InternationalTelecommunicationUnion
Support for Harmonization of the ICT Policies Support for Harmonization of the ICT Policies in Sub-Sahara Africa in Sub-Sahara Africa
Name of presenter
HIPSSA ProjectHIPSSA Project
Workshop on the SADC Harmonized Legal Cybersecurity Framework for Southern
Africa
27 February to 2 March 2012
CYBERCRIME LEGISLATION IN SADC MEMBER STATES COMPARATIVE ANALYSIS
JUDITH M C TEMBO
2
SummarySummary
Context Background Overview of Existing Legislation Comparative Law Analysis - Substantive Criminal Law - Criminal Procedural Law Conclusion and recommendations
3
1.Background1.Background
Context – Development of model law on cybercrimeGlobalization has given rise to activities and transactions increasingly conducted via ICT and internet ICT applications - e-Government, e-Commerce, e-Education, e-Health and e-Environment, seen as enablers for development, as they provide efficient channel to deliver a wide range of basic servicesChallenges - attacks against information infrastructure and internet, and cyber threats (legal, technical, institutional) Risks - financial, economic, health, security, technical etc Need to protect information infrastructure and internet against cybercrime
4
1. Background1. Background
1.0 Legal measures – cybercrime legislation (as part of cybersecurity strategy)Internet borderless, challenges global, global solution needed Harmonization of legislation needed 2.0 SADC countries situation analysis as at February 2011: -countries with cybercrime laws, -countries with cybercrime laws under development - countries with cybercrime related laws2.1 Countries with cybercrime laws: Botswana , Mauritius, South Africa, Zambia2.2 Countries with cybercrime legislation under development/cybercrime related legislation: Angola, Democratic Republic of Congo, Lesotho, Madagascar, Malawi, Mozambique, Namibia, Swaziland, Seychelles, Tanzania, Zimbabwe
5
SADC Countries Cybercrime Legislation Assessment – Substantive Criminal Law
criminalized offences
Substantive Provisions
ANGOLA
BOTSW
ANA
DRC
LESOTHO
MALAWI
MAURI
TIUS
MADAGA
SCAR
MOZAMBIQUE
NAMI
BIA
SEYCHE
LLES
SOUTH
AFRICA
SWAZIL
AND
TANZA
NIA
ZAMBIA
ZIMBABWE
Unauthorized Access
X X X X X X X
Illegal Remaining
Illegal Interception
X X X X X X X X X X X X
Interfering with Computer Data
X X X X X X X
Data Espionage
Interfering with Computer Systems
X X X X X
Illegal Devices
X X X X X X
Computer- related Forgery
X X X X X X
Computer-related Fraud
X X X X X X
Child Pornography
X X X
Identity-related Crimes
SPAM X Disclosure of Details of an Investigation
X X X X
Failure to Permit Assistance
X X X
Harassment Using Means of Electronic Comm.unication
X
KEY
X countries with specific cybercrime legislation
X countries with cybercrime draft legislation
X countries with cybercrime related legislation
6
SADC Countries Cybercrime Legislation Assessment – Criminal Procedural Law investigative instruments provisions
Jurisdiction
AGOLA
BOTSWANA
DRC
LESOTOTHO
MALAWI
MAURITIUS
MADAGASCAR
MOZAMBIQUE
NAMIBIA
SECHELLES
S.AFRICA
SWAZILAND
TANZANIA
ZAMBIA
ZIMBABWE
Jurisdiction
X X X X X X
Procedural Law
Search and Seizure
X X X X X X
Assistance
X X
Production Order
X X X X
Expedite d Preservation of Computer Data
X X X
Partial Disclosure of Traffic Data
Real- time Collection of Traffic Data
X X X ?
Real- time Interception of Content Data
X ?
