Thursday, April 11, 2024

The Cyber Security Bill is a threat to freedom of expression online [Article 19] (Tabled on 25/3 and passed by Senate on 3/4) - Most dangerous when Bills (kept secret before tabling) are passed so fast?

DANGER - The Malaysian Cyber Security Bill has been speedily tabled (25th) and passed (27th) by Dewan Rakyat. There was NO TIME for people to study the Bill and give their comments. No time for the people to be consulted by their MPs, so that the MPs can reflect the voice/position of their constituents, the people they represent in Parliament. Then on 3/4/2024, the Senate passed it.

The Dewan Negara on Wednesday (April 3) passed the Cyber Security Bill 2024. - Star, 3/4/2024

TRANSPARENCY - The government really should make BILLS to create new laws, and to amend existing laws, available in advance, so people can also study them and give their feedback. LISTEN to the people - give us our right to tender our opinions.

Prime Minister Anwar Ibrahim's and the Pakatan Harapan's credibility and trust are declining as this government continues to use draconian provisions and/or laws that ought to have been REPEALED long ago. See Akmal or anyone should not be investigated under draconian Sedition Act or Section 233 of the Communications and Multimedia Act (MADPET)

Quickly glancing through the Bill, one provision that was 'funny' - after search you will only be left with necessary clothing....what about money, credit cards, passport, Identity card,... should it not be taking of just things related or connected to the crime?

'(4) An authorized officer making a search of a person under subsection (3) may seize or take possession of, and place in safe custody all things, other than the necessary clothing, found upon the person, and any other things, for which there is a reason to believe that they are the instruments or other evidence of the crime, and they may be detained until the discharge or acquittal of the person'

And we have to give our passwords, encryption to authorized officers... What about our privacy? 

(2) For the purposes of this section, an authorized officer shall be provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of the computerized data.

What happens if the Government or a State Department commits the CRIME? Why are they exempted?

2) Nothing in this Act shall render the Federal Government and State Governments liable to prosecution for any offence under this Act

7 of the 13 members of the National Cyber Security Committee are the Prime Minister and his Cabinet members, and this is not right as PM Anwar can dominate decision making, and that is DANGEROUS. There must be others who are NOT part of the Executive Branch in this Committee to prevent abuse - Parliamentary Representatives (Speaker of Dewan Rakyat, Speaker of the Senate and maybe the Opposition Leader) and Judiciary Representatives and more INDEPENDENT Members - Malaysians have lost trust in the Cabinet and/or PM as we still reel from the wrongs done by previous PM Najib Razak whilst in office.

They want to LICENSE all cyber security service providers. But do we trust Malaysian government approved service providers? What about the online 'cyber security service providers' that provide Apps and programs, sometimes for FREE, to help us protect the security of our computers, smartphones, servers, etc... ?

As I stated before, there was so little time to analyze this BILL - The Malaysian Bar and SUHAKAM have yet to consider and air their views... Once the King gives his assent, and the Minister puts it into force, it will be LAW... Anyway, Article 19 issued a statement (looks like not carried by Malaysian Press), which is below


Malaysia: The Cyber Security Bill is a threat to freedom of expression online

ARTICLE 19 is concerned about the threat that the Malaysian Cyber Security Bill 2024 presents to the right to freedom of expression online as well as to media and broadcast organisations in Malaysia. Any legislation on ‘cybercrime’ must fully comply with international human rights standards, in particular those on the right to freedom of expression and privacy.

On 3 April 2024, the upper house of the Parliament (Dewan Negara) unanimously passed the Cyber Security Bill 2024 after the third reading. On 27 March 2024, the Dewan Rakyat, the lower house of the Malaysian Parliament, passed the Bill after its second reading. The Bill was tabled for the first reading on 25 March 2024, in a surprise move to civil society. The speedy passing of such a problematic law reflects the Malaysian government’s poor commitment to upholding freedom of expression. Next, upon assent by the King (Yang di-Pertuan Agong), the law will take effect once it is published in the Government Gazette.

ARTICLE 19 is gravely concerned about the speedy passing of the Bill, as it will be a mechanism for government censorship of online expression. It will give the government unaccountable control of computer-related activities, as well as nearly unlimited search and seizure powers. Its criminal provisions do not require any actual intent to violate, effectively introducing many strict liability offences. As such, it is part of the alarming regional trend toward increasingly repressive cyber security regulations, which must be reversed.

