Tagged: Privacy

Stop the draconian Cybercrime Bill

IN OCTOBER of 2015, I warned readers of the many dangers inherent to the deeply flawed and draconian Cybercrime Bill, Medialternatives was one of the first publications in the country to break the story, followed by an opinion piece written by myself and published by the Cape Times, I therefore feel obligated to respond to the latest round of publicity on the subject.

The bill continues to threaten the ‘fundamental democratic spirit of the Internet and increases the state’s surveillance powers.’ The allegations have been denied (but not refuted) by deputy minister of justice and constitutional development, John Jeffery, at a media briefing on the Bill in Pretoria last week.

Although the latest version of the bill that will be introduced to Parliament is ‘considerably different in many respects to the Bill that was issued for public comment,’ it still contains provisions which are highly problematic from a civil rights perspective, in particular the erosion of the communications rights in our Constitution which favour individual data gathering and information sharing.

Advocacy group Right2Know Campaign (R2K), which is opposed to the Cyber Security Bill and has called for it to be scrapped, says via ITWeb, that despite the revisions, the fundamental fatal flaws of the Bill are still there.

R2K advocacy coordinator Murray Hunter says the organisation recognises the Department of Justice has made some important revisions in the Bill:  “But as far as we can see, the fundamental, fatal flaw of the Bill is still there − it would hand over the keys of the Internet to state security minister David Mahlobo.”

Particularly worrying is the bill criminalises the modification of computer programmes by users, in effect open intellectual inquiry is outlawed by a presumption that any curiosity for instance, is evidence of an ulterior motive. Why would users want to gain access to their operating systems, if only to engage in crime?

The bill is thus an amalgamation of paranoid and securocratic concerns about potential, online criminal activities, From hacking to interception of data, from forgery and uttering, to  extortion and even terrorist activity. And most certainly there are very real reasons to be afraid these days of unwanted intrusions such as identity theft, fraud and surveillance, but should modifying computer data be grounds for the presumption of criminality?

Similarly, the use of common network tools, such as ping, finger, netstat and so on, would under the current version of the bill, also incur the legislators wrath.  Why would anyone wish to analyse network traffic if only to commit crime? The mind boggles at the scope and sheer over-reach of the contemplated new statute.

Removing bloatware, adware and other unwanted intrusions by software companies, will not surprisingly, also run the risk of offending the new proposed law. There are many articles available online, on the issue of whether computer software users do have or ought to have the right to modify legally-obtained software, either themselves or through the services of another party.

“Private software consumers should have those same modification rights under intellectual property law that are recognized when the government is a consumer of software” says Pamela Samuelson of Berkeley Law Review. The Free Software Foundation has long campaigned for user rights to modify and alter computer programmes. The entire open source movement is predicated on the rights contained in the GNU/Linux General Public License (GPL), which expressly allows such modifications.

One of the novelties inside the bill is the new delict of “theft of an incorporeal”. One can only presume this is meant to convey the idea of virtual objects, which may be copied without permission and thus also “stolen”. In legal tradition the crime of theft usually deprives the owner of property, not simply by leaving behind the original and making a digital copy, which has lead many internet rights activists to point out the inherent contradiction.*

The overly-broad definition of “computer” by the bill, leaves much to be desired, and opens up users to unwanted litigation merely for possession of a personal computer, and thus an unnecessary attack against general purpose, personal computing. In today’s interconnected and networked world, it is often difficult to determine where an intrusion or ‘cyberattack’ originates, and what exactly is being conveyed by the noughts and ones of machine code.

Turning victims into criminals isn’t the solution.

You can read more about this debate on  Itweb, with an excellent contribution by Simnikiwe Mzekandaba

See my separate article on how internet rights were included in South Africa’s Constitution.

(*NOTE: In 1991 South Press carried a pioneering article by myself, pointing out the problem of defining property in the computer age, the M&G refused to run a follow-up citing concerns to do with property-ownership. I later participated in the campaign to include Internet rights in the Constitution)

How Internet rights were included in our constitution

IT WAS in 1995 that I returned from self-imposed exile and America’s West Coast. Having launched what would be the very first online act of mass civil disobedience against John Major’s Criminal Justice Bill the previous year. The Distributed Denial of Service (DDoS) attacks against Whitehall were launched from a techno party at the 181 Club in San Francisco, followed by a landmark Digital Be-In ‘CyberSafari’ videoconferencing event, linking the continent of North America with Africa — that I embarked on a series of public happenings in South Africa, culminating in several inaugural cyber-rights events at the iCafe in Long St, Cape Town.

david-netdemo-event2A photograph from the period shows me at a terminal, wearing a Mondo 2000 t-shirt, at the very first NetDemocracy event in the country hosted by Nodi Murphy and Stephen Garrett.  A simple information activist, participating in an online Internet Relay Chat (IRC) chat with Minister Pallo Jordan alongside 120 citizens from around the country, all of whom happened to be online.

