Cybercrimes Bill: Its flaws, remedies

THE Zimbabwe chapter of the Media Institute of Southern Africa (Misa-Zimbabwe), working with the Digital Society of Zimbabwe, has come up with a position paper on the Computer Crime and Cybercrime Bill, which was introduced last year by government to curb cybercrime. However, Misa, together with information and communication technology (ICT) experts, says the Bill was created for government to tighten its grip on cyberspace and spy on its citizens. Misa states that the Bill, which has been amended several times now, infringes on people’s basic rights, including freedom of expression. Misa is advocating for wider consultation before the Bill can be brought to parliament for debate so that the content reflects the will of the people and not the machinations of a political party to maintain its grip on power. The position paper, which was formulated in November and is summarised below, will form part of civil society’s talking points in coming up with a model cybercrime law to be presented to government for debate.

Misa-Zimbabwe Advocacy group

Purpose of the Bill

The Bill’s purpose is focussed more on the criminalisation of offences against computers and network-related crimes. It has little focus on the need for protection of individual liberties, or accountability in the processes of combating cybercrime. The absence of an expressed intention to safeguard basic human rights raises fears that the Bill is solely intended to police internet use at the expense of people’s liberties.

Recommendation: The purpose of the Bill should be expanded to include the safeguarding of individual rights in the process of collecting evidence or prosecuting cybercrimes, and it should mention fair trial rights.

Definitions

The following key aspects should be defined to avoid wide interpretations that can infringe on people’s rights:

Computer terrorist activities and propaganda materials (Section 16): The words are used in connection with the offence of computer-related terrorism activities, which offence has no option of a fine and attracts up to 20 years imprisonment. The severity of the penalty itself demands that the offence be as strictly and clearly defined as possible.

Computer system: The Bill should include a definition of what a computer system is, especially considering that there is ample reference to such in the Bill and that the crimes provided for are committed through a computer. For example, in Sections 5 and 6, the offence of illegal access is hinged on unlawful access to a “computer system”.

Non-definition of this could lead to wide interpretation of what constitutes a computer system.

Pornography: What constitutes pornographic material is not defined, hence any material, including artistic pieces, can fall under the purview of the materials considered as “pornographic”. This definition is key in that it would provide certainty on the prohibited conduct.

Child pornography: The Bill’s definition of child pornography is of material depicting “sexually explicit conduct”, but the latter is not defined and should be, especially since the criminality is hinged on sexually explicit conduct.

Computer system: There is a need to reword the definition, adding the internet as a medium of connection of the computers.

Oversight mechanism

The Bill establishes a Computer and Cybercrime Committee to oversee the implementation of law and policy related to cybercrimes and security. The committee, however, is composed mainly of security personnel and representatives of information technology and computer professionals, with no representation from civil society, especially those working on relevant human rights issues, whose inclusion is critical.

Illegal remaining

This offence must be done away with and only be provided for as an aggravating circumstance to the crime of illegal access. In the Cybercrime Convention, for example, illegal remaining is an extension of illegal access and should be treated as such, as opposed to a separate offence. Separating these two, as is the current case, would result in separate counts each time there is illegal remaining which also entails “illegal access”.

Illegal data system interference

These provisions (Sections 8 and 9) must be amended to include a seriousness/harm component as one of the elements of the offence.

Criminalisation of pornography

This provision (Section 18) must be removed as it threatens persons’ freedom of expression and conscience especially to the extent that it also criminalises procuring pornography for personal use or possession by consenting adults such as a married couple.

The provision has a chilling effect on individual sexuality and imposes an unduly punitive sentence of up to 10 years imprisonment. Instead, it must be replaced with the offence of violating a person’s computer system or breaching trust and sharing information over a computer system with the intention of causing harm, in order to deal with the growing incidence of revenge pornography.

Harassment

This provision (Section 22) is objectionable, especially to the extent that it criminalises even the “possession” of electronic communication considered to be aimed at harassing another person using a computer/information system.

This section could potentially target ordinary citizens who receive memes and other electronic communication which are deemed degrading or humiliating. Given the widespread use of criminal insult laws to clamp down on free expression, the wording of this section is overbroad.

Recommendations: The offence should be revised to comprise only conduct that one can actually control and be confined only to the person who initiates the electronic communication with malicious intent.

Jurisdiction

Section 26 should be revised to require a harmful effect in Zimbabwe as an element of an offence or, at the very least, it should require the reasonable foreseeability of harm in Zimbabwe.

