
Computer, Cyber Crime Bill silent on mobile phones

More people have smart phones with data access than people with computers and data access.

By Robert Ndlovu
RECENTLY, I requested the final draft of the Computer Crime and Cyber Crime Bill from the Information Communications Technology Ministry so that I could look at it before it is tabled in Parliament.

While the initial draft was pretty scrappy and untidy, the final draft has indeed incorporated most of the issues that were raised last September; but trust me there is a lot of work still to be done. 
Too bad, very few Members of Parliament have even seen a draft of the Bill and have no idea what its contents are. 
This might not be their fault. Most of our lawmakers have no technical or legal training. So do not be shocked if this Bill sails through without any debate. 
This brief write-up is not a legal paper, but an attempt to break down and highlight some areas of the Bill that are either fuzzy or unclear.
It is not clear whether the omission of mobile phones in the Bill was by design or an oversight. A quick word scan of the final draft reveals some interesting numbers. 
The word computer has been used 142 times. The term device — which I assume encompassed all “other” gadgets with electronic communications capability, be it via radio, text, Information Management Systems (IMS), Bluetooth or other devices — is used 22 times. 
The term network occurs 26 times while systems logs feature in 71 instances.
Neither the term mobile nor the term phone is cited in the final document. How is this important and why should it matter?
Legally, I am not sure, but I suspect the use of a generic term loosely might cause problems. But the fact that more than eight million mobile subscribers exist on our networks means that more people enter and retrieve data on the networks and systems by using mobile phones. 
While the traditional computer crime investigation is clearly spelt out, the authors of this Bill have decided to be silent on mobile phones. 
I am aware that mobile phone technology that uses smart phones is pretty new and maybe for now they decided to address what they understood and leave out what they do not understand for now. 
That could be the only explanation. 
More people have smart phones with data access than people with computers and data access. It goes without saying therefore that statistically more cyber-related crimes originate from a mobile phone.
Now coming to the final draft itself, it is available online so I do not plan to copy and paste it here. I will mainly dwell on some sticky portions of Part III entitled: Offences against the confidentiality, integrity and availability of information communication data and systems.
The offences cited here all have the same two elements: Unlawful and intentional. This is as far as I tread on the legal path. Most of these offences are self-explanatory.
Illegal Access: This refers to a person gaining access to a computer or network system without permission. This is what is “loosely” referred to as hacking. If you do not have express permission to gain access to someone’s computer, device, phone or network, you might be one step towards Chikurubi Maximum Prison.
Illegal remaining: This is basically the same as above, but more so to the effect that one remains logged into a computer system beyond the period for which he/she was authorised access. Like someone riding on your unlogged Gmail at an internet cafe.
Illegal interception: This is the act of grabbing information or data in whatever format between the transmitting point and the receiving point illegally. This is basically spying.
Illegal Data Interference, Illegal System Interference: These refer to manipulating, damaging, deleting, distorting, denying system access or data from one point to another, resulting in unclear or corrupt information being received at the other end. Briefly, this involves tampering with the system or data integrity.
Illegal disclosure of data: You cannot pass on data you acquired through some privileged status to a third party without express permission. This becomes very tricky if that data or computer programme is “leaked” to commit a crime. If you are employed by one bank, you cannot give access to an outsider to download the database with your client contact details. That is staring straight at a jailhouse.
Data Espionage: This is being involved in intercepting and acquiring data in the State’s possession and is classified and specially protected. I am thinking of, say State secrets. This carries a 20-year jail sentence.
Illegal use of data or devices: If you download some computer programme that, however, can be used to scan other people’s computers or networks, you can be in deep trouble. Before using packet sniffers, port scanners, remote system enumerators etc., you must seek express permission from the device or system owner. It is that simple or better still sniff your own laptop or Samsung phone. A simple phone with appropriate software can access other people’s calls. This is very illegal, morally wrong and attracts some good time in prison. The fact that you can tweak a phone does not make it legal.
Computer-related forgery and uttering: “Photo-shopping” for fun is not illegal. But using software to misrepresent original data to misrepresent facts or situations is. Using photoshop to create fake IDs online is easy, but illegal.
Computer-related fraud, computer-related financial offences, illegal financial transactions: These are pretty self-explanatory. This is using computer systems to commit financial fraud online. Credit card offences fall under this category.
Computer-related terrorist activities: The draft Bill says that if a person is involved in activity that involves training and recruiting a person or a group of persons to receive training to further computer and cyber crime activities, you are in for it. This carries a cool 20 years in some jail. This is not specific.
