InternationalTelecommunicationUnion

Support for Harmonization of the ICT Policies Support for Harmonization of the ICT Policies in Sub-Sahara Africa in Sub-Sahara Africa

Name of presenter

HIPSSA ProjectHIPSSA Project

Workshop on the SADC Harmonized Legal Cybersecurity Framework for Southern

Africa

27 February to 2 March 2012

CYBERCRIME LEGISLATION IN SADC MEMBER STATES COMPARATIVE ANALYSIS

JUDITH M C TEMBO

2

SummarySummary

Context Background Overview of Existing Legislation Comparative Law Analysis - Substantive Criminal Law - Criminal Procedural Law Conclusion and recommendations

3

1.Background1.Background

Context – Development of model law on cybercrimeGlobalization has given rise to activities and transactions increasingly conducted via ICT and internet ICT applications - e-Government, e-Commerce, e-Education, e-Health and e-Environment, seen as enablers for development, as they provide efficient channel to deliver a wide range of basic servicesChallenges - attacks against information infrastructure and internet, and cyber threats (legal, technical, institutional) Risks - financial, economic, health, security, technical etc Need to protect information infrastructure and internet against cybercrime

4

1. Background1. Background

1.0 Legal measures – cybercrime legislation (as part of cybersecurity strategy)Internet borderless, challenges global, global solution needed Harmonization of legislation needed 2.0 SADC countries situation analysis as at February 2011: -countries with cybercrime laws, -countries with cybercrime laws under development - countries with cybercrime related laws2.1 Countries with cybercrime laws: Botswana , Mauritius, South Africa, Zambia2.2 Countries with cybercrime legislation under development/cybercrime related legislation: Angola, Democratic Republic of Congo, Lesotho, Madagascar, Malawi, Mozambique, Namibia, Swaziland, Seychelles, Tanzania, Zimbabwe

5

SADC Countries Cybercrime Legislation Assessment – Substantive Criminal Law

criminalized offences

Substantive Provisions

ANGOLA

BOTSW

ANA

DRC

LESOTHO

MALAWI

MAURI

TIUS

MADAGA

SCAR

MOZAMBIQUE

NAMI

BIA

SEYCHE

LLES

SOUTH

AFRICA

SWAZIL

AND

TANZA

NIA

ZAMBIA

ZIMBABWE

Unauthorized Access

X X X X X X X

Illegal Remaining

Illegal Interception

X X X X X X X X X X X X

Interfering with Computer Data

X X X X X X X

Data Espionage

Interfering with Computer Systems

X X X X X

Illegal Devices

X X X X X X

Computer- related Forgery

X X X X X X

Computer-related Fraud

X X X X X X

Child Pornography

X X X

Identity-related Crimes

SPAM X Disclosure of Details of an Investigation

X X X X

Failure to Permit Assistance

X X X

Harassment Using Means of Electronic Comm.unication

X

KEY

X countries with specific cybercrime legislation

X countries with cybercrime draft legislation

X countries with cybercrime related legislation

6

SADC Countries Cybercrime Legislation Assessment – Criminal Procedural Law investigative instruments provisions

Jurisdiction

AGOLA

BOTSWANA

DRC

LESOTOTHO

MALAWI

MAURITIUS

MADAGASCAR

MOZAMBIQUE

NAMIBIA

SECHELLES

S.AFRICA

SWAZILAND

TANZANIA

ZAMBIA

ZIMBABWE

Jurisdiction

X X X X X X

Procedural Law

Search and Seizure

X X X X X X

Assistance

X X

Production Order

X X X X

Expedite d Preservation of Computer Data

X X X

Partial Disclosure of Traffic Data

Real- time Collection of Traffic Data

X X X ?

Real- time Interception of Content Data

X ?

