On 17 July 2003, hackers defaced more than 60 South African web sites. This is a new daily record and a significantly higher that the previous record of 52 web sites defaces in one 24-hour period. On 20 July 2003 the Sunday Times reported that a 'hacker' cleaned out a number of ABSA bank accounts. According to the police and bank officials the 'hacker' used spyware to obtain usernames and passwords, essentially engaging in identity theft in syphoning off funds from unsuspecting users. Helaine Leggat of Buys Incorporated offers Buys' views on the current legal landscape, as it affects South African businesses.
Helaine Leggat, Buys Incorporated
Increased hack activity is not of course limited to South Africa. When police arrested Brooklyn, NY, busboy Abraham Abdallah in March 2002, he had Forbes magazine's issue on the 400 richest people in America, plus Social Security numbers, credit card numbers, bank-account information and mothers' maiden names of an A-list of intended victims drawn from the issue, including Steven Spielberg, Oprah Winfrey and Martha Stewart. Abdallah is accused of using websites, e-mail and off-line methods to try to steal the celebrities' identities and make off with millions in assets. One scheme that was caught in time: he allegedly sent an e-mail purporting to come from Siebel Systems founder Thomas Siebel to Merrill Lynch, directing that $10 million be transferred to an offshore account.
Abdallah's high-profile arrest brought national attention to identity theft, which the FBI says is the nation's fastest-growing white-collar crime. An estimated 500 000 Americans have their identities stolen each year. A sign of the times: at least four insurance companies now offer ID-theft policies.
The Privacy Rights Clearinghouse, which works with victims, says it takes an average victim of identity theft two years to clear his credit rating. A growing worst-case scenario: 'criminal-identity theft', in which thieves use the stolen identity when they are arrested, leaving their victims with a criminal record that can be difficult to expunge.
South African businesses can certainly expect the profile of identity theft to increase in the years to come, as the country becomes a more integrated part of the global economy, essentially a world without borders.
Hacking and the law
Although hackers may be prosecuted in terms of common law crimes such as trespassing and fraud or in terms of statutory crimes such as copyright infringement, South African law is not certain as far as the theft of information is concerned. In terms of the common law, theft only occurs when a tangible asset is removed from its owner's possession; and information is not a tangible asset.
To prosecute hackers in terms of the new Electronic Communications and Transactions (ECT) Act will probably be most successful. Chapter 13 of the Act deals with cyber crimes and section 86 states that:
1. Subject to the Interception and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
2. A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
3. A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
4. A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
5. A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence. Penalties for the section 86 crimes include fines and maximum prison sentences of between 2 and 5 years.
The ECT Act and the South African courts will have jurisdiction over a wide range of hacking related activities anywhere in the world. In terms of section 90 a local court will be able to prosecute a hacker if:
a. The offence was committed in the Republic.
b. Any act of preparation towards the offence or any part of the offence was committed in the Republic, or where any result of the offence has had an effect in the Republic.
c. The offence was committed by a South African citizen or a person with permanent residence in the Republic or by a person carrying on business in the Republic.
d. The offence was committed on board any ship or aircraft registered in the Republic or on a voyage or flight to or from the Republic at the time that the offence was committed.
The wide jurisdictional provisions mean that a South African court can prosecute offenders in the following situations:
* The hacker operated from within the borders of South Africa;
* The hacker prepared the attack from within the borders of South Africa (it is unclear which actions would be seen as 'preparation' for a hack attack);
* Where the hack attack had a result in South Africa notwithstanding the physical location of the hacker, eg, a South African web site was defaced or a South African company suffered losses and damages;
* The hacker is a South African citizen operating from anywhere in the world;
* The hacker is the holder of a permanent residence permit, notwithstanding the territory from where he or she operates;
* The hacker carries on business in South Africa, notwithstanding his or her physical location;
* The hacking offence was done from ship or aircraft registered in South Africa, notwithstanding the fact that the flight or voyage was between two non-South African destinations (eg, a SAA flight between Frankfurt and Paris); and
* The hacking offence was done from a ship or an aircraft on a voyage or flight to or from South Africa, notwithstanding the fact that the ship or aircraft is not registered in South Africa (eg, a BA flight from or to Cape Town).
The ECT Act's efforts to criminalise hacking and to give the South African courts wide jurisdictional powers should be commended. However, prosecuting hackers still remains difficult. To prosecute a hacker that is not in South Africa and cannot be arrested, the police and prosecutors need to request that another country arrest and extradite the hacker. Extradition will only be successful if hacking is also a crime in the country the hacker is in. Many countries, for example Brazil, and most countries in the Middle East, have limited or no laws against hacking. These countries provide safe havens for hackers to operate from.
A further problem in the prosecution of a hacker is the collection of the necessary evidence to ensure a prosecution. Evidence will, in most cases, include both physical and electronic material. In the absence of previous successful hacker prosecutions, it is not always clear what evidence would be required to ensure a successful prosecution.
In terms of the ECT Act a court cannot discriminate against evidence because it is in electronic format. However, the manner in which the electronic evidence was collected and retained may have an effect on the evidential value thereof.
Many victims of hack attacks simply unplug their servers to discontinue a hack attack in progress, resulting in the loss or destruction of valuable evidence.
Law not restricted to hackers
The ECT Act's definitions of hacking (clause 86(1)) and cracking (clause 86(2)) are wide enough to include a whole range of activities that would not normally be regarded as 'hacking' or 'cracking'. The Act defines data as electronic representations of information in any form and does not require any technology to secure the data. This implies that unauthorised access to data that is restricted because of a workplace policy (eg, medical information of employees) or an agreement such as a non-disclosure agreement also falls within the definition of 'hacking'. Employees that access a fellow employee's medical records on a company's computer network or employees that access information that is subject to a confidentiality agreement, will also be committing the crime of 'hacking' as defined in the ECT Act.
A whole range of 'illegal' Internet websites publish stolen usernames and passwords that would enable persons to access restricted websites (such as pay-per-view adult sites). Those who use these stolen passwords to access adult sites would also be committing a 'hacking' crime, under South African law.
Even employer access to employee e-mails in breach of the RIC Act (see eSecure, July 2003) and without the employee's prior written consent, may satisfy the legal requirements of 'hacking'.
Providing hacking tools
Although the writing of software applications is protected by free expression rights in some countries, section 86(3) makes it clear that the production, sale and distribution of any tool or software application that assists in breaching security measures or is used to obtain usernames and passwords is a crime in South Africa. This implies that, for example, the creators of spyware, websites where spyware may be downloaded from, as well as the users of such spyware commit offences.
However, section 86(3) comes with the qualification that the software must have been 'designed primarily' to assist in the breach of security. This qualification, although constitutionally sound, may severely restrict the ability of the police to act against those who create, distribute and use hacking tools.