To some extent, the online space will always be the Wild Wild West. Many efforts have been taken to try and tame it over the years and Zimbabwe is no exception with its Cyber and Data Protection Act.
Many of us were not that interested in that bit of law. I understand it, nobody peruses Acts for fun. After all, many assumed it was about cyber terrorists and the like. However, this new Act has provisions that affect everyday people like you and me.
Not knowing these provisions is a risk we really should not be taking. Especially given that you could find yourself in prison for 10 years for some of the offences.
The best way to wrap your head around it is to stop thinking about organisations and focusing on individuals. People have rights to their data and bypassing the passwords on their phones for example would constitute a crime. More on that later.
The Postal and Regulatory Authority of Zimbabwe (Potraz) is on an awareness campaign. Unpacking the Act for all to understand. We attended one of the sessions they held and they helped break some stuff down.
Here are some of the offences and penalties you should be aware of.
You may think this doesn’t apply to you but you might be surprised. Remove the image of a nerdy American teenager in a basement writing complicated code to breach a bank’s systems. No, hacking goes far beyond that narrow definition.
In the Act, one is said to have hacked if they know or suspect that they must obtain prior authority to access some data, computer data storage medium etc. but intentionally and without such authority, secures access to such data, programme, medium or system.
Some may also be familiar with this definition of hacking, “the act of gaining unauthorised access to data in a system or computer.” It’s really that simple.
So, if you manipulate a human (human hacking) and get access to information that you have no authority to access, you are a hacker. You may not know the first thing about coding but you would still be a hacker.
Do note that the Act says that merely viewing the data counts as hacking. You don’t need to make use of it or copy it for it to be considered hacking.
Hacking attracts a fine of up to level 14 (US$5,000) or 10 years imprisonment or both such fine and imprisonment.
Unlawful acquisition of data
This can look like hacking at times. The Act says acquisition includes using, examining, capturing, copying, moving to a different location or diverting data to a destination other than its intended location.
It can be committed in either or more of the following:
Intercepting private transmission of data or information. The Act says this interception can be by technical means or otherwise. Meaning I have to stop my habit of snooping on people’s WhatsApp conversations. That is intercepting private transmission apparently.
Circumventing or bypassing protective security measures such as passwords. Oh, you’re shaking now. How many of you have ‘gotten’ access to your spouses/boyfriends/girlfriends’ WhatsApp accounts without their knowledge? All while those said WhatsApp accounts are password protected.
Unlawfully possessing data which one knows was acquired unlawfully. Let’s say XYZ bank was hacked and account information was circulating on social media, you would be found guilty if you were found in possession of that data.
Still sounds out there? How about one that Zimbos love – leaked adult tapes. Apart from the illegality of holding that nature of data, you would also be guilty of possessing data that you know was unlawfully acquired.
Unlawful acquisition of data carries a fine of up to level 14 (US$5000) or imprisonment for a period of up to 5 years or both such fine and imprisonment.
Unlawful interference with data or data storage medium
It can be committed in either one or more of the following:
Deleting, altering, obstructing or rendering meaningless computer data. So, you have to stop the “I’m keeping this from you for your own good” kind of speech. You cannot obstruct someone’s lawful use of data. Let alone completely deleting it.
Denying or blocking access to computer data. Potraz gave an example of changing the password on someone’s phone or deleting files from it. Do note that this applies even to your spouse’s phone.
Unlawful interference with data carries a fine of up to level 14 (US$5000) or imprisonment for a period of up to 5 years or both such fine and imprisonment.
Unlawful disclosure of data
It can be committed in either one or more of the following:
Giving or granting unauthorised persons rights of access to a computer and/or the information in it. The Act actually says that just communicating the information is an offence. You don’t have to dish out access codes for it to be considered an offence.
What about whistleblowers? The above would make it illegal to snitch on any organisation. Well, the regulations on whistleblowing are still being worked on and there will be some exceptions in specific circumstances when one is exposing illegal activity etc.
What does this mean for sources that tell journalists privileged stuff about their organisations that’s not necessarily illegal? Will journalists be forced to reveal their inside sources? What about the protection of sources as provided by a different law? I’m no lawyer, but you get the gist.
Unlawful disclosure of data carries a fine of up to level 12 or imprisonment for a period of up to 10 years or both such fine and imprisonment.
Transmission of false data intended to cause harm
Sending or posting any false information, either on social media or in a private message with intent to harm another person is an offence.
Potraz gave an example of fabricating or sharing a story without verifying if it is true. You don’t have to be the one who fabricated it, if you share it and it turns out to be false, you are guilty.
So, for those that love celebrity gossip, you might want to be careful going forward.
Transmission of false data intended to cause harm carries a fine of up to level 10 or imprisonment for a period of up to 5 years or both such fine and imprisonment.
Transmission of intimate images without consent
The Act prohibits the collection, transfer, sharing, and or broadcasting of intimate images and/or videos without the consent of the person concerned.
This extends to the leaked adult tapes that pop up every now and then. Some of you shared the Stunner tapes or the Pokello ones or recently the Levels ones. You could easily do 5 years for that.
Potraz says this empowers citizens to have control over the processing of their personal information. Which is in line with the fundamental rights to human dignity and the right to privacy as enshrined in the Constitution of Zimbabwe.
Transmission of intimate images without consent carries a fine of up to level 10 or imprisonment for a period of up to 5 years or both such fine and imprisonment.
Recording of genitalia and buttocks beneath clothing without consent
The Act got super specific with this one.
Any person who unlawfully and intentionally records an image or video beneath the clothing of another person which depicts this person’s genitalia or buttocks, whether covered by underwear or not, without the consent of the depicted person or with recklessness as to the lack of consent of the person concerned, shall be guilty.
Recording of genitalia and buttocks beneath clothing without consent carries a fine of up to level 10 or imprisonment for a period of up to 5 years or both such fine and imprisonment.
Transmitting data inciting violence or damage to property – Fine of up to level 12 or up to 10 years in prison or both.
Sending threatening data messages – I know a few people who are going to struggle with this. They are quick to threaten violence whenever they feel slighted. It attracts a fine of up to level 10 or up to 5 years in prison or both.
Cyber-bullying – Sending or posting any information, either on social media or in a private message with the intent to coerce, intimidate, harass, threaten, cause substantial emotional distress, humiliate or demean is an offence. It attracts a fine of up to level 10 or up to 10 years in prison or both.
Spam – Transmitting multiple electronic messages with the intent to deceive the recipients as to the origins of such messages. It attracts a fine of up to level 5 or up to 1 year in prison or both.
Child sexual abuse material – Producing, offering, distributing, or possessing any images or videos representing a child engaged in real or simulated sexual activity shall be guilty. It attracts a fine of up to level 10 or up to 5 years in prison or both.
Exposing a child to pornography – Making this dirty material available to children attracts a fine of up to level 14 or up to 5 years in prison or both.
Now you know
The law doesn’t recognise ignorance as an excuse. So, we should all make sure we don’t cross any lines. There might be some leniency until awareness campaigns have been held across the country but don’t risk it. Just be mindful of the provisions of the Cyber and Data Protection Act.