Note: Several paragraphs in this column, related to the provisions of South Africa’s Cybercrime and Cybersecurity Bill were first published in ITWeb Brainstorm, November 2015, available in print to subscribers and at leading newsagents.
Some do it intentionally, and others unintentionally, but governments all over the world are hard at work breaking the technology that produced the greatest advance in human communication, and free speech since the telephone.
In South Africa, we have until 30 November to register comments on a new Cybercrimes and Cybersecurity Bill, which alongside some welcome updates to the definition of crimes like data theft, contains provisions that are overbroad, criminalise perfectly legitimate behaviour, and severely punish even minor infractions. It takes a sledgehammer to a task that requires a scalpel. It will, in important ways, threaten freedom of speech, and make it impossible for network engineers and internet entrepreneurs to do their jobs.
For reasons that will become clear in a minute, the link in the previous paragraph is the only link in this column. It is important. Read on, and then click on it and go comment. But before we get to how South Africa’s politicians are proposing to ruin the internet, let’s take a quick trip around the world to see how governments everywhere are doing so, wittingly or otherwise.
The only government with a vague right to do as it pleases is the US, if you accept that it was not the global free market that built the internet, but the US Department of Defence. While somewhat correct about the roots of the internet in the 1960s, it’s a bit of a stretch in 2015. Sure, you would not have a car if it wasn’t for the guy who invented the internal combustion engine, but would you expect them to claim ownership of your vehicle, and the right to monitor and control your movements?
Of course not.
The internet, today, should belong to the world’s private sector, which saw in it much more than just a resilient network for military and academic use, and built it into powerful engine of prosperity and progress for the world. It should belong to you and me, and the more than 3.2 billion other users that make the internet the vibrant political, intellectual and commercial market place that it is.
But it doesn’t.
After offering the illusion of escape from oppressive authorities, the high-minded internet idealists have been yanked to heel with a vicious rattling of chains. Governments have re-asserted their stifling control over the internet, just like they do over so many other aspects of our lives.
The US government has turned the internet into the very embodiment of Big Brother. It is no longer a device for unfettered private communication. With telescreens in every home and office, it has become a surveillance device to monitor billions. And when every word could be overheard by government bureaucrats assisted by vast data centres full of powerful servers, people guard their words.
We are now aware of the constant threat of going on a secret watchlist, having a long-forgotten indiscretion brought up in the future, or having a foreign government conduct industrial espionage on behalf of its corporations. These fears have a chilling effect on legitimate communication or action, and that is what makes surveillance such an effective tool of control, used by every dictatorship in the history of the world.
The US government’s electronic reach is so broad it has swept up even the US citizens protected by the US Constitution. And when someone raises the alarm, as Edward Snowden did, senior officials not only were not apologetic, but they lied under oath, and called him a criminal. Yet, even after being lied to, the US Congress just legislated the intelligence chiefs out of trouble, by passing the Cybersecurity Information Sharing Act (CISA), which provides both the legal incentive and legal cover for companies to “voluntarily” share their customers’ private records with the government. The “blessings of liberty”, which the US Constitution claims to secure for its authors and their posterity, are not even to be extended to Americans, let alone foreigners.
After pointing accusatory fingers at the “Great Firewall of China” for 20 years, because only communist dictatorships would dare break the internet by monitoring and censoring their own people, the governments of Russia, the UK, Australia, Iran and Canada have all stood proudly alongside the US in using the internet to spy on foreigners, silence dissidents, and guard national morals. In Britain, Prime Minister David Cameron supported a new bill on investigatory powers, by proposing to ban strong encryption. When faced with the uncomfortable fact that this would break all internet commerce of any kind, including banking, he changed his tune, and said that service providers will be required to provide an unencrypted back door to customers’ data. But not only will customers desert any service provider that grants this access, this is logically impossible if customers use their own end-to-end encryption, rather than relying on the service provider. Yet despite its technical absurdity, this provision remains in the Investigatory Powers Bill tabled in the House of Commons.
In addition, the UK government wants ISPs to retain 12 months’ worth of internet history of customers. If you visit a website about bomb making, the government wants to know. If you visit a website about hacking, ditto. And if you visit a website about syphilis, well, it’s awkward, but only your ISP and the government will know. But both the UK government and some of that country’s large ISPs, have suffered major, embarrassing hacks that compromised private and confidential information. So basically, everyone will know. If you are not entitled to protect your own information, your information will not be safe. Better just go see your doctor face-to-blushing-face. At least then only your doctor, and possibly their Facebook friends, will know. (Google “Ohio Facebook syphilis” for the horror story.)
In some cases, the proposed legislative action that will break the internet seems to do so unwittingly. At least, that is the most charitable interpretation of an entirely new class of cyber-stupidity placed before the European Commission.
