU Convention on Cybersecurity. The Department of Justice, in her view, was passing the Bill to comply with the AU Convention obligations. It was unfortunate the submission did not provide solutions to the problems identified in more detail.
Mr S Swart (ACDP) responded that the CCR welcomed the Bill to the extent it addressed legitimate concerns of cybercrime. CCR did not thus reject the Bill in its entirety. Clause 16 and 17 are problematic because of the lack of precise definitions. Proper amendments, such as ideal definitions, should have been proposed to address that concern while simultaneously addressing the need to fulfil the purpose of the Bill. The overbreadth of the Bill has severe implications for freedom of expression. Even politicians who send data messages, such as SMSes, could contravene the Bill if enacted. The Clause 17(2)(d) phrase “inherently false in nature” is ambiguous. Either something is false or not. There was overlap with other legislation such as PEPUDA’s definition of “harm” not being in line with the definition of “harmful” in the Bill. It was positive that CCR alerted the Committee to the discrepancy. The Harassment Act already criminalises conduct identified in clause 17. The Department of Justice should brief the Committee on why the Bill should criminalise that conduct twice. The possibility of authorities abusing their authority in RICA is a serious issue. Further briefings should be conducted to address that concern.
Ms C Pilane-Majake (ANC) noted that clause 17 should be removed because other legislation already criminalises that conduct. It is however important to strengthen security measures within the country. Constitutional democracy requires promoting security to secure peace. Without stability there cannot be peace and a functioning constitutional democracy. The UN declaration of Human Rights is based on peace. The current situation in South Africa requires more measures to promote security and stability. Other Acts do provide for certain measures contained in the Act. The country must however ensure that security and peace are ensured.
The Chairperson stated responsibility naturally limits rights. There cannot be rights without corresponding responsibilities.
Mr B Bongo (ANC) said cybercrime is top priority on the continent. Parliament wants to respond to that concern in the interests of the people of South Africa. Ms Mothapo was correct that if areas of concern were identified as potentially unconstitutional then alternatives should be identified. If a law conflicts with another piece of legislation, specific recommendations should be made. The right to privacy cannot override the rights of people affected by cybercrime. Constructive recommendations should have been made to guide the Committee in addressing the concerns around the Bill.
Mr N Matiase (EFF) agreed with Mr Swart that clause 17 has various challenges. The clause is quite overbroad. Clause 17(2)(d) dealing with fake news also requires further review. He agreed with Ms Mothapo and Mr Bongo that recommendations to remedy concerns should have been provided in more detail. The Bill arose five years ago following the Arab Spring. The Arab Spring had a fundamental impact because of social media. The Bill attempts to regulate widespread social disorder arising from an Arab Spring scenario. The old generation is generally wary of new technology while the younger generation wants to embrace it. Fake news however became a popular political tool following Bell Pottinger’s media campaign in South Africa. Social media was used as tool in that campaign to spread fake news. What is CCR’s view of fake news? Bell Pottinger’s campaign had flooded South Africa social media with fake news. What should be the response of government to that type of conduct?
Mr W Horn (DA) stated the State Security Agency (SSA) was not performing its functions per its mandate. Rather it was becoming involved in political issues. The South African Police Service (SAPS) is given a wide responsibility and mandate under the Bill. At the same time, SAPS is suffering from a lack of capacity. What is CCR’s views on whether the SSA would perform its duties within the ambit of the Bill and not abuse its powers? Would the SSA perform its functions as required by the Constitution? Should Parliament rather fix abuse of power first before determining if the Bill is problematic from a constitutional viewpoint?
Ms Dube agreed with the Chairperson that there must be a balance between rights and corresponding responsibilities. Rights can be limited. The limits must however be in terms of the Constitution. Openness is a foundational value of the Constitution which must be the starting point. If freedom of expression is limited it must be within a constitutional framework and justified by the limitation clause. She noted Ms Botha did not want to convey the impression that constitutional rights are absolute. If rights are limited that must be done in compliance with constitutional principles.
The Chairperson asked Ms Dube if he did not want his children to watch sex on television did that mean that he must wait for the Constitution to be amended? Does the Constitution give a right to culture?
Ms Dube replied the best interests of the child must always be taken into consideration. What is important is to balance constitutional rights. In that case, the best interests of the child would be more important. The Constitution does give a right to culture. All the rights are subject to the limitation clause.
Mr Bongo asked if Mr FW De Klerk supports the CCR submission.
Ms Dube responded that Mr De Klerk played a fundamental role in drafting the Constitution. As a representative of his organisation, she and Mr De Klerk fully support all the rights contained in the Constitution.
Mr Mpumlwana said there are various diverse cultures in South Africa. He took issue with the response of Ms Dube to the Chairperson about culture.
Mr Horn interjected. He did not want to suppress the views of other members. Mr Mpumlwana cannot ask follow up questions. This caused the Committee to waste time.
The Chairperson noted Mr Mpumlwana had a follow up question which was permitted. He allowed him to continue.
Mr Mpumlwana stated that cultures have different values. In his culture, it is not permissible for children to be shown sex on the television.
The Chairperson stated certain forces wanted to create a permissive society with the aim of destroying humanity. The CCR must acknowledge that all rights must entail responsibilities. Freedom of expression and other rights must be balanced to prevent the destruction of society occurring.
Ms Dube stated that the starting point is the Constitution. It is the higher ideal which guides all of South African society. The Spear painting is a case in point. The Spear painting is not art she personally likes or would buy. At the same time the artist has the right to artistic expression even though it may be offensive to some. This requires a balancing act of various competing rights to determine what is constitutional or not.
The Chairperson asked if The Spear painting protects the constitutional right of the best interests of the child.
Adv Breytenbach (DA) interjected. It was unacceptable for the Chairperson to interrupt Ms Dube whilst she was replying to a question. Proper protection must be provided allowing Ms Dube to finish her response.
Mr Bongo said Adv Breytenbach did not have a leg to stand on. This is because the FW De Klerk Foundation had financed litigation against the National Prosecuting Authority (NPA).
Adv Breytenbach replied that Mr Bongo is incapable of rational thought. She was therefore unconcerned and not interested in his response and initial point.
Ms Dube said Mr Bongo’s recommendation of concise solutions to identified concerns was valid criticism. CCR maintains that clauses 16 and 17 should be deleted in its entirety. If the clauses are retained precise definitions should be inserted. Congruence with other legislation should be considered. If the Chairperson permits it, CCR would submit further recommendations on how to address its concerns.
The Chairperson responded the Committee would welcome a further submission.
Ms Botha said CCR is in favour of the Bill. CCR’s concern is that certain clauses risk been declared unconstitutional by the court. The Constitution and balancing of rights must be considered. Overly broad limitations on freedom of expression run the risk of not passing constitutional scrutiny. Clauses 16 and 17 should be removed because other legislation such as the Harassment Act already fulfil the purpose of those provisions. Effort should rather be spent educating the public about the Harassment Act. This would make use of existing legislation without infringing on the freedom of expression in a potentially unconstitutional manner. Cyber bullying policies can also be considered. SAPS will have to apply the Bill. The Bill is already complicated with the potential to create issues for crime enforcement. Defences such as the public interest defence, which apply in the law of defamation, can also be considered to make the Bill constitutionally compliant. Unregulated storing of information cannot be constitutionally permissible. Rights and responsibilities are important. Limiting rights must however be done in a constitutionally permissible manner.
The Chairperson reiterated society must adopt a culture of rights and responsibilities. The best interests of a society’s children must come first. Unlimited artistic rights can destroy the future of children by creating a permissive society. Rights theory should be workshopped to ensure the safety of children.
Freedom of Religion in South Africa (FOR SA) submission
Adv Nadene Badenhorst, Legal Counsel: FOR SA, accompanied by Ms Daniella Ellerbeck, Legal Advisor, FOR SA, focused specifically on freedom of expression and religion. FOR SA was largely in alignment with the comments of the CCR. The legitimate aims of the Bill are commended. Legislation is needed to combat cybercrime. Constitutional democracy and security must be strengthened. That must however occur within the boundaries of the Constitution. Certain clauses are overbroad.
Malicious communications in Chapter 3 of the Bill are of concern, in particular, clauses 16 and 17. Section 16 of the Constitution protecting freedom of expression must be the starting point. This includes the right to share information and ideas. Digital communications fall within the ambit of section 16 of the Constitution.
The Arab Spring communications inciting violence would not be constitutionally protected. This is because section 16 of the Constitution does not protect such expression. Other limitations must however be justifiable in terms of section 36 of the Constitution. Less restrictive means must also be considered. As raised by the CCR, other legislation and common law remedies such as interdicts and damages, must therefore be considered. Criminal law measures already cover conduct which the Bill aims to criminalise such as incitement and conspiracy.
Criminalisation is a fundamental restriction on freedom of expression. Parliament must be slow to limit freedom of expression through criminal law. Clause 16 criminalises forms of expression which encourage damage to property or violence to property by means of distributing data messages which incite such conduct. Vague terminology in clause 16 is problematic. Terms such as “make available” and “broadcast” are not defined. The clause should be made consistent with definitions in other legislation such as the Hate Speech Bill.
Clause 16 is broader than section 16 of the Constitution. Freedom of expression is limited to incitement of violence alone. Only if the incitement causes imminent harm is it excluded by the Constitution. Clause 16 is overbroad because it makes an offence to distribute messages which cause “violence” without the qualification of “imminent harm”.
The Intimidation Act already covers conduct which the Bill seeks to criminalise. The publication of words which have the effect, or which reasonably have the effect, that a person fears for their safety or property is criminalised under that Act. The Intimidation Act also defines that offence more narrowly than the Bill. Under the Act a contravention can lead to a fine of up to R40 000 or imprisonment not exceeding 10 years. “Violence” is also properly defined in that Act. This achieves largely the same purpose as clause 16 of the Bill.
The Protection from Harassment Act also achieves the same purpose. The courts and Parliament are generally slow to criminalise forms of expression. A preferable route to follow is that of protection orders. Harassment also has a specific definition which includes the sending of electronic communications.
If the Committee believes existing legislation is insufficient, then FOR SA suggested a narrowing down of various clauses should be considered. This would make the definitions of the Act more consistent with the Constitution and other legislation. This is important for legal certainty and proper law enforcement.
Clause 17 is similar to clause 16. Both deal with damage to property and incitement but clause 17 does not cover the threat of violence. Threats of violence are already covered by the Intimidation and Harassment Act. Clause 17 criminalises the potential of harm. The clause should be amended to cover only “actual” harm not merely the “potential” to do harm. This could result in satirical or political speech been criminalised by clause 17. This can have a chilling effect on freedom of expression. Clause 17(1)(c) could have the effect of restricting freedom of religion. A church has recently been taken to the South African Human Rights Commission for preaching about child discipline with corporal punishment. A possible reading of clause 17(1)(c) could be interpreted as encouraging a person to harm oneself or a group of persons. The definition of “harm” should be tightened to avoid that unintended consequence.
The Chairperson said various scriptures often say conflicting things on various issues. Which religious beliefs should the Committee follow if they were to amend those provisions?
Ms Badenhorst replied that the Constitution protects a multitude of beliefs. This should not mean that people can hide behind religion to engage in harmful or illegal acts. The Constitutional Court has stated that people should have the freedom to determine the true meaning of God’s word. This is provided it does not cause harm to others. This applies even if those beliefs may be seen strange to others.
The Chairperson noted Mr Swart had disclosed he is close to FOR SA. The Chairperson disclosed he is also a Christian. He does however still believe in ancestors but he qualified this, saying he is better described as spiritual rather than religious.
Mr Swart agreed that clauses 16 and 17 must be more narrowly circumscribed. Common law defences should also be included. Sufficient checks and balances must also be put in place to prevent potential abuse.
Mr Matiase asked why the submission referred specifically to harm of farmers. He personally has issues with farmers. Mr Swart he is aware is friends with many farmers. The land issue does however remain a burning question. The Bill is intended to regulate statements and messages conveyed through electronic means. Would it not then exclude sermons in a Church? It is only if a harmful expression is converted into a data message will a person fall foul of the Bill. Why then would they be concerned of the impact of the Bill when dealing with sermons in an open church? Surely such sermons would not be applicable to the problematic clauses?
Ms Badenhorst replied she could have mentioned a number of groups, not limited to farmers, who could suffer harm or hate speech. The intention was to refer to an example which is currently topical in the news. She could have pointed out various groups such as journalists or LGBT people. The sermon on child discipline was placed on the internet alongside a parenting manual. Liberal activists, who have an anti-religious agenda. had obtained those documents. This illustrates how the Bill could potentially be abused.
Mr Mpumlwana noted FOR SA was worried about duplication of existing legislation. In his view, there is nothing wrong with putting two padlocks on one door. FOR SA appears to want to assist the courts in interpreting the law, as if they would have trouble doing so. He took issue with the submission that clause 17 should only criminalise actual harm and not also potential harm. If a person hears something harmful through WhatsApp that causes them actual harm and not potential harm. The African religion had been distorted for over 200 years when missionaries arrived in South Africa. In 1994 the culture of civilised culture took root in society. There is now an overemphasis on freedom of rights and expression and religion. The Constitution protects freedom of religion but it depends on which religion. It is painful for African people who belong to religious cultures which are oppressed. In his culture status is based on age and not wealth for example. In a liberal culture a person can say anything they want to someone else. When the President is insulted, people get upset because he is an elder. For African people who hold those value systems, it is very painful to see such conduct. The issue is what kind of conduct the Constitution deems acceptable or not, and from what perspective?
Ms Badenhorst replied that FOR SA has no issues with cross-references to other Acts. It must however be made clear with concise definitions in the Bill. This is also required for legal certainty. For SAPS and NPA to properly prosecute offences, the legislation must be clear and congruent. The possible interpretation of legislation by the courts should be taken into account during the drafting process. A failure to do so, could lead to abuse from the bench in the form of judicial activism or other functionaries abusing the law for their own ends. Her point about “potential harm” is that the legislature must be slow to criminalise expression when existing legislation already covers that conduct. The Constitution affirms itself to diversity and protection for a multitude of religious and cultural beliefs inclusive of African religious beliefs. The freedom to believe must be constitutionally protected provided it does not cause harm to other people. A conversation should be had to foster a culture of diversity and mutual respect.
The Chairperson said he still believes in ancestor worship. Many churches preach against ancestor worship. This affects many people and children psychologically. Do the submissions of FOR SA properly address those concerns?
Ms Badenhorst referred to an incident with an Idols judge who is LGBT and a Christian. After hearing a homophobic sermon, he tweeted about the incident and refused to return to that church. This is what the Constitution protects by allowing him to exercise his freedom of expression to criticise the Church and freedom of association to join a different church. Some churches do interpret the Bible as placing a prohibition on communications with the dead. There should however be a mutual respect for those who choose to believe in ancestor worship.
Ms Pilane Majake suggested the submissions that follow should indicate up front if aspects of their submissions have been covered by other submissions. This appeared to be accepted by the Committee.
Right to know (R2K) submission
Mr Murray Hunter, Ms Karabo Rajuili and Mr Azhar Desai presented, saying R2K advocates for freedom of expression and free flow of information. This is a fundamental right in democracy to advance other freedoms and is essential for accountability and transparency. R2K has engaged with the Bill process since 2015. The first draft Bill was completely rejected by them. It fundamentally undermined the free flow of information in the democratic space especially in relation to the internet.
The amendments have been favoured largely. The removal of the secrecy clause is welcomed. They acknowledge the need to regulate harmful expression. The internet must be allowed to be a free flow platform. The Bill in its current form undermines such freedom. Overly broad powers are given to the Executive to stem internet freedom. If the current Bill is passed into law it will infringe those rights.
The Bill must be more narrowly crafted and tailored. This is especially so with the definitions. Stronger safeguards on privacy must be implemented to prevent abuse by State Security. A public civilian body should be given powers of oversight to prevent abuse of process and to ensure the powers under the Bill are properly controlled and not abused.
The submission had three parts: freedom of expression; privacy; cybersecurity.
Freedom of expression
Chapter 3 of the Bill regulating malicious communications is problematic. The definition of “harmful” is not properly defined. Legislation must be drafted to balance other needs of society. “Harmful content” is also not defined. The Minister of State Security has recently suggested regulating social media. This led to a huge outcry, ironically on social media.
Clause 16 and 17 are problematic. In principle, any law prohibiting speech for simply causing harm should be rejected. Online harassment is covered in clause 17 which is overly broad in its current wording. It does not sufficiently engage with protecting robust political discussion which can subjectively be viewed as harmful. The Harassment Act already sufficiently regulates this. Failure to comply with an harassment order is already a criminal offence. Introducing additional criminal liability is unnecessary.
Clause 17(1)(d) attempts to deal with fake news. This should be completely removed. It could allow the state to police the truth. The state should not be allowed to determine what is true. This undermines democracy. The current political climate could allow this cause to be abused for unlawful ends. Clause 17(1)(2) fails to address the question of intention when sending potentially harmful messages.
Both clause 16 and 17 should be removed in their entirety.
Clause 18 is welcomed to the extent it deals with revenge porn. However, revenge porn is currently been dealt with by the Film and Publication Amendment Bill, thus clause 18 should be removed.
RICA is currently problematic because the exercise of the surveillance powers is not being properly overseen by independent authorities. The Bill is intended to protect people from cybercrimes from other individuals. However, in many cases the government itself can be the perpetrator.
