Online Event: Combating Online Violence Against Women and Girls Towards a Digital Equal World (March 8, 2022)

Online Event |

Sustainable Development Goal five aims to achieve gender equality and empower all women and girls. Target 5B calls for enhancing the use of enabling technology, in particular information and communications technology, to promote the empowerment of women. However, women in eastern Africa face various challenges that undermine their use of digital technologies, with these challenges tending to mirror the impediments that they face in the offline world, such as in access to education and economic opportunities, or participation in civic processes. There is also a wide gender digital divide in the region. For instance, in Uganda men are 43% more likely to be online than women. In Kenya, a study found that in the slums of the capital Nairobi, only 20% of women were connected to the internet, compared to 57% of men.

Despite a large gender disparity in digital access, more women face various forms of online violence than their male counterparts. The absence of laws designed to specifically address the various forms of digital violence (such as “revenge pornography”, trolling, and threats) and the lack of sufficient in-country reporting mechanisms, exacerbate these being forced to go offline or resorting to self-censorship. Research by CIPESA has found that cyberstalking, online sexual harassment, blackmail through non-consensual sharing of personal information, promotes and normalises violence against women and girls who use the internet in Uganda.

However, these digital threats and attacks remain difficult to quantify due to several inhibitions including the culture of silence and the absence of structured reporting mechanisms. Nonetheless, there have been various documented cases of online harassment and abuse. In a study conducted in Kenya, more than one in five women reported having experienced online harassment. Meanwhile, redress mechanisms were insufficient, as the national legal framework safeguarding security online is broad, “and does not pay special attention to women and girls.”

The true extent of online violence against women (OVAW) remains unknown, partly due to cultural inhibitions, lack of data and lower levels of internet access among women. However, as more women go online, the cases are increasing, yet there are insufficient safeguards to enable victims to protect and enhance their personal security, including the absence of laws prohibiting online violence against women. Moreover, such cases continue to go unreported, leaving victims with limited legal recourse or resources to seek justice. Further, many women are uninformed of their rights online and are not aware of the tools available to secure themselves online.

According to a 2020 UN Women report, women in politics and the media are at higher risk of online and ICT-facilitated violence due to their public personas.  Indeed, research related to Uganda’s 2021 elections found that men and women politicians experienced online violence differently: women, especially candidates in elections, were more likely to experience trolling, sexual remarks, and body shaming, while men were more likely to experience hate speech and satirical comments. This mirrored Previous findings in the region that also found that women who are more prominent online and in society appeared to be targeted more, with the women who advocated for gender equality, feminism, and sexual minority rights facing heightened levels of  OVAW. This undermines the ability of women to embrace and meaningfully use digital technologies.

The UN Women report also cites evidence  suggesting  that  women  with  multiple identities (such as the LBTQI community, ethnic minority, indigenous) are often targeted online through  discrimination and hate speech, which often forces them to  self-censor  and  withdraw  from  debates and online discussions. Similarly, the UN Special Rapporteur on violence against women, its causes and consequences, has stated that some  groups  of  women,  including human  rights  defenders,  women  in  politics, journalists, bloggers, women belonging to ethnic minorities, indigenous women, lesbian, bisexual and transgender women, and women with disabilities are particularly targeted by ICT-facilitated violence.

The extent to which cyber harassment affects women in marginalised communities in the region is not well known. However, interviews conducted in 2019 as part of digital literacy and security training for refugee rights defenders, from the Democratic Republic of Congo, Eritrea, South Sudan and Sudan, who are living in Uganda, showed that three in four of the respondents had experienced some form of cyber harassment including abuse, stalking, unwarranted sexual advances and hacking of social media accounts. The perpetrators included anonymous individuals, security agents in their home countries, known friends and ex-partners. These online affronts against the women refugees run in parallel to gender-based violence in refugee camps, at border crossings and resettlement communities. Urban refugees in the country face heightened gender-based violence risks due to unmet multiple and complex social, economic and medical needs as well as intersecting oppressions based on race, ethnicity, nationality, language, sexual orientation and gender identity.

