Some sections of the Cybercrime Bill 2024 are outdated, redundant and not in step with current technological developments or progressive jurisprudence, cybersecurity expert Niel Harper told Monday’s meeting of the Joint Select Standing Committee examining the Cybercrime Bill and the Mutual Assistance in Criminal Matters (Amendment) Bill.
Against the backdrop of international media reports that several countries with Cybercrime Bills, including Pakistan, Egypt, Senegal and Thailand, have been suppressing public discourse in violation of human rights, Harper, in a virtual oral presentation that lasted just over 10 minutes, analysed just over eight subject matters that should be relooked as outlined in his broader written submission to the committee.
He led off with concerns about Part II, 4 (1-2) of the Bill, which speaks to illegal access – where a person who intentionally or recklessly and without authority gains access to the whole or any part of a computer system, causes a programme to be executed, or uses a programme to gain access to any data.
Harper argued that this section was too broad and could lead to innocent or well meaning persons, including cybersecurity testers, researchers, activists and whistle blowers, being implicated, particularly in a situation where judicial officers are not trained to understand criminality from the activities that serve the public interest among other things.
“Certain guidelines should be included with the legislation to distinguish between acceptable and criminal behaviours,” he said, pointing out that Barbados lacks a specialised court such as United Kingdom’s King’s Bench Division of Technology and Construction which has judges who have specialised training to address and adjudicate matters to make sure that innocent or well meaning persons are not imprisoned.
“We don’t have a national strategic cybercrime capacity building approach for training law enforcement officers, prosecutors, magistrates and judges, in terms of making sure that they have continuous development that they understand emerging technologies, how those technologies interact with the law and to ensure that they have the right knowledge and skill set that they actually administer these types of cases when they do come in front of them,” he said.
Harper, who has more than 20 years experience in the field and is currently the Chief Information Security Officer of the World Economic Forum, took issue with the modification of programme or data in Part II, 5 (1-3) of the Bill. He described it as “misaligned” while noting that it was not present in any other model cybercrime laws, including the Budapest Convention, the Commonwealth Model Law on Cybercrime, or the Malabo Convention.
Harper explained that it criminalises a number of modern practices including artificial intelligence, the use of free and open software, and open data policies, among other things, and should be removed.
“It can be addressed by Part II, 6, which should be actually changed to ‘interfering with data’ to better align with the Budapest Convention,” he suggested.
A worrying section, according to Harper, is Part II, 7 which deals with interfering with a computing system, which he said reflected “poor legislative drafting” and failed to address the true criminality.
He also zeroed in on Part II, 8 of the Cybercrime Bill – Illegal interception of data – which he said demonstrated “the lack of understanding of modern computer systems and data management.”
Harper explained that data is often classified as public sensitive, confidential or strictly confidential and questioned if data was public why anyone should be charged for the interception of data that is publicly available.
“The criminal offence should be focused on ‘interception without authority of non-public transmission of computer data, to, from or within a computer system’,” he said.
Harper deemed Part II, 12 (1-4) on critical information infrastructure systems as unnecessary since it was already addressed in different sections of the Bill. He instead advised authorities to create a separate critical infrastructure protection legislation that focuses on obliging critical infrastructure protection providers to implement strong cybersecurity measures.
In the section on malicious communications, Part II, 19 (1-2), he argued that this criminalises normal online discourse and pointed out that Budapest Convention and other model laws do not address malicious communications.
“Trying to treat the Cybercrime Bill with criminal defamation is very, very problematic because the European Court of Human Rights in the United Nations, and several organisations as well as intergovernmental bodies maintain that criminal defamation laws are an unjustifiable affront to human rights. Several progressive nations have actually removed criminal defamation laws from their books,” he contended.
With respect to cyberbullying as addressed in Part II, 20 of the Bill, the expert made it clear that cyberbullying laws in progressive nations focus on schools, children and adolescents.
“They don’t focus on adults and when they do, they’re particularly restricted to violent acts, sexual abuse and harassment,” Harper noted. (SD)