Clause 38 replicates and expands on RICA. That clause is currently the subject of a court challenge by AmaBhungane. Court documents have revealed abuse by state agencies who are unlawfully intercepting the communications of journalists. Whistleblowers have faced similar threats. The political climate means this affects not only private people but also potentially political leaders. The Bill attempts modest reforms of RICA. The reforms they recommend for RICA are on page 9 of the written submission.
Clause 38 requires both internet service providers and communication providers to store private information. This can led to potential abuse if not properly overseen. Cell phone records can detail numerous aspects of your private life such as with whom you communicate and where you visit. In the European Court of Human Rights, the unchecked preservation of such data has been declared unlawful.
A welcome amendment is the covering of the section 205 loophole of the Criminal Procedure Act. Magistrates and judges can provide for the interception of communication by law enforcement if people are suspected of committing offences. RICA closes that loophole which is welcomed. A concern however is that the RICA provisions do not provide for proper oversight of those applications. Magistrates issue around 50 000 warrants a year for such interceptions. This is a large number of interceptions. This could require a dramatic restructuring to protect against abuse.
The Chairman noted that cyber terrorists use electronic means to further their aims.
Mr Murray responded that additional submissions would be made on that point. Their concern is that an appropriate balance between freedom of expression and crime control is not being properly met by the Bill.
Mr Desai outlined the general expectations of privacy when using cyber technology. The FinFisher program can violate those expectations. There is evidence it is currently been used in South Africa by the government. This was leaked by WikiLeaks. This software is specifically designed to hack into technology such as emails and cell phones for surveillance purposes. This is disconcerting for whistleblowers and political leaders. If the program is used, then appropriate oversight must be put in place as it is currently underregulated.
Mr Hunter said the Bill gives too much power to intelligence agencies to engage in surveillance of electronic communications. Critical information infrastructure permits the State Security Agency to declare such an entity a critical information infrastructure. Due to time constraints this was not fully canvassed. Mr Hunter referred to page 16 of the submission for details on this point.
Mr Horn noted the submission was helpful. However, the submission was focused solely on rights. He is familiar with the limitation clause but a purpose of the limitation in the Bill could be to reinforce the foundational values of the Constitution. What if a situation occurs where fake news could accelerate to the extent that it can influence the outcome on an election? In such a situation, would the limitation clause not require measures to be taken against fake news? However, R2K outright rejects the fake news provision.
Mr Matiase said that the digital divide between the old and young generation can be used as an enabler to bring gaps in society. The majority of presenters have had issues with clause 16 and 17. R2K’s three main points are: the Bill attempts to prevent online harassment by criminalising malicious communications. This raises freedom of expression problems but what problems are those? Second, the cyber space regulations are both positive and negative. The state can also be a perpetrator. Is there any example of the state been a perpetrator in that regard? Third, R2K claims to be from an activist civil society organisation. They should be his natural ally. What can they recommend to enable citizens to criticise government without becoming victims by violating the Bill? This must however be within the confines of what is acceptable by not advocating violence or revolution.
Ms Mothapo noted R2K mentioned online activism. She has no objection to that. However, a consideration must be had of the fact that if online activism has an element of criminality, only then the Bill will be applicable. The Bill does not, in her view, preclude online activism. From the 12 to 15 May 2017 a cyber attack occurred which affected around 200 000 people and infected 300 000 computers. The Bill is therefore necessary to address such pressing issues. South African is a signatory to various international conventions dealing with cybersecurity inclusive of the Budapest and AU conventions on cybersecurity. The Bill is long overdue. The President in his State of the Nation Address already made mention of the Bill. The Department of Justice has been moving at a slow pace in giving effect to international obligations to enact the Bill. The fact that SASSA is now moving grant payments online makes cybersecurity all the more relevant.
The Chairperson reiterated it is an important that an act is unlawful to fall foul of the Act.
Ms Pilane Majake said there must be a balance between constitutional rights of privacy and security interests. R2K had focused its submission on the targeting of civilians. Who should and should not be targeted? R2K fulfils an important role by ensuring that everyone’s voice is heard. The right to privacy is a fundamental right but to what extent is that right realised by the majority of citizens?
Mr Mpumlwana wanted to know if R2K belongs to any liberal organisations. They seem to share similar views on these issues. In every country, it is necessary to have some sort of limitation on rights. Advances in technology have enabled people to access information in countries across the world. It is important to protect privacy interests. What liberal viewpoint is R2K protecting? Once constitutional democracy was created in 1994, many civil society organisations had emerged which seemed to focus only on rights. Fake news should be regulated as people should not be allowed to gossip and spread falsehoods. Why should people who lie be given protection under the banner of those rights? Spreading false information can have very harmful effects. He disagreed with the excessive focus on rights alone, but he would consider the submission. He was not however completely convinced by the proposals which R2K made. The Bill, in his view, actually stopped short of providing adequate cybersecurity measures. Even the USA is suffering from serious cyber attacks. Some measures have to be put in place to protect citizens from cyber attacks. This includes those within the country who may want to destabilise the government. There should not be an unqualified right to gossip or spread false information. Regardless of who is paying R2K and their objectives in their formation, they should focus on what is necessary to protect South Africa. How would they respond if their own organisation was subject to a cyber attack?
The Chairperson stated that the country had been built by secret organisations. They wanted to subjugate the indigenous people. One way they aimed to do this was creating a permissive society. This is equivalent to national suicide. People should not be allowed to hide behind their rights to override the public rights of the people.
Mr Matiase said the former Deputy President, Mr Motlanthe, had said it would be good if the ANC lost power. Could this be interpreted as a statement promoting violence therefore violating the Bill?
The Chairperson replied the Bill is about society as a whole and not the ANC.
Ms Pilane Majake noted a tendency in the Committee to raise issues which misrepresent ANC leaders. The Committee is about Parliament not the ANC. Members should refrain from quoting ANC leaders for those ends. ANC leaders are being quoted out of context in the Committee.
Mr Horn said Ms Pilane Majake’s statement is ironic. This is because her comments infringe the freedom of expression which is the subject of the hearing.
The Chairperson requested that Members focus on the issue at hand and not get involved in settling their personal differences. It is however important to emphasis a culture of rights and responsibilities. The Committee should not focus on political point scoring.
Ms Rajuili responded that the Bill in clause 17(2)(d) is overbroad in terms of criminalising fake news. This is because legitimate freedom of expression could fall foul of the Bill. Information in a political context could be deemed criminal thus in turn shutting down legitimate debate. In the USA election, false information had played a role in influencing the outcome. A proper approach is to educate citizens on how to scrutinise and evaluate such information as opposed to criminalising forms of expression. This would also create a more democratic spirit within society. Whistleblowers could also fall foul of various clauses. It could also impact on journalistic freedom. It infringes on the ability to engage in robust discussion. If we truly value robust discussion and dissent within society, then Bill should not be passed in its current form.
Mr Hunter responded to Mr Matiase’s question that there are insufficient measures in place to inform people who have been subject to surveillance after the fact. Mr Sam Sole of the Mail & Guardian had recently discovered he was subject to surveillance only due to a court case. Security agencies had listened to a number of his private communications for a number of months. Two journalists from the Sunday Times had recently discovered they had been subject to surveillance whilst they were reporting on the police in 2010. Senior politicians and union leaders had also raised concerns that their communications had been spied upon. People who are subject to surveillance should be informed after the fact to permit them to challenge the legality of that surveillance if they wish.
The Chairperson asked if there is a reasonable suspicion that a person wishes to blow up Parliament, should that person’s communications be subject to surveillance.
Mr Hunter replied he accepted there must be limitations on privacy to protect security interests. At the same time, there must be proper measures put in place to prevent surveillance powers from been abused by the state. A higher threshold should be put in the Bill before surveillance orders can be authorised by judges or magistrates. If a reasonable suspicion exists that a person is engaging in unlawful activities, then the law should provide lawful means for the interception of their communications. However, that interception must result either in the institution of criminal charges or the dropping of the investigation. Once that decision has been made, then the law enforcement agency loses nothing by informing that person that their communications have been intercepted. As with the Sunday Times journalists, no charges were brought against them. This shows that surveillance can be used for ends not authorised by the empowering legislation. There should be a duty to inform after the fact that their communications were subject to surveillance. This is necessary to avoid the abuse of power and to allow such a person to challenge the legality of that surveillance if they wish in a court of law. Rogue agents within intelligence agencies can abuse those powers. There are not adequate safeguards currently in place to protect that abuse occurring. State security does have a role to play in ensuring cybersecurity. However, the nature of those agencies is to see issues through the framework of evaluating threats. This is not necessarily appropriate for the internet. A better approach would be to have civilian oversight and then to engage with state security in an advisory capacity.
Mr Mpumlwana asked if education should rather be used in place of cybersecurity legislation.
Mr Hunter responded that user education is important but cannot be used by itself in the place of law, to guard against cybersecurity threats. The central priority should be about empowering users to protect themselves. State security should play a role but should not police information and expression from a top down approach.