Electronic evidence

There is need for more safeguards in the Bill (Section 28) to ensure that the authenticity of data or evidence collected by the police is safeguarded, given the amenability to manipulation of computer forensic data. There is a need for measures to ensure the reliability and accuracy of the data collection/forensics processes. To this end, there is need for Section 29 to include measures for the verification of the forensics process by an independent expert in the field.

Authorising search and seizure

Search and seizure can be authorised by a magistrate based on an application by the police. The standard for authorising these intrusions is “reasonable ground to suspect or to believe” that the information to be gathered by these intrusions would provide evidence of the commission of an offence. The basing of the application on “belief” is problematic in that it leaves room for applications to be made based on personal/emotional or other legally unjustified convictions and thus this ground should be revised if not removed (in reference to Section 29).

Similarly, Section 29(2) of the Bill refers to cases where a police officer believes “the data sought is stored in another computer system or part of it in its territory …”. This is vague and it is not clear what is considered to be the “territory”.

Further, it is of concern that the Bill allows investigations to be extended to other computers without having that necessity confirmed by the court. The obvious danger is that once the police get warrants, they can use these to gain access to data not provided for in terms of the warrant.

Recommendation: Police officers should not be given a licence to search beyond the clear limits of a warrant issued. This part should be amended such that police officers are obliged to seek another warrant or an extension of the one already issued should an extension of territory be required.

Assistance

This provision (Section 30) obligates any person so perceived to be in a position to assist the police in the search of a computer system to do so. Failure to assist the police as required is an offence attracting up to three months imprisonment. This is unduly burdensome and amounts to outsourcing the job of the police for unpaid labour from ordinary citizens.

The general public must not be compelled/forced to do the job of the police. Failure or refusal to assist the police as required should not be an offence, especially to the general public who must have the option to decline and should not be forced to provide unpaid labour to the police.

Disclosure of data

This section (31) requires authorisation by a magistrate to order a person to provide computer data or other information and to order an ISP (internet service provider) in Zimbabwe to produce information about persons who subscribe to or use the service.

The grounds for such authorisation of disclosure of data are very vague: that is, that the data is “reasonably required” for the purpose of a criminal investigation. There is no requirement that police take into consideration other less invasive investigative methods before seeking access to data.

Recommendation: The proof or burden required for the authorisation to be granted for such should place a higher onus on the police and err on the side of protecting individual rights and privacy as provided in the constitution.

Further, the court must be satisfied that police have taken into consideration other less invasive investigative methods before seeking such an order.

Traffic and content data

Sections 34 and 35 provide for authorisation by a magistrate, based on an application by the police, for the interception of data and collection of traffic data based on “reasonable ground to suspect or to believe” that traffic data or content data is “reasonably required” for the purpose of a criminal investigation.

Given the degree of interference with privacy rights, a higher standard to authorise intrusions would be more appropriate. Moreover, there is no reference to what the police application should contain in order to enable the magistrate to decide on the measures of intrusion.

Also, there is no requirement that the magistrate should be satisfied that other investigative methods have been tried and failed or are likely to fail or be ineffective.

Recommendation: The proposed Bill should empower the courts to be satisfied of the investigative methods used and safeguards that will be put in place for protection of individual rights.

The courts should also inquire into the identity of the person being targeted and the justification for such. The application of technical means envisaged by the Bill should also be subject to judicial review. The Bill should also outline the key details that should be included in such an application.

Hacking

In terms of Section 36, police can apply to a magistrate for authorisation to use a remote tool to hack into a suspect’s computer system to collect the relevant evidence.

However, there is no requirement that the court oversee closely the implementation of the authorisation and there is no clear restriction on the repeated renewal of the authorisation.

Recommendation: The provision should allow the police and the co-operating service provider to inform the court again once this process has been completed as there is potential of abuse of this remote access capability. A clear restriction/safeguard against unwarranted repeat/renewal of the authorisation is also key.

Defences

The Bill should allow for appropriate whistleblower protection for persons who publish information obtained through what might be classified as unauthorised access or entry, but with public interest at heart, exposing illegal practices and corruption, especially among elected officials. The Bill should balance issues of access to information and the perceived national security interests.

Amendment of CODE

The Bill erroneously refers to the Criminal Procedure and Evidence Act (Chapter 9:07) instead of the Criminal Law (Codification and Reform) Act in respect of sections to be amended.

A correct reference/citation of the Act to be amended is needed.

Misa is a media and free speech advocacy organisation.
