2012 Lex Informatica Cyber Law Conference

November 1st, 2012

By Nomfundo Manyathi

Pretoria law firm Snail Attorneys at Law held its annual Lex Informatica Cyber Law Conference in Johannesburg in October.

Some of the topics discussed at the event were cloud forensics, cyber crime regulation, computer forensics, domain names and online defamation.

Speakers included dean of law at Brazil’s Paraiba State University, Professor Claudio de Lucena Neto; Unisa Professor of intellectual property and information technology law, Tana Pistorius; Professor Murdoch Watney of the University of Johannesburg’s criminal law and procedure department and Professor Sanette Nel from Unisa’s department of criminal and procedural law.

Domain name disputes

Speaking on domain name disputes, attorney Sizwe Snail explained that a domain name is a unique address that can be used on the internet, which is visible after the ‘www.’ in web browsers. He said that domain names could be used to exploit one’s trading name or trade mark and noted that in South Africa businesses usually registered both the .com and .co.za domains in order to operate effectively in both the South African and international business spheres and to prevent others from claiming first rights to that particular name.

Mr Snail said that the Commission for Conciliation, Mediation and Arbitration equivalent for domain name disputes in South Africa is Domain Disputes, which can be found at www.domaindisputes.co.za and which deals with disputes via alternative dispute resolution (ADR).

Mr Snail explained the legal process, the grounds for filing a complaint, the factors that indicate whether a registered domain name is abusive or offensive and the relevant defences.

Mr Snail said that in 2006 regulations in terms of s 69 read with s 94 of the Electronic Communications and Transactions Act 25 of 2002 (ECT Act) were drafted in terms of which the concepts of abusive and offensive registrations were defined in respect of the dispute resolution process.

To institute a domain name dispute, Mr Snail said that one should have access to the Domain Disputes website, which provides a ‘one-stop shop’ where one can lodge a dispute, have it adjudicated and, once adjudicated, have the decision published on the website and enforced by the .za Domain Name Authority. He added that (at the time of going to print) the price of instituting such a dispute is a non-refundable R 10 000 in the case of a single adjudicator and R 24 000 in the case of three adjudicators.

Mr Snail also elaborated on the ADR process and the grounds for filing a dispute.

He said that domain names usually operated on a ‘first-come-first-serve’ principle, with regard to the first-time registration of a domain name, unless a person can show that he has prior rights to the domain name or can rely on the common law passing-off remedy or remedies in terms of the Trade Marks Act 194 of 1993.

Mr Snail said that the ADR regulations make provision for a domain name complaint to be instituted where the registration of a domain name –

  • takes unfair advantage of the rights of a trade mark owner;
  • is contrary to law;
  • gives offence to any class of persons; or
  • amounts to hate speech, racism or could be considered contrary to public policy.

Mr Snail provided an example of unfair advantage by citing a case involving football association FIFA prior to the 2010 FIFA World Cup soccer tournament in South Africa. In the case Fédération Internationale de Football Association v X Yin (ZA2007-0007, 14-11-2007), FIFA had a website, ‘fifa.com’, but had not registered ‘fifa.co.za’. However, another registrant had registered the latter in his name.

Mr Snail said that FIFA won the case because the website that the other registrant had registered was identical to the trade mark FIFA had registered. He said that the burden of proof shifted to the registrant as he had to show that the domain name was not an abusive registration. Mr Snail said that the adjudicator accepted an expert’s findings in the similar case of Chivas Brothers Ltd v David William Plenderleith (DRS 00658, 16-12-2002), which involved ‘chivasbrothers.co.uk’.

Mr Snail said that the court took into account that FIFA was the worldwide governing body of soccer and organised and managed the international soccer tournament officially called FIFA, and that it was the registered holder of numerous registered trade marks consisting of, or incorporating, the word FIFA in South Africa and internationally.

In respect of abusive registrations, Mr Snail said that these involved the registration of a domain name in a manner that took unfair advantage of, or was unfairly detrimental to, the complainant’s rights.

Mr Snail added that factors indicating that a registration is not abusive include where the registrant has used or made demonstrable preparation to use the domain name in connection with a good faith offering of goods and/or services and where the registrant has been commonly known by the name or connected with a mark that is identical or similar to that of the domain name. Another defence would be where the registrant has made legitimate non-commercial or fair use of the domain name.

Mr Snail said that an arbitrator –

  • can refuse a dispute if it has no merits;
  • may transfer the domain name; or
  • may make a settlement agreement a ruling.

He added that offensive registrations relate to the registration of a domain name that is contrary to law.

Mr Snail concluded by saying that either of the parties could refer a dispute to the High Court at any time for determination, appeal or review.

