By Johan Kruger
It has become clear that industrial espionage and theft of information will become the crimes of the new millennium. In no other way is it possible to obtain so much economic advantage with so little effort. Since by far the most information these days is stored on computers, it has become easy for hackers and other technologically advanced criminals to “misappropriate” masses of valuable information without leaving a trace.
The current infrastructure of the Internet and of computer networks connected to the internet allows offenders to maintain a level of anonymity not possible in the physical world. The internet allows criminals to transverse multiple jurisdictions instantaneously and to target multiple victims without requiring any additional effort or resources
If anyone doubts that theft of information could wreak havoc in corporate and other economically sensitive areas, consider the prize that is the objective of the computer criminal. A large corporation may take many years and spend billions to develop a client base. This can be downloaded from computer storage hardware in a matter of minutes. Trade secrets, marketing strategies, product specifications, corporate expansion plans, supplier information, technical specifications etc, are all aspects that companies spend a lot of time, money and energy on. A competitor may obtain practically anything that may be stored on a computer from an experienced hacker.
The most alarming part of this situation is the complete lack of protection that the South African law appears to afford the owner of valuable information in this information age. While the South African courts are barely able to deal with the normal case load of other crimes, including fraud and corruption, technology advances every day, and the legal system is falling further and further behind with dealing with the new age criminal, the computer hacker.
The world economy is becoming increasingly dependent on information- based services and as such, the legal system should be supporting the protection of such information.
In an attempt to regulate the electronic environment in South Africa, the South African legislator passed into law the Electronic Communications and Transactions Act, no. 25 of 2002 (ECT Act) on 30 August 2002. No direct reference is, however, made to the theft of information. The legislator’s apparent failure or unwillingness to address the problem of the theft of information, again raises the question of whether the South African common law is an effective and appropriate solution to the problem or whether the legislator should have included the protection of information in the Act.
The ECT Act is the culmination of the work of The South African Law Commission project team, under the leadership of Prof Van der Merwe of the University of South Africa, who was tasked formally to assess whether it was necessary to create new offences to criminalise, inter alia, the unauthorised accessing of computers and the unauthorised modification of computer data. The commission concluded that there were insurmountable problems in extending the definitions of common- law crimes to computer crime and found that this extension by the judiciary is highly unlikely. They concluded that the option of introducing new offences by way of legislation should be seriously considered.
Many other countries in the world have legislation in place to deal with computer crime. It should, however, be borne in mind that most first world countries, which appear to be on the forefront of the fight against computer crime, have penal codes and, in most cases, fully codified criminal legal systems. In one of his earlier works, Van der Merwe pleads for the extension of the common law crime of theft to include theft of incorporeals. He pointed out that there is no great difference between the theft of money or credit and the theft of ideas, a sentiment shared by a number of South African Jurist. In a later work, Van der Merwe states, with reference to the application of the common law to computer crimes, that the codification of computer crime is the only way out. This change of heart is illustrative of the road that has been travelled by the South African legal fraternity since the early eighties, regarding computer crime. In many earlier works, attempts were made to apply common law principles to the computer age. In later works, academics referred with greater enthusiasm to the codification of the criminal law pertaining to computers and concluded that the common law was not flexible enough to extend to the information age.
A number of South African Jurists have concluded that the common law offences of theft, fraud, malicious injury to property and crimen iniuria are adequate to deal with most cyber crimes. This author respectfully submits that this is not the case, particularly with regard to the theft of information. The measure of changes necessary to common law definitions and elements and the proven reluctance on the side of the courts to create new law in this regard makes regulation through statute clearly the most sensible way in which to deal with the problem of computer crime.
Ironically, South African jurists have duplicated the road travelled by jurists in many other countries. Canada, Germany, Greece and the United Kingdom all flirted with the application of common law principles or even old and outdated criminal codes before realising that the creation of specific computer crimes is the only solution to the problem.
The promulgation of the ECT Act in South Africa, however, cannot be seen as the definitive solution to all problems relating to computer crime in South Africa. Although it appears that the common law, that has its roots in age old Roman and Dutch law has reached its sell- by date with regard to the fields of technology and information, it may have to be revived to apply to those areas of computer crime that the legislator chose to ignore, despite warnings by various authorities and academics such as Van der Merwe and lessons learnt from countries such as Britain, Germany and Greece. Theft of information has, in many respects, potentially devastating effects on individuals and entities and the economy of the country and will have to be addressed by the South African criminal law system by inclusion in the ECT Act as a matter of urgency. A section, criminalizing theft of data, should be included in the ECT Act that addresses the interception, downloading, possession or obtaining in any other manner, of electronic data belonging to the owner of the data or the authorised user of the particular computer from which it was misappropriated. This offence should not have permanent deprivation of ownership of the owner or authorised user as an element, since it is possible to “steal” data without depriving the owner of the benefit thereof, even for a very short space of time. This offence and the possession of such data should also be made a continuous crime, analagous to the common law offence of theft.
This author concurs with Van der Merwe when he states that, in order for the authorities to become aware of the urgency of the problem of the theft of information, more computer criminals should be brought before the courts. Only by bringing perpetrators before the courts, will the ineffectiveness of the common law and the present state of the ECT Act to deal with the theft of information be demonstrated.
As e-commerce in South Africa grows at a rate only matched by the growth in the United States and United Kingdom, the need for re- visiting the ECT Act to include those areas not dealt with, will become apparent. As South Africans increase their activities online and as the virtual office becomes more and more of a reality, the ECT Act will form the cornerstone of large volumes of litigation and criminal sanction that is bound to come.
The South African experience appears to be analagous to the British one and illustrates that the creation of legislation is only the first step in addressing the problem. The failure of the legislator to recognise the need for the protection of information per se from theft from electronic storage devices is a case in point. Re-visiting legislation, learning from experience and the development of new law appears to be a future necessity.