EVALUATION OF CYBERCRIME REGULATION IN SOUTH AFRICABY MURDOCH WATNEY
Why the topic: Evaluation of Cybercrime Regulation in South Africa?
INDEX INTRODUCTION 2. DEFINING CYBERCRIME What is understood with the term ‘cybercrime’? What are the characteristics of cybercrime that distinguishes it from crimes committed in the physical world? REGULATION OF CYBERSPACE/ELECTRONIC MEDIUM Can cyberspace be regulated/controlled? THE EFFECTIVENESS OF CYBERCRIME REGULATION FOR LAW ENFORCEMENT AND NATIONAL SECURITY PURPOSES Cybercrime regulation consists of not only laws criminalizing conduct but also laws providing for the prevention, detection, investigation, prosecution and sentencing of an accused. 4.1 Cybercrime regulation by means of national laws in South Africa Is cybercrime regulation in the format of conduct regulation by means of the common law and legislation sufficient? Problems experienced with cybercrime prevention, detection, investigation and prosecution. 4.2 Cybercrime regulation by means of transnational laws 4.3 Cybercrime regulation by means of the international law CONCLUSION REGARDING CYBERCRIME REGULATION Cybercrime regulation must be seen within a comparative and global context.
INTRODUCTION When it comes to the evaluation of cybercrime regulation, it must be seen within the context of a growing dependence on information and communications technologies. Regarding internet penetration South Africa: increase in access to bandwidth: 2011: 2, 69 terrabits per second 2012: 11, 9 terrabits per second December 2011: 139 million citizens of Africa had internet access,
In May 2012 it was reported that internet penetration is now nearing 20%. • 6 million South Africans access the internet on computers, laptops and tablet devices. • Out of this group 5, 42 million also have internet access by means of cellphones. • 7,9 million South Africans connect to the internet using cellphones. • Of this group 2,4 million do not have internet access via computers. • Dependence on ICT today cannot be measured statistically, e.g. government, companies/organisations and consumers alike are dependant on ICT’s, e.g. electricity grid, water supply, air transport, using ATM etc.
The growth in internet penetration and ICT dependence are positive developments, but with it comes the following concerns: • Firstly security measures must be in place but it is not infallible and breached, the • The conduct must be criminalized and there must be laws in place for crime prevention, detection, investigation and prosecution. • The dependence on ICTs result in vulnerabilities and weakness to crime. • Early 2012, Michael Moran, acting assistant director cyber security and crime at Interpol, said at a Kaspersky Lab Cyber Conference, that “ We need better laws to deal with cybercrime”. • Cybercrime has evolved into an ‘economy’ that runs ‘parallel’ to that of the (lawful) main-stream economy and is worth billions; it is referred to as a ‘shadow’ industry. • The creation of malware is financially motivated. The growth of malware is illustratedas follows: In 1994 one virus was written every hour; in 2006 it was one virus every minute and 2011 one virus every second. • Although violent, sexual and other physical crimes in South Africa need attention, cybercrime which are in many instances white-collar crimes, affect the economy, for example: where a company is subjected to extortion, then the company suffer losses which may result in job losses; where a DDoS attack is launched against the website of a bank, the credibility of the bank is affected. A lot of our socio-economic problems will be addressed if our economy is strong; investors will also not easily invest in a nation-state where cybercrime is not addressed
2. DEFINING CYBERCRIME Question: What is understood with ‘cybercrime’? Answer: • There exists no universal definition for cybercrime. • Why do one need a universal definition of cybercrime? • In 2002 when the Electronic Communications and Transactions Act 25 of 2002 was implemented, cybercrime was not defined. • I defined ‘cybercrime’ as any unlawful conduct involving a computer or computer system or computer network irrespective of whether it is the object of the crime or the instrument or incidental to the crime commission. • It is a narrow definition. • In 2012 the Draft National Cybersecurity Policy Framework (NCPFP) for South Africa, cybercrime is defined. • ‘Cybercrime’ means illegal acts, the commission of which involves the use of information and communication technologies (ICT). • ‘ICT’ means any communication device or application including radio, television, cellular phones, satellite systems, computers, network hardware and software and other services such as videoconferencing. • Problem with a wide definition: It may include conduct that fall within the physical world, for example, the so-called ‘facebook’ rapist, Thabo Bester used the social media to lure woman who were interested in the TV and entertainment industry to meet him which resulted in robbery and murder.
Prof M Gerckewho compiled a report commissioned by the International Telecommunications Union (ICT) Development Sector’s ICT Applications and Cybersecurity Division titled: “Understanding Cybercrime: A guide for developing countries” which was published in March 2011 confirmed the lack of an uniform recognised definition of cybercrime but suggested: • Cybercrime should be seen as an umbrella concept that includes various forms or categories of unlawful conduct. • A distinction between the different categories of cybercrimes are importantwhen it comes to deciding whether instituting investigation is for law enforcement or national security purposes. Defining cybercrime
When defining cybercrime, the characteristics of cybercrimemust be kept in mind as it differs from a physical crime and present investigative challenges. • It is committed within an electronic medium (cyberspace) with the emphasis on the intangible. • In many instances the investigating agency needs the assistance of an intermediary, for example the service provider to investigate the crime. • How is the evidence within an electronic medium collected? • Conduct regulation alone is ineffective when it comes to cybercrime investigation. • A country cannot only have substantive laws, that provide for conduct regulation, but need also procedural laws that provides for the collection of the evidence. • Traditionally a re-active approach to crime commission, but today a pro-active approach to crime commission which may result in violation of human rights. • Cybercrime is the consequence of globalisation; in many instances the perpetrator of the crime is not within the borders of South Africa but the effect of the crime is felt in South Africa. • Due to the borderless nature of crime, many issues inherent to the borderless crime commission have to be address, for example: • If the perpetrator committed the crime from within the South African borders and the effect/result was felt outside South Africa, may South Africa prosecute or must the perpetrator be extradited to the country where the effect of the crime was experienced? • If a cyber-attack is launched against South Africa, may South Africa retaliate by launching an attack itself? Defining cybercrime
REGULATION OF CYBERSPACE/ELECTRONIC MEDIUM Question: Can cyberspace/electronic medium be regulated? Answer: • The draft NCPF refers to ‘cyberspace.’ • ‘Cyberspace’ refers to the space where communications take place. • ‘Cyberspace’ denotes the “place” where communication on the internet takes place. It is “a place without physical walls or even physical dimensions – where ordinary telephone conversations “happen, where voice mail and email messages are stored and sent back and forth, and where computer-generated graphics are transmitted and transformed, all in the form of interactions, some real-time and some delayed among countless users, and between users and the computer itself.” Cyberspace exists everywhere that there are telephone wires, coaxial cables, fiber-optic lines or electromagnetic waves. • Cyberspace/electronic medium contrasted to physical world. • It is not cyberspace but the physical infrastructure within South Africa that enables the electronic medium that is regulated, the internet. • A nation-state such as South Africa can only regulate the internet (infrastructure) within its territorial borders. • As soon as a crime is committed across the South African borders, South Africa will need assistance in the collection of evidence and prosecution of the perpetrator.
THE EFFECTIVENESS OF CYBERCRIME REGULATION 4.1 Cybercrime regulation in South Africa by means of the common law and legislation Question: Do the common law and legislation in South Africa provide for cybercrimefor LAW ENFORCEMENT PURPOSES? Answer: • Regarding the common law in respect of cybercrime: In respect of common law crimes, the crimes of fraud or theft will mostly be applicable. • Initially I was of the opinion that the common law was not flexible enough to accommodate ICT. • Case law and the interpretation of the relevant sections in the Constitution confirm that I was wrong in my assumption. • In Nissan v Marnitz NO and Others2005(1) SA 441 (SCA) held that a person who receives money into his bank account in his name, knowing that he is not entitled thereto and who uses it commits theft. The transaction is done electronically and the credit which is owned by the bank, exists electronically and constitutes a cash value in money. • What is the position if the bank customer accidently transfers the money to the wrong account? • In S v Ndebele and Another (SS 16/10)  ZAGPJHC 42the court stated that the property, electricity is intangible and can be stolen. • Wherean employee emails information to the competitor, did the employee commit theft of information? • If A takes B’s SIMcard out of her cellphone and make phone calls using the SIMcard in her phone, did A commit theft of airtime?
