Types of Cybercrimes
Module 7: Cybercrimes
Data privacy violations
The use of data, including the volume of cross-border data flows, is increasing exponentially every year, particularly in relation to personal data. However, there is a lack of adequate regulations over the collection and processing of personal information in Africa. 33 African countries currently have data protection or cybercrime laws in place,(1) but their comprehensiveness and effectiveness varies significantly. Some of the most recently passed laws were in Zimbabwe, Zambia, Rwanda, and Eswatini, which passed laws between 2021-2022.(2) Several African countries have successfully set up Data Protection Authorities (DPAs) to enforce data protection regulations and investigate violations, though many such DPAs still suffer from a lack of funding and political support, leading to a lack of proper enforcement.
These developments follow the rapid development of data protection legislation around the world since the entry into force of the European Union’s General Data Protection Regulations (GDPR) in 2018. The GDPR has set a new standard for the protection of personal data online and has served as a template for numerous other countries’ legislation. The California Consumer Privacy Act (CCPA) likewise has set sweeping regulations regarding consumers’ rights to know what personal information is being collected from them, to request deletion of their data, and to opt out of data collection.(3) Because of its application to the technology sector of Silicon Valley, the CCPA has also been lauded for advancing the state of data protection globally.(4)
The rise of sophisticated surveillance technologies and the use of biometric technologies without proper safeguards are just some of the many threats to the right to privacy across Africa. There have, however, been some encouraging judgments in recent years pointing to the willingness of judiciaries around Africa to protect the right to privacy.
In Kenya, the High Court in Nairobi ruled in 2020 in Nubian Rights Forum and Others v The Hon. Attorney General and Others(5) that the government could not implement a new comprehensive digital identity system without an adequate data protection law being in place. On surveillance, the Constitutional Court of South Africa found in the case of amaBhungane and Another v Minister of Justice and Correctional Services and Others(6) in 2021 that mass surveillance and the interception of communications by the National Communications Centre were unlawful, and declared certain sections of the Regulation of Interceptions of Communications and Provision of Communication Related Information Act (RICA) unconstitutional.
Criminalisation of online speech
Cybercrime legislation usually seeks to deal with a wide range of illegal or harmful content that is posted online. This may include terrorist propaganda, racist content, hate speech, sexually explicit content such as child sexual abuse material (CSAM), blasphemous content, content critical of states and their institutions, and content unauthorised by intellectual property rights holders.(7)
This is often the area in which such legislation most conflicts with the right to freedom of expression and the right to information. The UN Special Rapporteur on Freedom of Expression stated in 2011 that the only types of expression that states may prohibit under international law are: (a) child pornography; (b) direct and public incitement to commit genocide; (c) hate speech; (d) defamation; and (e) incitement to discrimination, hostility or violence.(8) Even legislation that does criminalise these forms of expression needs to be precise, have adequate and effective safeguards against abuse or misuse, and include oversight and review by an independent and impartial tribunal or regulatory body.(9) In 2018, the Special Rapporteur stated that “[b]roadly worded restrictive laws on “extremism”, blasphemy, defamation, “offensive” speech, “false news” and “propaganda” often serve as pretexts for demanding that companies suppress legitimate discourse.(10)
In Zimbabwe, for example, the Cyber Security and Data Protection Act, passed in 2021,(11) was published in the Zimbabwean Government Gazette shortly after extensive public protests had taken place over rising fuel and commodity prices in the country. It is intended to consolidate cyber-related offences and provide for data protection and seeks to “create a technology-driven business environment and encourage technological development and the lawful use of technology.”(12) However, the Act has been widely criticised as being a tool for the Zimbabwean government to stifle freedom of expression and access to information, promote interference of private communications and data and use search and seizure powers to access the information of activists in order to quell protests.(13) Before it was passed, MISA-Zimbabwe criticised the Bill for:
“Criminali[sing] the sending of messages that incite violence or damage to property. In the past, this charge has been used to prosecute organizers of peaceful protests and other forms of public disobedience. The same goes for sections 164A and 164B that criminalize the sending of threatening messages and cyber-bullying and harassment respectively.”(14)
Prominent journalists and activists have seen been arrested under these provisions, leading to criticism that the Act criminalises digital activism.(15)
For more on the criminalisation of online speech, see Module 3 of Media Defence’s Advanced Modules on Digital Rights and Freedom of Expression Online.
Cyberstalking and online harassment
Online harassment is becoming increasingly prevalent with the spread of social media, which can provide especially fertile ground for online harassment. Cyberstalking is undue harassment and intimidation online through text messages, phone calls or social media, and it severely restricts the enjoyment that persons have of their rights online, particularly vulnerable and marginalised groups, including women and members of sexual minorities. Research has shown that online harassment is often focused on personal or physical characteristics, with political views, gender, physical appearance and race being among the most common.(16) Furthermore, women encounter sexualised forms of online harassment at much higher rates than men.(17) Journalists are also particularly at risk due to their public-facing roles and efforts to stifle independent media: research by UNESCO has found that almost three-quarters of women journalists have experienced online violence.(18)
A worrying new trend: non-consensual dissemination of intimate images
A particular form of online harassment that has emerged as a concerning new trend is that of private and sexually explicit images, mostly of women, being shared publicly online without their permission or consent, often by former partners in retaliation for a break-up or other falling out, or for the purposes of extortion, blackmail or humiliation. However, few countries’ cybercrime legislation specifically caters for offences related to non-consensual dissemination of intimate images (NCII), often leaving victims with little recourse against perpetrators.(19)
South Africa is an exception, having passed the Film and Publications Board Amendment Act(20) in 2019 which, for the first time, explicitly criminalised the practice of non-consensual dissemination of intimate images, stating that:
“[A]ny person who knowingly distributes private sexual photographs and films in any medium including through the internet, without prior consent of the individual or individuals and where the individual or individuals in the photographs or films is identified or identifiable in the said photographs and films, shall be guilty of an offence and liable upon conviction.”(21)
Practical steps to take if you are a victim of non-consensual dissemination of intimate images:
- Make a record (and copies) of the content posted online, to ensure permanent documentation of the crime. This should include the date the content was posted, where it was posted, and who posted it. Screenshots are a useful way to do this.
