Long-anticipated law expected to pass by end of year

Businesses in South Africa are reporting economic crime rates higher than any other country in the world, with cyber fraud cases expected to rise significantly in the coming years.

That stark reality is one that worries a quarter of the organizations currently operating within Africa’s second largest economy, as laid out in a 2018 survey by British accountancy firm PwC, which also found only a third of industry are actively defending against cyber-threats.

This landscape will remain unprotected if no mechanisms are brought into place – tools that, attorney Lisa Emma-Iwuoha thinks, begin with drafting cybercrime legislation. 

“In South Africa, as in most countries, we have specific crimes related to fraud, which are already established in our law,” Emma-Iwuoha, who works with Cape Town-based Michalsons corporate law firm, told The Daily Swig.

“But there’s a gap where we can’t deal with crimes in the cyber environment.”

A 2018 report by McAfee puts the global cost of cybercrime at an approximate $600 billion – a figure that has jumped from the $500 billion estimated in 2014.

While crimes bear resemblance to illicit activity in the physical realm – whether it’s extortion, stalking, or forgery – the use of technology for offending has made clear the lack of tools available for prosecution.

“Especially in relation to bank fraud,” said Emma-Iwuoha. “Or when people are buying houses and sending the transfer cost to an attorney.”

Emma-Iwuoha explained how one all-too-common crime sees fraudsters spoof property attorneys’ email addresses in order to trick prospective homeowners into transferring money.

“This is one example of where cybercrime law is necessary, as it would make it easier to catch cybercriminals and to stop them from stealing from people,” said Emma-Iwuoha.

Data security and the access of data are other factors that do not measure up to their present-day definitions in legislation.

For instance, the five sections dedicated to cyber offences in South Africa’s much-dated Electronic Communications and Transactions (ECT) Act.

Hoping to expand on that, the South African government made an attempt at reform in 2015 with the Cybercrimes and Cybersecurity bill, using frameworks from the 2004 Budapest Convention on Cybercrime.

It was quickly shot down by business and civil rights organizations.

“They [lawmakers] were just trying to find a basis to have some kind of legislation in South Africa because there was a need for it,” said Emma-Iwuoha, explaining how the bill simply tried to do too much, from copyright infringement and hate speech, to terrorist activity.

“There was a big emphasis on both national and cybersecurity in the early versions of the bill,” she said.

“We [proponents of the bill] suggested that this was the wrong way to deal with the security aspect, and to split up the bill so that it just dealt with cybercrimes.”

As disastrous as the initial bill was, the extensive public comment period at least demonstrated a multi-stakeholder approach to getting the law right, Emma-Iwuoha said, with a new version published last October.

“But with how the bill is drafted currently, there may be some negative effects in the future,” Emma-Iwuoha said.

“Of course we want to catch criminals but we don’t want this bill to be used for selective prosecution of innocent people who are doing things with data and computers.”

She added: “It’s too broad.”

The latest draft criminalizes activity such as hacking, unlawful interception of data, ransomware, cyber forgery, and cyber extortion. Conviction of these charges can lead to a fine or imprisonment of up to 15 years.

A wide berth in language, however, has left few protections for ethical hackers tasked with keeping the systems of organizations, and general global network, secure.

Possession of certain hardware and software for instance – defined as “any electronic, mechanical, or other instrument” used to secure, acquire, or copy data – does not take into account consensual instances where these tools would be used.

“If you’re a penetration tester, you would need to have these kind of tools, which can also be used for cybercrimes,” said Emma-Iwuoha.

“And the onus is now on the person, who may be charged with the cybercrime, to prove the reason why they have the tools, in the sense that they’re almost seen as guilty before proven innocent, as opposed to how it actually is in the law.”

The concept of unlawful access shares a similar loose interpretation.

“It’s trying to catch everything but not doing it in a correct and informed way,” said Emma-Iwuoha.

“I believe that each crime should be specific.”

Where the bill finds success is through the establishment of a cybercrime point of contact to help police assess and investigate digital wrongdoing.

This should help facilitate training officers who lack the technical knowledge required for digital forensics.

The legislation seeks to additionally help investigators deal with the global nature of cybercrime – easing the process of cross-border data sharing and extradition.

“I think they [lawmakers] tried to take South African circumstances into account when they drafted this [latest] bill,” Emma-Iwuoha said.

“But I also think that they’re aiming to strike a balance between what’s happening both locally and globally, and that there’s an attempt to try to get some middle ground in that aspect.”

South Africa is expected to pass the bill by the end of 2019.

RELATED Kenya passes controversial cybercrime bill