After an extended period in Parliament, the Cybercrimes Act has finally been signed into law by the President. The purpose of the Act is to bring South Africa into line with international jurisprudence on the detection and prosecution of crimes which are either specific to computers, or which are perpetrated using computers. This is a very brief summary of the sections of the Act that may interest our clients.
The Act introduces several crimes into our law, and classifies them in two categories: cybercrimes, and malicious communications.
Cybercrimes
The new “cybercrimes” are:
- Unlawful access to a computer system or to a data storage medium (such as a hard drive, or flash drive, whether it is connected to a computer or not).
- The unlawful interception of data (this relates to what RICA defines as “indirect communications” and there is overlap between the two Acts).
- Using or possessing a hacking tool.
- Unlawful interference with data or a computer program on a computer or a storage medium (so in other words deleting, altering, etc. data without lawful cause).
- Unlawful interference with a computer or data storage (making any change to an IT resource or affecting its functionality a well as impinging on any of the triad of IT security – confidentiality, integrity and availability).
- Offences relating to passwords, access codes and the like: acquiring, possessing, or use in another cyber crime is an offence, as is the provision to another person for such use.
- Cyber fraud.
- Cyber forgery and uttering (the first is making fraudulent data, the second is passing it off as genuine).
- Cyber extortion (threatening a DDOS attack unless paid a demanded sum would be a good example of this; deployment of ransomware would fall under this and a number of the other crimes)
Several of these crimes are considered to be aggravated offences if committed against a “restricted computer system”, which includes banking systems, the systems of certain organs of state, and any system that is “…protected by security measures against unauthorised access and use.” This last inclusion is interesting, as almost every computer uses some kind of firewall or other anti-intrusion measure, and most smartphones (which are also computers for these purposes of course) are locked using passwords or the like. As a result, it seems that many rather pedestrian crimes would be considered to be “aggravated offences”. We will have to see how the courts apply the section.
Theft of Incorporeal Property
A somewhat awkward addition is the provision that the common law offence of theft must not be interpreted so as to exclude the theft of “incorporeal property”. By way of background, the crime of theft has always applied to moveable corporeal property only. In other words, if you can pick it up and run away with it, you can be charged with theft if you steal it (even if you need a crane to do so). Immoveable property (land and buildings) and incorporeal property have thus never fallen under the ambit of theft.
This provision has two issues. Firstly, “incorporeal property” is not defined. Does this mean any data at all, or does it mean a manifestation of something that is capable of ownership? If the second sense, then only copyrighted material could be affected by this provision. Ownership in incorporeal property is created by statute, and you cannot steal a trademark, patent, registered design or plant breeder’s right because they are all public records by virtue of being registered. That leaves copyright as the only type of intellectual property standing, and this leads us to the second issue.
Theft under the common law requires the appropriation of property. This is a fairly complex point but in essence after the crime of theft has been committed, one of the parties has control of the subject of the theft, and the other party does not. It is difficult to imagine a scenario where this could be the case with a copyrighted work. If copying of a work takes place, then BOTH parties have a copy of the incorporeal property.
Malicious Communications
There are three offences created relating to “malicious communications”.
The first is sending a message electronically with the intention to incite others to cause damage to property or to commit violence against a person or group of people. An example would be posting messages calling for violence against a particular person or group of people on Facebook or WhatsApp. Note that this section does NOT cover expressions of hatred or prejudice that stop short of inciting violence or damage to property, though this can be a difficult point to distinguish.
The second offence is sending a message electronically to a person or group of persons threatening them directly with violence or damage to property.
Thirdly, it is an offence to send an intimate image of a person electronically without their consent. An intimate image is one where the person represented had a reasonable expectation of privacy, includes the usual body parts, and which violates the person’s dignity or amounts to sexual exploitation. So, for example it is not an offence to post mainstream pornographic images on WhatsApp, but it IS an offence to take photos of your neighbour swimming nude and post those.
Commencement
Finally, note that while the Act has been signed into law, it has not yet commenced. The ministers responsible for justice and police must promulgate regulations before the Act can be commenced, and I cannot anticipate a time frame. The date of commencement will be published in the Government Gazette in due course.