- Seek psycho-social and legal assistance. (You may be able to interdict the further dissemination of images or video.)
- File a report with the police. Even if your country does not have a specific provision for the non-consensual dissemination of intimate images, an offence may be located within the existing criminal law.
- File a report with the platform on which the content was posted. It might also help to include a copy of the police report in your report to the platform.(22)
The importance of a name:
The non-consensual dissemination of intimate images is often referred to as ‘revenge porn.’ However, activists and researchers have universally rejected the term as being misleading.(23) Firstly, the word ‘revenge’ implies that the victim has committed a harm worth seeking revenge for, and ‘porn’ conflates the practice with the consensual production of content for mass consumption, which NCII decidedly is not. Secondly, the term “repackages an age-old harm as a new-fangled digital problem,” belying the long history that exists of images of women being distributed non-consensually across a range of mediums.(24) Lastly, the term oversimplifies the offence by ignoring a range of aggressors and motivations and invoking a moralist reaction against the victim.(25)
Many stalking crimes begin online before moving offline,(26) and cyberstalking can be complicated for many reasons:
“[Cyberstalking is] online harassment, threats, intimidating messages and subscribing the victim to unwanted online services. From the outset this interaction may be considered an irritation or an annoyance or may give rise to a belief that harm may be caused. The cyber-stalker may however initiate contact in a non-confrontational manner and proceed to woo or groom the victim into a cyber-friendship in order to gain the victim’s confidence and to determine personal details such as the person’s address. Without the victim’s knowledge the same “cyber-friend” could be stalking the victim in person, perhaps even giving the victim advice on how he or she should respond to the stalker. Although cyberstalking which has escalated into stalking the victim in person i.e. “real-time stalking” may result in the commission of a sexual offence, it is not the only outcome.”(27)
Because of this complexity, as well as the rapid evolution of technology that makes it difficult for regulation to keep up, the South African Law Reform Commission recommended that specific reference to cyberstalking not be included explicitly in law:
“In reality, however surreal “cyberstalking” or the use of technical or computerised equipment to stalk a person is it fundamentally amounts to an extension of physical stalking. One is merely dealing with a different medium.”(28)
Ongoing harassment and attacks on members of the media have also become a particularly worrying trend.
Online harassment of the media
Where journalists allege imminent threats to their safety, courts are empowered to grant interdictory relief in appropriate circumstances and subject to the relevant legal requirements.
For instance, in the matter of South African National Editors Forum and Others v Black Land First and Others,(29) the High Court of South Africa granted an interdict in favour of the media broadly, in terms of which the respondents were interdicted from “engaging in any of the following acts directed towards the applicants: intimidation; harassment; assaults; threats; coming to their homes; or acting in any manner that would constitute an infringement of their personal liberty”, and from “making any threatening or intimidating gestures on social media… that references any violence, harm and threat.”(30)
It is also worth noting the crime of cyberbullying, which is the sending of intimidating or threatening messages, often via social media, and which is pervasive among children and young adult.(31) According to the United Nations Children’s Fund (UNICEF):
“[Cyberbullying] can take place on social media, messaging platforms, gaming platforms and mobile phones. It is repeated behaviour, aimed at scaring, angering or shaming those who are targeted. Examples include:
– spreading lies about or posting embarrassing photos of someone on social media;
– sending hurtful messages or threats via messaging platforms;
– impersonating someone and sending mean messages to others on their behalf.
Face-to-face bullying and cyberbullying can often happen alongside each other. But cyberbullying leaves a digital footprint — a record that can prove useful and provide evidence to help stop the abuse.”(32)
The scale of the problem is significant and growing. A study by UNICEF and the UN Special Representative of the Secretary-General (SRSG) on Violence against Children found that one in three young people in 30 countries reported being a victim of online bullying.(33)
David v Goliath: tackling cyberbullying on tech platforms
In South Africa, the family of a teenager who was sent graphic threats through Instagram from an anonymous account was pitted against one of the largest technology companies in the world, Facebook, the former owner of Instagram.(34) The girl, believing the threats were from someone attending her school, feared for her physical safety and therefore attempted to force Facebook to release the identity of the person behind the anonymous account sending the threats. Multiple attempts to do so were futile, forcing the family to turn to the courts for relief. The case is an example of the challenges in holding multi-national companies to account in the digital age and raises questions about how far their responsibility to protect children who use their platforms should go.
Given that the Malabo Convention has yet to be tested in practice, a reading of the Budapest Convention on Cybercrime, the first international treaty that seeks to address internet and computer crimes, is instructive.(35) It is increasingly being used in Africa, and has served as a guideline or source for more than 80% of states around the world to develop domestic cybercrimes laws.(36) It is also open for any state willing to implement its provisions to join, and can be ratified by African countries.(37)
The Budapest Convention defines the following types of cybercrimes:
- Illegal access to a computer system;
- Illegal interception;
- Data interference;
- System interference;
- Misuse of devices;
- Computer-related forgery;
- Computer-related fraud;
- Child pornography;
- Offences related to infringements of copyright and related rights.
Although these definitions date to 2001, much of what constitute cybercrimes today is still covered by these categories and provisions.