Regulation of Interception and Provision of Communication-Related Information Act 70 of 2002 provides for the use of surveillance methods to collect evidence and statutory crimes. • If A is arrested at the ATM where A inserted a skimming device, then A may be prosecuted for the following: a statutory offence in terms of s 86(3) read with s 89(1) of the ECT Act and s 49 (unlawful interception) read with s 51 (penalty clause) of RICA. Other legislation: • Criminal Law (Sexual Offences Act and Related Matters) Amendment Act 32 of 2007 provides inter alia for sexual offences against children and specifically sexual grooming via for example facebook. • Child pornography defined in the Films and Publications Act 65 of 1996 as well as Sexual Offences Act. • Protection of Harassment Act 17 of 2011 came into operation end of 2011 provides for protection against harassment (stalking) where the complainant for example receives emails that the complainant feels may be harmful. • Online gambling in terms of the National Gambling Act of 2008 has not yet been implemented. • Illegal since no online gambling provider has been issued with a license.
Question: Does legislation in South Africa provide for cybercrime FOR LAW ENFORCEMENT PURPOSES? Answer: • Regarding legislation for law enforcement purposes: There is a variety of legislation that provide for different statutory crimes, for example: • Electronic Communications and Transactions Act 25 of 2002 provides in chapter 13 for 3 categories of statutory crimes; aimed at conduct criminalization. • If A is found with 5 counterfeit (cloned) credit cards, then prosecute A for the following statutory offences: in terms of 86(1) (unauthorised access) read with s 89 (1) (the penalty clause) as well as s 88(2) aiding and/or abetting person(s) unknown to the state) read with s 89 of the ECT Act? • Problematic is the sentencing penalty which is very lenient. • May A be charged for the common law crime of theft of identity of the person(s) whose cloned credit cards he has in his possession? • South Africa may have to consider possible legislation governing theft of identity in line with US; also being investigated by the EU.
Regarding legislation FOR NATIONAL SECURITY PURPOSES • Protection of Constitutional Democracy Against Terrorist and Related Activities Act 33 of 2004 protection of national security, such as terrorism. • Here one will have to keep in mind the proposed National Cybersecurity Policy Framework Act. Question: What about the proposed draft National Cybersecurity Policy Framework (NCPF) for South Africa? Answer: • The purpose of the NCPF is to protect the national cybersecurity by securing the national critical information infrastructure. • The key focus areas will be matters related to cyber warfare, cyber intelligence and cybercrime. • The NCPF will be established by the Justice, Crime Prevention and Security Cluster (JCPS) which will be responsible for measures to address national security in terms of ‘cyberspace’; measures to combat cybercrime, overview and updating of existing substantive and procedural laws; and measures to build confidence and trust in the secure use of ICTs. • The Department of State Security will establish a central authority, the Cybersecurity Coordinating Centre where all computer incident response teams (CSIRTs) in South Africa will report incidents. • When it comes to national security, a multi-layered approach must be employed with different role-players such as companies, private persons being involved but human rights protection in still paramount. • Take note of the USA position in respect of national cybersecurity legislation.
