Clueless officials hamper cybersecurity law-making

Governments need to know what problems the cybersecurity legislation is meant to address, or they will face public backlash over the possible intrusions to their personal rights.
Written by Ellyne Phneah, Contributor

Governments need to determine the purpose of any proposed cybersecurity law and what problems it is supposed to address before approving the legislation. Those that fail to do so will experience backlash from their citizens, which is something countries such as the Philippines and India are going through.

Dan Auerbach, staff technologist at the Electronic Frontier Foundation (EFF), said a good piece of cybersecurity legislation is one that is careful, well-researched, specific, and with consideration for citizens' freedom of expression and privacy.

Lack of understanding detrimental
However, in many countries, there is often a lack of clarity surrounding the issues that the law is supposed to resolve. This is due to the lack of technical understanding on the part of lawmakers, Auerbach noted.

For instance, in today's security climate, there are cyberattacks and online crimes. The former involves sophisticated malware introduced to the networks of mission-critical systems to damage them irreparably, while the latter involve perpetrators using scam Web sites to steal small amounts of money from people.

These are two separate issues that require different solutions, and enacting a bill to try and address both is equivalent to having an open-ended bill entitled "Combating crime: terrorism, shoplifting", he pointed out.

Auerbach also spoke out against laws looking to attribute actions on the Web to an individual, noting it is "absurd" to assume this and how the Internet is a space for people to speak anonymously.

"Such outlandish proposals often come from uninformed politicians looking for easy answers, but the reality is their implementation will be incredibly dangerous to citizens," he said.

Then there is the issue of cybersecurity laws that bestow the government and public sector agencies with wide-ranging powers, which might stir citizens' concerns on how it might be used, noted Koh See Khiang, senior associate of information technology and communications at law firm Baker & McKenzie.Wong & Leow.

Citing the example of Singapore's recently proposed bill to amend the Computer Misuse Act to the Computer Misuse and Cybersecurity Act, Koh said the changes would give the government powers to order pre-emptive measures against planned attacks on critical national infrastructure. Given its range of impact, Singaporeans may be concerned over how the law might be used, and whether it could suppress privacy and free speech, he explained.

Philippines is one Asian country facing challenges in implementing its Cybercrime Prevention Act. The law, which was signed into being on Sep. 12 this year, was originally intended to fight online pornography, hacking, identity theft and spamming after local law enforcement agencies complained they lack the legal tools to combat such crimes.

However, the final legislation included tougher legal penalties for Internet defamation compared to traditional media. It also gave authorities the permission to collect data from personal user accounts on social media and listen in on voice and video apps such as Skype without a warrant.

Since its inception, though, multiple petitions were filed by various groups in the country and these protests eventually caught lawmakers' attention. The Philippine Supreme Court decided on Oct. 10 to suspend the Cybercrime Prevention Act while it determines whether the law violates civil rights.

Some intrusion permissible
Not everyone is against sacrificing some civil liberties to enhance the country's security though. Singaporeans ZDNet Asia spoke to acknowledged that some form of freedom has to be compromised in order to ensure better national security.

Toh Geok Boon, a civil servant said she was "supportive" of governments having the right to use personal online footprints to gather evidence, or conduct analysis of people's online behavior to prevent crime. In fact, she would "feel safer" if the government did so.

However, any government intrusion into people's personal space should not resemble that of the Chinese government, said Peace Chiu. She said China's control over its citizens, particularly on their freedom of speech, is "stifling" so lawmakers need to ensure to balance security needs with discretion.

Ultimately, country's legislators will need to make an effort to canvass the opinions of most citizens before enacting any cybersecurity laws, stressed Auerbach.

"Legislators must listen past the cacophony of fear and constant lobbying of law enforcement [agencies], and instead seek out technologists with subject-area expertise and civil society groups who fight for citizens," he said.

Editorial standards