“Internet Cafe expert gets in touch with Posts and Telecommunications Ministers Dr Pallo Jordan via the Internet relay chat held in the city yesterday. More than 120 people from around the country asked him questions about the Green Paper on telecommunications policies.” opined the Cape Times.

Jordan would later the same day, accept a complimentary copy of the Virtual Community,  Homesteading on the Electronic Frontier by Howard Rheingold, as I proceeded to also fax Minister Jay Naidoo, with demands that we resist the urge to simply usher in the Internet Age, but also take proactive steps to protect user’s rights online, rights such as the right to privacy, right to not have one’s communication intercepted, right to receive and impart communication electronically, right to cryptography and pretty good privacy (PGP), the right to download and upload information, the right to copy data and so on.

Successive events the following year in 1996 held during the constitution-building process, charted new territory and included a CuSeeMe video-call with columnist and digital rights advocate Douglas Rushkoff from New York, a public IRC session with the editor of Future Sex Magazine, Lisa Palac , and a controversial session on Martinican poet Aimé Césaire, Léopold Sédar Senghor and Léon Damas entitled ‘Negritude on the Net’, and other such interventions.

The somewhat crude outcome wasn’t exactly what we all intended, in the end, there was unfortunately, no single article in our constitution entitled ‘Internet Rights’, but instead, as fate would have it, the authors of the Constitution and our Bill of Rights achieved the same. By engaging in public consultation, by utilising the very same tools we, as net activists, were advocating, the constituent assembly effected an astonished feat and made good on many promises. Eventually including a suite of astonishing information and communication rights, many of them applicable and ready-to-wear or subsumed under other legal headings.

wired-mag-1996

Wired Magazine information byte on the BoR

The historically important result was noted by Wired Magazine, who reported on the landmark inclusion of information and other rights. A first for any country on the planet.  Thus, article 14 ‘Right to Privacy’, has the crucial right to not have the privacy of our communications infringed.

Article 16 Freedom of Expression aside from granting individuals the freedom to blog, tweet and produce electronic media, contains the all important ‘freedom to receive or impart information or ideas;’

and,

Article 32 Access to Information, guarantees ‘access to information held by the state, or required for the exercise or protection of any rights.’

These three foundational rights or ‘spheres of responsibility’, when read together form an important guarantee of online freedoms and cyber-liberties, and must be seen against the backdrop of the constitution’s formation, as a secular document enshrining civil liberties for the digital age. One can thus be proud of the 21st century wording, which is both progressive and future proof.

For our nation’s founder Nelson Mandela, it was a major milestone in constitution building and alongside the rise of the Internet as the World Wide Web, which had came in the aftermath of our very first democratic election, we had collectively opened the doors of technological progress.

South African’s can be grateful we all have a digital-ready constitution and that the country has one of the most strident and open information provisions anywhere on the globe. Municipal, provincial and national government all actively share information online with voters and taxpayers.

Our taxes are now accessed via an online portal operated by the South African Revenue Service (SARS), as are other government services. A public campaign to provide free and open access to internet and data has been gaining steam, and many metros are now providing wifi for gratis.

Despite the enormous progress and despite such guarantees, as I write this, there are still several current legislative threats before the House of Assembly, pitted against our hard-won freedoms, and include the Film & Publications Amendment Bill, the Copyright Amendment Bill and Cybercrime Bill, all introduced by the ruling party, and all containing wording, stratagems and concepts which run counter to the spirit of the constitution and the nation’s legacy of cyber rights.

It thus remains up to the generation of today, the millennials and especially the new crop of digital activists and open access cadres, to defend online freedom and African cyberspace, to make good on the many promises contained in South Africa’s Constitution.

Reports of the death of communications privacy are greatly exaggerated

This is a guest post by Jane Duncan who is a member the Right 2 Know Campaign, a South African campaigns group that is a member of the Privacy International Network.

