South Africans, who already bear the brunt of rampant crime in their day-to-day lives are now faced with a surge in cybercrime which is estimated to result in significant losses to the economy. According to Control Risks, a global specialist information security consultancy firm, South Africa will be 2016’s top target for cybercrime in Africa. According to a Check Point Software Technologies report based only on the period from December 2015 to January 2016, South Africa experienced a spike in cybercrime and South Africa has moved up the ranks from a ranking of 67 to a ranking of 22 for the countries most attacked by cybercriminals.
The publication of the Cybercrimes and Cybersecurity Bill in 2015 (Cybersecurity Bill) illustrates that cybersecurity is on Parliament’s radar, with the Cybersecurity Bill being intended to regulate national and international cooperation in respect of the investigation and prosecution of cybercrimes, as well as the imposition of obligations on electronic communication service providers.
There is global consensus on the importance of cybersecurity measures and legislation. The implementation thereof and associated monitoring and interception of cyber communications in order to prevent cybercrimes, terrorism and other criminal activities from taking place is not without its challenges.
The US Government recently requested Apple to build a new version of its mobile operating system in order to extract the contents of an iPhone that was used by one of the gunmen, Syed Farook, in the San Bernardino terrorist attack. While a District Court Magistrate has ordered Apple to comply with the US Government’s request, Apple has refused. In essence, the US Government is requesting Apple to develop a version of a mobile operating system based on specifications provided by the FBI which bypasses the stringent encryption features on an iPhone. Apple’s Tim Cook has said that its refusal is premised on the risk that this new operating system will ‘…be the equivalent of a master key, capable of opening hundreds of millions of locks…’ . Apple argues that it creates the untenable scenario where the very same mechanism used to bypass the security on Syed Farook’s iPhone can be used by hackers and cybercriminals who can use and manipulate it to illicitly capture other mobile users’ information.
In the event that the US Government is successful in compelling Apple to comply with its request, this will have consequences for owners of iPhones across the world, including South Africans. It will also have bearing on the Cybersecurity Bill which seeks to foster international cooperation on cybercrime and other criminal activities, including that, South African law enforcement agencies could in future potentially be engaged by the US Government to facilitate access to a South African citizen’s data on iPhones (and potentially other devices) by bypassing the security and encryption features.
The Apple case highlights not only privacy interests, but also consequences of affording broad powers and rights to governmental agencies from a cybersecurity perspective. The powers afforded to government under the Cybersecurity Bill are also to be considered in this context. For example, s33 of the Cybersecurity Bill states that an electronic communications service provider and/ or any other person who is in possession of data and information, other than a person suspected of a crime, must provide technical or other assistance that may be required for an investigation, in order to assist the investigator with accessing such data. Any failure to comply with this section may result in an offence and a conviction of five years or a fine of up to R5 million. While this provision is subject to compliance with the laws applicable to search and seizure, it may empower South African Governmental agencies to make similar demands to those made by the US Government in the Apple case.
While the objectives of the Cybersecurity Bill are laudable and essential in a world where cybercrime is on the increase, the provisions of the Cybersecurity Bill have not gone without criticism. The rights afforded to investigative bodies and officers under the Cybersecurity Bill will need to be considered against privacy rights. The complexities and challenges on drawing a balance between fighting crime and regulating cybersecurity in a manner consistent with rights to privacy are however not exclusive to South Africa and South Africans will need to look to foreign jurisdictions when seeking solutions so as to ensure that cybersecurity measures do not circumvent basic constitutional rights.
Written by Simone Gill, Tayyibah Suliman and Keitumetse Makhubedu