The Digital Law Company submission
Dr Lizzie Harrison, social media consultant at Digital Law Company, stated that Emma Sadleir, media law consultant at the Digital Law Company, was unfortunately unable to attend. Dr Harrison would give the submission in her place. The Digital Law Company deals with various matters relating to media law and social media. They also focus largely on education and the proper use of social media. The submission focused specifically on clause 18 which deals with revenge pornography.
Communication has changed dramatically because of technological advancements. This has various positive developments but can also be quite damaging. Revenge pornography is an issue the company deals with on a frequent basis through their pro bono practice. They fully welcome clause 18. Few countries internationally actually criminalise revenge porn.
Various people, inclusive of children, are often lured into online relationships. People often coerce those people into taking photographs or videos of themselves in comprising positions. They are then blackmailed and often have to pay high amounts of money. This also occurs often with cell phones. When cell phones are stolen the content of those devices are then uploaded onto the internet. Once this occurs, it can be next to impossible to remove that information. This is because that information is uploaded onto internet cloud servers.
It is not possible to delete social media content completely. Even if a user deletes an image or video, social media companies still maintain records of that information. In addition, that information is often shared multiple times. This can have devastating effects. Some people have had to leave their jobs as a result. In some cases, children even have had to leave their school. In one instance a client had to change her name to escape compromising pictures and texts which had been taken from her phone without her consent. Contact details of people are also unlawfully placed on sex sites without their consent. Revenge porn can have serious and permanent consequences for those who fall victim to it.
The revenge porn clause is welcomed. However, there are a few concerns Dr Harrison wished to raise:
It is not clear the Bill is the correct piece of legislation to regulate and criminalise revenge porn. This is because, in their view, revenge porn should be classified as a sex crime. It would be better to regulate this offence in terms of the Sexual Offences Act. That Act criminalises incitement and conspiracy to commit a sexual offence. It also provides the SAPS with new tools to investigate sexual offences to minimise and eliminate secondary traumatisation. Proceedings in that Act are also held in camera, to protect the dignity of the complainant. Ms Sadleir had given representations to the Film and Publication Board on this issue. If the option is between the Film and Publication Amendment Bill and the Cybercrimes Bill, it would be better to regulate this conduct in terms of the Cybercrimes Bill. However, it was submitted it would be preferable to explore the option of regulating this offence in terms of the Sexual Offences Act.
Clause 18(1) requires the person to intentionally distribute the data message without a person’s consent. The requirement of “intention” should be re-examined. This is because it is very difficult to establish a person intended to distribute revenge porn with the legal requirement of intention. In the majority of cases the person who distributed the image denies they intentionally distributed it without consent. In most cases, the person who shared the data message simply states the image or video was distributed unintentionally. It was suggested that negligence should be included as an additional fault element. This is the same fault requirement that applies when dealing with confidential information in companies. In that context, even if a person negligently distributes company secrets they are still liable. This is because the consequences are the same in that confidential information is unlawfully leaked. The same applies with revenge porn because even if an intimate image is shared negligently, the consequences for the victim are still the same.
The qualification of “by means of a computer system” in clause 18(1) should be removed. This is because in many cases images are shared by other means such as printing pictures and then placing them in a public place. If the qualification is retained a person in such a case would not have legal redress because it would not be distributed by means of a computer system.
The definition of “intimate image” in clause 18(2) should be removed. It should be replaced with the definition of “pornography” in terms of the Criminal Law Amendment Act which is a broader definition. This is because pornography’s definition in the Criminal Law Amendment Act is broader than simply an “intimate image”. Sexting for example would not constitute an intimate image. Unlawful sharing of sexts without consent should be criminalised as revenge porn. To share sexts without consent also constitutes an invasion of privacy even though it is not an intimate image.
The phrase in s18(1) of “knowing a person did not give consent” should be removed. This places a high onus on the victim to prove they did not give consent. A better formulation would be to place the legal onus on the perpetrator to show consent was given.
Dignity should be added to qualification of “intimate image” in clause 18(2)(a) which only refers to a “reasonable expectation of privacy”. Revenge porn infringes not only privacy but also dignity. Nudity should not be a requirement. This is because many images, such as when a person is in a bathing suit, would not qualify as nudity but could still qualify as revenge porn if it is distributed without their consent. In that case, their dignity and privacy will also be infringed.
The Chairperson thanked Dr Harrison for the submission which illustrated the serious issues which revenge porn creates in society.
Mr Mpumlwana stated the submission was helpful. He was unsure if it would be acceptable to remove the intention requirement for the offence of distributing revenge porn without consent. It would not make much difference, in his opinion, whether revenge porn is criminalised in terms of the Cybercrimes Bill or the Sexual Offences Act.
Mr Horn agreed that the submission had raised important issues. To remove the phrase “computer system” would not make much sense, as the Bill specifically deals with cybercrime. It could however be preferable to deal specifically with that aspect in another piece of legislation.
Mr Bongo said the submission was very helpful and would greatly assist in further drafting of the legislation.
Ms Pilane Majake said Dr Harrison’s real world experience was invaluable. If loopholes do exist in the Act, because of certain wording, those loopholes should be dealt with by the Department as raised by the submission.
Dr Harrison said revenge porn is a cybercrime. It is not a major issue if revenge porn is regulated by the Cybercrimes Bill or the Film and Publication Amendment Bill. It was simply a pertinent issue which they wished to raise for consideration. If revenge porn is regulated by multiple Acts, that could lead to people being acquitted on technical grounds due to differential wording in different legislation.
South African Banking Risk Information Centre (SABRIC) submission
Ms Susan Potgieter, SABRIC General Manager: Information Hub, said SABRIC was formed by the banking sector to combat financial crime. The company collects information, compiles reports, makes public submissions and engages in education campaigns for that purpose.
SABRIC supports the Bill. Cybercrime is a consequence of a lack of cybersecurity which is very important to the banking and financial sector. The South African banking sector deals with many of the same threats as other banks throughout the globe. Cybercrime also affects ordinarily citizens. Many citizens do not know the threats of cybercrime. This is especially true when it comes to paying ransoms in bitcoin which is extorted from people when their computers are infected with the Pink Princess virus programme. There is however a lack of local information on cybercrime statistics. SABRIC is attempting to fill this gap.
Most attacks are still focused on targeting individuals. A recent analysis had shown that both malware and cybercrime had become a popular modus operandi for many criminals. This has become a major focus for SABRIC. Cybercrime also has a highly negative effect on the banking sector especially when it comes to card skimming. The Electronic Communications Act (ECT) has played a valuable role in combating this. Cell phone blockers are often used by criminals to engage in violent crime such as when robbing banks to disable their alarm systems. Overall, SABRIC welcomes the Bill and is very pleased with the progress that has been made thus far.
A question SABRIC is often asked is what constitutes a cybercrime. Criminals drill physical holes into ATMs. Most people think this is simply malicious damage to property. In reality it is actually a preparation for a cybercrime. The point is that it is often complex to properly define what cybercrime is. Another issue is how to quantify the harm of cybercrime in monetary terms. For example, it is difficult to quantify the financial harm that a person suffers when their password is compromised.
The Bill consolidates various pieces of legislation which are currently fragmented. It gives effect to international best practice which will aid in the fight against cybercrime. It is positive that the Bill makes provision for the police to engage with the private sector. The penalties are more severe than those contained in the ECT Act which is also positive.
A few suggestions were however made by Ms Potgieter on behalf of SABRIC:
Greater collaboration with the private sector should be provided for. The private sector has a huge contribution to make in the fight against cybercrime. A structure should be considered where the private sector can engage with the state on a policy level. SABRIC has a high amount of expertise in this regard which could be of great assistance.
A caution was made against over-regulation. A better approach is one of collaboration. This is preferable to a box ticking exercise. Mutual collaboration will assist both the state and the private sector in strengthening security against cybercrime and sharing information and resources. It is hoped that information can therefore flow both ways. Both sectors have the same vested interests on this matter.
International collaboration cannot be overemphasized. Both the private and public sector must be part of the international community. Cybercrime is a global issue and does not discriminate between different countries.
There is a still a lot of work that needs to be done in terms of appropriate skills. This is especially so when it comes to law enforcement. The Committee should apply its mind to determine how the skills gap can be closed.
In closing, even if there is a strong legal framework, it will fail if citizens do not have sufficient information about cybercrime. Many of the banking industry customers are targeted by cybercriminals. This is because many criminals exploit the knowledge gap of people about cybersecurity and the fact that they do not often invest in proper cybersecurity.
The Chairperson thanked SABRIC for the concise and informative submission.
Ms Mothapo herself had been a victim of cybercrime in the banking context. What measures has SABRIC taken to educate people, especially rural people, about the dangers of cybercrime and banking? How does the public get access to the services which SABRIC provides? 19 banks belong to SABRIC. What do the other financial service providers do about the matters SABRIC deals with? This is especially true when it comes to cell phone banking which is becoming increasingly prevalent.
