South Africa draft cybersecurity and cybercrime bill misses the mark
Drew Mitnick contributed to this post.
The South African government has closed a period of consultation on a draft cybersecurity and cybercrime bill that, as written, undermines the right to privacy, lacks transparency, and chills cybersecurity research and online expression.
Access Now provided written recommendations to the South African Department of Justice and Constitutional Development on how to fix the draft to protect human rights and digital security. While increasing security online is critical to protecting internet users in South Africa, lawmakers should consider making changes to this draft so that vague language and expansive new government powers do not threaten fundamental rights.
The consultation period ended over a year after the African Union (AU) approved the African Union Convention on Cyber Security and Personal Data Protection at the 23rd African Union Summit. We congratulated the African Union on its effort to ensure digital security, but we noted that countries should recognize the flaws in the convention and implement digital security laws in an open, consultative, and multistakeholder way. Previously, we highlighted how some domestic legislation poses emerging threats to digital rights in Africa.
New crimes for unlawful activity online
The draft Cybercrimes and Cybersecurity Bill creates new structures for government management of cybersecurity and cybercrimes. It does so in part by creating a series of new crimes for unlawful activity online. The new restrictions pose a risk to freedom of expression through vague language that risks chilling cybersecurity research and other socially desirable activity, such as journalism and whistleblowing. Journalists and whistleblowers already have limited access to information in many African nations, which lack freedom of information laws. In the recent past, security research has already protected South African drivers from the release of personal information and has protected South Africans from the 2013 vulnerability on the City of Johannesburg’s online billing system website.
Fails to provide adequate privacy protections
The bill creates a new standard for searching or seizing data. The standard, however, fails to provide adequate privacy protections. We urge South Africa to follow the Universal Implementation Guide for the International Principles on the Application of Human Rights to Communications Data to bring surveillance law in line with international human rights standards. The bill also compels service providers to report cybercrime offenses to the government while preserving related data. Such mandated reporting can effectively serve as an outsourcing of communications surveillance to internet intermediaries that are frequently ill-equipped to protect user privacy.
Limits transparency on government requests for data
The bill also limits the ability of law enforcement and service providers to report on government requests for data. It does so by prohibiting the disclosure of information obtained in enforcing the bill. Service providers’ business models depend on gaining the trust of their customers, and barring companies from disclosure interferes with their ability to be transparent and build user trust. Further, reporting on government requests is critical to the public discussion about the proper role of government in providing security while protecting rights.
In response to these concerns, we made the following recommendations:
1.) do not permit the issuance of a warrant for communication surveillance unless the request satisfies the standards of necessity and proportionality;
2.) do not include a mandate that electronic communications service providers report incidents to the National Cybercrime Centre. Participation should instead be optional;
3.) clarify that law enforcement and service providers have the authority to publish records of requests for communications surveillance; and
4.) protect the work of security researchers, whistleblowers, and journalists by specifically excepting those activities undertaken in the public interest from prosecution under unlawful access and related crimes.
Improving digital security in South Africa entails increasing the internet’s viability and usefulness as a platform for communications, and as a driver of commerce, education, health, and development more generally. Security measures are an integral part of the effort to expand global access to information and communications technologies. However, the provisions in the draft law put these goals at risk.
You can read the full submission (PDF). Access Now will continue to engage with South Africa and countries across the continent to ensure that laws designed to protect users from cybersecurity threats do not undermine their rights.
This article was originally published on Ephraim’s professional page on Access Now.