South Africa’s cabinet has approved the Cybersecurity Bill. If the Bill becomes an Act there will be very definite changes to the legal landscape for all businesses – partly because the cybersecurity bill is a very wide (in other words ‘over-broad’) and introduces a whole raft of new criminal penalties.
Comments by the Right to Know Campaign (R2K) put it quite nicely:

‘This Bill creates a regime that is so broad and overarching that almost all possible crimes that could exist on the internet are dealt with using the same set of tools – from the risk of terrorist cyberattacks to the imagined crimes of an ordinary Facebook or BBM user. In attempting to police practically all of the internet, the Bill hands wide-ranging powers to state-security structures to secure vast parts of the internet as assets of state-security, rather than common spaces for the good of all. The Bill would put in place new offences which are over-broad and open to abuse. These would criminalise a range of lawful activities and place dangerous penalties on freedom of expression and access to information, while also giving the state new invasive surveillance powers with little protection for ordinary people’s privacy.’

The interesting part about the Cybersecurity Bill is that the South African Police Service clearly does not have the capacity to actually implement it. For example it would now be a crime (section 20) to be part of a Bittorrent network which would allows you to download copyrighted content such as movies or music. Clearly policing the end user in this case is an exercise in futility. The only way that this part of the Bill could be successfully policed is by placing the duty to protect copyrighted content on the Internet Service Providers. Even then there would be limited success as all that needs to happen to bypass any restrictions by the ISP is for the file-sharing site to use SSL encryption. (There are more actions and counter-actions to combat this, but essentially what this ends up being is a digital arms race between the security agencies vs the pirate content providers).

The real tragedy here is that the Cybersecurity Bill is a good idea. We actually need it – but it needs to be practical and target criminal activity while still allowing whistle blowers to root out corruption, journalists to protect their confidential sources and for us to be free to air our opinions without fear of being censured. The Cybercrime bill is a classic example of inexact drafting which in turn leads to unenforceable legislation.

If only we can say what we truly mean…