The Chairperson asked if the South Africa Social Security Agency (SASSA) uses SABRIC services.
Mr Matiase said R2K was very passionate in appealing to an arrangement where the Bill would not impose a top down emphasis of regulation. Does SABRIC have any engagement with R2K? If R2K’s recommendations are granted in terms of an education campaign, how should that be implemented? Practically, what can SABRIC contribute to educate people about the dangers of cybercrime?
Ms Pilane Majake said it was important to deal with the pertinent issues which SABRIC had raised. What practical measures could be put into the Bill to deal with issues such as ATM crimes?
Ms Potgieter noted card skimming is unfortunately a widespread reality. Pin numbers for banking can be accessed using infra ray systems. It is fortunate that those devices have not, to the knowledge of SABRIC, yet been used in the South African context.
Part of the SARBIC mandate is to assist the banking sector with consumer education. Community radio is used to cover as many languages as possible. Experience shows that to communicate in a person’s home language is a more effective learning tool. SABRIC does not have a public call centre. People do use their website and phone them directly. Social media is used extensively to create consumer awareness. They also direct consumers who have issues to engage their own banks. This is because the member banks of SABRIC have quite robust consumer protection and awareness mechanisms internally as well.
If a bank is a member of the Banking Association South Africa (BASA), they are entitled to become a voluntary member of SABRIC. With the change to the twin peak model which is about to implemented, the SABRIC board may or may not take that as a consideration for membership going into the future. BASA is the parent company of SABRIC.
On the safety of mobile and internet banking, the security measures used by banks are continually being reviewed. Criminals however follow the route of least resistance. This occurs where criminals phone people and trick them into disclosing personal information. This requires constant review of security mechanisms and protocol. The banks place a high priority on this.
SABRIC does not have a permanent relationship or a memorandum of understanding with SASSA. They have worked with SASSA in the past on various investigations. Where there is a common opportunity to collaborate, and share information with SASSA they have done so in the past.
In terms of their public partner relationships, they engage with departments who have a vested interest in combating specific crimes of mutual interest. They are very supportive of law enforcement efforts to combat cybercrime. Where they can contribute to capacity, they offer those services as far as possible.
On the R2K recommendations, it is largely a matter of balancing human rights and consumer rights. SABRIC believes there must be a balance. The rights of the citizens must be protected and upheld. But at the same time those citizens also expect protection from the industry. Without proper information, it can be very difficult to combat crime effectively. They will continue to engage in information and education initiatives to improve consumer knowledge on cybercrime.
Michalsons Attorneys submission
Mr John Giles, Managing Attorney at Michalsons Attorneys, said he has extensive experience in the area of law and technology, legal drafting and the compilation of the King Code of Corporate Governance. He welcomed the Bill. It is important to have a mechanism to combat cybercrime effectively and prosecute cyber criminals. The Protection of Personal Information (POPI) Act also plays a role in protecting the personal information of people generally.
Mr Giles explained the difference between something being unlawful and something being illegal. Data is accessed using authorisation. Personal information is then processed unlawfully if a person accesses information without authority. There must be a balancing between crime control and the rights and individual freedoms of people.
Conduct is lawful when it is permitted or allowed by law. Unlawful conduct is then conducted which is prohibited by law. This does not mean that an unlawful act is a criminal act. In POPI Act, for example, some things are unlawful but not necessarily criminal. The onus in criminal trials is that every person is presumed to be innocent until proven guilty. If a person accesses information in violation of POPI Act, that is unlawful but not necessarily criminal. However, if a person access the data and information of a bank without authorisation, that is criminal and not merely unlawful. Criminal behaviour does however have certain defences. For example, a person can show they did have authorisation to access the information of a bank, which then means their conduct is lawful and therefore not criminal.
Criminalising certain conduct is necessary but does have potential dangers. One danger is overcriminalising conduct. The Bill will introduce approximately 57 new crimes. This means there will be little unlawful conduct but a large amount of criminal conduct. There must be a balance between unlawful and criminal conduct. A reverse onus should also not be introduced. This is where a person is forced to prove their innocence. In the context of revenge porn as raised in the Media Law Company submission, a reverse onus could however be justified.
A public body can only act if authorised by law to act. If the Bill criminalise conduct that should only be unlawful, then that conduct becomes a crime resulting in overcriminalisation which should be avoided. Generally speaking, the requirement of intention is a good requirement to include.
The words “unlawfully” and “intentionally” in clause 17(1) of the Bill are problematic. This is because it is difficult to understand how those words relate to one another. If a person must have “intentionally” acted unlawfully, this means they must know all the laws in South Africa. This is problematic on the plain reading of the clause, as no person can really be said to know all of the laws in the country.
Since “unlawfully” is included in every section that means all conduct regulated by the Bill will become criminal and not merely unlawful conduct. This cannot be the case in terms of the objects which the Bill seeks to achieve. There should be a distinction between “unlawful” and “criminal” conduct explicitly in the Act. Whilst all criminal conduct is unlawful, not all unlawful conduct is criminal. The POPI Act illustrates this well. This is because the unlawful processing of certain information, in violation of POPI, is often unlawful but not always criminal. This is furthermore in line with international trends. This Bill should be no different. A risk of the Bill in its current form is that it could criminalise conduct in the POPI Act which is unlawful but not criminal. This would give rise to civil and not criminal liability.
A possible solution is to introduce lawfulness as a defence to certain conduct and not to become part of the description of the crime itself. The reverse onus in instances where it is not appropriate should also be removed. Cybercrime and cybersecurity are two different concepts and therefore should be dealt with in different legislation.
Three clauses in the Bill relate specifically to the unlawful interception of data. The ECT Act makes no mention of “unlawful” access but only “intentional access”. The AU convention mentions only “unauthorised access” and no mention of “unlawfulness”. The same applies for the Budapest Convention.
The Chairperson commended Mr Giles for giving his time to make the submission. It is welcoming to see attorneys wanting to give back to the community and assisting the public interest by briefing the Committee on important matters by offering their expertise.
Mr Matiase had a question about separating cybercrime and cybersecurity. The intention of the Bill is to criminalise and regulate cybercrime. If that is the intention, then why should cybercrime and cybersecurity be separated into different pieces of legislation? Dr Harrison from the Media Law Company had recommended removing the requirement of “intention” from clause 18(1). She argued that it would be difficult to establish intention when dealing with the requirement of establishing guilt for revenge porn. Does Mr Giles share Dr Harrison’s views? Would it be difficult to establish intention in that regard?
Mr Horn said that in criminal law, unlawfulness is an element of criminal liability to establish guilt. How can this then be addressed if the requirement of “unlawfulness” is removed from various provisions of the Bill?
Mr Bongo agreed with the comment of Mr Matiase. In his view, the aim of regulating cybercrime and ensuring cybersecurity are almost intertwined. Why then should the two aims be separated and then regulated in different legislation? He agreed with Mr Horn that unlawfulness is always a requirement of criminal liability. If the requirement of unlawfulness is removed, then the Bill will be simply academic as it will not criminalise the behaviour which the Bill endeavours to criminalise. Cybercrime is a billion-rand industry. It is important to properly criminalise that conduct. Regardless, he commended by Mr Giles for his submission as a lot of work had been put into the submission.
Ms Mothapo was also concerned about the feasibility of removing the unlawfulness requirement from certain clauses in the Bill.
Mr Giles replied that it is not necessary to include unlawfulness to make conduct an offence. This is because the requirement of “unauthorised” already includes the requirement of unlawfulness. The Bill aims to criminalise the harming of people by cyber criminals. It does should not criminalise the unauthorised access of information alone. POPI already requires people to secure information. That Act requires people to take reasonable measures to secure information. The harm only arises when that information is used for harmful purposes. If a person accesses information without authorisation in terms of POPI, that unauthorised access is not a crime. It will however subject the unauthorised accessor of information to civil sanctions such as an administrative fine. By removing “unlawfulness”, the Bill will not then not criminalise the conduct which it seeks to regulate. Rather, it will only not criminalise conduct which is supposed to only be unlawful and not also criminal. A defence to such conduct would include “unlawfulness” but it should not also be part of the definition of the crime. Intentionally and unlawfully should not be used as part of the requirement of every crime in the Bill. Mr Giles said it could however be desirable to remove the intention requirement from the revenge porn clause but not necessarily for other offences.
Mr Giles noted the suggestions he had made did involve several technical elements. He would be very happy to continue to engage on those technical aspects of his submission. As raised before, the ECT Act and the AU Convention do not have the requirement of “unlawful”. This is because those legal instruments realise the importance of not equating unlawful behaviour with criminal behaviour.
In his response about separating cybercrime and cybersecurity into different legislation, he said there is a difference between protecting the state versus protecting people from cybersecurity. It is important to protect national state interests from cyber criminals. The two regulatory regimes do not often work well in practice and should be separated in his view.
