Failure to Implement Privacy Legislation Impacts the Cybersecurity of South Africa

Posted April 22, 2015
Written by Mark Heyink

There is little doubt that over the past year there has been a sharp escalation in the recognition of cyber-threats. Commensurate with this escalation has been the consideration and implementation of measures to combat cyber-threats. The well-publicised “Sony hack” late in 2014 illustrated how vulnerable even apparently secure information systems may be to disruption arising from cyber-attacks. The extent to which ISIS is using the Internet to garner support for its campaigns, and those of other terrorist groups associated with extremist factions operating in many theatres globally, is also becoming increasingly apparent.

While some countries have been proactive in establishing cybersecurity frameworks and developing the capability necessary to deal with cyber-threats, there are others that, despite the evidence that has been before their leaders for some time, have failed to take the threats seriously. A draft National Cybersecurity Framework was published in South Africa in 2010, but little progress has been visible in this regard since then. In 2012 (some 3 years ago) the National Cybersecurity Framework was apparently adopted by Cabinet, but it has remained classified since that date. This covert approach is so misaligned with international approaches to cybersecurity, and particularly with the absolute necessity of a public/private sector approach to cyber-threats, as to be regarded as incredible and also laughable by outsiders.

Prompted by the recognition of the escalation of cyber-threats, countries that have previously chosen to ignore or failed to address these issues are scrambling to catch up. There is a flurry of activity, which is a welcome change in attitude. However, it is important that we remain ever vigilant against a suddenly zealous approach to cybersecurity that results in the undermining of civil liberties.

What, then, does cybersecurity have to do with privacy? In an authoritarian regime or police state, of course, privacy has nothing to do with cybersecurity. In an open democracy, privacy has everything to do with cybersecurity and with the checks and balances that have to be established between the powers granted to National Security and Law Enforcement and the civil liberties of the citizens of the state. Every democracy that has a cybersecurity framework makes privacy a primary element of that framework.

Since the Snowden revelations, the governments of both the United States of America and the United Kingdom have come under severe criticism, not only for the broad powers and practices allowed to the National Security Agency and the General Communications Headquarters (as well as other agencies of a similar nature), but because these agencies have clearly over-reached their powers and in many instances acted illegally in spying on their own citizens. This has led to outrage at the mass surveillance that is being conducted in those countries, and indeed many others, at the expense of civil liberties. Calls for reforming legislation to create more stringent oversight have been the order of the day.

Thus, there are many consequences of our government’s failure to protect the privacy of South African citizens. The first of those is that we have fallen 30 years behind most other democracies in establishing privacy protection and as a result have failed to develop a culture of security around personal information. Not only has this failure delayed the creation of general awareness around the protection of personal information, and the positive effect that this generally has on cybersecurity by equipping citizens to protect themselves against these threats, but it has also laid bare the possibility that government can implement legislation dealing with cybersecurity without the checks and balances that privacy legislation and independent regulators (or commissioners) provide in democratic countries around the globe.

South Africans should be asking:
• Is government serious in protecting citizens from the threats in cyberspace?
• If so, why has it not implemented privacy legislation?
• Is government afraid of independent oversight of its own processing of personal information?
• What legislation relating to cybersecurity is contemplated?

Each one of these questions is immediately pertinent to the freedom of the Internet, the protection of our Constitution and the advancement of our open democracy.

Unless government acts with considered haste and with a due appreciation of the alignment of the appropriate balances between cybersecurity and privacy, we are likely to end up with a legislative framework that will lay a firm foundation for mass surveillance of South Africa’s citizens. In the relationship between government and citizens, this would clearly be unacceptable in an open democracy and an assault on the Bill of Rights. As between citizen and citizen, this approach would embolden and enable companies in the private sector to continue the illegal practices of plundering the personal information of South African citizens, free from oversight and regulation and immune from any meaningful sanction.

As I have said previously, government’s failure to address privacy and the attendant consequences for the 21st century South African society renders it an accomplice to every crime and breach of security that is perpetrated against South Africa and its citizens.

©Mark Heyink 2015