Cybercrimes Bill [B6B-2017]: public hearings day 2

Meeting report

Briefing by Commission for Gender Equality (CGE)

Ms Keketso Maema, CEO, CGE, stated that the CGE was a Chapter 9 institution with a mandate to promote and protect gender equality. The CGE had made a submission relating to cyber-violence against women and girls. Violence included unsolicited/non-consensual pornography, cyberstalking, slut-shaming and other issues.

Ms Marissa van Niekerk, Director: Legal Services, CGE, explained that cyber-harassment could take many forms, including use of social media, direct personal threats. Non-consensual pornography (“revenge porn”) involved the distribution of sexually explicit material of someone without their consent. While the perpetrator was often a former partner, it could also arise through hacking or theft of personal data.

The CGE proposed the definition of “minor” should be reflective of the Children’s Act and should read as such in the Bill, i.e. “any person under the age of 18”.

Cyber-extortion (S10) should be extended to include sexual harassment and non-consensual pornography.

In terms of Section 11 aggravated offences: a person infringing on the dignity, privacy or integrity of a person should be found guilty of an aggravated offence.

Regarding Section 16, CGE supported the spirit but proposed a broader scope.

In terms of Section 17, the CGE proposed inclusion of cyber-harassment and cyberstalking.

On S18 offences of distribution of intimate images without consent, the CGE suggested a new sub-clause: a person who makes or distributes intimate images of a child even with their consent must be guilty of an offence. The distributor should take reasonable steps to ascertain age of person involved and depicting an adult as a child should also be an offence.

Discussion
Mr Sarel Robbertse, State Law Advisor, Department of Justice of Justice and Constitutional Development (DoJ&CD), pointed out that the CGE had not addressed the offences in the schedules to the bill, which explicitly dealt with revenge pornography, including extortion relating to pornography. He submitted that the Bill therefore did not need to be amended, as the CGE’s issues were dealt with by the schedules and Sexual Offences Act. On Section 11, since specific offences were dealt with in the Sexual Offences Act, his contention was that Sections 5 & 6 should not be applicable to cyber violence/extortion. The CGE had incorrectly cited S16 which was actually S14. He proposed that there were already laws that dealt with harassment, and reading S14 & 15 in conjunction with these laws probably went wide enough. In respect of trafficking, the Prevention and Combatting of Trafficking in Persons Act already explicitly prevented messages relating to human trafficking. On S18: The Sexual Offences Act pertaining to child pornography contained an extremely wide definition already. He argued that the names of offenders in terms of the sexual components of the Bill would automatically qualify for inclusion in the register of sexual offenders.

The CGE replied that amendments to Sexual Offences Act came in after the CGE’s submission on the Cybercrimes Bill, which explained the overlap. Nevertheless, GBV was a crisis in South Africa, and the more that could be included in legislation the better. Amendments to the Sexual Offences Act were just proposals, and implementation was not certain. Protection from Harassment and Domestic Violence Acts are not wide enough in SA. Shouldn’t all the cyber-related crimes all be under one umbrella?

Mr K Motsamai (EFF, Gauteng) noted an issue of concern over the mention of “women & girls” and not inclusion of “boys”, as they were also vulnerable and victims of frequent sexual offences.

The Chairperson thanked the Commission.

Briefing by MTN

Mr Rakesh Ishwardeen, Senior Management: Law Enforcement Liaison, MTN, thanked the Committee for the opportunity to present. He commended the DoJ&CD for the positive changes brought about by the bill. Cybercrimes were on the rise and it was up to role-players to work together with the government to aid and address that scourge.

Nevertheless, he stressed the need to be cognisant of the implications of the bill for electronic communication service providers. There may be material impediments to them in this regard.

The first issue was the harmonisation of the bill with other laws and practices. Insofar as the bill was concerned, the submission of electronic evidence had to be considered. The Bill did not sufficiently harmonise with the Electronic Communications and Transactions Act. He proposed a harmonisation of standards in terms of submission of electronic evidence. The Bill did not take into account data protection laws that existed, as well as the fact that certain aspects of the bill may lead to breaches of confidentiality/privacy, especially in terms of provision of information to law enforcement. The Bill gave easier access to law enforcement to real time information. In this regard, there were significant implications for rights to privacy and freedom of expression.

On the definition of certain offences in the Bill, MTN submitted that some of the definitions be reworded to consider that some definitions create offences that should not be an offence, especially if they involve lawful processes in terms of systems maintenance. The definition of word “article” was too broad, which could lead to confusion and an unfairly broad application of rights and powers in the bill. The definition of “computer” was also too broad, which could lead to vague and broad seizure and searches. This permitted law enforcement to seize any object involved in computing, which could lead to adverse consequences for MTN as well as its customers. “Output of data” – this definition should be revised as it could also include the continuous transmission of data. Cognisance must be taken that data has sources (a start and end point).