Forensic Software

KEY

X countries with specific cybercrime legislation

X countries with cybercrime draft legislation

X countries with cybercrime related legislation

7

3.1 Comparative Law Analysis 3.1 Comparative Law Analysis – Substantive Criminal – Substantive Criminal LawLaw

Comparisons:1.Substantive criminal law provisions – offence and acts constituting offence 2.Criminal procedural law - procedural instruments that enable

law enforcement agencies to take necessary measures to identify offender and collect the evidence required for criminal proceedings

3.1.Substantive Criminal Law provisions - Comparative Law Analysis table

Countries with specific cybercrime legislation or cybercrime legislation draft laws and cybercrime related legislation available as at February 2012

3.1.1. Similarities – 1.unauthorized access - Angola, Botswana, Mauritius, Namibia,

Seychelles, Tanzania, Zambia2.llegal interception – Angola, Botswana, Lesotho, Malawi,

Mauritius, Mozambique, Namibia, South Africa, Swaziland, Tanzania , Zambia. Zimbabwe Interception of Communications Act no.6 of 2007 provides for telecom. Interception but does not provide for offence of illegal interception

8

3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw

3.1.1. Similarities –cont’d3.Interfering with computer data – Angola, Act, Lesotho, Mauritius, Namibia, South Africa, Zambia4.Interfering with computer systems – Angola, Botswana, Mauritius, Namibia, Zambia; no exceptions to liability3.1.1. Similarities – 5.Illegal devices – Angola, Botswana, Mauritius, Namibia S. Africa, Zambia6.Disclosure of details of an investigation Botswana, S. Africa, Zambia7.Failure to permit assistance – Botswana, S. Africa, Zambia8.Computer related forgery - Angola, Madagascar, S. Africa, Zambia9. Computer related fraud - Angola, Botswana, Mauritius, Madagascar, Namibia, S. Africa10.Child pornography – Angola, Botswana, Madagascar11.Lack of provisions on illegal remaining, data espionage, identity theft/crime

9

SADC Cybercrime Legislation Comparative Law Analysis – Substantive Criminal Law provisions (February 2012)

Subs’tive Provision

Acts covered in offence

Ang. Bots DRC Les. Mal awi

Mad ag.

Maur. Moz. Nam. Seych. S.Afri. Swaz. Tanz. Zam. Zim. B. prac- tice.

Unau- th’zed Access

1.Integrity 2.Follow up acts 3.intent 4.exceptions

X X X X X

X X X X

X X X X

X X* X

Maur. Defn of comp.sys.*

Illegal intercpt’n

1.transm’sns 2.intent 2.exceptions

X X X X

X* X* X X* X X X* X* Bots. off- ence fully criminalized

Interf.with comp. data

1.Integrity 3.intent 4.exceptions

X

X X X

X* X X X

X X X

X Maur.pe- nalty (10yrs)

Interf. with comp. sys

1.Integrity 2.intent

X X X

X X

X X* Bots.- acts (detailed provns),

Illegal devices

1.making available, use 2.intent

X* X X

X X

X X X Maur. penalty (5yrs)

Comp.-related fraud

1.data mani- pulation 1.advantage to oneself 2.loss to anor 3.intent

X X X X X

* X X X X

X X

X X

Bots.-clarity, extent of applicn (all cybercrime offences)

Comp.-rela- ted forg.

1.unauth. data 2.advantg to oneself 3.loss to anor 4.intent

X

*

X X

X X

X* S.Af., acts, clari- ty of application (all cyberc- rime offences)

Discl’r of inv- gn. details

1.permitted discl.

X

X X X* Maur. Clarity*

Failure to per- mitt assist.

1.non. com- liance with order 2.exeptions

X X

X* X* Bots.

Child porn. 1.making available 2.intent 3.Def. of child

X

X X

X Bots.