Against the backdrop of existing censorship and an increasingly repressive environment for journalists, human rights defenders, and land rights defenders in Malaysia under the Communication and Multimedia Act 1998 (CMA), the broad language of the Bill will likely be abused to further restrict online freedom of expression and dissent in the country.

In our analysis, ARTICLE 19 points out the following issues:

  • The Bill will create a system for broad control of digital services in Malaysia. Although labelled as a ‘cybersecurity’ instrument, it fails to be narrowly tailored to address data breaches causing serious harm, and it does not resemble other computer-related legal instruments. The Bill deems “communications”, and hence the media, to qualify as “critical information infrastructure” that are potentially subject to disproportionate reporting and regulation under threat of criminal sanctions.
  • The broad scope of key terms under the Bill could capture journalistic activities and target whistleblowers. The Bill would conflate any disclosure of information in the public interest with the intentional infringement of security measures with dishonest intent. The framing of “cyber security” includes the phrase “unauthorized access” to a computer. A “cyber security incident” could therefore describe journalistic activities such as reporting on “unauthorized” leaked evidence of corruption provided by a whistleblower. It can even imperil cybersecurity researchers and professionals doing routine pen testing to actually improve network security. Such a concern is far from hypothetical; journalists in Malaysia have previously faced harassment for publishing evidence from whistleblowers in the public interest.
  • The Bill would require prior licensing of a wide range of expressive activities. Anyone providing “cyber security services” in Malaysia will require pre-approval under arbitrary standards subject to change or revocation at any time under threat of up to ten years imprisonment. The scope of “cyber security services” is vague and goes well beyond any common conception of the phrase. It would require licensing those who exercise their right to expression by publishing or distributing source code online in the public interest, engaging in academic research, or disseminating free digital security tools to journalists and human rights defenders.
  • The Bill will provide for search and seizure powers not subject to judicial or other independent review. The chief executive of the Committee may appoint anyone to be a so-called “authorized officer” with the same powers as police. These powers include the ability to execute searches and seizures of persons and places without any need for a warrant. While it might appear at first that the Bill requires such warrants, it provides a broad exception that an authorized officer can skip obtaining a warrant so long as they claim (without independent checks or other review) there is “reasonable cause” for not needing one. Further, the “Chief Executive” established under the Bill may issue production demands with no warrant requirement.

These broad powers are particularly concerning as Malaysia has seen an increasingly repressive climate in recent years. 444 cases had been opened under CMA Section 233 from 2020 through January 2023, including 38 prosecutions, 31 convictions, and several ongoing trials. ARTICLE 19 has previously warned that the CMA is often combined with other criminal laws to levy severe criminal sanctions as an intimidation tactic to chill freedom of expression. There has also been an alarming use of police powers against online expression, including against journalists, in recent years. These include:

ARTICLE 19 further questions the necessity of the Bill when nations are debating an international convention on cybercrime at the UN level, in a process Malaysia is actively participating in. While ARTICLE 19 and numerous human rights organizations have taken serious issue with the UN negotiations and current draft text of the proposed convention, we note that the Bill falls far short of even that standard.

ARTICLE 19 believes the Bill to be unnecessary and flawed in its current state. We urge the government to withdraw the Bill before the royal assent to address the shortcomings identified above to ensure the compatibility of any cybercrime legislation with international standards of freedom of expression. We also encourage the proposal to be tabled in anticipation of any outcomes of the ongoing UN cybercrime convention negotiations. We stand ready to provide further assistance in this process.

We repeat our urgent call for Malaysia to renew its commitment to human rights by signing and ratifying the International Covenant on Civil and Political Rights (ICCPR) as well as other major international human rights treaties, as well as to repeal or amend all laws restricting freedom of expression in Malaysia.

Source: Article 19 Website

The LEGAL ANALYSIS is an interesting read.

Some extracts are laid out below:-

Malaysia: Cyber Security Bill 2024
ARTICLE 19 – www.article19.org –
Page 15 of 21


Analysis of the Draft Cyber Security Bill 2024

Overall, ARTICLE 19 recommends withdrawing the Draft Bill in its current state. If it progresses for further approval, it must be brought in line with international human rights standards. Below we set forth fundamental concerns, although these should be understood as indicators of key problems with the Bill rather than as an endorsement of the Bill even if these issues are addressed.