Forensic Software
KEY
X countries with specific cybercrime legislation
X countries with cybercrime draft legislation
X countries with cybercrime related legislation
7
3.1 Comparative Law Analysis 3.1 Comparative Law Analysis – Substantive Criminal – Substantive Criminal LawLaw
Comparisons:1.Substantive criminal law provisions – offence and acts constituting offence 2.Criminal procedural law - procedural instruments that enable
law enforcement agencies to take necessary measures to identify offender and collect the evidence required for criminal proceedings
3.1.Substantive Criminal Law provisions - Comparative Law Analysis table
Countries with specific cybercrime legislation or cybercrime legislation draft laws and cybercrime related legislation available as at February 2012
3.1.1. Similarities – 1.unauthorized access - Angola, Botswana, Mauritius, Namibia,
Seychelles, Tanzania, Zambia2.llegal interception – Angola, Botswana, Lesotho, Malawi,
Mauritius, Mozambique, Namibia, South Africa, Swaziland, Tanzania , Zambia. Zimbabwe Interception of Communications Act no.6 of 2007 provides for telecom. Interception but does not provide for offence of illegal interception
8
3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw
3.1.1. Similarities –cont’d3.Interfering with computer data – Angola, Act, Lesotho, Mauritius, Namibia, South Africa, Zambia4.Interfering with computer systems – Angola, Botswana, Mauritius, Namibia, Zambia; no exceptions to liability3.1.1. Similarities – 5.Illegal devices – Angola, Botswana, Mauritius, Namibia S. Africa, Zambia6.Disclosure of details of an investigation Botswana, S. Africa, Zambia7.Failure to permit assistance – Botswana, S. Africa, Zambia8.Computer related forgery - Angola, Madagascar, S. Africa, Zambia9. Computer related fraud - Angola, Botswana, Mauritius, Madagascar, Namibia, S. Africa10.Child pornography – Angola, Botswana, Madagascar11.Lack of provisions on illegal remaining, data espionage, identity theft/crime
9
SADC Cybercrime Legislation Comparative Law Analysis – Substantive Criminal Law provisions (February 2012)
Subs’tive Provision
Acts covered in offence
Ang. Bots DRC Les. Mal awi
Mad ag.
Maur. Moz. Nam. Seych. S.Afri. Swaz. Tanz. Zam. Zim. B. prac- tice.
Unau- th’zed Access
1.Integrity 2.Follow up acts 3.intent 4.exceptions
X X X X X
X X X X
X X X X
X X* X
Maur. Defn of comp.sys.*
Illegal intercpt’n
1.transm’sns 2.intent 2.exceptions
X X X X
X* X* X X* X X X* X* Bots. off- ence fully criminalized
Interf.with comp. data
1.Integrity 3.intent 4.exceptions
X
X X X
X* X X X
X X X
X Maur.pe- nalty (10yrs)
Interf. with comp. sys
1.Integrity 2.intent
X X X
X X
X X* Bots.- acts (detailed provns),
Illegal devices
1.making available, use 2.intent
X* X X
X X
X X X Maur. penalty (5yrs)
Comp.-related fraud
1.data mani- pulation 1.advantage to oneself 2.loss to anor 3.intent
X X X X X
* X X X X
X X
X X
Bots.-clarity, extent of applicn (all cybercrime offences)
Comp.-rela- ted forg.
1.unauth. data 2.advantg to oneself 3.loss to anor 4.intent
X
*
X X
X X
X* S.Af., acts, clari- ty of application (all cyberc- rime offences)
Discl’r of inv- gn. details
1.permitted discl.
X
X X X* Maur. Clarity*
Failure to per- mitt assist.
1.non. com- liance with order 2.exeptions
X X
X* X* Bots.
Child porn. 1.making available 2.intent 3.Def. of child
X
X X
X Bots.
