New standard operating procedures for the investigation, search, access or seizure of cyber articles
Submitted by: Teresa Settas
By Wendy Tembedza, Partner, Prineil Padayachy, Senior Associate & Danielle van der Watt, Candidate Attorney from Webber Wentzel
The new standard operating procedures for cyber investigations outline guidelines for conducting searches, seizing evidence, and accessing digital data while protecting individuals' rights.
The Standard Operating Procedures (SOPs) for the Investigation, Search, Access or Seizure of Articles in terms of section 26 of the Cybercrimes Act 19 of 2020 (CCA) were published by the Department of Police on 6 October 2023.
The CCA creates legal mechanisms to address cybercrime in South Africa. The aim of the SOPs enacted in terms of the CCA is to ensure that investigations conducted by the South African Police Service (SAPS) are compliant with legislation. The SOPs also ensure that the Constitutional rights to privacy and to a fair trial are duly observed and protected during the exercise of any powers given to SAPS in the CCA.
Scope and application of the SOPs
Once publicised in the Government Gazette, the SOPs must be observed by members of SAPS as well as any other person or agency afforded investigative powers in respect of any offence committed by means of, or facilitated through the use of, a cyber article.
What is a "cyber article"?
A 'cyber article' is broadly defined under the CCA to mean any data, computer program, computer data storage medium, or computer system, which is concerned with, may afford evidence of, or is intended to be used for the commission or suspected commission of any offence (or reasonably suspected as such).
Who may search for, seize, or access the cyber article?
Only police officials may search for, access, or seize a cyber article. They may, however, be assisted by an investigator (such as a digital forensic expert) where required, provided that they have obtained the necessary authorisation.
Police officials are expressly instructed to refuse any help offered by "unauthorised persons" (i.e., possible suspects) during an investigation.
How are searches and seizures carried out?
There are essentially four ways in which a police official can be authorised to search for and/or seize a cyber article:
- in terms of a warrant;
- where lawful consent is provided;
- during a lawful arrest; or
- where they can show urgency or exceptional circumstances.
Generally, section 29(1) of the CCA provides that a police official can only search for, access, or seize a cyber article by virtue of a search warrant issued by a competent court. A warrant is, however, not necessary in all instances.
Firstly, a police official may conduct a search and seizure without a warrant if they have obtained consent in writing from a person who has lawful authority to consent. In this instance, the police official will have all the same powers as they would have under an issued search warrant.
A police official may also have full powers of search and seizure despite not having obtained a warrant if they can show urgency and exceptional circumstances. The official will, more specifically, have to show that they reasonably believe that a search warrant would be issued if applied for, and that the delay created by first bringing an application would have resulted in the object of the search and seizure being defeated.
Furthermore, police officials are given limited powers to seize cyber articles without a warrant during an arrest made in terms of the CCA. However, the official will not be allowed to access the data or computer programs until they have obtained a warrant unless they can show urgency.
Depending on how the search or seizure has to be carried out, the police official conducting the search will likely require different types of legal permission or authorisation in each particular case. This may mean a warrant obtained under the CCA in relation to relevant cyber articles and a subpoena under the Criminal Procedure Act 51 of 1977 in relation to historical information such as bank records or cell phone records.
Methods of search, access, or seizure
The search, access, and seizure of a cyber article generally involve two steps:
- the physical seizure of the device (computer data storage medium or computer system); and
- the seizure (copying or printing) of the data and computer programs stored thereon.
The action of 'seizing' is narrowly defined in the CCA to mean:
- removal of a computer data storage medium or any part of a computer system;
- rendering inaccessible data, a computer program, a computer data storage medium or any part of a computer;
- making and retaining a copy of data or a computer program; or
- making and retaining a printout of the output of data or a computer program.
These are the only actions which are permissible once the police official has obtained a search warrant.
The SOPs also give SAPS officers powers to search and document any information necessary for the subsequent analysis of a cyber article, such as passwords, email accounts, and Personal Identification Numbers (PINs). Importantly, where a police official obtains or uses an instrument, device, equipment, password, decryption key, or data to get access to a cyber article, they may only do so to the extent, in the manner, and for the purposes specified in the warrant.
Where the cyber article belongs to an innocent third party or witness, SAPS must try to follow a process which is proportionally the least intrusive to that person when acquiring the evidence. The first port of call is to obtain consent from the third party; only where the third party refuses to give consent should steps be taken to obtain a warrant. This also applies in cases where the data is held by a third party or an independent data holder.
Individuals must understand what powers are conferred on SAPS, and when SAPS may execute such powers. While the SOPs intend to create separate procedures around the search, access, and seizure of cyber articles, it remains to be seen how these distinct and nuanced procedures will play out in practice, given the apparent cybersecurity skills gap present in South Africa.