*Mauritius definition of computer system includes specific exceptions (‘calculators which are not programmable’) to definition of computer system *Tanzania – unauthorized access acts restricted to computer *Lesotho – illegal interception acts restricted to telecom message contents; Tanzania and Zambia definitions include interception done individually or through a third party *Zambia – unauthorized interference acts to computer system restricted to destruction *Angola – illegal devices acts restricted to use; Namibia includes control of device/program/data in possession of a third party *Madagascar computer-related fraud acts covered are not provided * Zambia – forgery acts restricted to unauthorized decryption or release of decryption key; Namibia - no distinction between fraud & Forgery; Madagascar - no distinction in medium used to commit offence *Zambia – Disclosure of investigation details restricted to interception; S.Africa restricted to court order, prosecution or for purpos es of Electronic Communications & Act no. 25 0f 2002; Mauritius – disclosure pursuant to an Act, court order, prevention of injury/damage to person/property, public interest,) while Botswana Act is gene ral ie with ‘lawful authority’ (See S17 Cybercrime & Computer related crimes Act no. 22 of 2007; *S.Africa, Zambia – failure to permit assistance restricted to search and seizure *Botswana – Child pornography acts covered also include procuring an underage person to facilitate commission of an offence.

10

3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw

3.1.2 Differences -Offences 1a.Unauthorized access•Terminology - - computer or computer systems –Botswana, Mauritius, Zambia; information system – S. Africa, Namibia 1.b. Best practice - Harmonization in line with global standards to improve international cooperation in the framework of cybercrime investigations and prosecution; 2a. Illegal interception - acts covered , intent, exceptions 2b. Best practice - Harmonization as in 1b.

11

3.1Comparative Law Analysis – Substantive Criminal 3.1Comparative Law Analysis – Substantive Criminal LawLaw

3.1.2 Differences cont’d3a. Interfering with computer dataActs covered – destruction, suppression, alteration, modification, rendering data meaningless, useless or ineffective, obstruction, interruption, interfering with lawful use, with intent – Botswana, Mauritius (‘knowingly’ , ‘where as a result of the commission of an offence … the reliability of data is … otherwise impaired’),Angola, Namibia – deterioration and degradation of data included, denying access to data to person entitled with intent – Botswana; South Africa , Zambia (‘interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective‘ ), Lesotho – restricted to interference with contents of telecom message;3b. Best practice - Harmonization as in 1b.

3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law

3.1.2 Differences cont’d4a. Interfering with computer systems - Acts covered , intent 4b. Best practice - Harmonization as in 1b.5a.Illegal devices - Acts covered, intent5b. Best practice - Harmonization as in 1b.6a. Computer-related fraud - Acts covered, intent; Madagascar –

details of acts covered in offence not provided. 6. Computer-related fraud6b. Best practice - Harmonization as in 1b.7a.Computer-related forgery - Acts covered , intent 7b. Best practice - Harmonization as in 1b.

12

3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law

3.1.2 Differences Cont’d8a.Disclosure of details of an investigation - acts

covered/permitted disclosure – 8b. Best practice - Harmonization as in 1b.9a. Failure to permit assistance - Acts covered – non

compliance with investigative order or notice under procedural provisions – Botswana; search and seizure - S. Africa, Zambia.

9b. Best practice - Harmonization as in 1b.

10a. Child pornography - Mauritius, S. Africa, Namibia not criminalized, Madagascar criminalized in Penal Code,

Zambia criminalized in S.177A (1) Penal Code;

13

3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law

3.1.2 Differences Cont’d10a. Child pornography Acts covered - production, publication, possession, access,,

Botswana, Angola; Zambia provision applicable to generally; Botswana includes communication with under 18 year old to commit offence or prostitution /other sexual offence on child under Penal Code, or 16years for purpose of abduction, kidnapping, defilement under Penal Code; Madagascar – transmission or broadcast of pornographic material ‘by any means’ -S.346

Definition of child – Botswana below 14 years, Zambia below 16 years (S.131 A Penal Code); Angola 18 years; Madagascar no definition, but ‘minor ‘below 15years imprisonment for offence 3-10years from 2-5years)

10b. Best practice - Harmonization as in 1b.

14

3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law

3.1.2 Differences cont’d11a. Harassment using means of electronic communications Only criminalized by Angola – acts covered - to commission of

fraud, sexual harassment, threats and coercion (Art.13 and Art.1).

11b Best practice – inclusion of provision harmonized as in 1b.12a. Spam - Only criminalized by Zambia- acts covered - sending of

unsolicited message over the internet ‘for purposes of illegal trade or commerce or other illegal activity‘ (S105 ECT Act).