On the occasion to mark the International Women’s Day, 2022 the Collaboration in International ICT Policy for East and Southern Africa (CIPESA) has organised a webinar to foster multi-stakeholder dialogue on OVAW towards promoting women’s ability to meaningfully participate in the information society, democratic and decision making processes. The webinar will also serve as an opportunity to promote engagement between platforms operator Meta, user communities and stakeholders, and to collect feedback and strategize on how to mitigate harm online.

Speakers

  • Nashilongo Gervasius, Researcher
  • Suzan Elsayed, Meta (Facebook)
  • Hon. Neema Lugangira, Member of Parliament Representing NGOs – Tanzania National Assembly
  • Hon. Sarah Opendi, Chairperson Uganda Women Parliamentary Association (UWOPA)
  • Justice David Batema, High Court of Uganda

Join the Conversation

  • Date: Tuesday March 8, 2022
  • Time: 15:00 – 16:45 East African Time EAT
  • Where: Online via Zoom. Register here

Data Privacy Still A Neglected Digital Right in Africa

By Juliet Nanfuka |

In recent years, the threats to data privacy have evolved at a quicker pace than the development of regulatory frameworks dedicated to safeguarding the right to privacy, especially in the digital era. Currently, just over half of African countries have enacted privacy laws and policies. Still, the right to privacy is repeatedly under threat through the introduction of new laws  that  facilitate  surveillance  and  the  collection  of  biometric  data  and  limit  the  use  of  encryption. There are growing concerns that in several African countries, government agencies and private entities are collecting and processing personal data without adequate data protection frameworks, amidst weak oversight mechanisms and inadequate remedies.

Most African countries are parties to international human rights instruments such as the International Covenant on Civil and Political Rights (ICCPR) and the Universal Declaration of Human Rights (UDHR) which provide for the right to privacy. However, the African Charter on Human and Peoples’ Rights does not provide for the right to privacy, although its article 9 has been interpreted to encompass the right to privacy.

Meanwhile, the continent’s model instrument on privacy and data protection, the African Union Convention on Cybersecurity and Personal Data Protection, has been signed by 14 countries and only eight countries had ratified it by June 2020. Indeed, adherence to these instruments remains low.

“In recent years, various African countries have enacted  laws  and  policies  to  regulate  the  right  to  privacy.  Many of  the  laws  enacted  do  not  measure  up to  international  human  rights  standards  and  fail  to  establish  clear  and  appropriate  oversight,  redress  and  remedy mechanisms.” CIPESA Mapping and Analysis of Privacy Laws in Africa

Increased digitalisation, which was accelerated by Covid-19, has seen rising use of  technology in health, business, education, and civic participation and engagement, necessitating greater need for progressive personal data privacy policies and practices. However, as many positive developments emerged in the region so did gaps in the respect for data protection and privacy  in the numerous state responses.

For example, Ethiopia has embarked on a national digital identification (ID) biometric-based project which it argues will support access to services for citizens and hasten trade relations with other nations on the continent. However, the country has no comprehensive data protection law.  In 2020, the government published the draft Personal Data Protection Proclamation which is yet to come into force.

In Kenya, the Data Protection Act, 2019 which establishes the Office of the Data Protection Commissioner also prohibits the sharing of data with third parties without consent of the data subjects and requires that individuals are informed when their data is being shared and for what purposes. In December, an amendment to the Central Bank of Kenya Act addresses digital lenders that share personal data of loan defaulters with third parties could have their licenses revoked. Tactics used by lenders reportedly included calling friends and family, to shame and compel their borrowers to repay the loans.

In South Africa, the data privacy debate recently surged when the Department of Basic Education stated that high school leaving exam (National Senior Certificate) results would no longer be published on media platforms, in line with the Protection of Personal Information Act (POPIA). However, a court ruled against the department and instructed that the results be published publicly on media platforms and newspapers. Historically, the results have been made available with students identified through their ID numbers or exam numbers. The Department argued that in order to publish the results, it would have to seek consent from every pupil per the POPIA.

