Picture: 123RF
Picture: 123RF

A friend recently received an e-mail that began as follows: "I am aware ********* is your pass[word]. Let's get right to purpose. You do not know me and you're probably thinking why you are getting this mail? I installed software on the adult (sexually graphic) website and guess what, you visited this website to have fun (you know what I mean)."

The writer then claims to have video footage of my friend watching porn and threatens to release it to all her Facebook and e-mail contacts if she doesn't cough up $1,000 in 24 hours - in bitcoin. "If you do not know this, search for 'how to buy bitcoin' in Google."

You may be the MD of a listed company who reads Mills & Boon, and doesn't want anyone to know

The bad grammar and typos are funny, I know, and might indicate the work of an amateur, but the scamster had her password.

My friend ignored the e-mail, describing herself as "way too boring to visit a porn site". But she can't ignore the fact that the only time she used that password was to track her recent application for a British visa.

"The application is made online, on the British consulate's website," she explains. "One is required to enter a large amount of sensitive data, including bank statements, your parents' personal information and dates of your international travel over the past five years. Then you register on the website of an agency, which operates visa application centres on behalf of government authorities, to get feedback."

It was after she registered on this agency's website that she received the "sextortion" e-mail. She knows of two other people who have recently applied for British visas and also got either the same e-mail or an SMS along the same lines.

"I've been quite anxious ever since," she says.

Her fears are valid. All of her personal information has probably found its way onto the dark web, where bank account details sell for up to $110 (R1,630).

R1,630

What your bank details can sell for on the dark web

Mark Heyink, an attorney who specialises in information security and privacy law, says even though we aren't yet able to enforce our rights through the Information Regulator, it doesn't detract from the constitutional right to privacy.

"The Protection of Personal Information [Popi] Act enables the enforcement of that right. Popi doesn't give the right; the right to privacy comes from the constitution.

"There are all sorts of behaviours that we may want to keep private. You may, for example, be the MD of a listed company who reads Mills & Boon, and doesn't want anyone to know. That's the crux of privacy."

My friend has reported the breach to the agency concerned, the South African Information Regulator, and the British Information Commissioner's Office. But she knows that until Popi Act is fully in force, we're all in the painful position of having law that espouses the right to privacy but provides no practicable remedy for enforcing that right, and no penalty if the right is breached.

Both the Information Regulator and the British Information Commissioner have acknowledged receipt of her complaint.

So what can you do if you've viewed porn and someone is trying to extort money from you? For starters, viewing porn is not a crime in SA, unless it's child pornography. Extortion, on the other hand, is. But you're not likely to have much luck trying to nab the perpetrator, especially if he runs his little enterprise from his mom's garage somewhere in Kazakhstan.

I feel for you, as I do for the Mills & Boon-loving MD. If all your contacts were to find out, it could be damaging for your relationships and maybe even your job.

You could ignore it and call the scamster's bluff. It seems to have worked for Liberty. Since hackers managed to access the company's e-mail server in June, demanding a ransom in exchange for the personal records of an untold number of policyholders and investors, there's been nothing but deafening silence.

There haven't been any reports of Liberty clients suffering a financial loss as a result of the attack. The question is whether the personal information accessed has been used to commit cyber- and other crimes.