Cybercrimes and Cybersecurity Bill: proposed amendments

Meeting report

Mr Sarel Robbertse, State Law Adviser: Department of Justice and Constitutional Development, said that Response to Submissions document had been constructed rather quickly. Various suggestions were made and some were not taken into account. The Department had considered everything the Committee had spoken about. They would first deal with submissions on the definitions in the Bill.

Chapter 1 Definitions
“access”
The South African Human Rights Commission (SAHRC) said that “without limitation” was very vague in the definition: “without limitation to make use of data, a computer program, a computer data storage medium or a computer system”. The Department found that “without limitation” was necessary as it did not want a restricted definition.

“article”
Option 1 is a proposal to address the concern. The Department noted a printing error in the Bill. The words “that are related to, connected with or used with such a device” should form a separate sentence under paragraph (e).

“computer”
Some service providers, mainly MTN, indicated that this was not in line with international definitions. The Department stated that the definition in the Bill was in line with the definition used by the South African Development Community (SADC). The Department suggested that this be amended. In simple terms, a computer is a device that does calculation. Reference to other devices that are connected or related to computers should not be in the definition. All side components should be omitted. This will bring it in line with other international law which did not strictly use SADC law.

“cybercrime”
The Committee had requested the Department look at a possible definition of cybercrime. Chapter 2 of the Bill deals with two categories of offences: offences against a computer system and offences facilitated by a computer system and recognized as a specific form of cybercrime. Clauses 16, 17 and 18 dealt with malicious communications. The Department previously pointed out that it served no purpose to define “cybercrime” as the Bill already acknowledged the investigation of other offences committed or facilitated by electronic means in Chapters 5 and 6.

“cybersecurity”
This was also not necessary to define in the Bill. Cybersecurity was a science that was changing all the time. All the necessary elements were taken into account in the Bill.

“data”
When the National Prosecuting Authority (NPA) briefed the Committee, the NPA criticized the Bill for not referring to “subscriber data”. The Bill did not need to refer to or define subscriber data or information. Other laws provided for authorities to obtain subscriber data. The Regulation of Interception of Communications and Provision of Communication Related Information Act (RICA) was one such law which gave authorities the right to obtain subscriber information. However, clause 42 could be used to obtain subscriber data. It was not necessary to specifically deal with subscriber data or information in the Bill.

“electronic communications identity number”
This was a new definition.

“financial institution”
This referred to the Financial Service Board Act, 1990. In June 2017, however, the Financial Sector Regulation Act, No. 9 of 2017 was passed which repealed the Financial Service Board Act. As such, the definition should be amended to refer to the definition in the Financial Sector Regulation Act.

“investigator”
The South African Police Service (SAPS) requested that this be amended to include digital forensic investigator. The concerns of the SAPS were addressed in Option 1. Investigators needed to be declared as peace officers to ensure that authorities could regulate their qualifications.

“output of a computer program” and “output of data”
During the development of the Bill it was proposed that definitions should as far as possible be included in clause 1 of the Bill. The Department, however, was of the opinion that the definitions of “output of a computer program” and “output of data” should be moved to clause 2 in Chapter 2, since it mainly related to that clause.

Questions
Mr L Mpumlwana (ANC) asked why the Bill referred to other Acts for definitions. Why could the definitions not be independent? He was not happy with the definition of declared peace officer. There was nothing wrong with investigator.

The Chairperson said that the State Law Adviser was making suggestions and the Committee would make the final decision.

Mr W Horn (DA) asked which one of the two options for the definition of computer the Department preferred. The second option would be a safety net.

Ms M Mothapo (ANC) asked how the “cybercrime” definition related to cyber-attack and how far the African Union (AU) Convention process was in ratifying law which dealt with cybercrime and attacks.

Mr Robbertse replied about the AU Convention that some signatories were still needed and the ratification process would take a long time. On cybercrime and cyber-attack, paragraph (b) and (c) defined attack against a computer system. This could be argued to be an electronic attack also. On the offence by means of an article, (c) was not a cyber attack. One could commit murder by shutting down a life support system.

On the definition of computer, one of the main attributes of a computer was that it was a device that performed certain operations. Input device was not very relevant to this definition of computer. Service providers referred to network virtualization. The Bill attempted to deal with crimes that attack information on a computer. If a device did not qualify as a device that did not do calculations it should not be considered or defined as computer. Many states stuck to a narrow definition of computer. Some countries had no definition because computers transformed often.