Private entities in South Africa have also come under scrutiny for their surveillance systems’ compliance with privacy regulations and their data privacy practices. Among these entities is Vumacam, which in 2021 announced that it was gearing up to instal additional “hundreds of thousands of cameras” in the country. Vumacam currently has over 5,000 cameras that have been installed in Johannesburg suburbs since 2019.

The concerns raised about private surveillance actors in South Africa echo those that have emerged about state actors in Botswana, Equatorial Guinea, Kenya, Morocco, Nigeria, Uganda, Zambia, and Zimbabwe who have heavily invested in state-run video surveillance systems commonly referred to as “Safe Cities” – which in the absence of sufficient safeguards, present risks through their collection and processing of personal data.

Indeed, there are concerns on the true extent to which governments are committed to ensuring citizens’ data privacy rights. In 2019, Clément Voule, the United Nations Special Rapporteur on the Rights to Freedom of Peaceful Assembly and of Association, stated that a surge in legislation and policies aimed at combating cybercrime had also opened the door to punishing and surveilling activists and protesters in many countries around the world.

Among the ways in which data privacy is being undermined through legislation and policy is by increasing restrictions to the use of anonymity and encryption – both of which are fundamental to upholding other rights including press freedom, access to information and freedom of expression. States fear the use of anonymisation and encryption tools will hamper their capacity to fight terrorism and crime.

Anonymity and encryption protect privacy, and without effective protection of the right to privacy, the right of individuals to communicate anonymously and without fear of their communications being unlawfully detected cannot be guaranteed. Whether used to protect sensitive information or to verify identities, individuals and corporations alike benefit from cryptographic software in a world that is becoming increasingly networked.

In the absence of robust oversight, legal and practical safeguards, and the selective application of data protection laws, data privacy remains a primary concern for digital users in several African countries.  This is compounded by  governments who continue to encourage and support an enabling environment that facilitates efforts by state and non-state actors to undermine privacy-related rights at the cost of numerous digital rights in Africa.

—————————————————————————————————————-

This Data Privacy Day (January 28), the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) reaffirms its commitment towards advancing effective policy that shapes and informs a progressive data privacy landscape in Africa. See some of our blogs and indepth research reports on data privacy and protection in Africa.

Centering Digital Rights and the Digital Economy in Encryption Regulation

By CIPESA Writer |

In many African countries, the regulation of the use of encryption considers “national security” as the predominant concern and gives limited consideration to other areas that would benefit from the use of secure tools and technologies. Accordingly, many countries in the region are saddled with laws that unreasonably limit the use of encryption by individuals and businesses, which in turn undermine digital rights and the digital economy.

Encryption technologies enable users of digital technologies, including the internet and messaging services, to protect the confidentiality of their data and communications from unwarranted interception, observation and intrusion. Such protections are essential for businesses to thrive and be resilient, in addition to being key considerations by their customers. Those protections are crucial for individuals to enjoy their rights to privacy, free expression, and public participation.

As the world marks the Data Privacy Day on January 28, it is imperative that reflection is drawn onto Africa’s performance in regards to the role that encryption regulation plays in human rights protection online and promoting the digital economy.

The Digital Economy

The digital economy in Africa is steadily growing and contributes significantly to countries’ Gross Domestic Product (GDP), besides being a notable direct employer.  As of the end of 2021, around 33% of individuals in Africa used the internet, while there were eight mobile cellular telephones for every 10 individuals in the region, according to the International Telecommunications Union (ITU) figures.

Across the continent there has been significant growth in the penetration, access, and usage of Information and Communications Technologies (ICT). At the same time, the use of ICT is taking centre stage in education, health, economic, and governance sectors. It is also driving financial inclusion, with fintechs proliferating at high speed. In 2020, mobile technologies and services generated more than USD 130 billion of economic value added (or 8% of GDP) in Sub-Saharan Africa, according to the GSMA. In that year, the value of transactions on mobile money platforms in the region reached USD 490 billion.

