Addressing the Challenges posed by Cybercrime: a South African Perspective

• Author: Fawzia Cassim
• Position: Associate Professor of Law University of South Africa, Pretoria, South Africa cassif@unisa.ac.za
• Pages: 118-123

Page 118

1 Introduction

Most of the so-called traditional crimes such as murder, rape, theft, malicious injury to property and housebreaking all originate from the South African common law namely, Roman-Dutch law. These traditional crimes only deal with tangibles, whereas cybercrime deals with intangibles. Before the commencement of the Electronic Communications and Transactions Act, Act 25 of 2002 (hereinafter, the "ECT"), the common law and statutory law applied to online forms of offences such as inter alia, indecency (child pornography), fraud (cyber fraud) and crimen injuria (cyber-smearing). ¹ However, the common law was ineffective in addressing crimes such as theft, extortion, spamming and phishing. The perception thus arose that the common law cannot effectively deal with cybercrime. ² The courts have also held that in terms of the 'prevailing law' they could not admit into evidence disputed documents, which contained information that has been processed and generated by a computer. ³Thus, a need arose for the enactment of specific cyber legislation to address cybercrime. Page 119

2 The advent of the Electronic Communications and Transactions Act, Act 25 of 2002 (hereinafter, the "ECT")

The main aim of the ECT is "to provide for the facilitation and regulation of electronic communications and transactions". ⁴However, the focus of the ECT is to protect "data" (electronic communications) or data messages. The ECT deals comprehensively with cybercrime in sections 85-89, Chapter X111. The following offences are punishable offences in the ECT: section 86(1) criminalises unauthorised access or interference with data, whereas section 86(2) prohibits unlawful modification of data; sections 86(3) and 86(4) introduce new forms of crimes called hacking law and anti-cracking (anti-thwarting) law (which prohibits the selling, designing or producing of anti-security circumventing technology); denial of service attacks is addressed in terms of section 86(5) whereas spamming is addressed in terms of section 45; the crimes of extortion, fraud and forgery are addressed in terms of section 87. ⁵ Section 3 of the ECT provides that in instances where the ECT has not made any specific provision for criminal sanctions, then the common law will prevail. However, other statutory remedies prevail in the prosecution of other cybercrime, for example, the Prevention of Organised Crime Second Amendment Act 38 of 1999 ("POCAA") addresses money laundering. ⁶

The traditional requirement for documentary evidence is that it must be relevant and admissible, its authenticity must be proven and the original document must be produced. ⁷ This has now changed as a result of section 15 of the ECT which provides that the rules of evidence cannot be used to deny the admissibility of data messages on the mere ground that it is not in its original form. ⁸ The ECT thus creates a rebuttable presumption that data messages and printouts are admissible in evidence. ⁹ This facilitates the admission of information in electronic format which is commendable.

The Act has also created 'cyber-inspectors' who are authorised to enter premises and to obtain information that may impact on an investigation into cybercrime. ¹⁰ However, it is submitted that the provision in respect of search and seizure (namely, section 82) may infringe section 14 (right to privacy) and section 25 (right to property) of the Constitution 108 of 1996. ¹¹ The criminal sanctions in the ECT have also been criticised for being inadequate. ¹² To illustrate this, section 89(1) prescribes a maximum period of 1 year imprisonment for most crimes prohibited by section 86, whilst the crimes prohibited in sections 86(4) and (5) (denial of service attacks) and section 87 (extortion, fraud and forgery) prescribe a fine or imprisonment not exceeding 5 years. More stringent penalties are required to deter cyber criminals. Page 120

Jurisdictional issues are regulated by section 90 of the ECT. ¹³ To illustrate this, section 90 of the ECT provides that a court in the Republic (SA) trying an offence in terms of this act committed elsewhere, will have jurisdiction in the following instances:

1. where the offence was committed in the Republic;

2. where part of the offence was committed in the Republic or the result of the offence had an effect in the Republic;

3. where the offence was committed by a South African citizen or a person with permanent residence in the Republic or a person carrying on business in the Republic;

4. or the offence was committed on board any ship or aircraft registered in the Republic or on a voyage or flight from the Republic at the time that the offence was committed . ¹⁴

It is submitted that section 90(b) facilitates the prosecution of perpetrators of viruses and hackers based abroad who may damage our local computer networks as a result of their unlawful cyber activities. A South African court will thus be vested with jurisdiction provided the above-mentioned offences "have an effect in the Republic". A South African court will also be vested with jurisdiction if a South African national commits a cybercrime abroad based solely on the nationality of the perpetrator. ¹⁵ However, the jurisdictional provisions have not escaped criticism. ¹⁶

3 Recent case law

In Ndlovu v Minister of Correctional Services and Another ¹⁷ , the court had to consider inter alia, whether a computer print-out which was a copy, could not be admitted into evidence unless properly proved. The court found that as the print-out was generated by a computer, it was governed by the ECT. Thus, it examined section 15 of the ECT, and found that s 15(1)(a) prohibits the exclusion from evidence of a data message on the mere grounds that it was generated by a computer and not by a natural person, and s 15(1)(b) on the mere grounds that it is not in its original form. However, the court found that the print out was admissible into evidence not in terms of section 15 of the ECT, but in terms of the court's statutory discretion to admit hearsay evidence in terms of the Law of Page 121 Evidence Amendment Act 45 of 1988. This decision has been criticised for not providing clarity on the effect of section 15 of the ECT on the authenticity rule and the hearsay rule. ¹⁸

In S v Ndiki and Others ¹⁹ the state sought to introduce certain documentary evidence consisting of computer-generated print-outs, designated as exhibits D1-D9, during the course of a criminal trial. The court held that if a computer print-out contained a statement of which an individual had personal knowledge and which was stored in the computer's memory, then its use in evidence would depend on the credibility of an identifiable individual and would therefore constitute hearsay. On the other hand, where the probative value of a statement in a print-out depended on the "credibility" of the computer, then section 3 of the Law of Evidence Amendment Act 45 of 1988 would not apply. ²⁰ The court found that because certain individuals had signed exhibits D1 to D4, the computer had been used as a tool to create the relevant documentation. Therefore, these documents constituted hearsay. Exhibits D5 to D9 had been created without human intervention and such evidence constituted real evidence. Therefore, the admissibility of this evidence depended on the reliability and accuracy of the computer and its operating systems and processes. The duty to prove such accuracy and reliability lay with the state. ²¹ The court's progressive approach in regarding part of the computer-based evidence as real evidence has been lauded. ²²

The above discussion demonstrates that the South African courts are adopting a somewhat cautious approach in cybercrime cases. Although the Ndiki decision is encouraging, a clear and concise judicial guidance on the admissibility and evidential weight of electronic evidence is needed in future cases.

4. The South African banking sector

South African banks are also vulnerable to cybercrime. ²³ Cybercrime is said to be increasing rapidly in the banking industry. Many banks and companies have underestimated threats emanating from phishing, data loss, identity theft, information leakage and other cyber activities. Banks have expressed concern about the increase in phishing schemes. ²⁴ It is acknowledged that many of the phishing operators are part of...