
The long arm of the cyberlaw

Proposed legislation could discourage hackers from breaking into computers, but if the law is too broad, even a technology columnist could end up in a little cell in a big jail.
By Jason Norwood-Young, Contributor
Johannesburg, 13 Jun 2001

Proposed legislation could discourage hackers from breaking into computers, but if the law is too broad, even I could end up sharing a cell with Baba.

Until recently, I always believed that SA had no anti-hacking laws. Thanks to one of our on-the-ball readers, I have discovered the error of my preconception. We do, in fact, have one law that prohibits hacking in SA.

Soon I'll be singing "Nobody knows the trouble I seen," and rattling my tin mug against the bars.

Jason Norwood-Young, Technology editor, ITWeb

An insertion into Section 40A of Act 32 of 1998 (the Prosecuting Authority Act) states that foolish hackers who mess with a computer which is under the control of the South African Prosecuting Authority can spend the next 25 years writing out C++ code on the walls of their new home - a little cell in a big jail. Those interested in the amendment can find the act in the Prosecuting Authority Amendment Act of 2000 (Act number 61, section 18).

Hackers will note that everything else out there not in the care of the Prosecuting Authority is fair game. Your biggest risk is a civil case for damages or loss of revenue, and perhaps a criminal case if you manage to actually steal something of value (such as a few million rand from your favourite banking establishment).

Legal recourse

Fortunately for the innocent public and businesses on the Web, legal protection is on its way. The Law Commission has put forward a fairly broad paper entitled the "Proposed Computer Misuse Bill", which, if passed, could give serious legal recourse to those at the painful end of hacking attacks.

While the Prosecuting Authority Amendment Act is way too niche to be considered of any use to anyone apart from the Prosecuting Authority itself, the new proposed bill is, in my opinion, a little too broad.

Please note that I am not a lawyer, and I read the proposal with my layman's glasses on.

One issue that becomes immediately apparent on reading the proposed bill is a lack of certain definitions. Under the definition and interpretation section, the bill does well to succinctly define a computer, application and data, but fails to define the often-used term "authority".

Much of the bill is based on the concept of performing actions, such as accessing data or a computer or even passwords, without "authority".

Implicit authority

The concept of authority on the Internet in particular seems a little hazy. At what point of viewing data on a computer that could be on the other side of the globe do you lose authority? Who gives anyone authority to look at any particular Web site in the first place? Many sites still do not have acceptable usage policies, and therefore cannot really revoke authority at any particular point.

So if I theoretically have implicit authority to view a Web page, who says I don't have implicit authority to have a look at the code within the global.asa file, for instance? And while I'm there, I may as well connect to the back-end database through the login details I may find in the global.asa. Well, nobody has revoked my authority yet, so I might as well change some of this information, or maybe just grab these credit card numbers and expiry dates.

If authority to view other people's information is implicitly denied (the bill doesn't really state which way authority swings), then I can't view any Web pages. I'm left with a large paperweight on my desk shaped like a PC.

Even e-mail is too risky - what if someone sends a message to a news group with one of those company disclaimers attached? My authority to have that e-mail on my computer has been explicitly revoked, since I was not the addressee of the e-mail. Soon I'll be singing "Nobody knows the trouble I seen," and rattling my tin mug against the bars.

I`m sure that many of these problems will be addressed before the bill - or any other computer crimes legislation that may appear in other bills or acts - gets gazetted.

Anything less than meticulously prepared legislation written by experts with a multitude of talents - legal, networking, hardware, software and security - could result in my future columns being scrawled on toilet paper and smuggled out of jail by carrier pigeon. "Nobody knows my sorrows."
