South Africa gets first look at cybercrime bill that comes with 25-year jail terms

A draft bill has explicitly made phishing and ID theft crimes for the first time, but some fear the legislation could harm free speech.

South Africa is on course to become the latest country on the continent to tighten legislation around computer crime, with the publication of a draft Cybercrimes and Cybersecurity Bill.

The draft bill, published by the Department of Justice and Constitutional Development, seeks to introduce a range of new offences with explicit penalties for phishing attacks, distributing malware, and committing identity fraud, amongst other offences.

Penalties for offences under the bill range from fines to 25 years in prison for "computer related terrorist activity" and interception of confidential material.

New Nigerian law means seven years for cybercrime

Senate passes broad bill which criminalises child pornography, cyberstalking, identity theft, and hacking government computers.

Read More

In a bid to crack down on online fraud and other crimes elsewhere on the continent, Kenya introduced a similar bill in August 2014 and Nigeria passed its Cybercrimes Act into law last November.

In a discussion document published alongside the draft bill, the Justice Department says that the new offences are necessary additions to the statute books in order to update the Electronic Communications and Transactions Act of 2002, which currently governs most online crime.

The document gives several examples of where current laws are failing South African citizens. In one example it says that the bill seeks to redress the fact that legal definitions of theft require that a person be deprived of their property - something which doesn't extend to copying a database. To counter this, a new crime of "computer related appropriation" is introduced.

Other examples seem less convincing and may conflict with laws around industrial espionage. The discussion document asks us to consider:

"A person physically steals the only copy of a DVD which contains all the information about the development of a super efficient electro-active polymer which will revolutionise robotic applications which he or she subsequently sells to a country for millions of dollars... the person committing the offence will probably be prosecuted for the theft of a DVD worth R5."

The Bill, however, has been broadly welcomed by industry. Dominic Cull, Regulatory Advisor to the Internet Service Providers Association (ISPA), said that he expected implementation to be slow, but that it brings South Africa up to international standards for policing online crime.

"Aligning South Africa with global cybercrime and cybersecurity laws and processes should be welcomed," Cull said, "While the Bill must balance constitutional rights to privacy, freedom of expression and access to information against security concerns we should also recognise that cybercrime and cybersecurity are pressing issues which need to be dealt with."

As it stands, however, some critics say that the language in the bill is too broad and may have consequences beyond its remit. In particular, says Jane Duncan, professor of journalism at University of Johannesburg, the definition of 'national critical information infrastructures' could include any piece of data belonging to government departments, and criminalise journalists investigating political affairs, for example.

"The definition of critical data is also very broad, including as it does 'the personal affairs of any person' and commercial information that could cause undue advantage or disadvantage to any person," Duncan says. "These overbroad definitions could lead to legislative overreach and ultimately overkill."

State censorship is a hot topic in South Africa. A controversial Protection of State Information Bill passed by parliament two years ago and a Film and Publications Bill - which the Electronic Frontier Foundation dubbed "Africa's worst new censorship law" - have raised concerns that the government is seeking to clamp down on freedom of expression.

Duncan also warns that the Bill includes provisions for offensive cyberwarfare capabilities on behalf of the state and warrantless seizure of evidence where cybercrimes are suspected.

"There are many problems like phishing and malware that could be dealt with through an information security policy, rather than a national security policy," Duncan says, "Yet governments rush to securitise and militarise these problems to justify government control of the internet.

"There's a tendency the world over to legislate for cybercrime, and to escalate the problem to the level of national security threat. Yet governments, including South Africa's, need to acknowledge that they have helped create the very problem they are legislating against."

At a separate event about online security organised by Mimecast, Brigadier Nicolaas Theodorus Pieterse, the head of the Electronic Crime Unit within the specialist Directorate for Priority Crime Investigation (also known as The Hawks), told an audience of journalists and security specialists that the police are struggling to fulfil their role within the bounds of current legislation.

Pieterse admitted that many local police stations would be unable to help individuals reporting that their online banking profile had been hacked, for example.

South Africans have until November 30 to submit comment on the bill.

Read more from South Africa