How government is forcing ISPs and mobile operators to hand over private information

·3 Aug 2017

Government recently extended its deadline for written submissions on the Cyber crimes and Cyber security Bill until 10 August 2017.

The Bill aims to “create a uniform framework for the detection, combating and prosecution of cyber crime, and the promotion of a cyber security culture in South Africa”.

It also introduces a number of new privacy concerns surrounding access to personal information. Notably, it raises questions about how it plans to track South African citizens online to determine whether or not a cyber crime has been committed.

“The Cyber crimes and Cyber security Bill will impact all industries, although there are specific obligations imposed on financial institutions and electronic communications service providers to report certain offences. If you commented on the previous draft, you may be interested in the substantial changes in the current draft and wish to comment on these,” said law firm Norton Rose Fulbright.

“If you haven’t yet considered the Bill, now is your chance to think about its impact and submit comments.”

This sentiment was echoed by law firm Cliffe Dekker Hofmeyr in a media statement.

“Electronic communications service providers, Telco’s, banks and financial institutions, in particular, should be cognisant of the new responsibilities and requirements that will be placed on them to assist law enforcement with the investigation of cyber crimes, should the Bill be enacted in its current form,” it said.

“In this regard, the Bill also requires significant alignment with the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) and the Protection of Personal Information Act (POPI).”

What Telco’s and ISPs have to say

Following the announcement and ensuing coverage of the Cyber security Bill earlier this year, BusinessTech reached out to a number of operators and ISPs to ask how these companies will hand over information and what information government is likely to ask for.

Vodacom, MTN and Afrihost offered direct responses on the issue.

Vodacom

1. What is the new Cyber crimes Bill asking Vodacom to hand over in the case of a possible offence being committed?

“The new Bill will require that all information involving Cyber crime and /or Cyber Security incidents must be shared with the Cyber Security HUB.”

2. How much input has Vodacom had in the formation of the Bill and with regards to consultation with government?

Vodacom and all the other operators in South Africa were invited to provide input into the drafting of the Cyber crimes Bill.

3. What type of information will be shared and how will this information be stored?

Information that will be shared includes the identification on new viruses, hacker IP addresses identified, new mail phishing attacks and any other information that can cause damage to any other organisation or Government computer infrastructures.

The storing of this information is done by the Cyber Security HUB which is accessible to public and private security cluster co-coordinators.

4. Could you elaborate on positives of the bill as well as perceived negative?

Research shows that the cyber crime trend is on the rise in South Africa. For instance, in September 2015, Vodafone released the findings of global survey spanning 11 countries, including South Africa, which revealed that more than half of teenagers think cyberbullying is worse than face-to-face bullying.

In addition, 43% of those surveyed would find it hard to support a friend who had been bullied on social media, as they ‘could not find the right words’ to show support. Therefore, for a country like SA where cyber bullying over social media is prevalent, the bill is a step in the right direction as it aims to criminalise cyber bullying and stamp out malicious communication and harassment on social media.

The other positive outcome of the Bill is the establishment of the National Cyber Crime Centre, Cyber Security HUB and the Public sector Incident Response Teams. The Bill also provides better guidance than the Electronic Communications and Transactions Act, 2002.

Naturally there will be the perception by the general public that Government will be spying on them.

MTN

MTN acknowledged our questions but opted to issue a direct release detailing its stance on the proposed Cyber crime Bill.

“MTN welcomes the announcement of the Cyber crime Bill as a major step forward in the fight against cyber crime. Prior to the enactment of the Bill, there was no piece of legislation that governed cyber related crimes.”

“The Cyber crime Bill criminalises cyber related offences and defines and classifies each offense appropriately.”

“MTN is encouraged by the inclusion of specialized procedures with checks and balances, and believes this will go a long way towards protecting the rights of user of information communication technologies, especially when dealing with the investigation of cyber crimes.”

Afrihost

1. What is the new Cyber crimes Bill instructing Afrihost to hand over in the case of a possible offence being committed?

The Bill has not been enacted by parliament, and we believe there will be a few revisions to align the bill with overlapping legislation before this happens.

At present we only have the Bill as it stands to go by, which does not specify which records can be requested, so we’ll wait until there are clearer guidelines from the revised Bill and the relevant Ministries.

As it stands, any personal or confidential information can only be handed over on receipt of a court order.

2. How much input has Afrihost had in the formation of the Bill and with regards to consultation with government?

We understand that ISPA is working with government on behalf of ISPs to ensure that the interests of service providers are taken into account.

3. What type of information will be shared and how will this information be stored?

This follows on Point 1, it would depend on the final guidelines that are included when the Bill is signed into legislation. We expect that this would balance the need for privacy, as protected by the CPA and POPI, with the growing threat of cyber crime and identity theft.

4. Could you elaborate on positives of the bill as well as perceived negatives?

We are increasingly concerned by the proliferation of cyber crimes. While many discussions around this topic seem to focus on digital piracy, there are more serious crimes like identity theft, cyber attacks and fraud, which we take very seriously for the well-being of our clients and our business.

These are crimes that not only result in losses of billions of rands to the economy, but also potentially ruin the lives of individuals and families. We believe that adequate, balanced legislation will benefit the industry and the public by giving investigating agencies the ability to respond appropriately to these threats, and to keep pace with the new technologies and methods being used.

However, these broad powers must be balanced against the right to privacy for both service providers and clients, to ensure that this does not impact law abiding citizens in a negative way, or restrict their freedoms unnecessarily.

Read: Here’s how government plans to track South Africans leaving the country for longer than 3 months