Cybercrime and cybersecurity bill – stop the ANC government from breaking the Internet

The government published the Cybercrimes and Cybersecurity Bill (CAC) draft for public comment on 28 August, proposing a number of measures to combat computer-related crimes in South Africa.
Its broad approach to information and communication technology crimes was roundly criticised, with the Electronic Frontier Foundation weighing in on the copyright infringement portions of the bill.
Columnist Ivo Vegter recently wrote an article for the Daily Maverick on the matter, titled Government is breaking the Internet.
In the column he highlights the following problems with the bill:
- Too-broad, and useless definitions for copyright infringement.
- Creation and use of tools used by network engineers and security professionals, such as Wireshark, nmap, and aircrack-ng, is criminalised.
- Whistleblowing and investigative journalism will be criminalised.
Specialist lawyers Lisa Thornton and John Giles told MyBroadband that they mostly agree with Vegter on the point that the draft bill is too broad.
Here’s what they had to say on the matter.
You have to take a nuanced approached – Lisa Thornton
Thornton – a consultant specialising in electronic communications, new media policy, and regulatory issues – agreed with Vegter on almost all points.
She said such a bill is needed, its provisions have to be more nuanced, though.
“I lost quite a lot when someone took over my identity in South Africa several years back,” said Thornton, adding that she was given the run-around by the bank and bank ombudsman.
“No-one seemed to know whether a crime was committed or what to do about it.”
She also agreed that copyright protections belong in the copyright laws, and that network monitoring falling afoul of the new bill is problematic.
“The draft bill isn’t perfect, but it’s a good thing that a comprehensive law has been put out there. It is a good thing that comments are going to be accepted, and hopefully taken into account.”
“I hope the industry continues to engage within the process. And I hope the media continues to call a spade a spade.”
Copyright protections are needed, serious implications for whistleblowers and security researchers – John Giles
Giles, a managing attorney at Michalsons Attorneys, disagreed with Vegter and Thornton on the issue of copyright protections.
“Copyright protection is very necessary. There is an overlap with the Copyright Act or the recent Copyright Amendment Act, but both should exist,” he said.
On the topic of network monitoring and packet sniffing tools, he said it was important to remember that such utilities must be used unlawfully and intentionally for it to be a crime under CAC.
He warned that if someone unlawfully accessed critical data in a national-critical database, they could be fined R10 million or face up to 10 years in prison.
However, he did agree with Vegter and Thornton that exclusions for whistleblowers and investigative journalists need to be added to the bill.
“CAC crimes are defined very broadly,” he said.
“For example, if someone does anything with state secret information, they could go to jail for 10 years. There is no public interest defence.”
Similarly, someone who reports security flaws to the media could be seen as aiding others to commit cyber crimes, and will earn the person reporting the crime the same sentence as the person committing it.
The bill defines Security Incident Response Teams that the issue should be reported to, if not directly to the provider of the service or site with the security flaw.
A site that has been alerted to the fact that it has a security flaw would need to report it, or they would be guilty of a crime and face a fine of R10,000 per day.
“CAC is necessary, but it goes overboard. It is too broad and complex. As a country, we don’t have the skills or the budget to implement it. It could have serious consequences for people who are unaware of what CAC means for them.”
Giles said Michalsons is running public workshops on the Cybercrimes and Cybersecurity Bill during February 2016 in all the major centres.
Those interested in submitting comments on the bill have until 30 November to do so, using the SA government’s website.
More on troublesome South African laws
South African Cybercrime Bill would nail copyright infringers
Cybercrimes and cybersecurity bill for South Africa
South Africa’s “worst ever Internet law” needs to be fixed
Worst ever Internet censorship law planned for South Africa