On 23rd March the United Nations Human Rights Committee released its assessment on South Africa’s compliance with the International Covenant on Civil and Political Rights (ICCPR). The report includes a blistering attack on the Government for failing to respect the privacy of the communications of users and makes recommendations to reform the laws and practice of surveillance in the country.

The Committee’s findings repudiated the Government’s claims that its surveillance practices, based on the Regulation of Interception of Communications and Provision of Communications-related Information Act(or, RICA, as it’s commonly called in South Africa), are justifiable, given the country’s extremely high crime rate and the global terrorist threat.

RICA makes it illegal to intercept communications without a warrant from a designated judge (the “RICA” judge). Law enforcement and intelligence agencies are authorised to use the Act to assist investigations, providing they follow the procedures in the Act.

South Africa’s Parliament passed RICA into law along with other anti-terrorist laws in the wake of the September 11, 2001 attacks on the US. The world was in shock at the brutality of the attacks, and in South Africa, citizens were also crime-weary after a massive crime spike in the late 1990’s. As a result, many were more open to rights-reducing laws like RICA. But more people are realising that, in their freedom, they may have given an important element of their freedom away, namely the privacy of their communications.

In the past, when there has been political ferment in the ruling party, different factions have abused their access to the communications surveillance capacities of the state to spy on their perceived opponents. The full extent of these problems came to light in 2008 when a ministerial report into these abuses was leaked to the press (known as the Matthews Commission report).

The Matthews Commission proposed wide-ranging reforms to prevent similar abuses from occurring again. However, there is little reason to believe that these reforms have been implemented. One of the practices the Matthews Commission criticised was that mass surveillance did not fall under RICA. The UN Committee has amplified this criticism in its report.

There are two interception centres in South Africa: The Office for Interception Centres (OIC), which is established by RICA to undertake communication interception, and The National Communications Centre (NCC), which undertakes mass surveillance, and which isn’t established or regulated by any law. This lack of regulation and oversight renders such mass surveillance unlawful and unconstitutional. After the Matthews Commission report was released, the-then Ministry of Intelligence developed two Bills to regulate the activities of the NCC. However, once the Jacob Zuma Presidency assumed office, both Bills were shelved.

This means that the most powerful mass surveillance machine of the state is the one that is least regulated: an issue that should concern South Africans greatly, as the Government has a track record of abusing such power.

Other abuses have come to light, despite of the lack of transparency around government spying. Sunday Times journalist Mzilikazi wa Afrika, had his communications intercepted by members of the Crime Intelligence Division of the police, on suspicion that his frequent trips to neighbouring Mozambique meant that he was gun-running. Yet in fact, he was pursuing a story for the paper.

Perversely, the Inspector-General of Intelligence – tasked with oversight of South Africa’s intelligence services – declared the interception of wa Afrika’s communications legal, as the police had followed the RICA process. This situation arose because the grounds for the issuing of interception warrants in RICA are vague and speculative. This was another concern in the UN Committee report.

The Committee also expressed concern over weak safeguards, lack of oversight, and lack of remedies against unlawful interference. The RICA judge marks his or her own homework, in that s/he signs off on interception applications, while also being the sole party responsible to report on such decisions in an annual report to Parliament’s intelligence committee.

The Committee also noted that RICA is also weak on metadata protections. RICA requires communications service providers to retain all metadata (or what it calls communications-related information) for 3 to 5 years.

Blanket retention of metadata has become a hugely controversial issue. In 2014, the European Court of Justice struck down the European Union Data Retention Directive saying such retention was  disproportionate to the aim it sought to achieve. South Africa remains out of step with this important development, and blanket retention of metadata persists.

Another controversial feature of RICA is the requirement of Subscriber Information Module (SIM) card registration. This is a de-facto violation of privacy because it limits the ability of mobile phone users to communicate anonymously. A growing body of international research also suggests that this measure is useless as a crime-fighting tool, which raises the question of why such a requirement persists in South Africa. More worrying, mass surveillance technologies can also be bolted onto the SIM registration database.

While the Committee did not pronounce on all issues of concerns, such as South Africa’s possible use of IMSI Catchers, and RICA’s lack of user notification, the Committee’s recommendations are a major advancement in the struggle for privacy of communications in South Africa. It is now up to civil society and popular movements to pick up the cudgels and ensure that abuses – to the extent that they exist – are stopped.

Many have argued that in the age of the internet of everything, privacy is dead. Those who make this argument, including in South Africa, appear not to be aware that the struggle for privacy is, in fact, alive and well, and even gaining ground.  Happily, the Committee’s report on South Africa shows that reports on the death of privacy are greatly exaggerated, to paraphrase Mark Twain.