On the Financial Sector Regulation Act, the problem was that when one dealt with certain regulations it was usually prudent to include reference to that Act. What a financial institution is, if it was limited, could be amended in that Act which would mean that the definition in the Bill would not be in line with that Act.

On investigator, the fact that persons were appointed as investigators was to ensure that they could investigate. Ordinary people did not have the function of search and seize. Police had the general functions to investigate cybercrimes. The Bill needed to include ordinary people to help the police. On peace officers, this did not limit the powers of the police. Investigators would act under the control of police officers. Peace officer would mean that persons could be regulated based on qualifications to work as peace officers.

Mr Mpumlwana said he was concerned about the use of peace officers. Why was the word “not” in the definition of investigator? Did this not limit police officers?

Mr Robbertse replied that the police had powers to investigate cybercrime and any other crime. What the Department tried to do was indicate that certain people could perform this function of the police. The word “not” did not prohibit a police officer to act as an investigator. People that were employed as investigators could help the police. It did not prohibit the police.

Mr Dingaan Mangena, State Law Advisor: Department of Justice and Correctional Services, said that the Bill did not exclude the police. In the event that police were not competent in a specific domain they were not prohibited in finding experts to assist in investigations.

Mr Mpumlwana, said that “not” in the definition of investigator needed to be changed to “not necessarily”. This gave a very clear explanation.

The Chairperson noted Mr Mpumlwana’s concerns and asked Mr Robbertse to continue with the definitions.

Chapter 2 Cybercrimes
Personal and financial information or data related offences
Mr Robbertse said a new offence was proposed by cellular operators. It was necessary to create an offence that would provide for criminalization of personal and financial information related offences. Provision was made for this request. Personal and financial information was defined. Various criminalized personal and financial related offences were provided for in the Bill. Financial related offences could be covered by clause 7 and the ambit of clause 7 was restricted. To criminalize financial information offences could be an adequate step in intervening in personal and financial information offences.

Mr Horn said that he was worried that these two options hinted that the acquiring of this information needed to relate to specific cybersecurity. This was very broad. Could it be narrowed and specified.

Mr Robbertse replied it was intentionally left neutral. Information that was acquired in the real world could be used to commit crimes in the cyber-world. The means were broad and as such the Bill did not specifically deal with the means to find the information.

Mr G Skosana (ANC) asked if Identity Document (ID) numbers were considered financial information. ID numbers contained serious information, even banking details.

Mr Robbertse replied that the Protection of Personal Information Act (POPIA) was not adequate in dealing with other cybercrime offences. It was proposed by the Department that the criminalization of the use and abuse of financial information was important. Many people said POPIA dealt with this and as such it was left out. It had been requested that offences be in line with international trends. There was provision for the internationally acceptable definition of “access” in the Bill. There were certain shortcomings however. One needed to overcome protection measures such as passwords. The UK legislation on the matter was used and handled the inadequacy of international definitions. More definition options needed to be made for “access”. The Committee had the option of the UK based or international trends for “access”.

Unauthorised [securing of] access
What remained important was dealing with “unauthorised access” as the court dealt with other matters of unlawful action.

Unlawful acquisition of data
The Committee had suggested that they follow international definitions. The Department attempted to accommodate this request. Provision was made for additional offences such as provision of data to commit offence and a person which had unlawful data who could not explain why this was the case. “Offence” in the tabled Bill was broad enough to deal with electric magnetic omissions.

Unlawful acts dealing with software and hardware
Mr Robbertse said security experts needed hardware and software tools to do daily work. Clause 4(1) could criminalize conduct which was applicable. The Department thus proposed that 4(1) be deleted and 4(2) be amended to accommodate criticisms against the Bill. There was a small amendment to the definition of software and hardware tools. The words “acquire and use” were adequate. On the other offences, there was not much comment or criticism.

Mr Mpumlwana said that he had some problems with “protection measures” and “output of data”. Would it not be better if there was a distinction between (a) and (b). Could (b) and (a) stand each on its own?

Mr Robbertse replied that the decision was for an option based on the criticism to the Bill. This related to penetration testers and other persons who did such work. People who did such work were very uncomfortable with this as it could lead to selective prosecution.

Mr Mpumlwana said that he agreed with Mr Robbertse. The phrase “unlawfully and intentionally” covered their concerns however.