Ms Mothapo asked if cybersecurity and cybercrime are separated into different pieces of legislation what should the current Bill then be called?
Mr Giles responded the appropriate name for the Bill would then simply be the Cybercrimes Bill. It would then be unnecessary to include the additional phrase “and Cybersecurity”.
The Chairperson said security would nevertheless still be dealt with in the content of the Bill. Should it then not still include the phrase “and Cybersecurity”?
Mr Giles responded that cybersecurity is already dealt with in terms of the POPI Act. There has been confusion between POPI and the Bill. It is important, in his view, to keep the legislation separate. The POPI Act deals with protecting information whilst the Bill deals with criminalising certain conduct.
Mr Bongo noted that the POPI Act had been passed by the Committee recently. The POPI Act deals with personal information. The Bill deals with broader issues inclusive of personal information. The POPI Act does provide for criminal sanctions in certain sections. How does POPI, to the extent it only relates to personal information, then also implicate cybersecurity which this Bill aims to regulate?
Mr Giles responded that POPI deals only with personal information. The Bill deals with all data. The Bill does not require any person to actually secure data, which POPI does. POPI does create various offences but those offences relate to very specific kinds of conduct. If a person fails to protect an account number or give false evidence in terms of the Act, those are offences. But the rest of the Act simply deals with unlawful and not criminal conduct. The amount of conduct which POPI criminalises is quite small.
The Chairperson thanked Mr Giles for his submission. Department of Justice officials who were present would take his comments and recommendations into consideration going forward.
Internet Service Providers Association (ISPA) submission
Mr Dominic Cull, IPSA Regulatory Advisor, said ISPA welcomes the Bill. Originally IPSA had a number of issues with the draft Bill. Subsequent engagements with the Department of Justice over the past three years had addressed many of its concerns. There are however a few concerns which IPSA still has around the Bill.
Chapter 3 dealing with malicious communications is the biggest concern. How cyber bullying, revenge porn, fake news and sexting is dealt with from a legislative viewpoint is a concern around the world. It is not an easy issue to solve. The South African Law Reform Commission is currently reviewing the legislation around this matter, particularly as it pertains to child pornography. The outcomes of that review will probably be of interesting assistance to the Committee.
The ISPA submission is narrow. It is related to the role of internet service provider interactions with SAPS regarding the investigation and prosecution of cybercrime in the country. ISPA also has a role in ensuring cybersecurity. It liaises with the cybersecurity hub which is currently a developing competence within government. ISPA has no issues with the clauses of the Bill that relate to those issues.
In Chapter 9 of the Bill, clause 52(4) restates certain provisions of the ECT Act that provide that an electronic service provider or internet service provider is not required to monitor all the information which flows through its network. This is an important principle which is restated in the Bill and the ECT Act. This does not require such providers to actively seek out conduct which may be unlawful and conducted through its services. This reflects a broader reality of the internet service provider industry. Vodacom is currently the largest internet service provider. Millions of instances of information are conducted through its network in a variety of different languages. It would be unrealistic to expect service providers to monitor all that information. It would also unlikely not constitute a justifiable limitation on the constitutional right to privacy.
A wording issue was raised in Clause 52(3) which provides that an internet service provider or institution who contravenes clause 52(1) will be subject, on conviction, to a fine of R50 000. This should be changed to a “fine up to R50 000”. This is common practice in most legislation. It reflects that there is a discretion on a presiding officer to determine the appropriate fine, up to the stipulated maximum amount of R50 000.
The definition in the body of the Bill defining “electronic communication service providers” is slightly different to the one contained in the appendix to the Bill dealing with proposed amendments to the Sexual Offences and Related Matters Act. ISPA does not have a particular preference for one definition over another. It is simply a matter of principle whether the same definition will apply universally for all legislation such as RICA, the Film and Publication Act and the Harassment Act.
The heart of ISPA submission relates to child pornography. IPSA had a similar issue as Dr Harrison raised earlier. Should the criminalisation of revenge porn be classified as one of cybersecurity or should it rather be regulated as a sex crime in terms of the Sexual Offences and Related Matters Act? ISPA does not believe that the Film and Publication Act should criminalise conduct. It is primarily a piece of regulatory information which is fleshed out in terms of administrative regulations. The Film and Publication Act, and by extension the Film and Publication Board, should attempt to deal with issues which primarily fall under the mandate of SAPS and the NPA.
The Bill speaks to the deletion of section s24B of the Film and Publication Act. That provision deals with the criminalisation of the creation, distribution and possession of sexual abuse material. If child pornography is going to be criminalised by the Department of Justice that legislation must fall under the mandate of SAPS and NPA. It is wholly inappropriate for child pornography to be criminalised in terms of the Film and Publication Act.
The Cybercrimes Bill is being dealt with by the Justice Portfolio Committee whilst the Film and Publication Amendment Bill is being dealt with by the Portfolio Committee on Communications. This creates a degree of overlap between the two Bills and the two Committees. A series of meetings had been held between the two departments to deal with the fact that revenge porn is criminalised in terms of the Cybercrimes Bill and the Film and Publication Amendment Bill.
The outcomes of those meetings were summarised by Mr Cull:
First, the criminalisation of child pornography and revenge porn should not be dealt with in terms of the Film and Publication Act but rather in terms of the Sexual Offences Act. The current tendency to regulate such conduct which does specifically deal with criminalisation of conduct, hampers the further development of criminalising such conduct and gives rise to a fragmented legislative approach. The Regional Court Magistrates, SAPS and the NPA had requested the Department of Justice to deal with child pornography in terms of the Sexual Offences Act. This is because South African is probably the only country in the world which deals with child pornography in a law that primarily deals with the classification of media. In almost all other countries, that offence forms part of their substantive criminal law.
ISPA completely endorses this view. However, it is not sufficient to simply repeal the provisions of section 24B of the Film and Publication Act. This will create confusion for electronic service providers, SAPS and the NPA on how those offences are investigated and prosecuted. A copy of the ISPA submission on this had been circulated amongst the Committee. A proposed definition of child pornography, to be included in the Cybercrimes Bill, has been formulated in that written submission. The proposed definition is extremely comprehensive. It refers to comparative law and complies with all of South Africa’s international conventions and obligations. There is no good reason why a deficient definition should then be retained in the Film and Publication Act. Should the Film and Publication Board require further guidance on the definition of child pornography, they should refer to ISPA’s proposed definition in their written submissions to the Committee.
The Committee should consider the deletion of section 24A of the Film and Publication Act. That provision requires internet service providers to register with the Film and Publication Board to combat child pornography. The proposed definition to be inserted in the Sexual Offences Act already gives effect to that purpose. A duplication of those provisions has created a number of challenges for SAPS, the NPA and magistrates in investigating, prosecuting and adjudicating child pornography offences.
The Chairperson asked if ISPA would not then be accused of forum shopping by the Department of Justice and/or the Department of Communications? This is because they have already had an opportunity to make submissions on the Film and Publication Amendment Bill? They had already made submissions on this issue before the Portfolio Committee on Communications. Could they not be accused of forum shopping because they had failed to prevail in their submission before the Department of Communications and now want a second bite at the apple by attempting to have those submissions accepted by the Portfolio Committee on Justice? Would it be in the interests of the Committee to reopen what could be considered a closed issue?
Mr Cull responded that ISPA was not forum shopping. These issues were raised with the Department of Communications when they were deliberating on the Film and Publication Amendment Bill. They had also been raised with the drafters of the Cybercrimes Bill. Subject to the confirmation of the Department of Communications, it is not a case of the submission being rejected. It was rather a case of the submission had been accepted but not fully implemented. There is no reason why the Department of Justice would have any objection to further implementation given that the Department of Communications had accepted the submissions in principle. It was simply a matter of giving full effect to the principles which were accepted.
In conclusion, IPSA supports the Bill. It creates a welcome and comprehensive mechanism to ensure interaction between internet service providers and law enforcement providers to achieve the objects of the Bill. There is a constructive relationship between IPSA and SAPS about investigation and education on cybercrime. Both the SAPS and IPSA agree the exchange of personal information must however take place within a lawful framework. The current framework in terms of the Criminal Procedure Act to regulate such an exchange is insufficient. What is set out in the current Bill is a vast improvement and will greatly assist in the prosecution of crime where an internet service provider is either implicated or can be of assistance. It may be necessary to bring the issues around “harmful” in Chapter 3 to light for a wider audience. That Chapter deals with a number of tricky issues which may require greater public involvement not limited to technical arguments and discussions by lawyers alone.
Mr Bongo agreed it was important that the legislation criminalising revenge porn and cyber bullying should enable the proper and effective investigation and prosecution of those crimes. It was agreed the specific amendments suggested should be investigated. It could be necessary for the Bill to even more expansive to cover issues such as theft of litigation papers, academic work or building plans. For example, would the theft of electronic evidence fall within the ambit of the Act? It could be beneficial for the Committee to receive a briefing from a person who has been prosecuted and convicted in terms of cybercrime legislation.