This is a commendable proposal. • However, South Africa must look at the protection of the national information infrastructure comparatively and from the perspective that the threat may come from outside the borders of South Africa. • Although South Africa must have a national cybersecurity framework in place, cybersecurity will ultimately have to be addressed on an international (global) level. • However, in respect of South Africa’s role within the African Union, the draft African Union Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa must also be kept in mind. • Part 3 provides for combatting cybercrime. • Of the 35 African countries that ratified the UN additional protocol on child pornography, only South Africa has legislation in place. • Gercke also said developing countries need to have cybercrime legislation and enforcement in place. • Also take note: It is not always easy to establish the type of cybercrime, for example regarding a ‘cyber attack’ the following will have to be addressed: • When does a ‘cyber attack’ constitute cyber-war, cyber-terrorism or information warfare? • Which type of cyber attack was launched on the nation-state, Estonia in 2007? • Some authors draw a distinction between ‘cyber attacks’ and cyber exploitation. • Cyber exploitation is for example espionage which is defined as an intelligence-gathering activity. • Motive: theft of intellectual property. • Distinguish between different types of espionage: military, political and industrial espionage. National cybersecurity
May a nation-state such as South Africa defend itself against a cyber attack? • Article 51 of the United Nations Charter provides for self-defence against an armed attack. - Debatable whether an ‘armed attack’ will include a cyber attack. - A cyber attack launched against systems that run the prisons or airports or utilities that run power grids or water systems can have devastating consequences. • Customary international law provides for self-defence. • Does self defence include a pre-emptive action, in other words may a nation-state defend itself against forces that present an imminent danger of attack? - Some nation-states today are threatened by terrorism, for example the 9/11 US attacks. • Much of the organisation of the 9/11 US attacks were done online outside the US. • The legal position in the USA regarding cyber attacks: • In 2011 the United States (US) Congress authorised the use of a military response to a cyber attack. • In Aug 2012 the Senate rejected the Cybersecurity Act of 2012 saying it infringes constitutional rights. • In 2012 Germany announced that it had a cyberwarfare unit to defend itself against hackers and attacks from other nations. • Israel and the US have admitted to creating the capacity for offensive cyberwarfare(to defend against cyber attacks). National cybersecurity
Question: How effective/successful is the prevention, detection, investigation and prosecution of cyber crime? Answer: South Africa: The problems does not lie with cybercrime laws, but the practical problems experienced with cybercrime within the territorial borders of South Africa. • Are the victims of cybercrimes reporting the crime? • A victim such as a bank would rather not report it since it will run the risk of customers losing confidence in the security of the bank and would affect negatively affect their intellectual property (trade name). • A lack of investigative enforcement capacity exists. • There is a need for a specialized police unit. • The perpetrators are in may instances more technologically advanced than law enforcement agencies.
Cybercrimes are not easy to investigate. For example: The use of skimming devices at ATMs to clone credit cards and the use of the cloned (counterfeit) credit cards are faceless crimes as the perpetrator responsible for the skimming of the card and/or the person using the counterfeit card do not interact physically with any person and therefore they are not easily identified. In many instances the crime is committed by so-called ‘card-not-present’ fraud where the fraudulent purchases are made over the internet, by telephone or fax. • At this stage it is mostly the ‘runners’ who are convicted but not the mastermind behind the syndicate. • If convicted, the light sentencing may not achieve the objectives of sentencing. • Above is exacerbated if the crime is committed across borders, e.g. so-called 4-1-9 scams (fraud). Problems experienced with cybercrime
USA: • The problems with cybercrime prevention was illustrated last year when members of LulzSec, online activists, hacked into and launched DDoSattacks against US agencies, such as the FBI and the senate. • It was reported on 18 June 2012 (press.co.nz) that US companies are taking retaliatory action by using ‘strike-back’ or ‘active defence’ technology against hackers since they feel frustrated by the legal system. • The companies have accepted that they cannot prevent hacking, but should have measures in place to detect it as soon as possible. • Experience problems with espionage and extortion (e.g. data are encrypted and the perpetrator prepared to decrypt after payment). • US security professionals want stricter cybercrime/security legislation. Problems experienced with cybercrime
4.2 Regulating cyber crime by means of transnational laws • Across borders crimes can only be dealt with by means of harmonised laws. • Countries realize that they needed transnational laws since many cyber crimes are committed outside its territorial borders (multi-jurisdictional crimes). • Espionage or terrorism or cyber-attacks. • There is no international treaty regulating cybercrime. • There is a transnational treaty, namely the CoE Convention on Cybercrime of 2001 adopted in 2001 and came into operation in 2004. • It was signed by most of the CoE member countries and 4 non-European countries, namely Canada, US, Japan and South Africa. • It is a commendable instrument as it provides harmonisation of cyber crime laws. • It provides for guidelines to establish cybercrime laws and have always available point of contact to assist cybercrime investigators in other countries.
When it comes to transnational regulation of the internet, it is increasingly clear that regulation and co-operation between states are complicated and frustrated by political, economic, diplomatic and/or cultural issues. The following examples will illustrate some of the problems experienced with cybercrime regulation on a transnational level: • Regarding the Cybercrime Convention: • The Convention of Cybercrime does not enjoy global recognition as it is perceived by some as a European instrument. • Although most CoE members signed it, Russia did not sign it. • Russia’s objection focused on its sovereignty. • South Africa may have signed it, but has not ratified it and it is unlikely it will. • South Africa joined in 2012 the economic organisation, BRICS which consists of Brazil, Russia, India, China and South Africa.
