Author: PWessels

A framework for data security, privacy, and trust in “consumer internet of things” assemblages in South Africa

There are serious problems in the Consumer Internet of Things (CIoT) concerning data security, privacy, and trust. Personal information is valuable to the owner of that information, and it is for this reason that relevant stakeholders put measures in place to control it. Private information includes such information as the physical location and movement of the person. In addition, service providers and regulatory bodies need to implement privacy enhancement technologies (PETs) and relevant protection laws. Finally, there is a need for standards, methodologies, and tools to identify consumers and objects.

Concerning security, the developers and service providers of CIoT need to ensure safety from the design stage to the execution stage. Service providers of CIoT need to be proactive in identifying and protecting IoT against arbitrary attacks such as denial-of-service (DoS) attacks and abuse.

A framework for security, privacy, and trust in CIoT (Researchers, 2020)

In addition, service providers need to ensure that malicious software does not enter the IoT ecosystem. The CIoT service provider is responsible for continuously updating the software and firmware of devices in response to security threats. Consumers need to trust, and be comfortable with, exchanging personal information with any CIoT stakeholder. This information exchange is critical to the success of CIoT, and sensitive data must be protected. The same trust applies when smart objects communicate on behalf of consumers with trustworthy services. Trust has to be incorporated from the design stage of CIoT and must be built into the system. Trust also needs to exist among all stakeholders in the CIoT assemblages, such as cloud providers, device manufacturers, connectivity providers, and mobile app developers, to mention just a few.

A Proposed Framework

Studies have sought to propose a framework to address data security, privacy, and trust issues relating to CIoT. As reflected in Figure 1, the framework addresses the security, privacy, and trust issues experienced by consumers in relation to both the law and the technology of CIoT.

Legislative framework

Concerning legislation, the framework identified key legal frameworks in South Africa as the Consumer Protection Act 68 of 2008 (CPA), and the Protection of Personal Information Act 4 of 2013 (POPI Act).

1. Consumer Protection Act

The protection of consumers is of vital importance in any market. South Africa enacted the CPA to deal with the need to protect consumers. When consumers of IoT suffer financial losses or identity theft because of improper business practices, the laws of the country need to protect them. Improper business practices may include habits like misleading information, advertising, direct marketing, use of inferior products, and unclear instructions on how to use the services. These practices apply to any business venture in the supply chain of delivering the service. In CIoT, the service providers may over-promise regarding what the service is capable of doing or its ability to provide security concerning consumers’ information. The providers may also use consumers’ information for advertising and marketing purposes without the consent of the consumers. Ukwueze [36] states that the goal of the law in consumer protection is to prevent harm or injury to and provide redress for the consumer where he or she suffered damage or injury in his or her relationship with the producer or supplier of goods and services. In South Africa, the CPA derives from the International

2. Protection of Personal Information Act

The POPI Act exists to guarantee that all South African institutions behave responsibly when collecting, processing, storing, and sharing other people’s information. The Act ensures this by holding the institutions accountable should they abuse or compromise people’s data in any way. The South African government created the POPI Act to promote the constitutional right to privacy by safeguarding PII. The POPI Act treats personal information as valuable and therefore aims to bestow upon people certain rights concerning their data: the owner of the data should be able to exercise control over their personal information.

What qualifies as a signature in terms of s 13(3) of the ECT Act?


Global & Local Investments Advisors (Pty) Ltd v Fouché (SCA) (unreported case no 71/2019, 18-3-2020) (Mojapelo AJA (Navsa, Saldulker, Makgoka and Nicholls JJA concurring))

With more South Africans working from home than ever before, the importance of electronic signatures cannot be taken lightly: we live in a digital age and, most recently, in an era of national lockdown where contracts and other agreements require electronic signatures. There have been many questions in the past relating to the validity and form of an electronic signature. The Supreme Court of Appeal (SCA) recently delivered a judgment on the question of what qualifies as a signature in terms of the Electronic Communications and Transactions Act 25 of 2002 (ECT Act).

The ECT Act introduced formal legal recognition of electronic commerce. In addition, the ECT Act stipulated that information is not without force and effect simply because it is in the form of a data message. In South Africa, ‘[t]he primary functions of a signature include evidencing the:

  • identity of the signatory;
  • intention of the signatory to sign; and
  • adoption of the writing signed by the signatory’.

The ECT Act recognises data as the functional equivalent of writing, or evidence in writing, by guaranteeing data messages the same legal validity as messages written on paper. It states that a requirement under law that a document or information be in writing is met if the document or information is in the form of a data message and accessible in a manner usable for subsequent reference to a person who either wants to rely on the existence of a particular agreement or for record purposes.

The ECT Act defines an ‘electronic signature’ as ‘data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature’. The ECT Act further provides at s 13(2) that: ‘An electronic signature is not without legal force and effect merely on the grounds that it is in electronic form’. This clearly indicates that electronic signatures are legally recognised in South African law.

Facts of the case

On 23 November 2015 Mr Fouché, a mining consultant, gave a written mandate to Global to act as his agent and invest money with Investec Bank on his behalf. The written mandate stipulated that: ‘All instructions must be sent by fax to [a designated number] or by e-mail to [a designated e-mail address] with client’s signature.’ The money was to be invested in a Corporate Cash Manager (CCM) account in the name of Mr Fouché.

Global opened the CCM accounts for its clients at Investec and then managed the accounts for a fee expressed as a percentage of the funds invested for the client in such accounts.

Two of the three e-mails containing the instructions to transfer money ended with the words ‘Regards, Nick’, while the third ended with ‘Thanks, Nick’. None of them had attachments. In response, Global paid out a total of R 804 000 from Mr Fouché’s CCM account to unknown third parties in three tranches: R 100 000 on 15 August 2016, R 375 000 on 18 August 2016 and R 329 000 on 24 August 2016. Mr Fouché subsequently became aware of this and notified Global that the e-mails had not been sent by him. Mr Fouché claimed payment of the amounts transferred to third-party accounts on the basis that Global had paid out contrary to the written mandate.

Global’s main submission and defence to the claim was that it had acted within the terms of the mandate, on instructions that emanated from Mr Fouché’s legitimate e-mail address, and that the typewritten name ‘Nick’ at the foot of the e-mails satisfied the signature requirement when considered in the light of s 13(3) of the ECT Act. Section 13(3) of the ECT Act reads as follows:

‘Where an electronic signature is required by the parties to an electronic transaction and the parties have not agreed on the type of electronic signature to be used, that requirement is met in relation to a data message if –

(a) a method is used to identify the person and to indicate the person’s approval of the information communicated; and

(b) having regard to all the relevant circumstances at the time the method was used, the method was as reliable as was appropriate for the purposes for which the information was communicated.’

The High Court found in favour of Mr Fouché. Vorster AJ stated that the mandate ‘specifically required the signature of the plaintiff [Mr Fouché] for a valid instruction and not merely an e-mail or fax message purporting to be sent …’. The court below stated that this is not a case where the parties agreed to accept an electronic signature as envisaged by s 13(3) of the ECT Act. It went on to say that ‘it is a case where the parties required a signature. No more and no less.’

The SCA per Mojapelo AJA (Navsa, Saldulker, Makgoka and Nicholls JJA concurring), looked at different definitions of signature and held, ‘[t]he Concise English Oxford Dictionary defines “signature” as “a person’s name written in a distinctive way as a form of identification or authorisation.” Black’s Law Dictionary … gives the definition of “sign” and “signature”, which read together bring us close to the legal meaning of signature.’

The court then analysed the mandate itself and held that it required a ‘signature’, which in everyday and commercial contexts serves an authentication and verification purpose. The court further held that, in order to rely on s 13(3) of the ECT Act, Global would have had to show that the mandate required an electronic signature. The word ‘electronic’ is absent from the mandate. The SCA accordingly held that ‘the instruction was not accompanied by such a signature and the court below correctly held that the funds were transferred without proper instructions and contrary to the mandate.’ The appeal was dismissed with costs.
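The distinction the court drew, as an added example that is not part of the case note or of the court’s reasoning: a typed name at the foot of an e-mail passes any check that merely looks for that name, whereas a signature computed over the instruction’s content both identifies the key holder and binds the approval to the exact amount, payee and date, which is what s 13(3)(a) asks of a method. The Instruction fields, the account and payee labels and the Ed25519 key pair are constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Instruction is a constructed transfer instruction modelled on the facts of the case.
type Instruction struct {
	Account, Payee, Date string
	AmountZAR            int
}

// canonical gives the exact bytes the client approves; changing any field changes them.
func (ins Instruction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%s", ins.Account, ins.AmountZAR, ins.Payee, ins.Date))
}

// TypedNameCheck is what Global relied on: a name at the foot of the e-mail; it passes for any mail carrying the name.
func TypedNameCheck(body, name string) bool {
	return strings.Contains(body, name)
}

// Sign yields data "logically associated with" the instruction (the ECT Act definition) that only the private-key holder can produce.
func Sign(priv ed25519.PrivateKey, ins Instruction) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, ins.canonical()))
}

// Verify applies s 13(3)(a): the public key identifies the person, and a valid signature shows approval of exactly this content.
func Verify(pub ed25519.PublicKey, ins Instruction, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, ins.canonical(), raw)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // client's key pair (constructed)
	ins := Instruction{Account: "CCM-0001", Payee: "ACC-UNKNOWN", Date: "2016-08-15", AmountZAR: 100000}
	sig := Sign(priv, ins)
	fmt.Println("genuine instruction verifies:", Verify(pub, ins, sig))
	ins.AmountZAR = 375000 // altered after signing
	fmt.Println("altered instruction verifies:", Verify(pub, ins, sig))
	fmt.Println("typed name passes for any mail:", TypedNameCheck("Transfer R 100 000.\nRegards, Nick", "Nick"))
}
```

The public key would be registered with the institution when the mandate is signed, so that the mandate itself names the method, which is the gap the judgment identifies.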

Conclusion

As can be seen, this judgment will have far-reaching consequences, providing the public with a precedent with which to hold many institutions, including financial institutions, liable for damages suffered due to internet fraud.

It is important to note that a person must first consult the mandate (agreement) they signed with the respective financial institution. If the mandate refers to ordinary signatures and not ‘electronic signatures’, then reliance can be placed on the Global case.

This judgment also places a burden on financial institutions to amend their agreements so that they include ‘electronic signatures’ as envisaged in the ECT Act.

In conclusion, when drafting and entering into agreements that may need to be signed electronically, we need to be cognisant of the manner in which we draft and agree to the use of electronic signatures, in order to avoid future disputes relating to their validity.