[Ed note: This piece first appeared as: Reports of the death of communications privacy are greatly exaggerated: reflections on recent UN Human Rights Committee’s findings on South Africa, by Privacy International.]

Nedbank’s Biometric Bungle exposes Personal Info Bill shortcomings.

South Africa’s constitution may have guarantees against the invasion of one’s body in addition to strong privacy protections, but corporations perceive a future in which article 12 and 14 will be amended by simple legislation. Nedbank for instance, has already installed biometric scanning equipment in the expectation of the eminent passing of the so-called “ Protection of Personal Information Bill” (POPI) . A piece of post-RICA and 911 legislation drawn up by government securocrats that could open the doorway to intrusive gathering of biometric information by private companies under the pretext of new privacy protections in the “interests of the consumer”.

Rights Violation?

The new bill  may authorise “a responsible party” to process personal information, even if that processing is “in breach of an information protection principle.” According to the Bill, ‘biometric’’ data means “a technique of personal identification that is based on physical characteristics, including fingerprinting, DNA analysis, retinal scanning and voice recognition.”

Although already aware of the bill due to  my ongoing lobby work for the People’s Health Movement and the Right2Know Campaign — I have submitted concerns related to the problem of securing patient records under the new NHI –  I only became aware of the breadth of the new legislation being contemplated by our government, upon encountering Nedbank’s Guardian system during the festive season

The bank has already rolled out its biometric fingerprinting and security device “pursuant to legislation” being passed.

The issue of consent, which is also covered by the proposed act proved a lot more trickier to navigate than Nedbank had contemplated.

Upon entering the double-door security system which is de rigeur even at the post office, I was assaulted by the new guardian system which at the time, had been programmed to bar entry unless one “consented” to being fingerprinted and photographed.

I immediately objected and complained to management. Surely this was a violation of my constitutional rights, a biometric assault in fact, that could in no way  imply consent?

After numerous phone-calls and a few tweets later, I received the following letter, in which it appears Nedbank capitulates, customers will be requested to use the system on a voluntary basis for the time being, at least until the legislation is passed:

We refer to your complaint regarding the use of fingerprints at Nedbank branches in the Nedbank Guardian biometric system, in particular during your visit to Nedbank Salt River on 21 November 2011, and advise as follows.

You are correct in stating that the Constitution provides a right to privacy for all citizens.

As is indicated on the poster wording outside the Nedbank Salt River branch door, use of the Nedbank Guardian system is optional, however, and you may enter a participating Nedbank branch whether you choose to provide your fingerprints or not. Should you not wish to provide your fingerprints, you are welcome to speak to the security guard on duty or contact branch management. Branch management will then arrange for your access to the branch, as is also indicated on the poster wording outside the Nedbank Salt River branch door.

The wording in the notices placed on posters at Nedbank branch doors is based on the wording of the Protection of Personal Information Bill (“the Bill”). The Bill has not been enacted yet, but Nedbank is already striving to embrace the spirit of the Bill by using the appropriate wording in anticipation of this enactment.

Consent would be required for the use of biometrics at branch after enactment of the Bill, since other exemptions in the Bill which would allow Nedbank to process personal information without consent would not necessarily apply to the processing of personal information of visitors to its branches.

“Consent” is defined in the Bill as “… any voluntary, specific and informed expression of will….”  This would include cases in which visitors voluntary elect to enter participating branches and provide their fingerprints.

The sole purpose of the fingerprinting is to match the identity of visitors to branches with records kept by the Department of Home Affairs, and will only be disclosed to the Department of Home Affairs, the South African Police Service, the South African Fraud Prevention Services, and to Nedbank’s security services providers, or when Nedbank is compelled under law to disclose this information to other parties.

We confirm that Nedbank Guardian records and stores biometric data and photographs of visitors to the branch confidentially and in accordance with applicable legislation.

Nedbank Guardian uses the Advanced Encryption Standard specification for the encryption of electronic data, and we attach a link in the event that you would like to obtain more information in this regard:

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Nedbank will not sell your personal information to third parties.

Nedbank strives to provide the best customer service possible, and to protect its clients and members of the public against criminal activities. It is with this in mind that it has introduced the Nedbank Guardian biometric system at branch doors.

We trust that our response is satisfactory to you.

If not, please do not hesitate to contact the undersigned so that we can follow up on this matter.

Yours sincerely

Edwin Smerdon

Read the Bill