The proposed Cybercrimes and Cybersecurity bill will make it impossible to help

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
It is out for comment and it will be supposedly signed into law (here is one copy: http://www.htxt.co.za/cybercrimes-and-cybersecurity-bill-full-text-and-have-your-say/)

I have not gone through it end-to-end, but it has dramatically changed from the last time I read the draft. Initially there was a provision for responsible disclosure but this seems to have gone completely and technically any security researcher being in possession of a security leak would have committed a crime (the currently enforced ECTA is more vague/lenient in this aspect).

A pity about the way this was drafted as this now forces researchers more into the underground than engaging with companies which will ultimately mean that our data will become less secure as the consequences for researchers are unpredictable.
 

Bizkit87

Executive Member
Joined
Apr 3, 2009
Messages
5,254
Data message which is harmful

17. (1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message which is harmful, is guilty of an offence.

(2) For purposes of subsection (1), a data message is harmful when it—
(a) threatens a person with—
(i) damage to any property belonging to, or violence against, that person; or
(ii) damage to any property belonging to, or violence against, any member of the family or household of the person or any other person in a close relationship with the person;
(b) threatens a group of persons with damage to any property belonging to, or violence against, the group of persons or any identified person forming part of the group of persons or who is associated with the group of persons;
(c) intimidates, encourages or harasses a person to harm himself or herself or any other person; or
(d) is inherently false in nature and it is aimed at causing mental, psychological, physical or economic harm to a specific person or a group of persons,

and a reasonable person in possession of the same information and with regard to all the circumstances would regard the data message as harmful.

so.. telling someone to go fck themselves online is now a crime? Telling you that i drilled your mother is also a crime now :wtf:

So far Zuma & Malema would be in contravention 2a i & ii

Distribution of data message of intimate image without consent

18. (1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.

(2) For purposes of subsection (1) "intimate image" means a visual depiction of a person made by any means—
(i) under circumstances that give rise to a reasonable expectation of privacy; and
(ii) in which the person is nude, is exposing his or her genital organs or anal region or, in the case of a female, her breasts.

So every single person that shared the 'Margharet van Wyk' photo is in contravention of the above

19. (1) A complainant who lays a charge with the South African Police Service that an offence contemplated in section 16, 17 or 18 has allegedly been committed against him or her, may on an ex parte basis in the prescribed form and manner, apply to a magistrate's court for an order pending the finalisation of the criminal proceedings to
(a) prohibit any person from further making available, broadcasting or distributing the data message contemplated in section 16, 17 or 18 which relates to the charge; or
(b) order an electronic communications service provider or person in control of a computer system to remove or disable access to the data message in question.

I cannot see how government would/could ever abuse this !? /s

Search for, access to, or seizure of article involved in the commission of an offence without search warrant

30. (1) A police official may without a search warrant referred to in section 27(1)(a) search any person or container or premises for the purposes performing the powers referred to in paragraphs (a) and (b) of the definition of seize in respect of a computer data storage medium or any part of a computer system referred to in the definition of "article", if the police official on reasonable grounds believes—
(a) that a search warrant will be issued to him or her under section 27(1)(a) if he or she applies for such warrant; and

Just wow...

AGREEMENTS WITH FOREIGN STATES

National Executive may enter into agreements

59. (1) The National Executive may enter into any agreement with any foreign State regarding—

(a) the provision of mutual assistance and cooperation relating to the investigation and prosecution of—

Our chinese overlords want to see what is happening...

3. (1) Any person who unlawfully and intentionally—

(a) overcomes any protection measure which is intended to prevent access to data;

So the guy that pointed out the COJ flaw in billing system can be arrested as he 'overcame protection measure intended to prevent access'

Unlawful acts in respect of software or hardware tool

4. (1) Any person who unlawfully and intentionally possesses, manufactures, assembles, obtains, sells, purchases, makes available or advertises any software or hardware tool for the purposes of contravening the provisions of section

Better not tell people about torrent sites...

(2) Any person who is found in possession of a password, an access code or similar data or device in regard to which there is a reasonable suspicion that such password, access code or similar data or device—
(a) was acquired;
(b) is possessed;
(c) is to be provided to another person; or
(d) was used or may be used,

:confused:

I just scanned through it now, but boy it doesn't look good.... way too vague and open to abuse...
 

MagicDude4Eva

so.. telling someone to go fck themselves online is now a crime? Telling you that i drilled your mother is also a crime now :wtf:


So the guy that pointed out the COJ flaw in billing system can be arrested as he 'overcame protection measure intended to prevent access'

Whatever happened to him? I think it was awesome what he did (and girls in the office said that he is not just smart, but also super-handsome and athletic as well).

Just reading through the bill sent shivers down my spine. I hope that our friends at ISPA will assist with this as the new proposed draft seems to be an aggressive about-turn from what was initially drafted. It is drafted without fairness and regard for constitutional rights and seems to solely shift powers and oversight to the state. This is a prime example that neither ICASA nor DoC have any interest in protecting the public.

In all honesty, the legislation should ensure that proper oversight and compliance is introduced and the current (ECTA) and this new bill just does not seem to be well thought through. I am sure if you do a proper plagiarism search, you will find that large fragments of it have been a copy-and-paste from the US, Russia or China where it is quite common to infringe on citizens' rights.
 