12b. Best practice - inclusion of provision harmonized as in 1b.13. Other differences Penalties (maximum) – Botswana P5000 and P100 000, imprisonment of up to 5 years,

Zambia 900 000 penalty units to twenty-five years imprisonment, Mauritius and 50 000 rupees to twenty years imprisonment, or to both penalties

15

3.1Comparative Law Analysis – Substantive 3.1Comparative Law Analysis – Substantive Criminal LawCriminal Law

13. Other differences Penalties (maximum) – South Africa no minimum or maximum monetary and no minimum,

custodial penalties, maximum imprisonment 5years, Namibia N$500,000 to5 years imprisonment, Angola – penalties to be applied as provided in the Criminal Code

Eg - unauthorized access Botswana 1year, 6months if with intent to commit offence under another law , Mauritius 5years, 20yrs if with intent to commit offence, Zambia 2years, Angola 2yrs , 8yrs if through violation of safety measures , Seychelles 2years, Namibia 24 months;

-Illegal interception – Angola 2years, Botswana 2years, Lesotho 6 months, Malawi 10years(fixed) Mauritius 10years, S. Africa 1year, Zambia 25years ,

-Child pornography – Angola 3yrs, 8years if minor under 14years, Botswana 3years, Madagascar 5years,10years if minor under fifteen years, Zambia life imprisonment (minimum 15years)

16

3.2 Comparative Law Analysis – Criminal 3.2 Comparative Law Analysis – Criminal Procedural LawProcedural Law

3.2.Criminal Procedural Law provisions - Comparative Law Analysis table

Countries with specific cybercrime legislation , cybercrime legislation draft laws and cybercrime related laws available as at February, 2012

3.2.1.Similarities- Search and seizure order - Angola, Botswana, Mauritius, S.

Africa, Swaziland, Zambia- Production order - Angola, Botswana, Mauritius, Zambia- Expedited Preservation of Computer data - Angola, Botswana,

Mauritius- Real-time collection of traffic data – Angola, Botswana,

Mauritius, - Lack of provisions on forensic software

17

18

SADC Cybercrime Legislation Comparative Law Analysis

– Criminal Procedural Law Investigative Instruments provisions

Crim. Proced. Provisi- ons

Proced- ures

Ang. Bots. DRC Les. Mal awi

Mad ag.

Maur. Moz. Nam. Seych. S.Afri. Swaz. Tanz. Zam. Zim. B. prac- tice.

Search and seizure order

1.Admin. order 2.Judicial order* 3.co-ope- ration of subject

X

X

X

X X

X

* X X

Bots.co- urt for- um open, potential advantage for delay reduction

Prod- uction order

1.Admin. order 2.Judicial order

X X

X

Bots. co- urt for -um open

Expedit- ed prese- rvation of comp. data

1. Admin. order 2.Judicial order

X X

X

Maur. jud. or- der with stipula- ted time frames

Real-time collection of traffic data

1.Judicial order

X X*

X

* Ang., specifies restrict- ion to investig., includes content data

*Botswana judicial orders are applied for to a ‘judicial officer’ (not specified), Mauritius - a Judge in Chambers, S.Africa - a magistrate or judge, Angola - a magistrate, Swaziland – a magistrate, Zambia - a magistrate *Botswana specifically authorizes the application made to a judicial officer to be made ex-party *Zambia provisions not clear

3.2 Comparative Law Analysis – Criminal 3.2 Comparative Law Analysis – Criminal Procedural LawProcedural Law

3.2.2 DifferencesProcedures for issuance/competent authorities – 1a. search and seizure - Swaziland provided for in S.46 Criminal

Evidence and Procedure Act No. 67 of 1938; - procedure1b. Best practice - Harmonization in line with global standards to

improve international cooperation in the framework of cybercrime investigations and prosecution

2a. Production orders - procedure2b. Best practice - Harmonization as in 1b.3.a Expedited Preservation of Computer Data - procedure3b Best practice - Harmonization as in 1b4a. Real-time collection of traffic data - procedure4b Best practice - Harmonization as in 1b.

