We began to scrutinise the proposed Cybercrime Bill for Guyana in the previous instalment of this column. We acknowledged that the bill addresses several matters that merit such attention then turned our attention to the issues that we felt are problematic.
We addressed the definitions of child, data and computer and article 9 which targets even the recipients of data. We then concluded with a focus on the sedition clause (article 18).
In the current instalment of this column, we conclude our focus on the proposed Cybercrime Bill by addressing enforcement, the penalties and a few miscellaneous items.
Surveillance of Citizens
Article 38. (1) of the Cybercrime Bill seeks to institutionalise surveillance of citizens through computing systems. It states that
“Where a Judge is satisfied on ex parte application by a police officer of the rank of Superintendent or above, that there are reasonable grounds to believe that computer data which is required for the purpose of a criminal investigation into an offence under this Act or any other law, cannot be collected without the use of a remote forensic tool, the Judge may authorise a police officer, with such assistance as may be necessary, to utilise a remote forensic tool for the investigation.”
This provision enables surveillance of (“spying” on) the computer and Internet activities of citizens by allowing law enforcement to tap into the equipment of service providers such as GTT, Digicel and others that provide Internet or data services. The bill prohibits these providers from disclosing both the occurrence and the nature of this kind of activity (see article 34).
The right of citizens to privacy is sacred and therefore, such a provision should not become law without the awareness of the citizens. The potential for abuse of this provision should be given the consideration it deserves in light of the gravity of the concession that is asked (or demanded) of the citizens.
Concerns about violation of privacy caused a furore in parliament in 2008 when the Interception of Communications Act 2008 (ICA 2008, referred to as the wiretapping law) was discussed. The October 18, 2008 edition of Stabroek News reported that the PNCR-1G walked out of parliament and that its leader; the Leader of the Opposition, Robert Corbin, (1) referred to the ICA 2008 as a “flimsy law”, (2) indicated that he “worried that it would see the creation of spy offices at telecommunication providers GT&T and Digicel” and (3) “dismissed the government’s (PPP/C at the time) safeguards as meaningless and described the law as very suspect in the current landscape”. With reference to the ICA 2008, Mr. Raphael Trotman, the then leader of the AFC, said that “our leaders will be afraid to speak their minds” (see SN, October 18, 2008). The APNU+AFC coalition government should therefore explain the extent to which these concerns are relevant to surveillance for cybercrimes.
Consistent with the ICA 2008, the Cybercrime Bill requires a warrant from a judge to authorise surveillance. However, the ICA 2008 also places such authority in a “designated officer” in cases of national emergency or where the urgency of the case renders approval of a warrant “impractical” (Section 3 (2) of the ICA 2008). On this particular matter, the accountability standard is higher in the Cybercrime Bill.
Enforcement Light on Accountability
The timeframe for actions in relation to surveillance provided for in the Cybercrime Bill leaves much to be desired. Article 38 (4) states that
“Where a remote forensic tool is utilised under this section – (c) the police officer authorised under subsection (1) shall, as soon as possible thereafter, prepare a record of – (i) the remote forensic tool used; (ii) the time and date of the application; (iii) the identification of the computer system and details of the modification
undertaken; and (iv) the information obtained.”
This provision does not compel the police to act decisively and to be accountable within a specific timeframe or be compelled to withdraw. Yet this is the kind of accountability that is reflective of the gravity of the concession that the citizens must make.
Accountability issues also arise in article 29 which provides for seizure of computer equipment and for the owners of seized equipment to obtain data stored on them. Though the law enforcement officer who executes the seizure is required to provide a list of items seized or rendered inaccessible, the bill indicates that the police shall “at the time of execution, or as soon as possible thereafter” produce a list of the items seized (see 29 (1) (a) to (b)). A similar provision applies to the response to a person who makes a request for data stored on seized equipment.
The lack of a timeframe for these actions will create loose expectations and it is apparent that the bill is attempting to compensate for deficiencies in law enforcement and to avoid accountability. There should be a set timeframe within which the police must act or must withdraw surveillance equipment or return seized equipment or access to them as relevant. The law should require that the police gets its act together and it should not permit abuse of power. The people should also not be expected to rely on the assurances of the executive. Guarantees against abuse of power need to be an integral component of the provisions.
Another possibility for abuse of power arises in article 30 which deals with giving assistance to the police. Article 30 indicates that
“A person who has knowledge about the functioning of a computer system or computer data storage medium, or security measures applied to protect computer data, that is the subject of a search warrant shall, if requested by the police officer authorised to undertake the search, assist the police officer …”
The person, if asked, must provide information to assist the police to search the system or to locate the data being sought or copy data etc. as required and otherwise be subjected to a fine of $3 million and imprisonment of one year (Article 30 (2)). Notably absent is intervention of a judge to order such assistance as required by the ICA 2008 (Section 5 (3) of the ICA 2008). The Cybercrime Bill empowers the police to request (or demand as the case might be) and have the person comply or face the consequences. It also makes no explicit exception to avoid self-incrimination. The lack of oversight by a judge renders the provision more susceptible to abuse in the Cybercrime Bill compared to the ICA 2008.
