My thoughts on the Cybersecurity and Cybercrime Bill

TL;DR — Downloading movies, music and pirated software becomes a crime under this Bill. Failing to moderate online content will also become a crime. Service providers can be compelled to provide access to data and forced not to disclose anything. Want to know more? Then read on!

Ish Sookun


The Cybersecurity and Cybercrime Bill was presented to the National Assembly on 22 October 2021. It is meant to replace the current Computer Misuse and Cybercrime Act, which dates from 2003.

A few people asked me about my opinion on the Bill and it is only today that I read the document and I share a few things that I found pertinent about the Bill.

At the beginning of the document, the Budapest Convention on Cybercrime is mentioned and the Bill is said to increase compliance with the same through additional criminal offences related to cybercrime and cybersecurity, improved investigation techniques and increased international cooperation.

I don't see any improved investigation technique in this document. There does not seem to be anything that will drastically reduce the time to solve a cybercrime.

Anything related to Mutual Assistance, obtaining data from service providers, etc., was already possible under current legislation. This Bill will probably reduce the paperwork if there is a will for that, but it will not improve the investigation technique.

What is the Budapest Convention on Cybercrime?

It is the first international treaty that aims to harmonize laws on cybercrime and cybersecurity and increase cooperation among countries. It was initiated by the Council of Europe and opened for signature in November 2001. In two decades, 66 countries have acceded to the convention. Mauritius acceded to the convention in November 2013.

The convention provides a guideline to countries for implementing legislation against cybercrime. The full guideline is available on the website of the Council of Europe. Some of the main articles of the guideline are (I refer to their article number):

Article 1 — Definitions
Article 2 — Illegal access
Article 3 — Illegal interception
Article 4 — Data Interference
Article 5 — System Interference
Article 6 — Misuse of devices
Article 7 — Computer-related forgery
Article 8 — Computer-related fraud
Article 9 — Offences related to child pornography
Article 10 — Offences related to infringements of copyright and related rights
Article 15 — Conditions and safeguards
Article 19 — Search and seizure of stored computer data
Article 20 — Real-time collection of traffic data
Article 21 — Interception of content data
Article 25 — General principles relating to mutual assistance

The guideline highlights the importance of safeguards and the protection of human rights & liberties in Article 15.

Current Cybercrime legislation

The Computer Misuse and Cybercrime Act came into force in 2003. Although Mauritius hadn't yet acceded to the Budapest Convention on Cybercrime, the legislation had some provisions as stated in the Convention guideline.

What's new in the Cybersecurity and Cybercrime Bill?

New terms in the glossary of offences

There are a few new definitions of terms that have been added in this Bill, especially to describe the new offences. Among them are the terms:

Cyberbullying

It has been defined as any behaviour by means of information and communication technologies which is repetitive, persistent and intentionally harmful or involves an imbalance of power between the perpetrator and the victim and causes feelings of distress, fear, loneliness or lack of confidence in the victim.

Cyber extortion

It means a form of cybercrime which occurs when a person uses the internet to demand money or other goods or behaviour from another person by threatening to inflict harm to his person, reputation, or property.

Fake profile

An untrue online representation, existent or non-existent.

Harm

It includes physical, sexual, psychological, emotional or moral abuse, injury, neglect, ill-treatment, degradation, discrimination, exploitation or impairment of health or development.

Pornography

The representation in a book, magazine, photograph, film, computer data or any such other media, a scene of sexual behaviour in any form, that is erotic or lewd and is designed to arouse sexual interest.

Sexual photograph or film

An image or video that depicts nudity or a picture of someone who is engaged in sexual behaviour or posing in a sexually provocative way.

Offences

Misuse of fake profile

Any person who individually, or with other persons, makes use of a fake profile to cause harm shall commit an offence. The penalty can be up to a million rupees fine or a maximum of 20 years imprisonment.

Cyberbullying

Any person who individually, or with other persons, commits cyberbullying, shall commit an offence. The penalty is, again, up to a million rupees fine or a maximum of 20 years imprisonment.

The same penalty is mentioned for the offences of cyber extortion, cyberterrorism and revenge pornography.