Child pornography, pornography: This again is self-explanatory.
Identity-related crimes: Well, if one day you decide to use your computer or iPhone to steal my online identity and impersonate someone else you will be charged for this. For some reason, I did not see Caller ID Spoofing identity theft, maybe because the operators can’t trace its meaning; they can’t use Wireshark effectively? I can call you using your Pastor’s number and ask for you to pay your offering. This is just an example. Do not quote me.
Racist and xenophobic: If you use computer networks or systems like social media to target someone solely based on their racial, ethnic, cultural or religious background, this is an offence.
Spam: This is not limited to sending unsolicited email messages, but must also include unsolicited text messages. No need to remind the reader of how annoying the short messages service posts are from our local mobile network operators.
Harassment using means of electronic communication, violation of intellectual property rights: This is also self-explanatory.
Attempt, abetment and conspiracy: This section is pretty vague and not clear. In essence, it attempts to say that if you are involved in preparation work or “incitement” of others to commit a crime you would be charged under this. This is still very incomplete and will need to be revisited because it is not clear what this is about and no sentence has been attached to this crime like the others. We have enough lawyers to clean this up because I am struggling to see how computers, systems and networks are involved on this one. 
Most technical terms have been loosely used. This may render the Bill dead on arrival. This Bill needs to be very clear and very specific when it comes to technical issues where possible. The reasons for this are obvious. The country has not been developing any human capital to address this. Most ICT professionals are either in the Diaspora or happily employed elsewhere in the country, but not at the ICT Ministry. 
Authorities have largely not heeded calls to develop local capacity and capability. Calls were made as far back as 2014 when this Bill was still in its infancy. 
I doubt if Zimbabwe has more than five computer and cyber forensic analysts and experts, who are both technically competent and experienced. 
The issues of electronic evidence will be a huge headache in the courts of law. I believe that the onus is on the prosecution to prove beyond any reasonable doubt that a certain device was used by the accused person to commit a crime. 
Now forensic evidence carries its own burden of proof. 
The manner in which a device is seized from the suspected victim up to the point where the device is presented in court as evidence is tricky. 
If proper procedures are not followed in capturing, storing and restoring the data in the seized device, an offender will walk away scot-free, even if we know he/she committed the crime.
Digital evidence is pretty volatile and can easily be manipulated. If, for one reason or another, the accused can show the court that the data was compromised or exposed to danger, there is no case.
Last, but not least, is the issue of remote forensic tools. 
The Bill seeks to authorise law enforcement to use some “magic tool” to monitor and possibly capture data traffic from a remote system, which can be a computer, database, tablet or phone.
This part, again, is not clear. There is no such thing as one-size-fits-all. But via use of key loggers that are pre-installed on your device, someone can remotely read as you type. 
This invokes that debate of privacy versus national security.
So where do we draw the line? 
No one has the right to come into my computer or phone and start reading my stuff. 
But there are instances where the use of remote tools may be useful such as in trying to investigate rape, murder, treason, kidnapping cases; that is pretty straightforward. 
But knowing our “friends”, who man traffic roadblocks, my confidence level that they will be able to draw the line is low.
The public declaration for authorities to use remote monitoring will have unintended consequences. One such consequence would be the use of military grade encryption. 
What I mean is, when you tell someone that if I suspect you are involved in XYZ activities and I spy on you, what do you expect that person to do? 
We can do a lot better than that. 
Someone somewhere has deliberately chosen to forget that WhatsApp messages are encrypted using a 256 key. Also the average system administrator will tell you that recovering deleted photos, documents and chat threads is not as easy as ABC since they can be erased permanently to such a point that nothing can be recovered. 
Also room must be left for cloud-based services, especially IMS systems. Most of these servers are in Iceland!
My point is that we do not want to look like clowns in the technical aspect of this Bill and I am certain techies agree with me on that. This has to be done right.
Passing of this Bill needs to be postponed a bit so that technical issues and specifics are addressed. The lawyers have done a great job. But technically a lot needs to be done. 
We can only contribute to it if we read through it and make suggestions and recommendations. You can get a soft copy if you app me the referenced number below. 
It is not possible to discuss the whole Bill here.
In conclusion, however, mobile phones cannot be ignored in this Bill. This needs to be addressed. 
What is the fuss? For a country with economic challenges, we cannot afford to have insecure systems that cannot guarantee the privacy and security of the investor’s data and connection. 
No investor will be interested in investing in an environment where “cyber spooks” are always trying to sniff at his/her devices for open ports to exploit. 
Robert Ndlovu is contactable on telephone +263 77 600 2605; email Ndlovu@Ymail.com and Twitter: @robertndlovu