Back to main site

    Types of Cybercrimes

    Module 7: Cybercrimes

    Data privacy violations

    The use of data, including the volume of cross-border data flows, is increasing every year, particularly in relation to personal data.  However, there is a lack of adequate regulations for the collection and processing of personal information which can have significant ramifications, making data protection regulations critical.  At least fourteen African countries currently have data protection laws in place,(1) but their comprehensiveness and effectiveness varies significantly.  Some of the most recently passed laws were in Kenya and the Togolese Republic, which were signed into law in November and October 2019 respectively.(2) Countries such as South Africa and Morocco have successfully set up Data Protection Authorities (DPAs) to enforce data protection regulations and investigate violations, though many such DPAs still suffer from a lack of funding and political support, leading to a lack of proper enforcement.

    The rise of sophisticated surveillance technologies and the use of biometric technologies without proper safeguards are just some of the many threats to the right to privacy across Africa.  There have, however, been some encouraging judgments in recent years pointing to the willingness of judiciaries around Africa to protect the right to privacy.

    In Kenya, the High Court in Nairobi ruled in 2020 in Nubian Rights Forum and Others v The Hon. Attorney General and Others(3) that the government could not implement a new comprehensive digital identity system without an adequate data protection law being in place.  On surveillance, the High Court of South Africa found in the case of amaBhungane and Another v Minister of Justice and Correctional Services and Others(4) in 2019 that mass surveillance and the interception of communications by the National Communications Centre were unlawful, and declared certain sections of the Regulation of Interceptions of Communications and Provision of Communication Related Information Act (RICA) unconstitutional.

    These developments follow the rapid development of data protection legislation around the world since the entry into force of the European Union’s General Data Protection Regulations (GDPR) in 2018.  The GDPR has set a new standard for the protection of personal data online, and has served as a template for numerous other countries’ legislation.  The California Consumer Privacy Act (CCPA) likewise has set sweeping regulations regarding consumers’ rights to know what personal information is being collected from them, to request deletion of their data, and to opt out of data collection.(5) Because of its application to the technology sector of Silicon Valley, the CCPA has also been lauded for advancing the state of data protection globally.(6)

    Criminalisation of online speech

    Cybercrimes legislation usually seeks to deal with a wide range of illegal or harmful content that is posted online.  This may include terrorist propaganda, racist content, hate speech, sexually explicit content such as child pornography, blasphemous content, content critical of states and their institutions and content unauthorised by intellectual property rights holders.(7)

    This is often the area in which such legislation most conflicts with the right to freedom of expression and the right to information.  The UN Special Rapporteur on Freedom of Expression stated in 2011 that the only types of expression that states may prohibit under international law are: (a) child pornography; (b) direct and public incitement to commit genocide; (c) hate speech; (d) defamation; and (e) incitement to discrimination, hostility or violence.(8) Even legislation that does criminalise these forms of expression needs to be precise, have adequate and effective safeguards against abuse or misuse, and include oversight and review by an independent and impartial tribunal or regulatory body.(9) In 2018, the Special Rapporteur stated that “[b]roadly worded restrictive laws on “extremism”, blasphemy, defamation, “offensive” speech, “false news” and “propaganda” often serve as pretexts for demanding that companies suppress legitimate discourse.(10)

    In Zimbabwe, for example, the Cyber Security and Data Protection Bill was published in the Zimbabwean Government Gazette shortly after extensive public protests had taken place over rising fuel and commodity prices in the country.  It is intended to consolidate cyber-related offences and provide for data protection and seeks to “create a technology-driven business environment and encourage technological development and the lawful use of technology.”(11) However, the Bill has been widely criticised as being a tool for the Zimbabwean government to stifle freedom of expression, access to information, promote interference of private communications and data, and use search and seizure powers to access the information of activists in order to quell protests.(12) MISA-Zimbabwe has criticised the Bill for:

    “Criminali[sing] the sending of messages that incite violence or damage to property.  In the past, this charge has been used to prosecute organizers of peaceful protests and other forms of public disobedience.  The same goes for sections 164A and 164B that criminalize the sending of threatening messages and cyber-bullying and harassment respectively.”(13)

    For more on the criminalisation of online speech, see Module 3 of Media Defence’s Advanced Modules on Digital Rights and Freedom of Expression Online.

    Cyberstalking and online harassment

    Online harassment is becoming increasingly prevalent with the spread of social media, which can provide especially fertile ground for online harassment.  Cyberstalking is undue harassment and intimidation online through text messages, phone calls or social media, and it severely restricts the enjoyment that persons have of their rights online, particularly vulnerable and marginalised groups, including women and members of sexual minorities.  Research has shown that online harassment is often focused on personal or physical characteristics, with political views, gender, physical appearance and race being among the most common.(14) Furthermore, women encounter sexualised forms of online harassment at much higher rates than men.(15)

    A worrying new trend: non-consensual dissemination of intimate images

    A particular form of online harassment that has emerged as a concerning new trend is that of private and sexually explicit images, mostly of women, being shared publicly online without their permission or consent, often by former partners in retaliation for a break-up or other falling out, or for the purposes of extortion, blackmail or humiliation.  However, few countries’ cybercrime legislation specifically caters for offences related to non-consensual dissemination of intimate images (NCII), often leaving victims with little recourse against perpetrators.(16)

    South Africa is an exception, having passed the Film and Publications Board Amendment Act(17) in 2019 which, for the first time, explicitly criminalised the practice of non-consensual dissemination of intimate images, stating that:

    “[A]ny person who knowingly distributes private sexual photographs and films in any medium including through the internet, without prior consent of the individual or individuals and where the individual or individuals in the photographs or films is identified or identifiable in the said photographs and films, shall be guilty of an offence and liable upon conviction.”(18)

    Practical steps to take if you are a victim of non-consensual dissemination of intimate images:
    • Make a record (and copies) of the content posted online, to ensure permanent documentation of the crime.  This should include the date the content was posted, where it was posted, and who posted it.  Screenshots are a useful way to do this.
    • Seek psycho-social and legal assistance. (You may be able to interdict the further dissemination of images or video.)(19)
    • File a report with the police.  Even if your country does not have a specific provision for the non-consensual dissemination of intimate images, an offence may be located within the existing criminal law.
    • File a report with the platform on which the content was posted.  It might also help to include a copy of the police report in your report to the platform.(20)
    The importance of a name:

    The non-consensual dissemination of intimate images is often referred to as ‘revenge porn.’  However, activists and researchers have universally rejected the term as being misleading.(21) Firstly, the word ‘revenge’ implies that the victim has committed a harm worth seeking revenge for, and ‘porn’ conflates the practice with the consensual production of content for mass consumption, which NCII decidedly is not.  Secondly, the term “repackages an age-old harm as a new-fangled digital problem,” belying the long history that exists of images of women being distributed non-consensually across a range of mediums.(22) Lastly, the term oversimplifies the offence by ignoring a range of aggressors and motivations, and invoking a moralist reaction against the victim.(23)

    Many stalking crimes begin online before moving offline,(24) and cyberstalking can be complicated for many reasons:

    “[Cyberstalking is] online harassment, threats, intimidating messages and subscribing the victim to unwanted online services.  From the outset this interaction may be considered an irritation or an annoyance or may give rise to a belief that harm may be caused.  The cyber-stalker may however initiate contact in a non-confrontational manner and proceed to woo or groom the victim into a cyber-friendship in order to gain the victim’s confidence and to determine personal details such as the person’s address.  Without the victim’s knowledge the same “cyber-friend” could be stalking the victim in person, perhaps even giving the victim advice on how he or she should respond to the stalker.  Although cyberstalking which has escalated into stalking the victim in person i.e. “real-time stalking” may result in the commission of a sexual offence, it is not the only outcome.”(25)

    Because of this complexity, as well as the rapid evolution of technology that makes it difficult for regulation to keep up, the South African Law Reform Commission recommended that specific reference to cyberstalking not be included explicitly in law:

    “In reality, however surreal “cyberstalking” or the use of technical or computerised equipment to stalk a person is it fundamentally amounts to an extension of physical stalking.  One is merely dealing with a different medium.”(26)

    Ongoing harassment and attacks on members of the media have also become a particularly worrying trend.

    Online harassment of the media

    Where journalists allege imminent threats to their safety, courts are empowered to grant interdictory relief in appropriate circumstances and subject to the relevant legal requirements.

    For instance, in the matter of South African National Editors Forum and Others v Black Land First and Others,(27) the High Court of South Africa granted an interdict in favour of the media broadly, in terms of which the respondents were interdicted from “engaging in any of the following acts directed towards the applicants: intimidation; harassment; assaults; threats; coming to their homes; or acting in any manner that would constitute an infringement of their personal liberty”, and from “making any threatening or intimidating gestures on social media… that references any violence, harm and threat.”(28)

    Cyberbullying

    It is also worth noting the crime of cyberbullying, which is the sending of intimidating or threatening messages, often via social media, and which is pervasive among children and young adult.(29) According to the United Nations Children’s Fund (UNICEF):

    “[Cyberbullying] can take place on social media, messaging platforms, gaming platforms and mobile phones.  It is repeated behaviour, aimed at scaring, angering or shaming those who are targeted.  Examples include:

    – spreading lies about or posting embarrassing photos of someone on social media;

    – sending hurtful messages or threats via messaging platforms;

    – impersonating someone and sending mean messages to others on their behalf.

