Does Bill endanger SA's open democracy?

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 07 Dec 2015
As the Bill stands, it will criminalise actions or omissions of citizens, in many circumstances without their even realising that they may have committed a crime.

The Cybercrimes and Cybersecurity Bill set for promulgation in 2016 is comprehensive, and in fact overly so in addressing issues that are not appropriate to the legislation. It is very broadly drafted and fails to take proper cognisance of many issues that are facts of 21st century life.

This is according to Mark Heyink, attorney at Mark Heyink Attorneys, who adds that there are many consequences to the Bill, which are hopefully unintended. "However, if they are intended, as I cynically believe they are in some cases, our open democracy is in greater danger than ever."

Heyink will be taking a controversial look at the Bill during his presentation at the ITWeb Security Summit 2016, to be held at Vodaworld in Midrand from 17 to 19 May 2016.

The Bill, which aims to give SA a co-ordinated approach to cyber security and will create several new offences related to data, messages, computers and networks, has been the subject of immense scrutiny over the past few months, as experts and security professionals in SA weigh its pros and cons.

That cybersecurity legislation and the addressing of novel crimes is desirable is incontestable, says Heyink. "I have been a strong proponent of appropriate legislation of this nature for about 15 years. However, the Bill goes far further than what is necessary and is clearly the product of the justice, crime prevention and security (JCPS) cluster - often referred to as the government 'knuckle-duster'."

Causes for concern

He says the primary objections that make the Bill more alarming than the Protection of State Information Bill are as follows:

Despite the fact that the majority of ICT infrastructure and information is in the private sector, and all credible cybersecurity frameworks in democratic societies emphasise the importance of public/private partnerships in combating cybercrime, there has to date been no proper consultation with the private sector.

"Further, the Bill does not create the structures for this to occur. On the contrary, it is framed in a very dictatorial as opposed to consultative fashion."

Secondly, Heyink says the importance of the protection of personal information as a check and balance against over-broad law enforcement and national security powers, or the overreaching of these powers, is conspicuous by its absence.

"This in itself renders the Bill, as currently drafted, contrary to the protection of privacy enshrined in our constitution. Further, the reluctance of government to implement POPI despite it being enacted in 2013, is completely contrary to the expressed intent of the National Cybersecurity Policy Framework to encourage and nurture a cyber-security culture in all citizens.

"It is clear that the countries that have been most successful in doing this are those that have had privacy legislation in place and implemented its provisions through the means of an independent regulator. It seems that government does not wish to have an independent regulator or be accountable for its actions in this sphere."

Thirdly, he says the Bill creates 57 new crimes with over-broad and ill-considered wording, but most frighteningly it effectively shifts the onus of proof from "innocent until proven guilty" to "guilty unless you can provide satisfactory exculpatory reason" - essentially subverting the very essence of criminal justice.

"So, as it stands, we will criminalise actions or omissions of citizens, in many circumstances without their even realising that they may have committed a crime, and then ask them to explain why they are not guilty."

Next, he says, it allows for government to have a backdoor into technology (access must be given to government if required) and creates the platform for mass-surveillance (in the name of security) that is being fought against in democracies worldwide. "Do you want law enforcement in your bedroom?"

Finally, Heyink says the issue that makes the Bill almost laughable, if it were a funny issue, is the demonstrable lack of capacity and competence in government, the SAPS and the NPA to properly deal with the crimes that it creates.

"This will open the door to allow law enforcement to do what it wishes, but it is unlikely that the protection that government has promised in addressing the issue will be forthcoming. After all, government still has in place, as its sole measure of information security, the MISS (Minimum Information Security Standard) that was published in 1996 and has never been amended or updated to address the frenetic pace of change in technology."

Yes, says Heyink, government has abdicated its leadership role in ICT since coming into power and now wishes to assume the role of knowing best with regard to cybersecurity. "The indecent haste that is evident in trying to ram through the legislation and attribute to itself powers that it failed to achieve with the secrecy bill is a display of arrogance that is truly astounding."