We share the unease of Dr Andrew Wheatley, who shadows the information technology sector for the Opposition, over the protection accorded under the new cybercrimes bill to private or proprietary information which may be held on devices seized by law-enforcement officials as part of an investigation. That protection, on the face of it, is neither sufficient nor explicit.
Under Section 17 of the bill passed in the House last week, if the police believe that data stored on a computer or any storage medium can help in their investigation of a criminal offence, then they can take control of the device or require that the information not be deleted for up to 60 days.
Put another way, law-enforcement officials will have legal authority to interrogate that seized device with the likelihood of gaining access to data other than that which is the subject of their investigation. With that, we have no problem when it is part of the pursuit of justice, which, of course, is a two-way street. And this is where we stand with Dr Wheatley.
He has raised the issue of protocol for the treatment of data which are of no concern to an investigation, to which investigators are now privy and which may be "of considerable value to the owner, or is deemed confidential". Dr Wheatley also questioned, rightfully, to our mind, how the "keys" or other codes that may be required to provide access to the data will be managed.
This is not merely the Opposition having a bit of a whinge over a hypothetical issue. Real issues are at stake. In today's technological world, individuals and firms often store their most private and confidential, sometimes deeply personal information, on electronic retrieval systems. In some instances, that information may be of economic value and, therefore, demands a different arch of protection beyond cover, for say, against embarrassment.
Yet, as Dr Wheatley complained, "there are no adequate or acceptable details in the legislation regarding the treatment and handling" of this kind of data. We will, perhaps, be advised that there is other legislation that adequately protects people's privacy and economic interests, to which individuals and firms can have recourse. Further, Dr Wheatley's concerns may find cover in the provisions of the Evidence Act.
NOT GOOD ENOUGH
These, we hold, are not good enough. Protection against the misuse and/or exploitation of private information, obtained from electronic devices seized during the investigation of a crime, should be explicitly declared in the same law that gives the law-enforcement officials the power to confiscate that device in the first place.
Such an approach would not be unique to the Cybercrimes Act. Under the banking laws, for instance, people who obtain private information in the course of their jobs, and reveal that information to unauthorised persons, are guilty of an offence for which they may be fined or jailed - or both. Indeed, people have been prosecuted or convicted for such offences.
Similar provisions exist for employees of the commissions that police the integrity of legislators and other public-sector workers. They have specific framework for treatment of the asset and liability statements that come into their possession, and there are penalties if they breach the rules. They can't be more deserving of protection than other individuals.
Dr Wheatley's concerns should be addressed when the bill reaches the Senate.