    Face-to-face bullying and cyberbullying can often happen alongside each other.  But cyberbullying leaves a digital footprint — a record that can prove useful and provide evidence to help stop the abuse.”(30)

    The scale of the problem is significant and growing.  A study by UNICEF and the UN Special Representative of the Secretary-General (SRSG) on Violence against Children found that one in three young people in 30 countries reported being a victim of online bullying.(31)

    David v Goliath: tackling cyberbullying on tech platforms

    In South Africa, the family of a teenager who was sent graphic threats through Instagram from an anonymous account, has pitted them against one of the largest technology companies in the world, Facebook, the owner of Instagram.(32) The girl, who has reason to believe the threats are from someone attending her school, fears for her physical safety and has therefore been attempting to force Facebook to release the identity of the person behind the anonymous account sending the threats.  Multiple attempts to do so were futile, forcing the family to turn to the courts for relief.  The case is an interesting example of challenges in holding multi-national companies to account in the digital age, and raises questions about how far their responsibility to protect children who use their platforms should go.

    Other violations

    Given that the Malabo Convention has yet to be tested in practice, a reading of the Budapest Convention on Cybercrime, the first international treaty that seeks to address internet and computer crimes, is instructive.(33) It is increasingly being used in Africa, and has served as a guideline or source for more than 80% of states around the world to develop domestic cybercrimes laws.(34) It is also open for any state willing to implement its provisions to join, and can be ratified by African countries.(35)

    The Budapest Convention defines the following types of cybercrimes:

    • Illegal access to a computer system;
    • Illegal interception;
    • Data interference;
    • System interference;
    • Misuse of devices;
    • Computer-related forgery;
    • Computer-related fraud;
    • Child pornography;

    Offences related to infringements of copyright and related rights.

    • Illegal access to a computer system;
    • Illegal interception;
    • Data interference;
    • System interference;
    • Misuse of devices;
    • Computer-related forgery;
    • Computer-related fraud;
    • Child pornography;
    • Offences related to infringements of copyright and related rights.(36)

    Although these definitions date to 2001, much of what constitute cybercrimes today is still covered by these categories and provisions.