Among the proposals on copyright law reform, the worthy commissioners will consider placing the act of hyperlinking to online content under copyright protection. They call this “ancillary copyright”. This technologically illiterate idea would permit, or even require, media companies to charge search engines and news portals for the privilege of linking to their freely accessible articles.
Digital commissioner, Günther Oettinger, says that it is necessary to prevent companies like Google from “eroding copyright”. He believes that newspapers are in “existential danger”, because young people no longer read newspapers, subscriber numbers are declining, news-stand sales are dropping, and classified advertising has become an online service.
He is quite right, of course, but his solution – to levy a “Google tax” on internet links – is absurd. That is like levying a hay-and-stabling tax on motor vehicles. He is asking the EU government to forcibly redistribute revenue from innovative new business models to obsolete old ones, because “in five years it will be too late” to “stabilise the journalists and publishers”.
This idiot is being paid a very handsome salary to sit in a luxurious European office and muse about this kind of idiotic nonsense. He wants to use a very blunt hammer to drive what is not a nail into something that is not at all like wood. While one might hope he only breaks his own thumb, chances are that he will break something.
As a small token of protest, regular readers may notice that this column, in stark contrast to my others, contains no links to sources. Sadly, I had neither the time nor motive to ask everyone I would have linked to for permission to do so. And if they had demanded payment, I’d have been really screwed. Of course, the lack of hyperlinks makes this look like an old-fashioned newspaper column, in which readers knew their place and just read what was given to them. And I’ll give our nostalgic German politician his due: it is much easier to write a lengthy column without having to bother with potentially infringing niceties like linking to sources. (I hope classified advertisers will take notice and shower Daily Maverick with the money they now waste on Gumtree and eBay.)
If Oettinger thinks he’s breaking the internet to help journalists and save the media, he can take it from this journalist: get lost. Even if it would help, which it won’t, we wouldn’t want state protection because then we will owe the state a debt of gratitude. We will save ourselves, thank you very much, and those of us who can’t do so probably do not deserve to survive.
It is not far-fetched to think that this brain fart might pass into law, either. In Spain, a law that required companies to pay publishers to link to their articles was passed last year, at the behest of said publishers. The payments would be centrally controlled, so that nobody could dodge the clever new plan, and steal a march on their competitors.
On 16 December 2014, Google responded by simply closing Google News to Spanish publishers, and removing them from the main Google search index. Some smaller Spanish news portals shut up shop entirely. You want Spanish news? The internet cannot help you. Go buy a Spanish newspaper.
Those publishers will need to go back to their government lobby, however, to get their new protectionist law overturned. The results of a study they commissioned themselves show that the law cost them €10 million, a cost mostly born by smaller publishers, and it reduced the variety of content available to Spanish readers. So much for “stabilising journalists and publishers”, eh, Herr Oettinger?
Laws in foreign countries have a habit of not staying there. The US in particular is good at exporting its ideas about corporate protections and intellectual property to countries it trades with through supposed “free trade” agreements.
Some of the provisions in such agreements are perfectly sound, and really do promote free trade. But others are thinly-veiled corporate protectionism against the domestic laws and regulations of foreign governments, or crude, broad-stroked measures to enforce copyright and patent protection.
The Trans-Pacific Partnership, for example, between the United States and everyone on the Pacific Rim, except China, would extend provisions of the controversial Digital Millennium Copyright Act to those countries. It will prohibit circumventing technological protection measures, which would prohibit users from doing such ordinary things such as storing legal music and movies on a media server, transferring them to portable media devices, unlocking mobile handsets to switch networks, changing the software on their own wi-fi routers, or using universal remote control devices. It will impose serious criminal sanctions against disclosure of all manner of information that is claimed to be confidential, which makes whistle-blowing and investigative journalism illegal. It would require ISPs and social networks to respond to take-down notices, placing the onus upon their customers to prove their innocence, rather than on plaintiffs to demonstrate their guilt. It would make copyright infringers subject to property seizure, heavy fines and jail terms, even if the supposed infringement had no commercial purpose and the copyright owners did not complain.
Not being part of the Trans-Pacific Partnership, or its cousin, the Trans-Atlantic Trade and Investment Partnership, other countries such as Pakistan, Kenya, Nigeria, Egypt, Tanzania and South Africa have responded with far-reaching “cyber-crime” laws of their own.
Allow me an etymological aside. Why do they even use the cyber- prefix?
