As police and prosecutors test new legislation, what are the challenges of using digital evidence?
In one of the first cases of its kind, South Africa’s 2020 Cybercrimes Act has been put to the test to secure a conviction of incitement based on WhatsApp evidence. It is a major step forward in the use of digital evidence in the country and signals a growing confidence among prosecutors and investigators to bring cases to court using the law.
Philani Gumede, a senior figure from Operation Dudula, was arrested in Durban after voice notes he recorded were circulated on WhatsApp in March 2022. Operation Dudula is a vigilante group that has been waging a campaign of intimidation against foreign nationals in South Africa. The messages incited followers to seize businesses owned by ‘foreigners’.
The conviction comes at an important time as the country heads to national elections in 2024. In a climate of political polarisation and factionalism within the governing African National Congress, online influence could play a significant role.
Evidence has already surfaced of WhatsApp chat groups having been used during the July 2021 unrest. Forensic experts found that ‘the riots bore the hallmarks of a group of people being behind the organisation thereof, using technology as the primary mode of organisation.’ The expert panel report on the unrest found that police and intelligence officers were ‘ill equipped’ to deal with the threat.
Police and prosecutors worked hand in hand to gather the digital evidence and secure a conviction
South Africa’s Cybercrimes Act came into force in May 2021. It defines cybercrimes and details the powers to investigate, search, access or seize cellphones, computers, etc. Section 14 states that a data message that incites violence against a person or group, or incites damage to property, constitutes ‘malicious communications’. This recognises that cybercriminals not only target computers or networks (by launching ransomware attacks, for example) but may also use technology to perpetrate crimes such as extortion, fraud and incitement.
Prosecutors told ISS Today that after a tipoff to the South African Police Service (SAPS), they worked hand in hand with police colleagues to gather evidence as part of a ‘prosecution guided investigation.’ Digital evidence may include email, text messages, instant messages, files or documents removed from hard drives, as well as audio and video files.
After Gumede was arrested, a team of prosecutors led by Senior Public Prosecutor Advocate Roshiela Benimadho, acquired a customised ‘cyber warrant’ to search his phone. A separate warrant was then secured to ‘seize’ (download) its contents.
Although the case never went to trial, Gumede pleaded guilty to incitement and was fined R10 000. The National Prosecuting Authority (NPA) is now pursuing similar cases under the act, including alleged offences of revenge porn, which entails sharing intimate images online without a person’s consent. The crime carries a penalty of up to two years in jail or a hefty fine.
Ensuring the evidentiary chain of custody and proving intent for malicious use are among the biggest hurdles
‘It’s important to highlight the prosecution-guided nature of such investigations,’ said Benimadho. Under the legislation, external technical experts can assist police and prosecutors. In this case, however, prosecutors worked with the SAPS cybercrimes unit.
‘Digital evidence is increasingly the key to proving culpability in complex corruption cases, for example; yet the skills needed to integrate this evidence into investigation plans and prosecution strategies is in very short supply,’ says Professor Chris Stone. Stone is advising on the design of a new digital forensic unit that a private-sector consortium is developing for the NPA’s use.
‘It is not a question of whether to build greater skill inside SAPS and the NPA, or to build greater resources available in the private sector – both are essential,’ according to Stone.
Ensuring the evidentiary chain of custody and proving intent for malicious use are among the biggest hurdles prosecutors face. An investigator inadvertently switching a seized phone on or off can lead to precious evidence being lost. Furthermore, as deep fake technology becomes ubiquitous and genuine audio or video is indistinguishable from manipulated media, proving the authenticity of evidence is key.
The Cybercrimes Act builds on the 2002 Electronic Communications and Transactions Act, and regulates the admissibility of electronic or digital evidence. It seeks to strike a balance between privacy issues, authenticity of evidence and the manner of extraction.
With deep fake technology becoming ubiquitous, proving the authenticity of digital evidence is key
There are few studies in Africa on the use of digital evidence, but in the United States it remains a ‘fraught landscape’ for prosecutors, argues Christa Miller in her assessment of this cyber resource. ‘Prosecutors must prove that only authorized persons had access to the evidence and guarantee that copies and analyses were made by authorized manipulations and using acceptable methods.’
Furthermore, given cybercrime’s borderless nature, access to digital data is also an issue. Although it’s not the only means to collaborate, few countries have ratified the African Union’s ‘Malabo’ convention on harmonising cybercrime laws and enabling cross-border data exchange and legal assistance. There is a move to draft a United Nations-wide cyber convention that should help set common standards for data sharing for criminal investigations.
Another challenge is that data is often stored outside the country where a suspected offence occurs. It may be under the ‘sole control’ of a digital service provider, many of whom are headquartered in the United States or Europe. That gives ‘the service provider the power to determine the ability of law enforcement authorities to gather digital evidence for legitimate criminal investigations,’ according to HH Abraha, in an analysis of government access to digital evidence in Africa.
This is fuelling debate about ‘data sovereignty’ and digital dependence, where Africa may be especially vulnerable.
Many in the cyber world believe that strategically and operationally, South Africa needs a shift in both mindset and work culture to adequately deal with these offences. Securing a conviction is a vital first step in what may increasingly become a multidisciplinary operation requiring professionalism and trust between the private sector, law enforcement and other stakeholders.
Karen Allen, Consultant, ISS Pretoria