Regarding the issue of ‘extradition’ of cyber crime perpetrators of across border crimes: • Why can the perpetrator not be put on trial in the country from where the crime originated and of which country the perpetrator is a national rather than the country where the effect of the crime was experienced? • International law distinguish between subjective and objective territoriality. • Section 90 of the ECT Act Justice delayed is justice denied
iii. Regarding the Draft Declaration of Fundamental Freedoms presented in 2011 at the OSCE (Organisation of Security Co-operation in Europe) summit, the following was highlighted: • The US Secretary of State presented a draft of the Declaration on Fundamental Freedoms in the Digital Age which protects freedoms such as freedom of expression in respect of Facebook and other social media. • Talking about human rights on the internet is important: • The so-called ‘Arab Spring’ revolutions started with the creation of groups on Facebook and Twitter. • But social media can be abused as was seen 2011 in London with the riots. • There is a fine line between surveillance and censorship.
Russia rejected the draft declaration. • Why would Russia reject it? • It may be speculated that some nation-states may feel that so-called ‘super-power’ nation-states are super-imposing legal issues on them. - The consequence is that legal proposals, even commendable proposals, are then in a dead-locked situation.
4.3 Regulating cyber crime by means of international law • Why do the internet-connected nation-states need regulation on an international level? • Cyber crime is a global issue and should be addressed on a global level. • It will be addressed under the auspices of the United Nations (UN) which will be a central ‘authority.’ • It has been said that cyberspace is becoming a “place where a lot of forces are fighting for leadership.” • Global intervention may address the allegation that some nation-states are trying to regulate the internet to their own benefit and super-impose their laws onto other nation-states. • Global intervention may ensure global communications on issues such as China requesting recently in 2012 an independent DNS rooter and not a central DNS rooter will have censorship implications and should be discussed on a global level.
On a global level we need harmonised cybercrime laws. • The CoE Cybercrime Convention will not provide a harmonised instrument. • As illustrated, some nation-states may oppose legal proposals made by other nation-states due to political, and/or diplomatic and/or cultural and/or economic differences. • Also some countries may have national and even transnational cybercrime laws, but it is not enforced. • Why are the laws not enforced, for example developing countries in Africa? • Not enough expertise, financial resources. • Possible solution of non-enforcement is to apply extra-territorial jurisdiction. The role of international intervention in Cyber crime regulation
Which proposals have been made on an international level? • Proposals that may be considered in the short term: 1) Code of conduct: • In 2011 nation-states such as China, Russia, Tajikistan and Uzbekistan requested the UN General Assembly for a code of conduct regarding the use of information technology. • The aim is for countries to co-operate to combat criminal and terrorist activities and for nation-states to vow not to use technology to carry out hostile acts of aggression. - Nation-state may for example give a commitment that if a national of that nation-state launches for example a cyber attack that the nation-state will prosecute such a perpetrator.
Proposals that may be considered in the long term: • Start negotiating a global Cybercrime Treaty. • There is a need for harmonised cybercrime laws; and • Co-operation between nation-states regarding cybercrime prevention, detection, investigation and prosecution. 3) Maybe discuss the possibility of an International Cybercrime Court. • Judge Stein Schjolberg of Sweden has complied a paper advocating the implementation of an International Cybercrime Court in May 2011. Proposals on an international level that may be considered
5. CONCLUSION REGARDING CYBERCRIME REGULATION • Each country must have national laws in place for the purpose of law enforcement and national security. • South Africa has it in place and is enforcing it. • If South Africa is compared within the context of the African Union, South Africa should be commended on trying to keep up to date with ICT legal developments. • However, theft of identity will have to be addressed by legislation. • Sentencing need urgent attention; it is too lenient. • The investigation will have to be re-looked: better training will have to be provided. • Cybercrime regulation must be done comparatively to ensure harmonised laws. • Across border/multi-jurisdictional cybercrime regulation is now at a cross-road and discussions regarding cybercrime and issues related to it will have to be done on a global level. • It appears that due to political, economic, cultural and diplomatic differences the global world cannot agree on a transnational level and under the auspices of the United Nations, better progress may be made.