Theft of Information and the Impotency of the ECT Act.

By Johan Kruger

It has become clear that industrial espionage and theft of information will become "the crimes" of the new millennium. In no other way is it possible to obtain so much economic advantage with so little effort. Since by far the most information these days is stored on computers, it has become easy for hackers and other technologically advanced criminals to “misappropriate” masses of valuable information without leaving a trace.

The current infrastructure of the internet and of computer networks connected to the internet allows offenders to maintain a level of anonymity that is extremely difficult to penetrate. Communication mobility and the internet allows criminals to transverse multiple jurisdictions instantaneously and to target victims anywhere without requiring any additional effort or resources.

If anyone doubts that theft of information could wreak havoc in corporate and other economically sensitive areas, consider the prize that is the objective of the computer criminal. A large corporation may take many years and spend billions to develop a client base. This can be downloaded from computer storage hardware in a matter of minutes. Trade secrets, marketing strategies, product specifications, corporate expansion plans, supplier information, technical specifications etcetera, are all aspects that companies spend a lot of time, money and energy on. A competitor may obtain practically anything that may be stored on a computer from an experienced hacker.

The most alarming part of this situation is the complete lack of protection that the South African law appears to afford the owner of valuable information in this information age. While the South African courts are barely able to deal with the normal case load of other crimes, including fraud and corruption, technology advances every day, and the legal system is falling further and further behind with dealing with the new age criminal, "the computer hacker".

The world economy is becoming increasingly dependent on information- based services and as such, the legal system should be supporting the protection of such information. In an attempt to regulate the electronic environment in South Africa, the South African legislator passed into law the Electronic Communications and Transactions Act, no. 25 of 2002 (ECT Act) on 30 August 2002. No direct reference is, however, made to the theft of information. The legislator’s apparent failure or unwillingness to address the problem of the theft of information, creates the risk of the equivalent of electronic anarchy in both the public and private sectors in South Africa.

Sections 85 to 89 of the ECT Act seeks to make the first statutory provisions on cyber crime in South African jurisprudence. The ECT Act introduces statutory criminal offences relating to information systems and includes unauthorised access to data, interception or interference with data, computer related extortion, fraud and forgery. Section 86 (1) criminalizes unauthorised access to data. Section 86(2) deals with sabotage of data. Section 86 (3) and (4) deals generally with possession and utilization of a hacker’s tools. Section 86 (5) deals with interference of access to an information system.

Although Section 86 of the ECT Act appears to successfully criminalise unauthorised access to data, no mention is made of that which is the aim of the unauthorised access. The electronic theft of information is not mentioned at all and the prescribed penalties for unauthorised access has the unsatisfactory consequence that a person who hacks into a large company’s databanks and steals information worth millions, will only be liable to a fine or imprisonment of one year. One can also not expect a significant fine for the electronic equivalent of trespassing.

The promulgation of the ECT Act in South Africa cannot be seen as the definitive solution to all problems relating to computer crime in South Africa. Although it appears that the common law, that has its roots in age old Roman and Dutch law has reached its sell- by date with regard to the fields of technology and information, it may have to be revived to apply to those areas of computer crime that the legislator chose to ignore. Theft of information has, in many respects, potentially devastating effects on individuals and entities and the economy of the country and will have to be addressed by the South African criminal law system. A section, criminalizing theft of data, should be included in the ECT Act that addresses the interception, downloading, possession or obtaining in any other manner, of electronic data belonging to the owner of the data or the authorised user of the particular computer from which it was misappropriated. This offence should not have permanent deprivation of ownership of the owner or authorised user as an element, since it is possible to “steal” data without depriving the owner of the benefit thereof, even for a very short space of time. This offence and the possession of such data should also be made a continuous crime, such as the common law offence of theft.

In order for the legislator to become aware of the urgency of the problem of the theft of information, more computer criminals should be brought before the courts. Only by bringing perpetrators before the courts, will the ineffectiveness of the common law and the present state of the ECT Act to deal with the theft of information be demonstrated. As South Africans increase their activities online and as the virtual office becomes more and more of a reality, the ECT Act will form the cornerstone of large volumes of litigation and criminal sanction that is bound to come. The South African experience appears to illustrate that the creation of legislation is only the first step in addressing the problem. The failure of the legislator to recognise the need for the protection of information per se from theft from electronic storage devices is a case in point. Re-visiting legislation, learning from experience and the development of new law appears to be a future necessity.