Cloud forensics

Michael Kohn, manager at professional services firm Deloitte, spoke about cloud forensics, which consists of cloud computing and digital forensics. He said that cloud computing in South Africa was limited and that growth and development were needed.

Mr Kohn said that cloud computing entailed the use of computing resources, both hardware and software as well as ‘everything in-between’, that are delivered over a network, typically the internet. Examples include social networking platforms, such as Twitter and Facebook, as well as e-mail service provider Gmail.

Mr Kohn defined ‘digital forensics’ as ‘a specific, predefined and accepted process applied to digitally stored data or digital media using scientifically proven and derived methods based on a solid legal foundation to produce after-the-fact digital evidence. The goal is to determine the set of events or actions indicating a possible root cause, where reconstruction can be used to validate the scientifically derived conclusions,’ he said.

Mr Kohn advised that before using a cloud computing service, its security measure requirements should be ascertained. In this regard, he said that one must ask how and where the data is stored and who else will have access to it.

Cyber crime regulation

Professor Watney spoke on the evaluation of cyber crime regulation in South Africa. In doing so, she looked at what is understood by cyber crime and the difference between cyberspace and the internet, which she said were often incorrectly used as synonyms.

Professor Watney said that the internet was commercialised and developed in the United States, which was the driving force behind the laws regarding the internet. However, she said that there would be a ‘huge shift’ in how cyber law will be regulated in the future.

Professor Watney said that information and communication technology (ICT) in South Africa was growing. With an almost 20% internet penetration of the South African population, she said that a majority of people accessed the internet via their mobile phones, adding that many of them did not have computers, which was something banks and shops with online services needed to keep in mind.

Professor Watney said that while the growth of internet penetration was positive, the downside was cyber crime. She said that while the first measure should be prevention, businesses and the government were finding that, in many instances, it was impossible to prevent cyber crime and one should have security measures in place to detect it as soon as possible. Professor Watney added that a country needed laws that allow for the investigation and prosecution of cyber crime.

‘Cyber crime has evolved into an economy of its own and runs parallel to the mainstream economy. It is worth billions; it is a shadow industry and it is the sophisticated criminals that are involved in these types of crimes. This makes it very difficult when it comes to investigation,’ she said.

Professor Watney warned that cyber crime affects the South African economy: ‘If our economy is stable, then these socio-economic crimes will also decrease,’ she said. Professor Watney added that it was important that South Africa did not fall behind when it came to cyber crime regulation. She also noted that there was no uniform definition for ‘cyber crime’, which was problematic.

‘When the Electronic Communications and Transactions Act was enacted, there was no definition of “cyber crime”. I define “cyber crime” as “any unlawful conduct involving a computer, computer system or computer network, irrespective of whether it is the object of a crime (denial of service attack) or whether it is the instrument of a crime (ie, child pornography) or is incidental to the crime committed (such as money laundering in drug trafficking) where you keep record of all the transactions”,’ said Professor Watney.

She also noted that the physical and electronic mediums were starting to overlap and it was not easy to draw a strong distinction between the two. To illustrate this, she referred to the case of convicted rapist and murderer Thabo Bester, who made use of Facebook to lure young women, whom he would then rape, murder and/or rob. She said that his crimes were physical and not cyber crimes.

Professor Watney said that the National Cyber Security Policy Framework for South Africa, which was approved by cabinet in March, noted that a clear distinction must be made between cyberspace and the internet. She added that cyberspace was the place where communication took place but to be able to have communication, one needed the internet, and the internet must be present within the borders of a country.

Professor Watney said that South Africa had jurisdiction over an incident that happened within the internet and cyberspace borders of the country. ‘When an incident happens outside of South African borders, then it becomes a problem and that is when transnational and international laws come into play,’ she added.

Professor Watney said that crimes committed in an electronic or cyber medium usually related to theft or fraud. She also said it was possible to institute a claim based on defamation where a derogatory comment was made on Facebook, for example.

Professor Watney said that the ECT Act was the first piece of legislation implemented in the country that dealt exclusively with the electronic medium. However, she noted that there had been some criticism in respect of the Act:

‘One of the biggest criticisms is that the sentencing penalty is too lenient. For example, if a person is convicted for unauthorised access, which is a huge problem, he is either fined or given 12 months’ imprisonment.’

Professor Watney added that South Africa would soon have to implement legislation providing for identity theft. She also discussed other legislation related to cyberspace, including:

  • The Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002.
  • The Criminal Law (Sexual Offences and Related Matters) Amendment Act 32 of 2007.
  • The Protection from Harassment Act 17 of 2011, which covers instances of stalking on networking sites.

Professor Watney concluded by recommending the establishment of a special police unit to deal with cyber crime, adding that there was a need for legislation compelling all victims of cyber crime to disclose that they have been victims, as sometimes big businesses did not disclose this for fear of losing business and customer confidence.

