PART II – PROHIBITED CONDUCT
Illegal access
Part II (4) (1-2) is far too broad in its scope and can implicate innocent or well-meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It is even more problematic where judicial officers are not trained to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Guidance should be included with the legislation to distinguish between acceptable and criminal behaviours.
For example, the European Union (EU) General Data Protection Regulation (GDPR) includes 172 recitals (also known as the preamble) that provide context and explain the reasons for the regulation. There was also an explanatory memorandum that provided further details on the proposed legislation.
Misuse of devices
Part II (9) (a-b) There are a number of dual-use programmes and applications which can be, and are, used both for legitimate testing and protection of computer systems and, conversely, for malicious purposes. There should be language here which acknowledges this and removes criminality in cases such as ethical hacking.
Disclosure of access codes
Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be illegal. The qualifier for criminality should be that the individual knows, or has reason to believe, that the disclosure is likely to cause loss, damage or injury to any person or property.
Critical information infrastructure system
Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the act is proclaimed (e.g., financial services, water utility, transportation, healthcare, hospitality, etc.). This should not be vague or left up to interpretation.
Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:
- There is a legal framework or a mechanism to identify operators of critical information infrastructure.
- Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
- Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
- A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Malicious communications
Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to prevent criticisms of politicians/public personalities or for the purpose of political persecution. This same vague language exists in the Computer Misuse Act 2005, and has been improperly used for the same abuses identified. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**
Cyber bullying
Part II (20) (1) – Same as the previous comment.
Cyber terrorism
Part II (21) (1-2) This is too limited in scope and should include any use of computer systems for terrorism or organized crime. It should also include preparatory acts for terrorism or organized crimes (these are not the crimes themselves but the precipitating actions).
PART III – INVESTIGATION AND ENFORCEMENT
Search and seizure
Part III (23) (1-2) gives law enforcement excessively broad powers when it comes to confiscation and access to computer systems (including smaller form factors such as tablets and mobile phones). These types of powers require independent and effective oversight functions (as does this entire Act).
Assisting a police officer
Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, especially where the grounds for disclosure have not been met. Again, this requires independent and effective oversight functions, and the oath of a police officer should not be enough to obtain a warrant that grants such far-reaching powers.
Production of data for criminal proceedings
Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers when it comes to intercepting Internet communications, compelling service providers to hand over subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. These types of powers require independent and effective oversight functions. Again, the oath of a police officer should not be enough to obtain a warrant that allows for such intrusive acts.
Preservation of data for criminal proceedings
Part III (28) (1-3) There is no discussion of the conditions and safeguards for adequate protection of human rights and liberties when collecting and storing (preserving) data for criminal proceedings. This includes maintaining the “chain of custody”, protection of personal data in line with the Data Protection Act, handling of sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third parties, records of how data is accessed and used, etc. The provisions should also include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.
General observations – Part III
Part III (Investigation and enforcement) is missing key provisions related to:
- Joint investigations or joint investigation teams
- Expert witness testimony by video conferencing
- Emergency mutual assistance (which is different to expedited disclosure)
ALIGNMENT WITH THE BUDAPEST CONVENTION
2nd Protocol of the Budapest Convention
It is clear that the Cybercrime Bill was patterned after the Council of Europe’s (CoE) Budapest Convention 1st Protocol, which has been deemed outdated or deficient for several reasons. The 2nd Protocol of the Budapest Convention was ratified on 12 May 2022 and addressed several of the challenges, issues, and criticisms raised by cyber law experts, privacy professionals, and human rights advocates. The drafters of this Bill do not appear to have integrated the substantive updates from the 2nd Protocol. It therefore looks like the government is essentially seeking to enact legislation that is outdated and not in step with current technology developments or evolving jurisprudence.
* Training of judicial officers, especially with regard to technology law and privacy law, is a major problem in the country. Because these specialist areas of law are emerging, there is poor understanding of the issues by magistrates, judges, prosecutors, etc., and limited case law to refer to locally or in other regional jurisdictions. Consequently, many rulings/decisions have flawed bases, and individuals are often under- or over-penalised.
** The Budapest Convention, on which the Cybercrime Bill is based, has an accompanying 60-page explanatory report that specifies the additional checks and balances and the rule-of-law-based environment that countries like Barbados should have underpinning their cybercrime legislation.
The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC