Much has been written and speculated about the new Cybercrime and Cybersecurity Bill due to be tabled in Parliament. While it may take some time to create the necessary infrastructure to give full effect to all the provisions of the Bill (e.g. the 24/7 Point of Contact Centre), a question which is rarely raised is: what will happen to a cybercriminal if he is actually caught? Although it will be extremely tempting to simply lock up the culprit and throw away the key, he will be entitled to the same Constitutional rights available to other arrested persons to dispute the allegations against him.
Given the intrinsically global nature of cybercrime and the ability of criminals to commit these offences across several jurisdictions (without the need to be present in the same geographical location), it is almost inevitable that an arrest will coincide with a bail application and possibly extradition proceedings. Careful consideration of the nature and seriousness of the complaint will be crucial: if the Suspect is arrested prematurely, it may result in him/her being granted bail, due to a lack of evidence at the time, and absconding. Conversely, if the arrest is delayed to gather more evidence, it becomes more likely that the Suspect will realise that he is a viable Suspect and go “underground” to escape detection and arrest. It is therefore imperative that Law Enforcement officials and Prosecutors know exactly what they are dealing with: is the offence an ongoing crime which requires further investigation, or does it present an imminent threat which requires immediate action?
Presently most cybercrime offences are prosecuted under Sections 86 to 88 of the ECT Act and, in the absence of certain qualifying criteria described in Schedule 5 of the Criminal Procedure Act (“the CPA”), such offences would usually resort under Schedule 1 of the CPA. Schedule 1 offences are considered “less serious” when it comes to bail application proceedings and the State will bear the onus to prove why an Accused should not be granted bail under these circumstances.
The Bill is broader in defining the different types of cybercrime and makes provision for many of the listed crimes to be categorised as Schedule 5 offences. An Accused person charged with an offence listed under Schedule 5 carries the burden to satisfy a bail court by means of evidence under oath (viva voce or by means of an affidavit) that his/her release on bail will be in the interest of justice. Needless to say, the Bill will bring about welcome and drastic improvements to the current legislation available to prosecute cyber criminals.
In the likely event that the Accused committed his offence(s) in more than one country, extradition proceedings may come into play. Even if an Accused is arrested on the strength of an arrest warrant issued for purposes of extraditing him to stand trial in another country, he will still be entitled to dispute the extradition order and may even be granted bail while doing so. An interesting case on this point is Patel v NDPP (838/2015) ZASCA 191 (01 December 2016). In brief, Mr. Patel was arrested in South Africa during 2011 pursuant to a request for extradition from the United States of America after a warrant of arrest was issued for him. Mr. Patel fought his extradition all the way to the Supreme Court of Appeal (SCA) where his appeal was eventually dismissed in 2016. Although the facts and technical arguments raised by Mr. Patel’s legal team are an interesting read, the REAL interesting part is that when Mr. Patel’s appeal was eventually dismissed in the SCA, he had already been out on bail for several years. Although I stand to be corrected, I doubt that Mr. Patel merely shrugged his shoulders and reported to the authorities to catch the next flight to the US when he heard that the Supreme Court of Appeal ruled against him. This is not an isolated case and there are several examples of accused persons being granted bail and delaying extradition proceedings to frustrate the authorities. Therefore, the State will need to ensure that its house is in order already at the very inception of this matter, especially if one considers the intelligence of and resources at the disposal of “hackers”.
Another important consideration is that even if someone is arrested on the strength of a warrant issued by another country, South African authorities will still be entitled to prosecute the same offender in South Africa if his conduct also constituted an offence here. An accused may therefore find himself in the difficult position of fighting off his extradition while, at the same time, facing further charges under South African legislation.
Software giant Microsoft is reportedly in the process of setting up data centres in Johannesburg and Cape Town that will host the data (cloud services) of numerous companies, including some prominent financial institutions. It is difficult to imagine that cyber criminals will be able to resist the temptation of going after the information being stored in these centres. Although merging public and private resources can be a potential minefield, it would make sense, from a cybercrime perspective, for the State and private sector to follow a collaborative approach (at least initially) to prevent and pursue cyber criminals. Most first-year law students will be able to explain the importance of stare decisis (“doctrine of principle”) when it comes to arguing cases in court, which provides all the more reason why it will be crucial for the first few cases to be properly prosecuted under the new Bill.