Kenyan bid to stop 'flawed' AU cybersecurity convention
A proposed African Union (AU) convention seeking to step up the fight against cybercrime across Africa has critics up in arms over its potential to curb internet freedoms.
The African Union Convention on Cyber Security (AUCC), which is to be voted on in January 2014, proposes “establishing a credible framework for cyber security in Africa through organisation of electronic transactions, protection of personal data , promotion of cyber security, e-governance and combating cybercrime.”
If 15 African states approve the convention at an AU summit in January, the AUCC is expected to be passed into law. African ministers have been discussing conditions of the convention since 2009 and a copy of the draft convention can be viewed by clicking here.
The AU is seeking to establish the convention because of what it says are African states’ “dire need of innovative criminal policy strategies that embody states, societal and technical responses to create a credible legal climate for cyber security.”
The move to introduce the convention comes as cyber crime levels in Africa are growing.
According to the Norton Cybercrime Report for 2012, the likes of South Africa hosts the third-highest number of cyber crime victims in the world, behind only Russia and China. In addition, the South African Cyber Threat Barometer 2012/13 put the total direct losses to cybercrime in South Africa between January 2011 and August 2012 at R2.65 billion.
But Kenyan based Strathmore University's Centre for Intellectual Property and Information Technology Law (CIPIT) has hit out at the proposed AU cyber security convention and called for the convention not to go ahead in its current form.
The centre says the convention, if adopted as is, could abuse Africans’ right to privacy, harm freedom of expression, introduce legislative overkill and place too much power in the hands of judges.
A draft version of the convention allows judges, in the “public interest”, to call for the interception of individuals’ electronic communications without permission from these individuals.
“Our first concern is the omission to the right to privacy,” Rene Enoakpar of Strathmore University’s CIPIT told ITWeb Africa.
“The issue of public interest is complex because it has no unified meaning,” he said.
Enoakpar explained to ITWeb Africa that regulatory agencies in Africa could have varied interpretations of what is in the public interest.
He also said that these interpretations could reflect interests of political actors, especially governments, which in turn makes this provision problematic.
Furthermore, the ability to interfere with traffic data without permission could risk freedom of expression on the continent as well.
“With this provision, we think the right to freedom of expression will be seriously curtailed,” Enoakpar told ITWeb Africa.
Other aspects of the convention introduce what Enoakpar said is “legislative overkill.”
Enoakpar said the bill wants increased focus on crimes committed with online resources or computers. But he said this provision could make it possible for aggravation in situations where, for example, a criminal robs a bank after sending an email.
Other concerns regarding ‘legislative overkill’ include parts of the convention that want corporate bodies to be held responsible for offences that individuals commit using the corporations’ technology.
The convention also wants service providers to conduct vulnerability testing for their technologies: a requirement that could hold back e-commerce on the continent, Enoakpar said.
As a last concern, Enoakpar said the convention “grants absolute power to judges.”
Enoakpar added that judges on the continent are not adequately trained to deal with cybercrime and cyber security, making this absolute power even more problematic.
In a bid to stop the convention then from being adopted in its current form, the Strathmore’s CIPIT has started a campaign to oppose the ratification of it by the AU.
The centre has petitioned Kenya's parliament through an open letter regarding the convention. The petition is sponsored and endorsed by the likes of search giant Google and technology innovation centres iLabAfrica and Nairobi’s iHub.
“We call attention to the fact that the context within which it is being passed will make the convention unfeasible,” Enoakpar told ITWeb Africa.
“We think that there is need for substantive revision,” Enoakpar said.
However, while the CIPIT and its supporters are looking to stop the AU cyber security convention from being adopted in its current form, the organisation does nevertheless want an Africa focused convention on cyber security.
African countries such as South Africa are looking to implement data privacy laws such as the Protection of Personal Information (POPI). But for those countries that do not have such endeavours as yet, there is a need for a guiding framework such as an AU cyber security convention, Enoakpar told ITWeb Africa.
But that framework cannot jeopardise civil liberties, contain legislative overkill or hand over too much power to judges, Enoakpar said.
“The nature of cybercrime is transnational, and that notwithstanding I know many African countries do not have an effective legislation on cybercrimes.”
“A good starting point would be for the African Union (AU) to come up with a model law on cybercrime,” said Enoakpar.