The South African Police Services have recently published their draft Standard Operating Procedures (SOP) which are required in terms of section 26 of the Cybercrimes Act no. 19 of 2020. While we plan to make detailed comments on the SOPs themselves, from a high-level perspective there are a number of important issues that should be borne in mind when reading the SOPs and suggest that the draft SOPs are not fit for purpose:
SOPs in a Cybercrime Act are unusual
While many police services around the world have standard operating procedures, they tend not to reference them in their Act. While it is possible that other cybercrime legislation around the world does this, we are not aware of any. Why does this matter? The reason this is important is that it lends a degree of formality to the Cybercrime SOPs – not only must they be published in the government gazette, but they are only finalized after there has been a ‘process of public consultations’. In essence, this means that the Cybercrimes Act SOPs cannot fly below the radar.
SOPs do not only affect the Police
Section 26 of the Cybercrimes Act obliges the South African Police Service to observe the SOPs but it goes a step further and obliges any investigator appointed in terms of the Cybercrimes Act and ‘any person…who is authorized in terms of any other law to investigate any offence…’ to follow the same SOPs. The point here is that there a huge number of other entities created in terms of laws – the Information Regulator, the National Consumer Commission, the National Credit Regulator, the Financial Intelligence Centre etc. – who will be obliged to follow the same SOPs that the Police have just drafted and those SOPs need to be appropriate for those entities as well.
SABS 27034 seems to be ignored
It should come as no surprise that digital forensic standards have been around for a while and one of the more recognizable standards for this is ISO 27034 which made its way into the SABS 27034 standard which is a South African digital forensic standard. Curiously no mention of this standard can be found anywhere in the SOP.
SOPs are not clear
A major concern when it comes to the SOPs is that they are relatively difficult to understand. This is huge problem when you expect a constable with no tertiary education (and certainly not a degree in computer science) would have to interpret and give effect to the SOPs when collecting digital evidence. For instance, a decision tree would be of great assistance to those who are new to digital evidence collection. Consider the following:
- Do you have a written warrant? – yes / no
- Do you have enough time to get a warrant? Yes / no
- If you do not have enough time to get a warrant then can you get the consent of the person? Yes / no
- Did you get the digital evidence (called ‘articles’ in the Cybercrimes Act) during the course of an arrest? Yes / no
- If your answer to all the above is ‘no’ then can you objectively say that waiting for a written warrant will frustrate the purpose of the warrant (i.e. if you take too long then there is no point to the written warrant as the evidence will have been deleted / be removed / be altered…)? Yes / no
Etc…
What emerges from the SOPs is that it is clear that no real attempt has been made to use a plain language expert to review the SOPs based primarily on who the audience is. SOPs are not going to be useful if they aren’t understood.
SOPs is a principles-based policy document
There are lots of useful tips in the SOPs but the SOP has been drafted as a policy document, not a procedure. Instead of creating a procedure which by its very nature tends to be very binary (right or wrong) the SOPs read like a policy document where the investigator should ‘consider’ factors such as ‘reliability, authenticity, proportionality’ etc (clause 1.8). While there is no problem with creating principle-based legislation – the Protection of Personal Information Act (POPIA) does exactly that – it doesn’t mean that this is a procedure. There should be a clear difference between policy (the principle of reliability), a standard (the SABS 27034 standard) and procedures (do this, do that).
How did we get here?
There is a rumour that the original version of the SOPs was more substantive but were watered down after some of the original versions. This may be partly because the SOPs moved out of the Department of Justice and Constitutional Development and into the Department of Police and partly because the police have a very real fear that specific rules on digital forensics are able to be evaluated (and non-compliance with these rules will be clear). Perhaps the police fear that specific SOPs like this will amount to simply another stick that defence attorneys can use to beat the Police services with? Whatever the case the current version of the SOPs feel like an opportunity lost for South Africa to be a thought