How these new offences will help deter cybercrime or facilitate the task of law enforcement, only time will reveal. In my opinion, new offences won't be of much help if the attitude of cybercrime officers remains the same. Not even a thousand new definitions will help if the officers do not improve their investigation techniques and become accountable.

In 2018, when the ICT Act was amended, the then Attorney General, M. Gobin, used the same tune about social media to convince people on how useful the amendment will be to help in cases of online threats such as harassment, sextortion and cyber-bullying. He participated in radio & televised debates (on MBC) and at the University of Mauritius. However, since the amendments were made to the ICT Act, we've seen how people voicing out against the government are questioned and/or detained for breach of the ICT Act.

Downloading pirated software, movies and music

Section 21 of the Bill mentions infringement of copyright and related rights. This section makes the download of music, movies and pirated software a criminal offence liable to up to one million rupees fine or 10 years of imprisonment.

Critical Information Infrastructure & increased penalty

This Bill introduces a definition for Critical Information Infrastructure. The National Cybersecurity Committee will be tasked to select the Critical Information Infrastructures in Mauritius. A system that provides life-sustaining services (e.g. water, health or energy), that has an important effect on the economy, or whose disruption could result in massive casualties will be called a Critical Information Infrastructure.

The penalty for a cybercrime related to a Critical Information Infrastructure is twice the fine for other crimes described in the Bill, i.e. up to Rs 2 million and a maximum of 25 years imprisonment.

Failure to moderate content

The failure to moderate content on a webpage, social media page or any other online platform, after having received a notice from an investigatory authority, will be a crime.

Compelling service providers to provide access to stored data or collect real-time data

If this Bill is passed, an investigatory authority upon issuance of a Judge's Order, may compel a service provider to provide access to stored data or record real-time traffic data, within its technical capabilities. Any disclosure of the investigation by the service provider will be considered a crime.

An example of traffic data is the history of your everyday websites and online platforms that you visit, including your mobile internet traffic, phone calls, SMS, etc.

An example of stored data is your email content if your email is hosted by the service provider. If your service provider is in Mauritius and the email service is hosted outside Mauritius, then, irrespective of that, the service provider will be compelled to provide access to the emails.

The National Cybersecurity Committee

The Bill introduces a National Cybersecurity Committee. This committee will be composed of fourteen members including a Chairperson who will be appointed by the Prime Minister. A person from the private sector and another from civil society will be on this committee and both of them will be appointed by the Minister of Technology, Communication and Innovation. Both persons should have experience in the field of cybersecurity and cybercrime.

All members of the committee will be remunerated.

The committee may call upon people who can be of assistance but those persons won't draw any remuneration nor have any voting right at the committee's meetings.

The composition of the committee seems to be tightly controlled by the minister and the committee will operate in complete opacity, although their decisions will impact everyone who uses the Internet and other technological services.

The Computer Emergency and Response Team (CERT-MU)

The CERT-MU is mentioned in Section 38. I read and ignored. In my opinion, the CERT-MU acts like a poster for the government to say that they do cybersecurity stuff. I have plenty of unanswered emails in which I questioned CERT-MU on cybersecurity matters. I believe CERT-MU will have to up the game and be more responsive to people irrespective of their religion, caste, color, political background, bank balance, social status, etc.

Will the possession of certain software be criminalised?

Lastly, Section 13 of the Bill states that any person who intentionally procures for use, a computer system or any other device, designed or adapted primarily for the purpose of committing an offence under the Act shall commit an offence.

Let's take a deep breath. Is this bill going to make Tor, Wireshark, tcpdump, Linux distributions, and tons of other operating systems and software, become tools likely for the purpose of committing an offence?

I quote an officer of the Cybercrime Unit who once stood in front of the magistrate and said:

Investigation has also revealed that Applicant is the head or the king pin of a network, well established network [...] Applicant is himself an IT Specialist with mastery of more than three operating systems, Linux is one of them.

With this kind of mentality where the knowledge of an operating system can make you a prime suspect, imagine the havoc or damage that the officers might cause if they find you in possession of network pentesting tools.

New legislation with the same understaffed, underskilled and underpaid division will not produce results.