*Mauritius definition of computer system includes specific exceptions (‘calculators which are not programmable’) to definition of computer system *Tanzania – unauthorized access acts restricted to computer *Lesotho – illegal interception acts restricted to telecom message contents; Tanzania and Zambia definitions include interception done individually or through a third party *Zambia – unauthorized interference acts to computer system restricted to destruction *Angola – illegal devices acts restricted to use; Namibia includes control of device/program/data in possession of a third party *Madagascar computer-related fraud acts covered are not provided * Zambia – forgery acts restricted to unauthorized decryption or release of decryption key; Namibia - no distinction between fraud & Forgery; Madagascar - no distinction in medium used to commit offence *Zambia – Disclosure of investigation details restricted to interception; S.Africa restricted to court order, prosecution or for purpos es of Electronic Communications & Act no. 25 0f 2002; Mauritius – disclosure pursuant to an Act, court order, prevention of injury/damage to person/property, public interest,) while Botswana Act is gene ral ie with ‘lawful authority’ (See S17 Cybercrime & Computer related crimes Act no. 22 of 2007; *S.Africa, Zambia – failure to permit assistance restricted to search and seizure *Botswana – Child pornography acts covered also include procuring an underage person to facilitate commission of an offence.
10
3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw
3.1.2 Differences -Offences 1a.Unauthorized access•Terminology - - computer or computer systems –Botswana, Mauritius, Zambia; information system – S. Africa, Namibia 1.b. Best practice - Harmonization in line with global standards to improve international cooperation in the framework of cybercrime investigations and prosecution; 2a. Illegal interception - acts covered , intent, exceptions 2b. Best practice - Harmonization as in 1b.
11
3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw
3.1.2 Differences cont’d3a. Interfering with computer dataActs covered – destruction, suppression, alteration, modification, rendering data meaningless, useless or ineffective, obstruction, interruption, interfering with lawful use, with intent – Botswana, Mauritius (‘knowingly’ , ‘where as a result of the commission of an offence … the reliability of data is … otherwise impaired’),Angola, Namibia – deterioration and degradation of data included, denying access to data to person entitled with intent – Botswana; South Africa , Zambia (‘interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective‘ ), Lesotho – restricted to interference with contents of telecom message;3b. Best practice - Harmonization as in 1b.
3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law
3.1.2 Differences cont’d4a. Interfering with computer systems - Acts covered , intent 4b. Best practice - Harmonization as in 1b.5a.Illegal devices - Acts covered, intent5b. Best practice - Harmonization as in 1b.6a. Computer-related fraud - Acts covered, intent; Madagascar –
details of acts covered in offence not provided. 6. Computer-related fraud6b. Best practice - Harmonization as in 1b.7a.Computer-related forgery - Acts covered , intent 7b. Best practice - Harmonization as in 1b.
12
3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law
3.1.2 Differences Cont’d8a.Disclosure of details of an investigation - acts
covered/permitted disclosure – 8b. Best practice - Harmonization as in 1b.9a. Failure to permit assistance - Acts covered – non
compliance with investigative order or notice under procedural provisions – Botswana; search and seizure - S. Africa, Zambia.
9b. Best practice - Harmonization as in 1b.
10a. Child pornography - Mauritius, S. Africa, Namibia not criminalized, Madagascar criminalized in Penal Code,
Zambia criminalized in S.177A (1) Penal Code;
13
3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law
3.1.2 Differences Cont’d10a. Child pornography Acts covered - production, publication, possession, access,,
Botswana, Angola; Zambia provision applicable to generally; Botswana includes communication with under 18 year old to commit offence or prostitution /other sexual offence on child under Penal Code, or 16years for purpose of abduction, kidnapping, defilement under Penal Code; Madagascar – transmission or broadcast of pornographic material ‘by any means’ -S.346
Definition of child – Botswana below 14 years, Zambia below 16 years (S.131 A Penal Code); Angola 18 years; Madagascar no definition, but ‘minor ‘below 15years imprisonment for offence 3-10years from 2-5years)
10b. Best practice - Harmonization as in 1b.
14
3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law
3.1.2 Differences cont’d11a. Harassment using means of electronic communications Only criminalized by Angola – acts covered - to commission of
fraud, sexual harassment, threats and coercion (Art.13 and Art.1).
11b Best practice – inclusion of provision harmonized as in 1b.12a. Spam - Only criminalized by Zambia- acts covered - sending of
unsolicited message over the internet ‘for purposes of illegal trade or commerce or other illegal activity‘ (S105 ECT Act).