Many governments are undertaking digitalisation programmes and have prioritised the integration of technology into more sectors to drive economic and social transformation. However, the growing rate of digital transformation in Africa is creating new cybersecurity threats which must be addressed to unlock new pathways for technology-enabled  economic growth, innovation, job creation and service delivery.

Regulation that facilitates the use of strong encryption by individuals and companies as opposed to limitation and prohibition of use is one way of nipping those risks in the bud and building trust and confidence to embrace and participate in the digital economy.

Various countries’ laws require registration and licensing of encryption service providers, and regulators have extensive powers to prohibit the use of some encryption technologies. Moreover, offering encryption services without licenses attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools. How African Countries Undermine Use of Encryption.

In 2021, research by the Internet Society (ISOC) showed that laws that undermine encryption can significantly harm the national economy, with the single biggest source of adverse economic effects being the indirect threat that such laws pose for trust in the internet and digital services. This reduced trust in data security depresses aggregate demand across the digital economy and induces firms to incur higher costs in attempts to build trust in their services.

Digital Rights

Compelled assistance by service providers as part of interception of communications, including the requirement to decrypt encrypted data and communications or disclose encryption keys gives governments and their agencies unfettered access to personal data, undermining citizens’ right to privacy and various other digital rights. Countries including Benin, Gabon, Namibia, Niger, Nigeria, Sierra Leone, and Zimbabwe prohibit service providers from providing any communications services that cannot be lawfully intercepted.

Such prohibitive regulations undermine digital rights in similar ways to laws on surveillance, which impose undue liability on intermediaries, and fail to provide for strong judicial oversight over surveillance operations. Meanwhile, data localisation requirements in some countries further grant authorities easier access to data for decryption and surveillance purposes with or without compelled assistance, “as they would not need to go through foreign countries’ or intermediaries’ data management protocols to access this data”, as highlighted by recent CIPESA research. Combined with mandatory SIM card registration and growing biometric databases, they thus contribute to the regressive situation for online freedom in a region fraught with human rights abuses and violations.

Securitising Encryption

Various countries regulate the use of encryption with national security as the sole key consideration. In Ivory Coast, the Telecommunications Regulatory Authority (ARTCI) is tasked to ensure that no service provider employs encryption that is contrary to public order or which undermines the interests of national defence, internal or external security of the state. Similarly, in the Central African Republic, the Electronic Communications Law of 2018 empowers the security minister to approve encryption services “based on the need to preserve the internal and external security of the state and national defence.”

Moroccan legislation restricts the import and use of encryption “to prevent its use for illegal purposes, and to protect the interests of national defence and the internal or external security of the State.” In that spirit, in 2015, the responsibility for authorising and monitoring encryption in Morocco was moved from the civilian National Telecommunications Regulatory Agency (ANRT) to the military’s General Directorate for the Security of Information Systems (DGSSI).

In Algeria, the acquisition and use of encryption by individuals and organisations must be authorised by the Regulatory Authority of Post and Electronic Communications (ARPCE) after approval by the Ministry of Defence and the Ministry of the Interior. Further, Algerian law requires that the type and nature of the equipment that will be used, list of cryptography algorithms, the size of the encryption keys, the type of virtual private network (VPN) used, the authentication methods, and the Public IP address, be provided to the regulator while applying for authorisation.

Many other countries require registration, while also requiring service providers to disclose the technical characteristics of the cryptology means, and the source code of the software used. Concerningly, some countries (including Benin, Gabon, Namibia, Niger, Nigeria, Sierra Leone, and Zimbabwe) prohibit service providers from providing any communications services that cannot be lawfully intercepted.

Overall, these limitations to the use of encryption go against Principle 40(3) of the Declaration of Principles on Freedom of Expression and Access to Information in Africa, which provides that “States shall not adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law and standards.”

Ultimately, all laws that place undue restrictions on the use of encryption tools should be repealed.