Ms Pilane Majake stated the purpose of the Bill is to protect South Africans from cyber related crime. The submission seemed to deal particularly with the internet service provider industry. All sectors have an obligation to ensure security and development for all people. It is important to understand the intention of the Bill in advancing the lives of all people by taking into consideration the purpose of the Bill.
Mr Matiase said the IPSA submission was very relevant. This is because they represent the sector which is integral to the very purpose of the Bill. IPSA has a duty to be part of the broader campaign to educate the South African people and make access to the internet as cheap and accessible as possible. Social responsibility should form part of their mandate in bridging the digital divide. What specific measures should be put in place to bridge that gap? How can greater internet access be provided for the majority of people? What provisions can or should be placed in the Bill to enable such access?
Mr Cull responded that the internet industry can be used for both advancement and disadvantageous purposes. In response to Mr Bongo, he stated that the conviction rate under the ECT Act is currently 98%. It would not be difficult to find a person convicted under that offence. The broadness of certain provisions of the ECT Act however could mean a far greater number of people could actually be cyber criminals. For example, in terms of s98(1) of the ECT Act if a person uses their wife’s phone without permission they will be guilty of an offence. News 24 had disabled their online comments section because of the negative and hateful comments which users posted daily. Such conduct must be properly regulated. The same applies for other social media sites such as Twitter and Facebook.
The Chairperson responded that such people could not then be convicted unless they have an intention to commit an offence.
Mr Cull responded that if a person comments on an article by calling people hateful names or racial epithets they are intentionally defaming that person. Such a person could not argue they did not intentionally harm another person. The criminal law which we currently use would not necessarily translate well into the online world. However, it would be necessary to have broad legislation to properly criminalise online harassment and offences in terms of the Act as they occur online.
The Bill does deal with electronic evidence. It does not however really speak to the securing of information rather establishing various security structures such as rapid response teams in different areas of government. It would be necessary to put in place various structures to implement both a top down and bottom up form of regulation.
Mr Cull reiterated ISPA is not concerned about the Bill in terms of its own self-interest. Their primary concern is to consolidate the law to properly investigate and prosecute child pornography. Internet service providers receive requests for assistance to investigate such offences daily.
Every stakeholder has a role in bridging the digital divide. ISPA has provided education initiatives throughout the country. A super teacher award had been created to recognise excellence because of their training programmes throughout the country. ISPA intends to bring 3-4 million South Africans online to have internet access within 3-4 years. A greater problem however is digital literacy. Users of the internet who are not properly internet literate are the primary targets for cyber criminals.
The Chairperson said the Department of Justice had noted the high level of debate on the Bill. It is necessary to have more youth become part of the larger debate around bridging the digital divide. It is necessary to ensure that all people are properly digitally literate. It is not clear that these debates are currently being had in the classrooms at a grass roots level. It is necessary to keep young people abreast of modern technological developments.
Mr Mpumlwana noted that a clause related to the theft of intellectual property had originally been inserted into the draft Bill was now removed. Was that correct? Should the Committee request the Department of Justice to reinsert that clause?
Mr Cull responded that the provision had been removed, as far as he was aware. He did not however advocate reinserting such a clause. That issue is currently being dealt with in the Copyright Amendment Bill.
Open Democracy Advice Centre (ODAC) submission
Ms Alison Tilley, Head of Advocacy, ODAC, stated cybercrime does not necessarily fall within the ambit ODAC. ODAC did however work extensively on POPI and became highly familiar with information legislation. Through that process they had subsequently participated with the technical committee in consultation with the Department of Justice on the Cybercrimes Bill.
ODAC welcomes the legislation. It is necessary and legislation is needed to combat cybercrime. Cybercrime is not however only the responsibility of law enforcement alone. All people must take an active stance in defending against cybercrime. The subsequent amendments do protect the rights to privacy and to a lesser extent the right to freedom of expression as contained within the Constitution.
Ms Tilley agreed with the submissions made by Mr Giles from Michalsons on the use of the word 'unlawful'. This can be viewed in both a positive and a negative way. To say a person is guilty of a cybercrime offence, the issue is then what is the aim which the offence attempts to achieve. The Bill is properly concerned about criminalising the intentional and harmful use of information and not merely gaining unauthorised access to information per se.
Clause 2 is of slight concern in this regard. This is because it is essentially drafted backwards. It talks about unlawfully and intentionally securing access. The issue of entitlement and consent is only dealt with at the end of the legislation. It would be preferable to define the offence more clearly which is the way conduct is dealt with in criminal law. Clear and concise language is very important in this regard.
Clause 4 dealing with software tools attempts to criminalise the possession of certain tools which can be used to gain unauthorised access to digital information. The problem with such an approach is that it is simultaneously necessary for certain IT specialists to have such software for security purposes. This could create issues for professionals who need such tools in order to properly perform their job.
Ms Tilley agreed with the earlier submissions on clauses 16 and 17. The clause dealing with revenge porn is welcomed. Some colleagues at ODAC had however questioned if the phrase “revenge porn” is the correct terminology to be used for that offence.
Cyber bullying is severely traumatic for people victim to it. The section however does not expressly state it is dealing with cyber bullying. This is different to the legislation in foreign jurisdictions. In the USA for example, schools are mandated to have internal policies dealing specifically with cyber bullying. Certain amendments to the language of that provision could make the position clearer by clearly spelling out that the provision deals with cyber bullying. That is an education issue and it could be necessary to expressly spell out what the clause criminalises.
Ms Tilley raised ODAC’s concerns with the Bill:
Clause 38 had been raised as a point of concern by R2K. It attempts to fulfil a useful purpose. However, as with the clause on cyber bullying it is not entirely clear what the clause attempts to achieve. Once one begins to question the actual purpose of the clause, then it becomes more problematic. As raised by R2K, once both section 205 of the Criminal Procedure Act and RICA are used to obtain evidence related to phone calls and communications, the disjuncture becomes problematic. In terms of section 205 of the Criminal Procedure Act, the authorities must approach an ordinary magistrate to intercept such communications which is then either granted or refused. However, in terms of RICA, a special RICA judge must be approached in order to intercept communications subject to RICA. What has occurred now in practice is that magistrates are approached to obtain metadata. This means that the RICA protections do not apply to applications for the interception of communications in terms of section 205 of the Criminal Procedure Act. The fact that the RICA judge is then no longer, in practice, approached for such interception applications means that communications can be intercepted in terms of the Criminal Procedure Act without the additional RICA safeguards for people subject to such interceptions. This is because magistrates are bound to apply the provisions of the Criminal Procedure Act and cannot apply the provisions of RICA. The RICA reform process is welcomed which could properly address that issue. It was submitted that clause 38 should be considered in terms of the RICA reform process instead.
Clause 57 is essentially a form of the National Key Points Act as it applies to technological information. The National Key Points Act permits areas to be designated as national key points which then imposes additional security obligations to secure those areas. The same is envisaged to apply to technological devices and communications in terms of the Bill. This is welcomed to the extent that certain technological systems do require additional security measures to remain secure. This is especially so when dealing with fragile systems in protecting national security. The danger is that unlike the National Key Points Act, it is far more difficult to show a person that the obligations to create certain safeguards with regards to computer systems have been complied with. In addition, in order to show the authorities that the obligations in terms of the Bill have been complied with, it will be necessary to actually give access to that system to an outside party. The National Key Points Act deals with this by sending an accredited auditor to inspect those sites to ensure the security obligations are being complied with. There is however no corresponding accredited auditor type person or body which can perform the same task when it comes to inspecting computer systems. It is also unclear why it would be necessary or desirable to declare things such as municipal computer systems as national key points. In those cases, such computers would already be subject to minimum security standards because they would be operating inside of government. It could also require telling people to put systems in place without providing funding for that system. A final concern is that the provision is overbroad.
In conclusion, the following recommendations were made:
Clauses 57 and 58 should be diverted to other processes currently dealing with those issues. Clauses 16 and 17 should be removed and dealt with in terms of the Hate Crimes legislation being proposed. Clause 2 and 4 should be redrafted.
Mr Horn referred to the meaning of “unlawfulness”. Mr Giles had stated that unlawfulness should not be used as a requirement of the definition of certain offences. If an institution is required to store information and they unlawfully do not do so, if they do not do so with intention, would that not then negate a finding that they acted in an unlawful manner? Is unlawfulness not always linked to the intent to commit a crime? What suggestions does Ms Tilley have in that regard?
Mr Mpumlwana appreciated the comments on clause 38. Is ODAC recommending that clauses 16 and 17 be completely removed? If so, what alternative provision should be used to regulate cybercrime and revenge pornography? He did not agree with all of the arguments made. He maintained his position that two padlocks are better than one.