It was important to note that data traffic as it was broadly defined harmed electronic service provider. ESPs were not holders of information, but merely conduits for access to electronic communication networks. ESPs did not have control of information being transmitted through their services. They did not monitor information being transmitted. Law enforcement may obtain warrants that allow them to involve electronic service providers when they should not be through the Bill.

In Chapter 4 and Section 29, the Bill still made reference to a judge or magistrate as being given authority to authorise a search and seizure warrant. MTN proposed that this person may only be the designated judge in the case, as they would be better placed to assess the merits of the granting of the warrant, and this would help protect privacy. There had been issues relating to RICA, meaning that, to further safeguard individual’s right to privacy, only RICA judges should be allowed to grant warrants.

Insofar as the bill created the right for law enforcement to seize information required, MTN submitted that the current wording created a suggestion that the state may seize the actual electronic communication network of the service provider, which would be unnecessary and detrimental to the ESP. Extensive seizure powers could harm MTN and its customers. MTN proposed that, as opposed to seizure of the network, that law enforcement opts to obtain digital information while working with ESPs. ESPs were willing to work with the state. Preservation orders may come into effect after this. This would cause less damage to the ESP and be = beneficial to the state. MTN could work with law enforcement to furnish it with required information. There needed to be limitations in the warrant on access to information. The rationale for this was that any cybersecurity threat or incident incurring on an ESP’s network will be detected by ESP itself anyway.

Regarding the distribution of messages that contravened the bill, the current bill provided that any person may approach a court to prevent ESPs from allowing dissemination of offending messages. But ESPs were not custodians or distributors of these messages. For ESPs to comply with this court order they would have to monitor, identify and target the messages. This would be particularly onerous on ESPs.

Furthermore, MTN submitted that ESPs were willing to provide the state with assistance provided to continue its investigations. In this regard, it would not be necessary for law enforcement to seize the ESP’s network. The law already criminalised hindering a police officer in an investigation. MTN argued that seizure of its network would hinder its day-to-day operations and be detrimental to our customers.

In conclusion, MTN agreed that the creation of offences through the bill in relation to cybercrime is necessary. It suggested cooperation between ESPs and law enforcement would promote addressing the issue of cybercrime.

Discussion
Mr Robbertse responded to MTN’s concerns. The Criminal Procedures Act definition of “article” currently included safeguards built into legal provisions, i.e. that a warrant should be narrowly framed and the state may only search articles implicated in the offence. These safeguards should be sufficient to ensure MTN were protected. In the Cybercrimes Bill, there were various clauses that limited powers and how they can be used. Would this not provide protection from seizure of MTN’s system? Hypothetically, if there was a network that had as primary purpose the distribution of illegal material – should it not be lawful to seize this? There was a provision that provided for disclosure of data which should protect ESPs and banks from search and seizure.

“Article” defined the boundaries of what could be searched and seized. In terms of the Criminal Procedure Act, the police could already search and seize anything. If one did not include all cyber-related areas in the definition of “article”, there would be a serious lacuna in the act. In drafting cybersecurity legislation, the guidelines must be in line with international standards to facilitate international cooperation. Definitions in the Bill were in line with these international cases.

Mr Robbertse submitted the definitions should thus not change. He did have a concern– in dealing with cloud computing - that there was no physical location from whence data could be seized. MTN and other ESPs had dealt extensively with the Protection of Personal Information Act (POPIA) in submissions, but POPIA did not apply where there was a case of search and seizure. In the EU, there were certain data protection laws in terms of retention of data that was seized. In SA, there was no legislation in this regard. The previous day, Telkom also referred to its preference for designated judges in the issuance of warrants. The Criminal Procedure Act allowed a magistrate to issue warrants.

Mr Robbertse indicated that the bill would have extensive application, and would likely necessitate 30-40 designated judges just to deal with warrant issuance, which was not functional or practical. Regarding protection orders and the obligation on ESPs to either remove data from the system or take measures to ensure people could not access it: obviously, the legislation had to be functional. He proposed that a court could never put the onus on an ESP to remove information it did not control.

Mr Ishwardeen replied that it would be prudent for him to respond in detail in writing. With regards to designated judges in RICA warrant issuance, MTN had found that magistrates authorised with issuing S205 subpoenas had become rubber stamps, and did not apply their minds. Case law suggested that S205 subpoenas had to be properly considered. If magistrates were tasked with this process, there could be a situation where no application of the mind would happen and it would end up in a position where the subpoena process could be abused. In terms of computer storage media, he supported Mr Robbertse’s submission on cloud computing. This was why MTN had submitted that it was important to include in definitions the issue of location of digital information. Nevertheless, MTN proposed that the offender’s equipment had to be seized, and not the network of the ESP that permitted access. Concerning the disclosure of data directives, the Bill, especially S44, did support the disclosure as opposed to the seizure route – perhaps regulations drafted in line with bill would give guidance to both ESPs and law enforcement in terms of the difference between search & seizure and disclosure of data.