Mr Robbertse replied that a lot of countries followed what was stated in clause 4(1).

Mr Mangena said that people in the industry were concerned about the broadness of clause 4(1) which included manufacturing. After consultation, it was agreed to limit it to acquisition and usage for the purpose of unlawful conduct. Production of products was not illegal but if one intended to use it illegally, it was dealt with under the law. In the past it was very broad to include manufacturers.

Mr Mpumlwana said that he did not understand. One became ‘bad’ only when one used software with the intention of ‘unlawful conduct’.

The Chairperson said the Committee could not limit the right of people to manufacture. The law stepped in only if there was an intention to use it criminally.

Mr Mpumlwana said that this was different. One made software for the specific purpose of hacking a computer. How was this dealt with?

The Chairperson asked how lawmakers regulated something which pre-empted illegal use.

Mr Horn agreed with Mr Mpumlwana about “intentionally unlawful”. There could be other ways to accommodate the fear of the stress testers.

Mr Mpumlwana said that he agreed with Mr Horn. Software for hacking was specific. Software is never for dual processes.

The Chairperson asked how the law could be formulated in a way that one could outlaw people which manufacture software for intended unlawful conduct. The formulation needed to be left to the experts.

Cyber fraud
Mr Robbertse  said that SAPS had asked why cyber elements were not included. The Department said that it followed international trends on the definition of cyber fraud. Offences needed to be adapted to cater for shortcomings in common law. Fraud was extended to several other misrepresentations such as cyber extortion. It was not necessary to define each and every offence. On the offence of fraud, two amendments were proposed dealing with data and interference with unlawful use of data.

Aggravated offences
Mr Robbertse said that there was not much comment on aggravated offences but it was revised. A specific knowledge or intention requirement was inserted. Restricted computer system was dealt with in paragraph (b). The Department submitted that this was too broad. This whole reference needed to be taken out of the definitions.

Discussion
The Chairperson asked how long would this Bill take and what other experts were needed to assist the Committee and the Department.

Mr Robbertse replied that the Department could go through the Bill if it were given four days of meetings in a row. Certain expertise needed to be available. Expertise in South Africa was not adequate.

The Chairperson said he was worried to legislate outside the competencies of both the Committee and the Department. There needed to be people to help the Committee deal with this.

Mr Horn said that he did not disagree but that he believed that the Portfolio Committees on Police and Telecommunications would have to be involved at some stage in developing the Bill. He did not know if they had been briefed.

Mr Mpumlwana said that the only thing that he saw was the technicalities. A minimal level of information was needed to deal with the Bill.

The Chairperson said he did not disagree with him but Mr Horn’s suggestion was good. Other committees needed to be involved.

Ms Mothapo said that consultation with other committees was needed. This Bill was very difficult and MPs were not technically informed on the topic. The presentation document was very thick. How long would it take to deal with the matter? The Telecommunications Committee was dealing with the same issues and even the Committee on Police. Joint meetings were needed with various committees. It was unfortunate that the Department was saying that there was no expertise in the country.

Mr Skosana said that he agreed that the Bill appeared to be too technical. The issue of technology needed to be looked at. People who had technical knowledge needed to be acquired to assist the Committee. The Committee needed sessions with experts and the other committees.

Mr Mpumlwana asked if ordinary IT experts could clarify certain things. He said that he was not sure about the assertion that there was no one in the country to deal with this.

The Chairperson agreed with Mr Skosana and Ms Mothapo about a joint sitting with other committees.

Mr Horn said that the Committee had come some way with the Bill. A briefing needed to be conducted with other committees

Mr Robbertse replied that he had compiled an extensive document which was given to the content advisors. This referred to a vast number of legislation. He suggested that if one took a model law, and the Bill was more or less in line with model law, it would be effective in dealing with cybercrime in South Africa. On the IT people, it would not be able to tell you how to act. But this was worth the shot.

The Chairperson said that the Department had done their best but that there were other stakeholders. Before finalization, sister portfolio committees needed to be engaged with. Joint meetings needed to be held.

Ms Mpumlwana asked if the document given to the content advisors could be circulated, and any other relevant information.

The Chairperson said that Mr Robbertse had done his best. Other committees would be spoken too.

The Committee deliberated on their programme, which had no major changes, and the meeting was adjourned.