Cyber Crimes Bill still makes criminals of most of us
This law is analogous to banning knives because they could be used in the commission of a crime, writes Ivo Vegter.
The scope and wording of the most recent draft of the Cyber Crimes and Cyber Security Bill remain far too broad, according to Lisa Emma-Iwuoha, an attorney specialising in ICT law at Michalsons, speaking in a panel discussion at ITWeb Security Summit 2017. In particular, the section about software tools that can be used for hacking systems applies to anyone who works in information security. Worse, it is likely to make criminals of ordinary people.
The tools that you need to secure a system against hackers are often the very same tools that hackers use. Port scanners, password crackers, web vulnerability scanners, and tools to sniff data on open connections are all used by attackers and defenders alike. Many of them are also included by default in modern operating system distributions.
The Cyber Crimes Bill makes it illegal to make, advertise, provide, obtain, sell, buy, possess or use any tools that can be used to commit cyber crimes. Such crimes include not only fraud, extortion, damage to property, disruption of essential services, and endangering the lives of people. They also include basic network operations such as gaining access to systems, acquiring or interfering with data, bypassing any security measure (however flimsy), or acquiring, possessing, providing, receiving or using a password or similar access code for data or devices.
The law does not specify in which circumstances such actions may be taken, or who may possess and use such tools. Instead, it makes provision for providing a "satisfactory exculpatory account" of a breach of its provisions. This turns an ancient legal principle on its head: citizens are now to be considered guilty until they can prove their innocence.
I possess prohibited hacking tools, some of which came with my operating system. I could argue that I use them to secure my own system, or to learn about how networks and operating systems work. However, since I do not work in information security, and cannot prove that I am qualified to use these tools, my exculpatory account would not likely be satisfactory. That would make me a criminal by default, without having committed any crime.
Even bona fide information security professionals would be considered criminals until they prove themselves to be otherwise. It also sweeps up vendors of network security products, who cannot foresee how their tools will be used. The penalty in each case is up to 10 years in prison.
This law is analogous to banning knives because they could be used in the commission of a crime. If you own a knife, without a "satisfactory exculpatory explanation", you'd be considered guilty of a crime without ever having committed one.
Besides network security tools, the Cyber Crimes Bill also presumes guilt in other cases. If you cannot explain your possession of personal data, for example, the mere belief that such data could have been acquired illegally would make you a criminal.
Not only will password cracking tools be illegal to possess, but if you simply give out a password to a computer or a PIN for a bank card, both you and the person you give it to could be found guilty of a crime, whether or not they even use it. The maximum penalty is 10 years in prison. If you are merely found to be in possession of a password, there is "reasonable suspicion" that such a password might be misused, and if you cannot explain it, you could sit for up to five years. It remains to be seen whether downloading hacked password lists, for purposes such as checking whether you've been hacked, analysing the quality of passwords, or assessing the impact of a hack, will be considered sufficient exculpatory explanations.
There's a further threat to companies and individuals, which arises from encryption. The Cyber Crimes Bill empowers officials to obtain decryption keys or security devices needed to "search for, access or seize" articles pursuant to a search warrant. The mere use of encryption will become grounds for "reasonable suspicion". What's worse, the Bill does not provide for any way to protect private information in the search and seizure process. This will certainly expose sensitive corporate information, sensitive private information, and confidential dealings between lawyers and clients or doctors and patients, whether or not it is relevant to the case under investigation.
Badly written laws are good for nobody except lawyers. The Cyber Crimes Bill, as it stands, will lead to a great deal more lawyering, because it makes criminals of almost all of us.