Overbroad definitions of key terms, subject to change at will, or missing entirely

ARTICLE 19 observes that several key terms of the Draft Bill are incredibly broad, circular, or subject to revision at will. For instance, “cyber security incident” can include any “act or activity” that is done “on or through” a system without “lawful authority”. To qualify as such an incident, the activity must merely “jeopardize or adversely affect” the “cyber security” of a computer or computer system. The lay understanding of the term ‘cyber security’ might appear to encompass the infringement of technical security measures. Looking to the term “cyber security” leads to a similarly vague definition; it is simply described as a “state” in which a computer or system is “protected from any attack or unauthorized access” and the “confidentiality” of information is maintained.

At the outset we observe that the phrase “cyber security” is not defined under international law, and instruments such as the Budapest Convention do not contain this term. The closest analogue to the concept of ‘security’ may include criminal offences named under the Budapest Convention, such as illegal access in Article 2 of that instrument, which require the intentional access to the whole or any part of a computer system without right. Importantly, the latter framing has an intentionality requirement, whereas an “incident” under the Bill need not be the result of any ill intent.

Read literally, a “cyber security incident” could thus capture an instance where a whistleblower provides evidence of corruption or violations of law to a journalist. Such reporting on primary documents would be the result of “unauthorized” access that fails to preserve “confidentiality” of information. As set forth below, this whistleblower activity (and subsequent reporting) would trigger numerous affirmative obligations on part of providers as well as overreaching investigatory provisions that would interfere with journalistic activities. It can even imperil cybersecurity researchers and professionals doing routine pen testing to actually improve network security.

Other standards of the Draft Bill are open-ended, with numerous ‘definitions’ containing clauses allowing for re-definition as fit. Some examples include:

• The definition of “national critical information infrastructure entity” may be expanded at will under Articles 17 and 18;

• A “cyber security service” is defined as whatever the Minister “may prescribe” under Article 27(2);

• Article 28(a) provides that requirements for licenses are “as may determined by the Chief Executive”;

• Conditions for such under Article 31(1) are subject to “conditions as the Chief Executive thinks fit to impose”;

• An “authorized officer” may be “any public officer authorized under section 36”.

As currently drafted, the following are just a few (non-exhaustive) examples of terms appearing in the Bill which are either undefined, or so vague as to be nearly meaningless: “cyber security,” “cyber security service,” “cyber security provider,” “national critical information infrastructure entity,” “unauthorized access,” “lawful authority,” “reasonable cause,” or “moral turpitude.”

By nature, such an absence of legal definition fails the first test of legality under the three-part test of international law where those definitions may impact the exercise of freedom of expression or other rights online.

Recommendation:

• Strike any cross-references of definitions that allow for government modification of terms. Key terms that are relied upon in measures imposing criminal liability must be defined explicitly and with legal precision.

Requirement of prior licensing for wide range of legitimate activities in the public interest 

One of the primary aims of the Draft Bill is to create a “licensing” system as laid out in Part VI. Article 27(1) makes it a crime to “provide any cyber security service” or even hold oneself out to do so, without first obtaining a license. Doing so is subject to a fine of 500,000 ringgit or imprisonment of up to a staggering ten years.

As ARTICLE 19 outlined above, it is difficult to even ascertain the scope of this provision because the basic definition of “cyber security service” is overbroad. Further, Article 27(2) gives the Minister the blanket authority to “prescribe any cyber security service”, meaning the scope of the license is subject to change at will. In the context of media, mandatory licenses are never justified for simply exercising expression online.

At a minimum, we predict that the following actors or entities would fall under the broad scope of requiring licenses:
• Publishers of digital security tools, including developers of free and open source software (FOSS);
• Academic researchers conducting security testing;
• Internet intermediaries or social media platforms;
• Human rights activists or journalists sharing digital security tools.