19

4. Conclusion and Recommendations4. Conclusion and Recommendations

• Of the fifteen benefitiary States, Botswana, Mauritius, South Africa and Zambia cybercrime legislation contain similar provisions to large extent, with some differences. Angola and Namibia laws still in draft form. Differences mainly centred on terminology, acts covered in offences, non-criminalisation of certain offences and or lack of provision for certain procedural instruments, and penalties;

• Differences including significant differences in penalties for offences of concern vis-avis effectiveness of deterrence provided for cybercrime and the need for removal of safe havens to would-be offenders;

• Harmonization in line with global standards to improve international cooperation in the framework of cybercrime investigations and prosecution recommended.

20

21

Thank you for your attention!Thank you for your attention!

22

References

1. Angola - Basic Telecommunication Law Of 2001 2. Constitution of Zambia Chapter 1 of the Laws of Zambia 3. Discussion document on the activities of the Working Group established to facilitate the technical

development of a (draft) legal framework to regulate electronic transactions and commerce in Namibia and further to provide for related matters with the objective to promote the use of information and communication technologies (ICT) in Namibia

4. Green paper on Electronic Commerce for South Africa 2000 5. Interception of Communications Act No 6 of 2007 (Zimbabwe)

www.thewip.net/.../2007/09/zibabwean_human_rights_activi.html 6. ITU Publication on Understanding Cybercrime : A Guide For Developing Countries

www.itu.int/ITU-D/cyb/.../docs/itu-understanding -cybercrime-guide.pdf 7. Lesotho - Telecommunications Act 8. Lesotho ICT Policy 2003

Unpan1.un.org/intradoc/groups/public/document/cps/unpan033873.pdf – 9. Madagascar constitution

www.servat.unibe.ch/icl/ma00000_html- 10. Namibia – Communications Act No. 8 of 2009 11. Malawi Information and Communications Technology (ICT) Policy 12. Constitution of Mozambique 2004 13. Constitution of the Democratic Republic of Congo 2005 14. Madagascar Penal Code

www.ebookbrowse.com/penal-code-madagascar-fr-pdf-d92577106 French Law: Madagascar: Legislation: Penal Code of June 17, 1972 made jo ... Page 46 of 66 http://droit.francophonie.org/doc/html/mg/loi/fr/1972/1972dfmglgfr4.html 10/25/2005

15. Mozambique Telecommunication Law 8/2004 16. Mauritius Copyright Act no. 12 of 1997 17. Mauritius Data Protection Act no. 13 of 2004 18. Law 8/2004 Mozambique

www.wipo.int/wipolex/en/details.js?id=6415

23

19 National ICT Policy for Seychelles 20. www.ict.gov.sc/resources/policy.pdf 21. www.techzim.co.zw/wp/zimbabwe_mict 22. National ICT Policy for Zambia 2007

www.mct.gov.zm/index.php?option+com_docman&task 23. Namibia Use of Electronic Transactions and Communications Bill 24. SADC Report Chapter 3: Review Of The Existing Social And Economic Policies

And Strategies, www.sadc.int

25. South Africa Electronic Communications and Transactions Act 26. South Africa Regulation of Interception of Communications and Provision of Communication-

related information Act No. 70 of 2002 27. Swaziland ICT Policy 28. www.i-policy.org/2006/08/swaziland_ictp.html 29. Swaziland Criminal Procedure and Evidence Act, 1938 30. Tanzania - Electronic and Postal Communications Act 2010 31. United nations Economic Commission For Africa Legal & Regulatory Frameworks for the

Knowledge Economy 2009 32. United nations Economic Commission For Africa Benchmarking the WSIS in Africa Report 2011 33. Zambia Electronic Communications and Transactions Act 34. Zimbabwe Children’s Act Chapter 5:06 35. Zimbabwe Cybersecurity Policy Report July 2011 36. Z imbabwe Interception of Communication Act Number 6 of 2007 37. National ICT Policy for Zimbabwe

www.techzim.co.zw/wp/zimbabwe_mict 38.2009 Access to On-line Information and Knowledge www.safilii.org/zm/legis/consol_act/pca87/