12b. Best practice - inclusion of provision harmonized as in 1b.13. Other differences Penalties (maximum) – Botswana P5000 and P100 000, imprisonment of up to 5 years,
Zambia 900 000 penalty units to twenty-five years imprisonment, Mauritius and 50 000 rupees to twenty years imprisonment, or to both penalties
15
3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law
13. Other differences Penalties (maximum) – South Africa no minimum or maximum monetary and no minimum,
custodial penalties, maximum imprisonment 5years, Namibia N$500,000 to5 years imprisonment, Angola – penalties to be applied as provided in the Criminal Code
Eg - unauthorized access Botswana 1year, 6months if with intent to commit offence under another law , Mauritius 5years, 20yrs if with intent to commit offence, Zambia 2years, Angola 2yrs , 8yrs if through violation of safety measures , Seychelles 2years, Namibia 24 months;
-Illegal interception – Angola 2years, Botswana 2years, Lesotho 6 months, Malawi 10years(fixed) Mauritius 10years, S. Africa 1year, Zambia 25years ,
-Child pornography – Angola 3yrs, 8years if minor under 14years, Botswana 3years, Madagascar 5years,10years if minor under fifteen years, Zambia life imprisonment (minimum 15years)
16
3.2 Comparative Law Analysis – Criminal 3.2 Comparative Law Analysis – Criminal Procedural LawProcedural Law
3.2.Criminal Procedural Law provisions - Comparative Law Analysis table
Countries with specific cybercrime legislation , cybercrime legislation draft laws and cybercrime related laws available as at February, 2012
3.2.1.Similarities- Search and seizure order - Angola, Botswana, Mauritius, S.
Africa, Swaziland, Zambia- Production order - Angola, Botswana, Mauritius, Zambia- Expedited Preservation of Computer data - Angola, Botswana,
Mauritius- Real-time collection of traffic data – Angola, Botswana,
Mauritius, - Lack of provisions on forensic software
17
18
SADC Cybercrime Legislation Comparative Law Analysis
– Criminal Procedural Law Investigative Instruments provisions
Crim. Proced. Provisi- ons
Proced- ures
Ang. Bots. DRC Les. Mal awi
Mad ag.
Maur. Moz. Nam. Seych. S.Afri. Swaz. Tanz. Zam. Zim. B. prac- tice.
Search and seizure order
1.Admin. order 2.Judicial order* 3.co-ope- ration of subject
X
X
X
X X
X
* X X
Bots.co- urt for- um open, potential advantage for delay reduction
Prod- uction order
1.Admin. order 2.Judicial order
X X
X
Bots. co- urt for -um open
Expedit- ed prese- rvation of comp. data
1. Admin. order 2.Judicial order
X X
X
Maur. jud. or- der with stipula- ted time frames
Real-time collection of traffic data
1.Judicial order
X X*
X
* Ang., specifies restrict- ion to investig., includes content data
*Botswana judicial orders are applied for to a ‘judicial officer’ (not specified), Mauritius - a Judge in Chambers, S.Africa - a magistrate or judge, Angola - a magistrate, Swaziland – a magistrate, Zambia - a magistrate *Botswana specifically authorizes the application made to a judicial officer to be made ex-party *Zambia provisions not clear
3.2 Comparative Law Analysis – Criminal 3.2 Comparative Law Analysis – Criminal Procedural LawProcedural Law
3.2.2 DifferencesProcedures for issuance/competent authorities – 1a. search and seizure - Swaziland provided for in S.46 Criminal
Evidence and Procedure Act No. 67 of 1938; - procedure1b. Best practice - Harmonization in line with global standards to
improve international cooperation in the framework of cybercrime investigations and prosecution
2a. Production orders - procedure2b. Best practice - Harmonization as in 1b.3.a Expedited Preservation of Computer Data - procedure3b Best practice - Harmonization as in 1b4a. Real-time collection of traffic data - procedure4b Best practice - Harmonization as in 1b.