The administrative burdens of such a license are completely subject to government discretion. For instance, Article 28(a) provides that requirements of a license are “determined by the Chief Executive”, and its period under Article 29(4) is “valid for a period as specific in the license”. Conditions of such a license, pursuant to Article 31(1), are contingent on whatever the Chief Executive “thinks fit to impose”, which can be varied or revoked at will. Violating any of these arbitrary conditions is a separate offence subject to two years imprisonment or a fine of 100,000 ringgit. A license also carries an obligation to produce nearly limitless information “as the Chief Executive may direct” pursuant to Article 32(2)(c). While Article 53 appears to provide a right of appeal, this appeal is made directly to the Minister rather than any independent external review.

ARTICLE 19 notes that requiring government pre-approval, under threat of criminal penalty, for activities such as publishing or the use of digital security tools is by nature a restriction on freedom of expression. 

As a result, the licensing scheme set forth by Part VI must be analysed under the three-part test of international law, and if it fails this test, it is incompatible with international standards. As set forth above, these articles routinely fail the test of legality, as a number of key terms and procedural requirements contain no definition at all, or are subject to change at will. Such a system provides no legal notice of the underlying conduct subject to restriction.

Further, imposing such a licensing restriction on broad sectors of society, for expressive activity, is neither a necessary nor a proportionate means to achieving any legitimate aim under international law. Therefore, the licensing system fails the three-part test. Outside the scope of the limitations on expressive activity, it is unclear why such a licensing system (and accompanying penalties) is necessary or appropriate to further cybersecurity in Malaysia.

The only time a licensing system might be appropriate or proportionate in the context of media is where there is a limited number of broadcast frequencies requiring some degree of administrative regulation due to scarcity. That, however, is not the case here nor what is contemplated.


Recommendation:
• Strike the licensing system of Part VI in its entirety.
 

Lack of independence or external oversight of the National Cyber Security Committee

The Draft Bill established, in Part II, a “National Cyber Security Committee” (Committee) that suffers from numerous fatal problems as a body with significant authority and procedural powers. Most importantly, the Committee lacks any independence at all. It is comprised primarily of government ministers, its most prominent member being the chair, the Prime Minister. The addition of other members is limited to two. The Chairman (Prime Minister) has significant procedural discretion under Article 7, and basic procedures are undefined and up to the Committee to determine. There are no term limits on the Committee, no external oversight or opportunity to challenge or review its composition or decisions, and no mechanisms to remove members who engage in misconduct. As such, the work of the Committee can be viewed as a direct extension of the Prime Minister.


Chief Executive may demand production without a warrant

This lack of independence is particularly problematic as the Committee and its Chief Executive possess significant police powers. For instance, Article 6(1)(g) contains a catch-all provision granting the Committee the power to “do such other things” that are “arising out of or consequential” to the Bill. The next provision, Article 6(2), provides for powers “necessary for, or in connection with, or reasonably incidental to” the performance of the Bill. This provides latitude for a wide range of measures, the limit of which is unclear. However, as other articles specifically provide for police powers with criminal penalties, the aforementioned broad provisions may be read as reasonably intending to accomplish the same.

The Committee maintains a “Chief Executive” who is granted a wide range of enumerated powers in Article 10, including the same language as appears in Article 6(2). Supplementing that broad provision are numerous sweeping investigatory and search powers. This includes the power to issue written notices under Article 14 to “any person” to demand the production of information, documents, or electronic media on a schedule “as specified” or otherwise determined by the Chief Executive. If the recipient of such a demand does not possess the demanded information, Article 14(2) requires them to assist by identifying who may have custody. Failure to comply may lead to up to three years imprisonment. These notices are not subject to any external review process and are entirely up to the discretion of the Chief Executive in substance and procedure.


Disproportionate burdens on nearly any entity in the private sector, including media

Part IV provides the Committee the power to designate any person or entity as belonging to “national critical information infrastructure”, a cumbersome concept that appears over 200 times in the Bill and grants nearly limitless control over any designee. This phrase (herein labelled NCII) is cross-referenced via a Schedule attached at the end of the Bill, and provides a number of “sectors” of society that are determined to be of heightened critical information. However, we observe that the list contains 11 items that seem to cover every aspect of society beyond what would commonly be understood to be critical for defence, energy, or disaster relief. These categories include everything from transportation to information and communication, healthcare, energy, agriculture, trade and industry, and technology. We note with grave concern the inclusion of “communication” which would appear to capture media.