    Footnotes

    1. ALT Advisory, ‘Data Protection Africa’ (accessible at: https://dataprotection.africa/). Back
    2. High Court of Kenya in Nairobi, Consolidated petitions no. 56, 58 & 59 of 2019, (2020) (accessible at: http://kenyalaw.org/caselaw/cases/view/189189/). Back
    3. High Court of South Africa in Pretoria, Case No. 25978/2017, (2019) (accessible at: http://www.saflii.org/za/cases/ZAGPPHC/2019/384.html). Back
    4. Forbes, ‘California Begins Enforcing Broad Data Privacy Law – Here’s What You Should Know’ (2020) (accessible at: https://www.forbes.com/sites/siladityaray/2020/07/01/california-begins-enforcing-broad-data-privacy-law—heres-what-you-should-know/?sh=1279e683de5c). Back
    5. The Guardian, ‘California’s groundbreaking privacy law takes effect in January. What does it do?’ (2019) (accessible at: https://www.theguardian.com/us-news/2019/dec/30/california-consumer-privacy-act-what-does-it-do). Back
    6. Article 19, ‘Freedom of Expression and ICTs’ (2018) (accessible at: https://www.article19.org/wp-content/uploads/2018/02/FoE-and-ICTs.pdf). Back
    7. United Nationals Special Rapporteur on the Right to Freedom of Opinion and Expression, Frank La Rue, (2011) para 25 (accessible at: https://www2.ohchr.org/english/bodies/hrcouncil/docs/17session/A.HRC.17.27_en.pdf). Back
    8. Id at para. 71. Back
    9. United Nations Special Rapporteur on the Right to Freedom of Opinion and Expression, (2018) para 13 (accessible at: https://freedex.org/wp-content/blogs.dir/2015/files/2018/05/G1809672.pdf.) Back
    10. ALT Advisory Africa, ‘Zimbabwe gazettes Cyber Security and Data Protection Bill’ (2020) (accessible at: https://altadvisory.africa/2020/05/20/zimbabwe-gazettes-cyber-security-and-data-protection-bill/). Back
    11. Paradigm Initiative, ‘On Zimbabwe’s Approval of a Cybercrime and Cybersecurity Bill’ (2019) (accessible at: https://paradigmhq.org/zimbabwe-cybercrime-bill/). Back
    12. MISA-Zimbabwe, ‘Commentary on Cybersecurity and Data Protection Bill HB 18 of 2019’ (2019) (accessible at: https://zimbabwe.misa.org/wp-content/uploads/sites/13/2020/06/Commentary-on-Zimbabwe-Cybersecurity-and-Data-Protection-Bill-2019.pdf). Back
    13. Pew Research Center, ‘Online harassment 2017, (2017), (accessible at: https://www.pewresearch.org/internet/2017/07/11/online-harassment-2017/). Back
    14. Id. Back
    15. For example, although legislation in both Malawi and Uganda includes anti-pornography and anti-obscenity provisions, neither cater specifically to NCII situations, often leaving victims with little recourse.  For more see Chisala-Tempelhoff and Kirya, ‘Gender, law and revenge porn in Sub-Saharan Africa: a review of Malawi and Uganda’ (2016) (accessible at: https://www.nature.com/articles/palcomms201669). Back
    16. South Africa Film and Publications Board Amendment Act, 2019 (accessible at: https://static.pmg.org.za/Films_and_Publications_Act.pdf). Back
    17. Ibid at section 24(E). Back
    18. See Case number A3032-2016 in the High Court of South Africa for reference (2017) (accessible at: http://www.saflii.org/za/cases/ZAGPJHC/2017/297.html). Back
    19. News24, Oberholzer, ‘What to do if you’re a victim of revenge porn & image-based abuse,’ (2020) (accessible at: https://www.sowetanlive.co.za/s-mag/2020-06-29-what-to-do-if-youre-a-victim-of-revenge-porn-image-based-abuse/). Back
    20. GenderIT, ‘”Revenge Porn”: 5 important reasons why we should not call it by that name’ (2019) (accessible at: https://www.genderit.org/articles/5-important-reasons-why-we-should-not-call-it-revenge-porn). Back
    21. Id. Back
    22. Association for Progressive Communications, ‘Online gender-based violence: A submission from the Association for Progressive Communications to the United Nations Special Rapporteur on violence against women, its causes and consequences’ (2017) at p.21 (accessible at: https://www.apc.org/sites/default/files/APCSubmission_UNSR_VAW_GBV_0_0.pdf)). Back
    23. South Africa Law Reform Commission, ‘Report on Stalking,’ (2006) (accessible at: https://www.justice.gov.za/salrc/reports/r_pr130_stalking.pdf). Back
    24. Id at p 182. Back
    25. Id at p 183. Back
    26. High Court of South Africa in Johannesburg, Case No 23897/17, (2017) (accessible at: http://www.saflii.org/za/cases/ZAGPJHC/2017/179.html). Back
    27. Ibid at para. 29. Back
    28. News24, above at no. 35.  For more on online harassment see pp. 38-44 of Module 4 of Media Defence’s Advanced Modules on Digital Rights and Freedom of Expression Online accessible at: https://www.mediadefence.org/ereader/publications/advanced-modules-on-digital-rights-and-freedom-of-expression-online/module-4-privacy-and-security-online/). Back
    29. UNICEF, ‘Cyberbullying: What is it and how to stop it’ (accessible at: https://www.unicef.org/end-violence/how-to-stop-cyberbullying). Back
    30. UNICEF, ‘UNICEF poll: More than a third of young people in 30 countries report being a victim of online bullying’ (2019) (accessible at: https://www.unicef.org/press-releases/unicef-poll-more-third-young-people-30-countries-report-being-victim-online-bullying). Back
    31. Daily Maverick, ‘Anonymously threatened with gang rape and murder, SA teenager takes Facebook Inc to court to disclose perpetrator’ (2020) (accessible at: https://www.dailymaverick.co.za/article/2020-07-24-anonymously-threatened-with-gang-rape-and-murder-sa-teenager-takes-facebook-inc-to-court-to-disclose-perpetrator/). Back
    32. Council of Europe, ‘The State of Cybercrime Legislation in Africa – an Overview’ at p. 2 (2015) (accessible at: https://rm.coe.int/16806b8a79). Back
    33. Council of Europe, ‘The global state of cybercrime legislation 2013 – 2020: A cursory overview,’ at page 5 (2020) (accessible at: https://rm.coe.int/3148-1-3-4-cyberleg-global-state-feb2020-v1-public/16809cf9a9). Back
    34. Council of Europe, ‘Chart of signatures and ratifications of Treaty 185’ (2020) (accessible at: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures). Back
    35. Council of Europe, ‘The State of Cybercrime Legislation in Africa – an Overview’ at p. 2 (2015) (accessible at: https://rm.coe.int/16806b8a79) at p.8 Back