The implementation of a penalty for not assisting the police instead of providing some incentive for assisting is also worrisome and appears as another attempt at legislating to compensate for deficiencies in law enforcement at the expense of the citizens. The bill should anticipate (and require) that the police is properly equipped to get into computer systems and extract data instead of penalising the citizens.
The penalties for cybercrimes are stringent. This is exemplified in article 23 which addresses the use of a computer to commit an offence provided for in some other law. The fine for such an offence is explicitly identified as four times that stated in the other law with the length of the custodial sentence preserved. This seems absurd since people will clearly be better-off committing the same offence without the use of a computing device.
If the punishment for a crime is more severe when a computer device is used, one wonders whether (1) a computing device amplifies the severity of a crime, (2) the penalties articulated in other laws are inadequate and whether the penalties for the corresponding cybercrime wouldn’t become draconian if the other laws are updated and (3) the penalties for cybercrimes evidence fear of computers on the part of digital aliens.
All offences in the cybercrime bill have a mandatory custodial sentence and there is no room for a court to decide on the severity of any penalty. Penalties of $3 million and 5 years imprisonment on summary conviction; or $5 million and 8 years imprisonment on conviction and indictment, are common in the bill.
There are a few offences in the Cybercrime Bill with prison terms that are less than 5 years. Those offences usually require incarceration for three years and a have $3 million fine attached. The shortest prison term is one year and this is for failure to give assistance to the police on request (Article 30), failure of service providers to supply information (Article 25) and violation of a restraining order to preserve data (Article 41). At the other extreme, a sedition violation leading to death of the president, prime minister or a minister of government results in imprisonment for life. Apart from this, causing damage to or failure of critical infrastructure carries a penalty of $10 million and imprisonment for 10 years.
Penalties for crimes need to be prohibitive and the penalties for the cybercrimes seem to satisfy this criterion. If one is guilty of a cybercrime, one will likely become bankrupt and will face substantial incarceration. However, the nature of some matters that are criminalised makes the penalties draconian. With respect to sedition without resulting in death of a government officer, the penalty is 5 years imprisonment. Given the archaic, subjective and anti-democratic nature of the sedition violation, the penalty amounts to scaring the citizenry into submission.
In this section, we address a few other provisions in short order.
Article 17. (1) addresses transmission and retransmission of multiple mail messages “that causes harm to a person or damage to a computer system”. Subsection (5) clarifies that “For the purposes of this section, “multiple electronic mail messages” means unsolicited data messages, including electronic mail and instant messages sent to more than fifty recipients within twenty-four hours” In addition to this, the limit of 50 recipients within a 24-hour period is unjustified since it would mean that it is alright for a person to send harmful mails to at most 50 persons, wait for 24 hours then attack another 50 persons and so on. What is the basis for this minimum number of recipients?
Article 19. (2) (a) states that “A person commits an offence if he uses a computer system – (a) to publish or transmit computer data that is obscene, vulgar, profane, lewd, lascivious or indecent with intent to humiliate, harass or cause substantial emotional distress to another person” Determining what is obscene, vulgar, profane, lewd, lascivious or indecent is subjective. Law enforcement will therefore become the moral police in Guyana.
Article 20 is about infringement of copyright, patents and designs and trademarks. Part (a) of this provision cites the Copyright Act 1965 and the Copyright Order, 1966. Citing specific acts is problematic given that they can change. A statement alluding to the relevant Copyright Laws would be more appropriate.
Summary & Conclusion
The Cybercrime Bill seeks to enable surveillance of the Internet and computing activities of citizens and does not require strict enough accountability on the part of law enforcement in this activity. Accountability standards are also lax in other matters including that of empowering the police to obtain assistance from citizens without a court order. In general, the bill appears to compensate for deficiencies in law enforcement with the citizens made to pay the price and, in the process, it creates fertile conditions for abuse of power and violation of the rights of citizens. The penalties articulated in the bill are rigid and are inexplicably more stringent than that which is applicable to similar non-cybercrime offences. Overall, we believe that the proposed Cybercrime Bill is in need of substantial revision.
Editor’s note: Part one of this analysis appeared in the May 29, 2018 edition of Stabroek News and can be found at: https://www.stabroeknews.com/2018/features/transparency-institute/05/29/an-analysis-of-the-proposed-cybercrime-bill-for-guyana/