Coders have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, coders improve security for every person who depends on information systems for their daily life and work. Yet this week, South Africa's Department of Justice and Constitutional Development is closing its open invitation to comment on a vague and sweeping draft computer crime bill that threatens to create legal woes for security researchers who expose security flaws, and that would also create disproportionate new penalties for online hate speech and copyright infringement.
Threats to Coders
EFF has provided expert opinion on the draft text of the Cybercrimes and Cybersecurity Bill. In our submission (PDF), EFF opposed the wholesale criminalization of software and hardware tools that can be used to simulate attacks or to demonstrate a particular vulnerability in computers, devices or electronic communication networks. While such tools can be used for malicious purposes, they are also crucial for research and testing, including for "defensive" security work that makes systems stronger and prevents and deters attacks. The draft, as currently written, could severely curtail commercial "penetration testing" firms that the modern economy depends on, as well as academic scholarship, legitimate security research, and other activities that benefit society.
EFF told the South African Justice Department that the draft bill must not criminalize the creation, possession and distribution of tools merely because they are designed to simulate or carry out an attack. These tools have legitimate, socially desirable uses, such as showing that a vulnerability can be exploited in practice rather than only in theory.
Another major problem with the draft bill is its impact on the ability of coders to access computers, devices or electronic communication networks for security testing without explicit permission. Examining computers without the explicit permission of the owner is necessary for a vast amount of useful research, which might never be done if permission were required. If the South African government enacts this clause, researchers who study others' systems in good faith for legitimate research (including to test the security of their own data) may become criminals. The proposed text should affirmatively protect access for purposes of security testing even where the security researcher has no written or oral authority to access the system.
Clause 2 of the proposed text is too broad and vague about what constitutes an offense. The proposed Bill should affirmatively protect good faith activities that are needed for security testing even where the security researcher has no "written authority" to access the system. It is very important that criminal law be precise both about what conduct is unlawful and about the criminal malicious intent (mens rea) that must accompany it.
Crackdown on Online Hate Speech
The proposed Cybercrimes and Cybersecurity Bill also unfairly imposes harsher penalties for the dissemination of hate speech when it occurs online.
South Africa's Promotion of Equality and Prevention of Unfair Discrimination Act (2000) already excludes hate speech from the protection given to free expression, prohibiting the publication, communication, or other dissemination of speech that could reasonably be construed to demonstrate a clear intention to 1) be hurtful, 2) be harmful or to incite harm, or 3) promote or propagate hatred.
According to the 2000 Act, cases involving hate speech are to be referred to the equality court, which is authorized to hold an inquiry and make an "appropriate order." The Act lists a number of possible orders which the court could make, ranging from an "unconditional apology" to payment of damages.
South African common law also provides for penalties for "crimen injuria," or "unlawfully and intentionally impairing the dignity or privacy of another person."
The proposed Cybercrimes and Cybersecurity Bill would automatically impose criminal penalties (a fine and/or up to two years imprisonment) for the unlawful and intentional distribution of any "data message which advocates, promotes or incites hate, discrimination or violence." This treats online speech as inherently separate from speech that takes place offline, and punishes it more harshly.
The imposition of harsher penalties for online speech has become common as states attempt to grapple with the expansion of the public sphere into cyberspace. In the aftermath of the horrific attacks on Charlie Hebdo this past January, France proposed an anti-terrorism bill that would provide for harsher penalties for the glorification of terrorism if it took place online. Similarly, the rationale that online speech is inherently more dangerous has been used to push for laws restricting anonymous online speech in a range of countries.
The criminalization of demonstrating or testing for vulnerabilities gives vendors of flawed products the ability to deny the existence of those flaws, even months or years after those flaws have been discovered, or to wrongly suggest that the vulnerabilities are merely theoretical. This will put the personal information of many South Africans at risk. We need to fix this.
The provision also gives vendors enhanced legal leverage to frighten researchers into silence. This will harm the public by allowing insecure and broken technology to remain unpatched and in use, sometimes by millions of people.
The wording of the bill must not criminalize the legitimate activities and use of tools needed for independent security research, academic study, and other good-faith activities that serve the public interest and ultimately make the public more safe.
These problems are compounded by two provisions that treat online offenses more harshly than similar offenses committed offline: the automatic criminalization of online hate speech covered above, and a provision that would criminalize many non-commercial acts of copyright infringement, which we covered earlier in Deeplinks. We must be wary of any attempt to impose additional penalties on speech purely because of the medium through which it takes place.
South Africa's Right to Know coalition has just launched a Change.org petition asking for the Cybercrimes and Cybersecurity Bill to be withdrawn. Unless the significant concerns that we have expressed above can be addressed before the draft becomes law, we agree that its withdrawal is the best option for South Africa.