19
4. Conclusion and Recommendations4. Conclusion and Recommendations
• Of the fifteen benefitiary States, Botswana, Mauritius, South Africa and Zambia cybercrime legislation contain similar provisions to large extent, with some differences. Angola and Namibia laws still in draft form. Differences mainly centred on terminology, acts covered in offences, non-criminalisation of certain offences and or lack of provision for certain procedural instruments, and penalties;
• Differences including significant differences in penalties for offences of concern vis-avis effectiveness of deterrence provided for cybercrime and the need for removal of safe havens to would-be offenders;
• Harmonization in line with global standards to improve international cooperation in the framework of cybercrime investigations and prosecution recommended.
20
21
Thank you for your attention!Thank you for your attention!
22
References
1. Angola - Basic Telecommunication Law Of 2001 2. Constitution of Zambia Chapter 1 of the Laws of Zambia 3. Discussion document on the activities of the Working Group established to facilitate the technical
development of a (draft) legal framework to regulate electronic transactions and commerce in Namibia and further to provide for related matters with the objective to promote the use of information and communication technologies (ICT) in Namibia
4. Green paper on Electronic Commerce for South Africa 2000 5. Interception of Communications Act No 6 of 2007 (Zimbabwe)
www.thewip.net/.../2007/09/zibabwean_human_rights_activi.html 6. ITU Publication on Understanding Cybercrime : A Guide For Developing Countries
www.itu.int/ITU-D/cyb/.../docs/itu-understanding -cybercrime-guide.pdf 7. Lesotho - Telecommunications Act 8. Lesotho ICT Policy 2003
Unpan1.un.org/intradoc/groups/public/document/cps/unpan033873.pdf – 9. Madagascar constitution
www.servat.unibe.ch/icl/ma00000_html- 10. Namibia – Communications Act No. 8 of 2009 11. Malawi Information and Communications Technology (ICT) Policy 12. Constitution of Mozambique 2004 13. Constitution of the Democratic Republic of Congo 2005 14. Madagascar Penal Code
www.ebookbrowse.com/penal-code-madagascar-fr-pdf-d92577106 French Law: Madagascar: Legislation: Penal Code of June 17, 1972 made jo ... Page 46 of 66 http://droit.francophonie.org/doc/html/mg/loi/fr/1972/1972dfmglgfr4.html 10/25/2005
15. Mozambique Telecommunication Law 8/2004 16. Mauritius Copyright Act no. 12 of 1997 17. Mauritius Data Protection Act no. 13 of 2004 18. Law 8/2004 Mozambique
www.wipo.int/wipolex/en/details.js?id=6415
23
19 National ICT Policy for Seychelles 20. www.ict.gov.sc/resources/policy.pdf 21. www.techzim.co.zw/wp/zimbabwe_mict 22. National ICT Policy for Zambia 2007
www.mct.gov.zm/index.php?option+com_docman&task 23. Namibia Use of Electronic Transactions and Communications Bill 24. SADC Report Chapter 3: Review Of The Existing Social And Economic Policies
And Strategies, www.sadc.int
25. South Africa Electronic Communications and Transactions Act 26. South Africa Regulation of Interception of Communications and Provision of Communication-
related information Act No. 70 of 2002 27. Swaziland ICT Policy 28. www.i-policy.org/2006/08/swaziland_ictp.html 29. Swaziland Criminal Procedure and Evidence Act, 1938 30. Tanzania - Electronic and Postal Communications Act 2010 31. United nations Economic Commission For Africa Legal & Regulatory Frameworks for the
Knowledge Economy 2009 32. United nations Economic Commission For Africa Benchmarking the WSIS in Africa Report 2011 33. Zambia Electronic Communications and Transactions Act 34. Zimbabwe Children’s Act Chapter 5:06 35. Zimbabwe Cybersecurity Policy Report July 2011 36. Z imbabwe Interception of Communication Act Number 6 of 2007 37. National ICT Policy for Zimbabwe
www.techzim.co.zw/wp/zimbabwe_mict 38.2009 Access to On-line Information and Knowledge www.safilii.org/zm/legis/consol_act/pca87/