Bizkit87

The scary part [or one of] is that a police [or force] can search you without a warrant [NSA-like?] if they 'believe' a search warrant will be issued to them?

So what happens after they searched your pc, and the judge refuses a warrant, do they just go 'oops- my bad ?'
 

WAslayer

Executive Member
Joined
May 13, 2011
Messages
8,938
so all those chops who all use the same, weak password and can never remember it and write it down somewhere can now all be suspects in a case where a crime was committed...
 

MagicDude4Eva

The scary part [or one of] is that a police [or force] can search you without a warrant [NSA-like?] if they 'believe' a search warrant will be issued to them?

So what happens after they searched your pc, and the judge refuses a warrant, do they just go 'oops- my bad ?'

Not sure if you guys noticed specific consideration for financial institutions and lesser focus on non-financial businesses. The conspiracy theorist in me whispers "Guptas.... Guptas"
 

Bizkit87

Not sure if you guys noticed specific consideration for financial institutions and lesser focus on non-financial businesses. The conspiracy theorist in me whispers "Guptas.... Guptas"

and the 'taking down information before a court case'

So you leak new 'Nkandla' - take it down
leak municipal fraud - take it down [unlawfully obtained information]
 

Bizkit87

also, what happens if my facebook got hacked and someone posts KILL ZUMA !?
what happens when a friend downloads an 'unlawful' piece of software on my wifi?
what happens if my pc gets infected and becomes part of botnet distributing gay photos of Malema and Zuma?
what happens when i'm a programmer testing code i'm writing and it breaks one of these laws?
what happens if someone uses my pc to run 'unlawful' software ? Am i guilty because it's my property?

All this is going to do is open a market for VPN's and proxies.
 

MagicDude4Eva

I asked mods to merge comments from this article: https://mybroadband.co.za/news/secu...ing-surveillance-with-cybersecurity-bill.html

Comments like the following are short-sighted:
But the final draft of the bill says that journalists and whistle-blowers will now be protected by the protected disclosures act. Previous versions of the bill stated a person who did anything with state information that was classified as secret could go to jail for 10 years without the possibility of a fine.

What is not mentioned is that such "protection" of whistleblowers and security researchers only applies if the disclosure is made to the "right" person. This means that if you identify a security issue and report it to a company responsibly and the company pleads ignorance and ignores it, you can very well face criminal charges.

Literally all South African security breaches of big companies have been reported by their users and in almost all cases it required leaking the information into the public domain to force companies to resolve their exposure. The act now has the potential to criminalise such reporting and at the same time unreasonably extends search-and-seizure operations for crime-intelligence.

It will just be a matter of time that with bills like this ISPs will be burdened with government surveillance requirements and police can now arrange search-and-seizure on a hunch without a warrant without much recourse. Quite scary to think that this bill just jumped through parliament (just this morning I made mention that this bill will be troublesome).
 

Tomtomtom

Expert Member
Joined
May 6, 2010
Messages
1,490
Two basic principles of government:

1. If you have a legislature, it will make new legislation.
2. Legislation will tend to create crimes that are malum prohibitum because the common law has malum in se covered.

Ultimately, governments are succeeding if everything is criminalized, because as long as every citizen could possibly be found guilty and sentenced for something -- it doesn't matter what -- or has had to apply for express approval for his every act: then, and only then, has government properly subjugated the people, i.e. governed.
 

Tomtomtom

A pity about the way this was drafted as this now forces researchers more into the underground...

...or it forces them to break the law, and this is a feature, not a bug. Prosecutors can choose to prosecute, and from the legislature's perspective, it's ideal if they could choose to prosecute anyone. I suggest calling their bluff, and predict that that's exactly what will happen, until eventually one day common law and common sense and/or the constitutional court prevail. I wish the civil law had disappeared along with the Romans.
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,685
What is not mentioned is that such "protection" of whistleblowers and security researchers only applies if the disclosure is made to the "right" person. This means that if you identify a security issue and report it to a company responsibly and the company pleads ignorance and ignores it, you can very well face criminal charges.
Who are the correct people to receive such disclosures?

* Affected company
* The media
* The police
* Some government department
* A lawyer
* An independent party
* Someone else
* Public discourse (wiki leaks)

What would be most effective while also being the most responsible?
 

MagicDude4Eva

Who are the correct people to receive such disclosures?

For responsible disclosure it would be first the affected party and if no response received, law-enforcement (some cybercrimes unit) and in parallel some oversight body (similar to the Electronic Frontier Foundation) and failing all of it (or if the issue is very severe) also the public.

People are misguided in thinking that just because a breach/security issue is not in the public domain, that a crisis is averted - this is not correct as it results in cover-ups and keeps consumers/citizens exposed for much longer than necessary. Think about cases where personal information has leaked and a payment gateway (and their bank) keeps mum about it for months (happened last year) - had customers known about it, they could have avoided fraud issues.

None of the above works really well anywhere and the US is an example where security researchers will not disclose information responsibly any more due to the legal consequences.
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
What are the chances of this getting signed in?

What does this mean for a forum like mybb?

Can I now sue biometrics for harassment?
 

biometrics

Honorary Master
Joined
Aug 7, 2003
Messages
71,858
What are the chances of this getting signed in?

What does this mean for a forum like mybb?

Can I now sue biometrics for harassment?
Dude, give it a rest. I'll sue you if you keep mentioning me.
 