Ms M Mmola (ANC, Mpumalanga) asked what happened if an investigating officer needed an S205 subpoena and didn’t get the information required.
           
Mr E Mthethwa (ANC, KZN) asked what was meant by MTN’s contention that it was just a conduit for data. He enquired whether MTN believed in judicial independence.

Mr S Zandamela (EFF, Mpumalanga) assured MTN that the committee knew ESPs ewer not directly involved in how offenders were using data. He enquired as to how unregistered SIMs ended up on the streets.  

Mr K Motsamai (EFF) asked where these unregistered SIM cards originated, if they were from service providers (note: this is a rough translation provided by Ms Mmola).

The Chairperson noted that parliamentary interpreting services had not provided an interpreter for Mr Motsamai.

Mr G Michalakis (DA, Free State) requested a timeframe on written responses.

Mr A Gxoyiya (ANC, Northern Cape) proposed a need to have more extensive engagements with ESPs, as he noted a common thread between Telkom and MTN’s presentations. In the use of data, whose responsibility was it to prevent criminal use of data? Should this not be the responsibility of the data provider? On the issue of SIM cards, it was not as if SIM cards were not RICAed, they were bought in bulk and RICAed in bulk, and then sold without exposing buyers to the registration of SIMs. In townships, one could buy a SIM card without ID or proof of address. How did one help curb the challenge posed by this?

Mr Gxoyiya would assume that ESPs know who got which SIM card, and therefore could aid in holding SIM card sellers accountable. He stressed the bill would be operating in a global space: maybe as one make recommendations, one needed to make reference to international cyber network protocols, so that the committee did not create something not aligned to the global network.

Mr Ishwardeen reiterated that it would be best for MTN to respond in writing. He proposed he could have the submission ready by the following Monday.

The Chairperson gave MTN 5 days to respond.

Briefing by Centre for Applied Legal Studies (CALS)

Ms Basetsana Koitsioe, Fellow, CALS at the University of the Witwatersrand noted the CALS’ submission would focus on domestic and sexual violence and harassment. The submission was focused on Chapter 2 of the Bill.

On the scope of the bill, CALS was of the opinion that the kinds of messages included in Chapter 2 of termed “malicious communication” were only a small part of the broader ambit of cybercrime. Online sexual harassment was a well-documented phenomenon. Online harassment fell into two broad categories: direct messages to victims, or messages about victims posted online. The criminal offences emerging from the act were too narrow.

There were also issues with penalties imposed: any person who contributed to S14-16 offences was liable to a fine or 3 years in prison (or both). CALS was of the opinion that none of the offences should result in a fine: all sexual offences were serious and should be part of minimum mandatory sentencing. Some jurisdictions, including the USA, had proposed that committing sexual crimes on an online platform required enhanced, not reduced, sentences.

On the language of the bill, CALS proposed the bill could benefit from a more inclusive use of language. The use of the word “female” was a biological category and excluded gender non-conforming people, and also was applied to children whose sex or gender may not be obvious.

CALS proposed a distinction between cybercrime on one hand, and cyber-enabled crime on the other. Cybercrimes were technological in nature, whereas cyber-enabled crimes were existing crimes that were now carried out in whole or part through cyber technology. CALS proposed that the Cybercrimes Bill be confined to cybercrimes, whereas other legislation should be amended to include cyber-enabled crime.

CALS proposed amendments to Sections 10, 12, 14, 15, 16, 19(7), 20(1) and 22(1).  

Discussion
Mr Robbertse noted that, in the schedule to the bill, the Sexual Offences Amendment Act was amended to specifically provide for revenge pornography and extortion based on pornographic images. He therefore proposed that S10 of the Bill should remain as it was. CALS referred to two manners of distribution of communication. CALS said that the bill provided for direct communication but not for communication passed on. The bill seemed to cater for this concern already. The Prevention and Combatting of Trafficking in Persons Act had a specific clause criminalising advertisement or promotion of traffic in persons. Was it not best for this provision to stay in the Prevention and Combatting of Trafficking in Persons Act? Regarding various sexual offences against the child: myriad offences relating to crimes against the child already existed – was it necessary to refer to them in the bill? Cybercrimes and cyber-enabled crimes was a correct distinction, most protocols and schedules on the matter include this distinction. CALS said the bill only needed to deal with cybercrime, the only non-cybercrime in the bill related to malicious communications, should the Committee remove all of these references? On theft of intimate image, S12 was an instruction to the court to interpret theft. The theft of an intimate image would not only generate an offence of theft but also 3 other cybercrimes for which the perpetrator may be held accountable. S14 and S15 also dealt with incitement, whereas S16 dealt with direct threats of violence. The term “sexual conduct” could be interpreted to be included in S14 & 15 of the bill. Mr Robbertse referred to an example of posting of a photo of a woman on the internet inciting rape in exchange for monetary return, this would be dealt with by S14&15.