In response to Mr Horn, Ms Tilley stated unlawfulness is often used in the context of administrative law. If the state is required to act in accordance with a particular law and fails to do so, that act is invalid because it is unlawful. It can then be set aside but the failure to comply with the law in that context is not necessarily criminal. In a criminal context, the situation is more difficult. Definitions of crimes must include an unlawfulness element, including knowledge of unlawfulness and a fault element either in the form of intention or negligence. If the only element of a crime is intention, then that is a problem.
Digital Forensics submission
Mr Jason Jordaan, forensic scientist at Digital Forensics, said that prior to private practice, he worked in law enforcement for several years. Practitioners are limited by the legislation at their disposal. The ECT Act provided an improved framework to combat cybercrime but it is not perfect. It is however preferable to the position before the ECT Act where cybercrime was prosecuted based on common law offences such as fraud, which was far from ideal from a law enforcement perspective.
South African has adopted a progressive perspective. This is due to the ratification of the Budapest Convention on Cybercrime. This Bill will allow South Africa to properly ratify that treaty. This is important because cybercrime is an international crime which operates across the borders of countries. This is especially so when it comes to phishing attacks on bank accounts.
Most offences which he deals with usually have some form of electronic evidence involved. This is even so with murders, sexual offences and other property related offences. However, to make effective use of digital evidence, effective use of digital forensics is required to properly make use of that evidence per legal standards in a court of law.
As with all sciences, digital forensics is dependent on the qualification and expertise of practitioners. There is an international move towards improving the quality of forensic scientists. Proper regulation and control of digital forensic work is essential. This is because of the increased use of digital evidence in criminal trials generally. In the USA for example several issues had arisen. For instance, many people have been wrongfully convicted due to poor digital forensic work being done.
International standards for digital forensics have been developed and adopted worldwide. South Africa played a leading role in that regard. However, there are various capacity issues for practitioners dealing with forensic evidence. Generally, most practitioners in SA do not meet the minimum requirements for competency standards. This is partly due to a lack of effective training in how to use digital forensic tools and programmes. Most people believe that competency is a matter of having the latest technology and tools. This is unfortunate because it has led to a situation where people are placing higher value on the tools of trade as opposed to properly developing the skills of digital forensic science practitioners.
This is especially important when it comes to leading expert evidence in court. Currently the profession is not regulated to the same extent as other professions which give expert evidence. In his experience, he has seen numerous instances of poor digital forensic work which has fundamentally undermined criminal cases. In other cases, it has led to innocent people being charged with offences which are then simply thrown out of court. The point, is that poor digital forensic work can have a severely negative impact on people’s lives.
Some clauses do address concerns about proper qualifications and quality control of digital forensic work. Clause 24 deals with standard operating procedures which is welcomed. This is an innovative provision which places South Africa at the cutting edge internationally. Only the Netherlands and the UK have embarked on a similar process to properly regulate who may be recognised and practice as a forensic scientist.
Clause 24 is welcomed. However, there several concerns from a legal perspective and from the perspective of a practitioner: Clause 24 speaks to the development of standard operating procedures. Whilst he is not a lawyer be profession, there appears to be no legislation currently which deals with standard operating procedures. Generally, standard operating procedures are dealt with by means of subordinate legislation. This can cause confusion.
A second issue is that clause 24 applies only to the state. There is however a large amount of digital work being done in the private sector. Ultimately if that evidence is going to be used for prosecutions then the NPA will have to rely on that evidence. The clause should therefore apply equally to the private sector. There should not be a higher onus on the state than the private sector in relation to standard operating procedures.
The following recommendations were made for clause 24. It should be re-titled. An amended title was provided which would be more congruent with international licensing standards. All reference to procedures should be replaced with regulations. Clause 24(1)(c) should then be inserted to make those regulations to be subject to all forensic practitioners and not only those employed or retained by the state. This will ensure the legality and value of the evidence will not be compromised should the evidence obtained later go to trial per the discretion of the NPA.
Clause 51 deals with the submission of affidavits as proof of facts in court. The clause is fundamentally in line with section 212 of the Criminal Procedure Act. The purpose is to speed up the submission of forensic evidence in court. However, there are some concerns in clause 51.
The definition of a person competent to give evidence under clause 51 is too broad. A person with little to no experience and poor qualifications could then be permitted to give evidence. The clause should also be applicable to all practitioners and not just the state. There is also no obligation on practitioners when giving evidence to detail the different procedures and methodology which they used in compiling that evidence. This contrasts with section 212 of the Criminal Procedure Act which requires the person making the affidavit to fully document the scientific methods used in reaching their conclusions. Clause 51 should be amended to create such an obligation in line with section 212 of the Criminal Procedure Act. There is also no automatic right to cross-examine such a witness. This means the judge or magistrate must authorise the cross-examination and a refusal to do so, means the evidence is then not tested.
The following recommendations about clause 51 were made:
Clause 51(1)(ii) should be amended to cross reference clause 24, as requiring relevant expertise, qualifications and experience per the regulations promulgated in terms of clause 24.
Clause 51(1)(iii) should be amended to require that facts are established by a scientifically recognised examination or process which is fully documented in an affidavit. That wording would make the provision congruent with section 212 of the Criminal Procedure Act.
Clause 51(1) should also be amended to include a private practitioner as appears by a notice per the gazette following the Minister’s approval.
Clause 51(1)(d) should be introduced to state that an opposing party may request a person making an affidavit as a forensic scientist submit themselves to cross-examination.
Mr Swart noted Mr Jordaan was involved in the drafting of the Bill. If he was involved, then surely, he made his suggestions during the initial drafting process? Mr Jordaan’s real world experience is however invaluable. The potential for abuse is wide and proper regulations must be put in place to guard against such abuse occurring. The Bill must provide for proper regulation of experts to guard against that.
Mr Bongo welcomed the submission. Research in South Africa shows that cybercrime is very high both in South Africa and the whole continent. What comments does Mr Jordaan have on that? Criminal syndicates operate throughout the world to commit cybercrime. Will the Bill properly assist in combating cybercrime? What other measures should be taken on a continent-wide level to combat cybercrime?
Mr Mpumlwana asked if Mr Jordaan’s concern with clause 24 related to clause 24(1)(b). Are his concerns not properly covered by sub clause (b) which would make the insertion of sub clause (c) redundant? He agreed that the phrase “relevant qualifications” should be inserted as a requirement to give expert evidence as a forensic practitioner. The phrase is however somewhat vague as it is not entirely clear what “relevant qualifications” specifically means. What would be the correct definition of “relevant qualifications”? The phrase “scientifically validated process” should also be defined to make that phrase clearer for when judicial officers are required to interpret that clause.
Mr Jordaan replied he had been involved in the drafting process through the Department of Justice when the second iteration of the Bill had been drafted. By that stage many of the issues he is currently raising had already being dealt with. On the potential for abuse he agreed that there have been instances where there is a complete breakdown in the gathering and submission of digital evidence. This is especially so, when digital forensic practitioners do not have proper qualifications. It is a mistake to think that because a person is proficient in IT that they will necessarily be able to properly present and compile digital evidence. Digital forensics is a highly specialised area whilst IT is more generalised. Where a professional is unsure of a point they have a duty to inform the court of their uncertainty as an expert witness. Introducing regulations on proper qualifications would assist in ensuring this is avoided. Regulations are preferable because they can be amended far easier than legislative provisions. The content of those regulations can be compiled with the input of all relevant stakeholders such as the Police and the NPA.
Mechanisms are beginning to be established to align digital forensics at an international level. Many countries approach South Africa because South African practitioners are widely regarded as having a certain level of expertise, at least in most cases. South Africa has an opportunity to play a leading role by strengthening international cooperation in the fight against cybercrime.
In response to Mr Mpumlwana, Mr Jordaan noted that science is a discipline which uses objectively verifiable scientific processes. The privilege to set out findings in a court of law should be a privilege which should be reserved for qualified practitioners alone.
Mr Mpumlwana questioned what guarantees could be put in place that such an expert witness will then not be used to help guilty people escape conviction.
Mr Jordaan replied this was a valid point. In the USA, people often retain gun experts to escape conviction. It is a worrying trend that people are essentially selling their ethics for money. By designating certain professional bodies and persons to ensure proper oversight and quality control that can provide guarantees against that phenomenon occurring. However, the state can also abuse that process which must also be kept in mind.
Mr Mpumlwana requested Mr Jordaan make an additional written submission on this point.
Mr Swart noted the Minister of Justice has quite a small role to play in promulgating legislation in the Bill. The primary administrative authority falls under the Minister of State Security. It could be preferable for other departments to become involved especially in relation to information sharing.
Mr Jordaan replied that most other countries situate their cybersecurity responsibilities under Justice or the Police. South Africa is in the minority by situating this responsibility under State Security. It is positive if structures are put in place to mandate those bodies to report to Parliament on cybercrime activities and law enforcement. There are very few statistics on cybercrime at present. The creation of those structures will assist in filling that information gap.
The meeting was adjourned.