To promote the use of encryption in the region, it is imperative to desist from the current trends towards securitisation of encryption regulation. While governments often require surveillance to curb crime, laws should not outrightly prohibit or criminalise the use of encryption technologies. Rather, they should be supportive of legitimate state interests, which  also robustly protect digital rights and support growth of the digital economy.

Sudan’s Bad Laws, Internet Censorship and Repressed Civil Liberties

By Khattab Hamad and CIPESA Writer | 

On December 19, 2021, the third anniversary of the start of the uprising that overthrew former Sudanese strongman Omar al-Bashir, protests against the current military rulers rocked the capital Khartoum. Yet these demonstrations are only a small part of the north African country’s challenges, as it remains saddled with a slew of repressive laws that undermine civil liberties, with the digital civic space particularly under attack.

Sudan’s 2019 constitution grants citizens the right to privacy (article 55) and to free expression (article 57) and “the right to access the internet” (article 57(2)). As of December 2020, Sudan had 34.2 million mobile subscriptions while internet subscriptions stood at 13.7 million, representing a penetration of 31%. Sudan has the most affordable mobile internet in Africa and is ranked among the five least expensive countries for mobile internet globally.

Despite the constitutional guarantees and proliferation of technology, a new briefing paper by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) shows that the state of digital rights remains precarious, with the cybercrimes law enabling the military rulers to harass dissenters and critics under the guise of fighting false information online. 

Frequent internet shutdowns remain a constant reminder that the government will go to great lengths to control access to and use of digital technologies for mobilisation. In the last three years, six internet disruptions have been recorded, mostly ordered to thwart public protests against bad governance. The disruptions have had significant economic implications and only ended following the intervention of the courts. 

The brief explores the repressive elements of media and technology-related laws and how they have been used to undermine freedom of expression, access to information and press freedom in the aftermath of al-Bashir’s overthrow. Overall, while there have been some improvements since al-Bashir’s ouster, the current government continues to institute regressive measures such as news website blockages and censorship. The latest power machinations that saw the military stage a coup on October 25, 2021 are making matters worse. 

The Sudanese Professionals’ Association (SPA), which spearheaded the uprising that overthrew al-Bashir, extensively used digital technologies to disseminate news about the uprising and to mobilise citizens to attend protests. The military rulers that succeeded Bashir seem to have realised the power of technology in mobilisation and embarked on continuous disruption of the internet, in addition to instituting other measures to curtail online organising, freedom of expression, and the free flow of information online.

Bashir’s dictatorship initiated internet disruptions in view of public protests calling for his overthrow, but the government that succeeded him has been more prolific in utilising shutdowns to try and shut off criticism and protests. 

The longest internet disruption in Sudan’s history was recorded in 2019 and lasted 37 days. During protests around the time the shutdown was initiated, more than 100 protesters were killed. The latest shutdown started on October 25, 2021 and lasted 25 days. It was instituted after Lt. Gen. Abdel Fattah al-Burhan seized control of the government. The shutdown was ended by a court order on November 11.

In July 2021, Sudanese authorities blocked more than 30 local news websites in the run up to protests demanding the resignation of the government, a move that severely undermined the right to expression and access to information.

Meanwhile, the cybercrime law of 2020 punishes publishing “lies” and “fake news” online with a heavy penalty of four years imprisonment, or flogging, or both. This law has been used by the military to silence activists and critical state officials. Even Lt. Gen. Burhan has this year invoked it to bring a suit against a prominent critic. The Press and Publications Law of 2009 equally has repressive provisions and was last August controversially invoked to suspendAlitibaha and Alsayha newspapers.

In 2020, Sudan issued the National security law amendment of 2020, article 25 of which leaves latitude for staff of intelligence agencies to violate citizens’ privacy by giving the Sudanese General Intelligence Service “the right to request information, data, documents or things from anyone to check it or take it” without a court order. Last October, military forces that staged a coup appeared to use this provision to search people’s phones in the streets to delete documentation of human rights violations perpetuated by security forces.

See the policy brief for further details on Sudan’s Bad Laws, Internet Censorship and Repressed Civil Liberties.