Article 15(1) allows the Minister to appoint any “person” or government entity to be a NCII sector lead. Article 18(1) further grants the Chief Executive this authority with minimal requirements, and again, not subject to any independent oversight or review. A NCII sector lead may accordingly appoint a NCII entity, which then is held to an onerous number of requirements and obligations under strict criminal penalty for noncompliance. Some of those include, under Articles 20(1)-20(3):

• A duty to provide information “relating to” the NCII upon request;

• A duty to provide information on any new computers or computer systems obtained; and

• A duty to provide notice of any “material” changes to computers or computer systems of the NCII.

Importantly, a single violation of these provisions carries a steep criminal penalty of up to two years imprisonment and a fine of 100,000 ringgit, and no intent is required. NCII entities are also expected, pursuant to Articles 22-24, to conduct risk-assessments, cyber-security exercises, and provide active notification of any “cyber security incident”. Failure to comply also carries steep penalties, and in the case of failing to actively disclose a “cyber security incident” may be punished by up to ten years imprisonment without any intentionality.

ARTICLE 19 finds that the lack of clear definition or guidance makes the scope of these provisions unclear, but the explicit inclusion of the “communication” sector would suggest that media or broadcast organizations are contemplated to be subject to being designated as NCII entities. Upon such a designation, a media or broadcast organization would have active obligations to report on all computer-related activities and would be liable for the aforementioned violations. Similarly, social media companies are reasonably part of the sector, and may be expected to comply with unreasonable demands to surveil all digital activities that occur on their systems. The designation and subsequent demands would not be subject to external review or meaningful rights of appeal.

Recommendations:
• Any administrative bodies must be subject to basic procedural protections such as term limits, qualifications for admission or removal, and opportunities for independent oversight;

• Article 14 is especially incompatible with fundamental principles of proportionality, as any police powers must be subject to minimal due process protections;

• NCII entities must not be subject to criminal penalties, especially without any intentionality requirements;

• NCII entities in any regulatory framework must be limited to those strictly necessary, and not include sectors such as “communication” which may draw in media and broadcast organizations as well as social media platforms.


Significant police powers without independent review or oversight

Part VIII of the Draft Bill sets forth numerous law enforcement powers; we observe that these powers are not simply limited to police officers, but may be issued to any “authorized officer” on the determination of the Minister. In effect, any person who is not a police officer may be granted, under Article 38(2), “the powers of a police officer of whatever rank as provided for under the Criminal Procedure Code” for investigating any offence under the Bill.


Of important note is that while certain powers are granted, there is no mention of accompanying limitations or due process rights with respect to these officers. It is hence unclear whether this part effectively creates a new police designation that operates with the powers of police without the accountability. Neither are authorized officers required to undergo any training or possess any meaningful qualification.

Searches and seizures do not require warrants

The authorized officers are not required to adhere to warrant requirements in conducting searches. While Article 39 sets forth criteria to apply to a Magistrate for a warrant before conducting a search, Article 40 completely subsumes this by offering a blanket exception to any warrant requirement. A warrant is not required if “an authorized officer is satisfied” that “he has reasonable cause to believe” that obtaining a warrant would cause an investigation to be “adversely affected”. All an officer must do is claim there is “reasonable cause”, and they will subsequently have all powers as if a traditional warrant were obtained.

There is no mechanism to monitor or otherwise review the self-determination of the officer. Further, the standard of “reasonable cause” is the exact same standard that must be articulated to a judge in Article 39, meaning that an officer does not need to satisfy any heightened legal standard to skip the warrant requirement. This would appear to make the Article 39 procedure pointless, and means that for practical purposes warrants are not required under the Bill.

Officers may compel decryption

Article 46(2) allows any authorized officer to demand passwords, encryption or decryption codes, and software or hardware to access information. We note that under international standards, encryption facilitates the exercise of free expression and privacy, and restrictions on encryption and anonymity must meet the three-part test of limitations to the right to freedom of expression under international law. It is often the case that service providers do not even possess the technical capacity to decrypt end-to-end communications that pass through their systems; such providers should not face criminal penalty or contempt if this is the case.

Recommendations:

• Warrant requirements cannot be subject to exception unless in narrow situations of emergency, and still must be subject to immediate judicial review and right of challenge or appeal;

• Persons cannot be forced to decrypt information or otherwise provide technical assistance in unlocking communications.