The term “cybernetics” was first used by mathematician Norbert Weiner in the 1940s to describe self-governing machines. It remained obscure until the 1980s, when “cyberpunk” began to describe a stylistic movement associated with futuristic youth. William Gibson’s novel Neuromancer and Ridley Scott’s film Blade Runner were trend-setters. Mondo 2000, a futurist magazine founded by the pseudonymous RU Sirius, defined the term in 1993:
cyberpunk ‘si-ber-pungk n 1: a late 20th century techno-revolutionary, or someone who poses as such 2: 2: a hard-boiled hacker with anarchist inclinations 3: a computer geek who likes Ministry 4: as seen in TIME magazine, a member of a counter-cultural “movement” of the same name, characterized by a combination of technological savvy with a rebellious lifestyle 5: Billy Idol’s comeback album 6: someone who has delusions about living in the future 7: someone who maintains that mirrorshade sunglasses (last seen on CHiPs) never went out of fashion
By the turn of the century, however, the term has fallen out of fashion. It became synonymous with online warfare and dirty talk in dodgy chat rooms. Today, it’s an anachronism. The only people who still use it are policemen and bureaucrats. Ironically, that takes the word back to its Greek roots, kubern?t?s, which means ‘helmsman’, from the verb kubernan, ‘to steer’. If that sounds familiar, this is also the root for the word “government”. Perhaps grey-suited bureaucrats deserve this once-hip term.
Etymology geekery aside, South Africa’s Cybercrimes and Cybersecurity Bill has a lot of serious flaws, and requires serious pruning. Like most such efforts, it aims to address a number of valid objectives, such as giving better legal definition to crimes such as identity theft, account hacking, copyright violation and malware attacks. But only intellectual property lawyers and police officers will tell you this makes the law “a step in the right direction”.
Caught up in the bill’s broad wording will be innocent network engineers and ordinary internet users of all kinds.
It outlaws copyright infringement, which one might suspect is more appropriately dealt with in the Copyright Act, of which a major amendment bill is also pending. It defines this crime so broadly that almost any action involving copyright work – which technically is almost any work at all – will become a major crime with multi-year jail terms.
Absurdly, however, whether or not the perpetrator believes the act to be prejudicial to the copyright owner appears to be a determinant of culpability. If you claim to believe peer-to-peer downloading, remixing, or fan fiction is a net benefit to the copyright owner, the law, technically, would let you off. The prosecution will have to show that you knew otherwise. Conversely, even the copyright owner’s tacit consent can’t save you if the state can show you that thought your action might prejudice them in some way. This turns valid charges into acquittals, and innocent actions into crimes.
The bill criminalises the creation and possession of a whole swathe of software tools, many of them included in standard operating system distributions, on the grounds that they can be used to unlawfully access or intercept data, networks, or personal information.
Many tools used by computer security professionals – such as nmap, wireshark, aircrack-ng and metasploit – will effectively be outlawed. It will be an offence to create them, to use them, and to possess them if there is a “reasonable suspicion” that they will be used for contravening the law. Of course they will. And when they are, prosecute that contravention. Do not outlaw crowbars and knives just because you can use them for burglary and assault.
The Cybercrime Bill also criminalises investigative journalism and whistleblowing, by making it illegal to so much as receive government data classified as confidential or secret. Possession and transmission of such information will also be illegal. The way the bill defines cyber-terrorism is far too broad. It does not make provision for legitimate protest or advocacy, and includes even acts that cause no terror, but merely disclose commercial information “which could cause undue advantage or disadvantage to any person”. It completely removes the need for government IT systems to be secured, since even if an incompetent administrator left the stable doors wide open, any breach of any system owned by anyone who is even remotely connected to government is covered by the “computer-related terrorism” clause.
Website defacement and corporate snooping may be annoying, but it is hardly terrorism, worthy of a 25-year jail sentence. Many of the provisions in the bill are already unlawful under other legislation, while this proposed law merely specifies the technical means of committing the crime. It is already illegal to incite violence or damage to property, to perpetrate fraud, to engage in financial transactions that promote crime or involve the proceeds of crime, or to misappropriate (steal) property. There is no need for another law to state the obvious.
The underlying motivation for a comprehensive cybercrime bill is perfectly reasonable. However, making it overbroad will have a host of unintended consequences, including criminalising innocent behaviour, and excessively punishing minor transgressions. It could also lead to the legal persecution of people who never should have been targets of cybercrime or cyber-terrorism law.
Worst of all, laws such as these, whether they are malicious, ill-conceived, or merely badly written, risk breaking the internet. Unless we want to build a new one (and some projects, like Freenet, Meganet and the Invisible Internet Project are trying), we’re going to have to stand up and defend it.
While Americans and Europeans fight their own battles to save the internet from their overbearing and ignorant governments, South Africans have 20 days to let their Department of Justice know what they think of this well-intended but dangerously mis-guided effort. DM