The Law Reform Commission of Mauritius recently published a paper that addresses changes related to cyber laws. I am no expert in legal matters but I am a professional in the IT industry. Cyber laws have a direct impact on my work. Why? Well, simply because I use tools that have to simulate an attack or even cause an outage in my own network. Unless I understand the stress limit of my network, I cannot make recommendations to improve the infrastructure.
The paper can be downloaded from the Law Reform Commission website.
Let us see what the Law Reform Commission says...
The document states that the Law Reform Commission consists of the Director of Public Prosecutions, a parliamentary counsel, a master & registrar, a barrister, an attorney, a notary, a law academic (University of Mauritius) and two persons from the civil society.
I did not find any mention of people from the IT industry being consulted for the paper. There is one paragraph that talks about cyber crimes in Mauritius:
Mauritius has, for some years now, seen a rise in this type of crime. Indeed, for the year 2012 alone, no fewer than 87 cases of offences falling under the Information and Communication Technologies Act and 49 cases falling under the Computer Misuse and Cybercrime Act were recorded. The social network Facebook, of which many Mauritians are fond, gave rise to 53 cases of cybercrime offences.
There are mentions of cyber crimes without further details. I have tried in the past to find details about the types of IT security incidents in Mauritius to understand the reach of cyber criminals. Unfortunately, it is not easy to get one's hands on such data. You just have to believe what is being presented to you.
Okay. Let's see something interesting now. The paper proposes the following amendment to the law, called Section 369C:
369C Interference with data in a computer system
The fraudulent introduction of data into an automated data processing system or the fraudulent deletion or modification of the data that it contains is punished by imprisonment not exceeding five years and a fine not exceeding 200,000 rupees. When this offense has been committed against an automated processing system of personal data implemented by the State, the penalty is increased to imprisonment not exceeding seven years and a fine not exceeding 500,000 rupees.
The text says "fraudulent introduction of data into an automated data processing system"... Is an accidental insertion of a special character in a form considered fraudulent? If yes, jail me now; my fast typing habit gets single quotes inserted in the wrong places very often.
Section 369D says the following:
369D Import, possession, supply, sale or provision of a breach equipment to computer systems
A person who, without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer programme or information created or specially adapted to commit one or more of the offences prohibited by sections 369A to 369C, is punished by the penalties prescribed for the offence itself, or the one that carries the heaviest penalty.
Holy cow! That makes me a cyber criminal right now, right here. I use a large suite of software to test application security. The same tools could be used to do harm to vulnerable applications. I am thus in possession of software that can commit offences prohibited by sections 369A to 369C. Grrr! Where are we heading?
Section 369E says:
369E Participation in a group formed or association established with a view to committing computer fraud
Participating in a group or conspiracy established with a view to the preparation of one or more offences set out under sections 369A to 369D, and demonstrated by one or more material actions, is punished by the penalties prescribed for offence in preparation, or the one that carries the heaviest penalty.
The texts lack clarity and the laws are rigid. Earlier in the document it is specified "inspired by the provisions of the French Penal Code". Oh, please, do not copy & paste. When copied, it should be understood and adapted. The laws, the way they are proposed right now, are too rigid. A few days ago I heard lawyers commenting on PoCA 2002, saying the law is rigid and archaic. With the cyber laws as proposed in the paper, we might be heading towards another PoCA.