Computer forensics

Jaco Swanepoel from computer forensics laboratory Cyanre spoke on the topic of computer forensics, which he said involved the analysis and collation of computer data in a manner that could be presented and used in court. He said that the type of cases his company commonly dealt with related to fraud, e-mail misuse and recovery of deleted data.

Mr Swanepoel said that often his company was asked to investigate what someone (for example a staff member) had downloaded, how often they had downloaded it, as well as what they were searching for on the internet. That way, he said, companies are sometimes able to monitor how an employee spends his time at work.

E-commerce

Professor Pistorius spoke about the external and internal alignment of South African e-commerce law.

She said that legislative alignment was necessary for legal certainty and the protection of individuals.

Professor Pistorius said that she expected South Africa would face a number of challenges in the near future in respect of internal law. She elaborated on the following two ‘pivotal principles’ in aligning e-commerce laws –

  • functional equivalence, which involves the translation of requirements from the print format to an electronic environment; and
  • technology neutrality, which specifies that a technology medium must be flexible in order to accommodate future technologies.

She added that the Companies Act 71 of 2008 has ‘complete alignment’ with the ECT Act in terms of the meaning of ‘electronic communication’, whereas the Consumer Protection Act 68 of 2008 contains a different definition.

The Brazilian experience

Professor de Lucena Neto spoke on the new principles of civil procedure in Brazil. He said that e-courts in the country run ‘24/7’ as they were electronic courts and anyone with internet access can access courts ‘anywhere and at any time’.

‘In Brazil lawsuits happen online and on the internet. It is not only the exchange of documents that happens online; the whole lawsuit happens online … . The sentencing is also fulfilled via electronic means if it can be done,’ he said.

Online defamation

Professor Sanette Nel from Unisa spoke on online defamation and liability based on either the single or the multiple publication rule. She said that the single publication rule did not allow multiple defamation suits to arise from a single defamatory statement that is published multiple times, while the multiple publication rule states that each publication of defamatory material gives rise to a separate cause of action.

In particular, she questioned whether in ‘today’s world of the internet’, it is possible to sue a publication more than once for the same article if it appeared in both the print and online versions and, if it is possible to sue more than once, how many times it is possible to do so.

POPI v FICA

Associate professor of law at the University of Cape Town and information technology law consultant David Taylor spoke on the topic ‘The Protection of Personal Information Bill (B9 of 2009) (POPI) versus the Financial Intelligence Centre Act 38 of 2001 (FICA): The practice of privacy and anti-money laundering for global companies and their South African subsidiaries’.

He said that secrecy laws should not prohibit the sharing of information by financial institutions, adding that anti-money laundering measures require certain disclosures of customer information, data and documents.

Professor Taylor posed the question as to whether a strict adherence to anti-money laundering measures violates customers’ rights to non-disclosure of information, data and documents. He elaborated on this by saying that, while the preamble to POPI states that it recognises the right to privacy in s 14 of the Constitution, this right includes the right to protection against the unlawful collection, retention, dissemination and use of personal information and that the state must respect, protect, promote and fulfil the rights in the Bill of Rights.

Professor Taylor said that s 4 of POPI contained exclusions in respect of the processing of personal information. These include personal information –

  • in the course of a purely personal or household activity;
  • that has been de-identified to the extent that it cannot be re-identified again;
  • by or on behalf of the state;
  • which involves national security, defence or public safety; or
  • the purpose of which is the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information.

Further, he said that FICA provides that in the event of any conflict relating to the matters dealt with in the Act and the provisions of any other law existing at its commencement, save for the Constitution, the provisions of it shall prevail. However, Professor Taylor noted that POPI did not exist at the time of FICA’s commencement.

IT security management systems

Conrade Pasiya from consulting company Conipas International Management Solutions spoke about information security management systems.

He said that malfunctioning information technology (IT) products and components and the breakdown of security systems or serious cyber attacks may have a considerable negative impact on businesses. He added that cyberspace availability and integrity, authenticity and confidentiality of data had become vital.

Mr Pasiya said that cyber security had turned into a ‘central challenge for the government, businesses and the public at national and international level’.

He noted that ensuring cyber security, enforcing rights and protecting critical information infrastructures required major efforts by the state both at national level and in cooperation with international partners. He added that due to IT systems being interconnected in global networks, incidents in other countries’ information infrastructures may also indirectly affect individual countries and, for this reason, strengthening cyber security also requires the enforcement of international rules of conduct, standards and norms. Mr Pasiya said that cyber security could be improved by enhancing the framework conditions for drawing up common minimum standards (a code of conduct) with allies and partners.

Nomfundo Manyathi, nomfundo@derebus.org.za

This article was first published in De Rebus in 2012 (Nov) DR 17.