CALS proposed they would provide a written submission.

The Chairperson thanked CALS and asked it to respond within 5 days. 

Mr Gxoyiya noted his personal discomfort over CALS’ approach to the sex-gender terminology. Maybe there was a need to consider the phraseology in this regard. When CALS told the Committee to amend sections, it should preferably include the wording it would like to see in the bill as it helped the Committee to formulate the legislation.

Briefing by Freedom of Religion South Africa (FORSA)

Adv Nadene Badenhorst, Legal Counsel, FORSA, stated that FORSA was a non-profit working to protect and promote the constitutional right to freedom of religion in South Africa. This included the right to freedom of religious expression, which was the organisation’s interest in the bill.

FORSA’s submission was restricted to Chapter 2, Part 2: “malicious communications”, i.e. clauses 13-16, and clause 19(7). There had, since FORSA’s first submission made in March, been a Constitutional Court ruling in Moyo vs Minister of Police that could impact the legislation.

FORSA welcomed improvements seen in the bill since the first draft, including the removal of the “harmful messages” and “fake news” clauses in the bill. FORSA’s concerns remained that the provisions under malicious communications:

• May be unnecessary as there were already many laws dealing with malicious communications (incitement to commit any crime was already punishable by law, the Intimidation Act 72 of 1982 – which certain provisions of were struck down by the Constitutional Court)
• May be overbroad (going further than the Constitution)
• May have unintended consequences (i.e. criminalisation of communication that was not the target)

Freedom of speech was a broad and critical right – the Bill should be careful to not make unnecessary infringements on it.

In S13-15, FORSA’s issue was that the clauses were in some respects narrower than S16(2) of the Constitution (on unprotected speech), on which it is very specific (propaganda for war, incitement to imminent violence, advocacy of hatred that constitutes an incitement to cause harm). The Bill read differently from the Constitution, not providing for propaganda for war or advocacy of hatred, but broader in the sense that it only mentioned “incitement to violence” without the imminence component. FORSA’s recommendation was the removal of clauses, or to follow the constitution more closely through the amendment of clauses. FORSA also recommended the inclusion of juristic persons in the scope of S15(1).

Discussion
Mr Robbertse reported that this year there was a full bench decision by the Western Cape High Court related to incitement to commit an offence. According to the Court, incitement per se could not be limited by the imminent harm factor. In the judgment, the court referred to a number of other forms of speech that were not referred to in S16(2) of the Constitution but were dealt with by other forms of law, like crimen injuria. Could there be an imminent threat of violence through cyber-communication? He accepted that juristic persons could probably be included in S15(1). Regarding the overlap with various other laws, there was the Protection from Harassment Act, which does not create criminal offences for incitement but provides protection orders to potential victims. Certain types of speech could cause serious harm, but fell outside of the Riotous Assemblies Act – this should be addressed at some point by legislation. S14 & 15 were necessary. Most other laws did not provide a measure where one could press for criminal charges, get an interdict to remove malicious communication and request the court’s assistance. The Protection from Harassment Act, read with other acts of law, may substitute somewhat, but did not deal with the imminent communication.

Adv Badenhorst stated she would have to check if the Constitutional Court judgment contradicted the Western Cape High Court judgment, and whether there could be threats of imminent violence through cybercommunication. She had read that the Cybercrimes Bill could apply across jurisdictions which was commendable. She agreed that malicious communications could be distributed through the internet and could constitute imminent violence, but questioned whether it met the Constitutional threshold. It would have to be dealt with on a case-by-case basis. On the overlap of laws, indeed the Protection from Harassment Act provided only some relief. But in any cases where damages had been suffered there were civil remedies available, and applications could be made for criminal damages to be awarded. If one was arguing S14&15 were unnecessary, then C16 had to be removed as well: while there is a need to deal with offences included in the legislation, the question was whether they had to be addressed by the Cybercrimes Bill. Should they not be included in the Sexual Offences Act or POPIA?

The Chairperson thanked FORSA for its input, and gave it 5 days to provide submissions in writing.

The meeting was adjourned.