South Sudan’s Cybercrimes and Computer Misuse Order 2021 Stifles Citizens’ Rights

By Edrine Wanyama |

South Sudan has enacted the Cybercrimes and Computer Misuse Provisional Order 2021 aimed to  combat  cybercrimes. The country has a fast-evolving technology sector, with three mobile operators and 24 licensed internet service providers. Investments in infrastructure development have propelled internet penetration to 16.8% and mobile phone penetration to 23% of the country’s population of 11.3 million people, which necessitates a law to curb cybercrime.

The Order is based on article 86(1) of the Transitional Constitution of South Sudan 2011, which provides that when parliament is not in session, the president can issue a provisional order that has the force of law in urgent matters.

The Cybercrimes and Computer Misuse Order makes strides in addressing cybercrimes by extending the scope of jurisdiction in prosecuting cybercrimes to cover offences committed in or outside the country against citizens and the South Sudan state. The Order also establishes judicial oversight especially over the use of forensic tools to collect evidence, with section 10 requiring authorisation by a competent court prior to collecting such evidence. Furthermore, the Order attempts to protect children against child pornography (section 23 and 24), and provides for prevention of trafficking in persons (section 30) and drugs (section 31).

However, the Order is largely regressive of citizens’ rights including freedom of expression, access to information, and the right to privacy.

The Order gives overly broad definitions including of “computer misuse,” “indecent content,” “pornography,” and “publish” which are so ambiguous and wide in scope that they could be used by the state to target government opponents, dissidents and critics. The definitions largely limit the use of electronic gadgets and curtail the exercise of freedom of expression and access to information.

Article 22 of the Transitional Constitution of South Sudan 2011 guarantees the right to privacy. The country has ratified the International Convention on Civil and Political Rights (ICCPR) that provides for the right to privacy under article 17 and the African Charter on Human and Peoples Rights, whose article 5 provides for the right to respect one’s dignity, which includes the right to privacy. The Order appears to contravene these instruments by threatening individual privacy.

Despite a commendable provision in section 6 imposing an obligation on service providers to store information relating to communications, including personal data and traffic data of subscribers, for 180 days – a period far shorter compared to other countries – personal data is still potentially at risk. The section requires service providers and their agents to put in place technical capabilities to enable law enforcement agencies monitor compliance with the Order. With no specific data protection law in South Sudan and without making a commitment to the leading regional instrument, the African Union Convention on Cyber Security and Personal Data Protection, privacy of the citizens is at stake.

The section on offences and penalties lacks specificity on fines which may be levied on errant individuals or companies. On the other hand, some of the offences provided for under the Order potentially curtail freedom of expression and the right to information. For instance, the offence of spamming under section 21 could be interpreted to include all communications through online platforms including social media platforms like Facebook and WhatsApp. Under the provision, virtually all individuals who forward messages on social media stand the risk of prosecution. This also has a chilling effect on freedom of expression and the right to information.

The offence of offensive communication under section 25 potentially has a chilling effect on freedom of expression, media freedom and access to information. A similar provision under section 25 of the Computer Misuse Act, 2011 of Uganda has been widely misused to persecute, prosecute and silence political critics and dissidents. Section 25 of the South Sudan Cybercrimes Order could be used in a similar manner to target government critics and dissidents. 

In CIPESA’s analysis of the Order, we call for specific actions that could ensure the prevention of cybercrime while at the same time not hurting online rights and freedoms, including:

  • Deletion of problematic definitions or provisions from the Order.
  • Enactment of a specific data protection law to guarantee the protection of data of individuals.
  • Urgent drafting of rules and regulations to prescribe the procedures for implementing the Order.
  • Ratification of the African Union Convention on Cyber Security and Personal Data Protection.
  • Service providers should not be compelled to disclose their subscribers’ information to law enforcement agencies except on the basis of a court order.
  • Amendment of the Order to emphasise the oversight role of courts during the processes of access, inspection, seizure, collection and preservation of data or tracking of data under section 9.

Read the full analysis here.