Promoting Effective and Inclusive ICT Policy in Africa

Category Archives: Online Freedoms

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Blog  /  Online Freedoms
27Jan

Centering Digital Rights and the Digital Economy in Encryption Regulation

Author CIPESA Writer Posted on

By CIPESA Writer |

In many African countries, the regulation of the use of encryption considers “national security” as the predominant concern and gives limited consideration to other areas that would benefit from the use of secure tools and technologies. Accordingly, many countries in the region are saddled with laws that unreasonably limit the use of encryption by individuals and businesses, which in turn undermine digital rights and the digital economy.

Encryption technologies enable users of digital technologies, including the internet and messaging services, to protect the confidentiality of their data and communications from unwarranted interception, observation and intrusion. Such protections are essential for businesses to thrive and be resilient, in addition to being key considerations by their customers. Those protections are crucial for individuals to enjoy their rights to privacy, free expression, and public participation.

As the world marks the Data Privacy Day on January 28, it is imperative that reflection is drawn onto Africa’s performance in regards to the role that encryption regulation plays in human rights protection online and promoting the digital economy.

The Digital Economy

The digital economy in Africa is steadily growing and contributes significantly to countries’ Gross Domestic Product (GDP), besides being a notable direct employer.  As of the end of 2021, around 33% of individuals in Africa used the internet, while there were eight mobile cellular telephones for every 10 individuals in the region, according to the International Telecommunications Union (ITU) figures.

Across the continent there has been significant growth in the penetration, access, and usage of Information and Communications Technologies (ICT). At the same time, the use of ICT is taking centre stage in education, health, economic, and governance sectors. It is also driving financial inclusion, with fintechs proliferating at high speed. In 2020, mobile technologies and services generated more than USD 130 billion of economic value added (or 8% of GDP) in Sub-Saharan Africa, according to the GSMA. In that year, the value of transactions on mobile money platforms in the region reached USD 490 billion.

Many governments are undertaking digitalisation programmes and have prioritised the integration of technology into more sectors to drive economic and social transformation. However, the growing rate of digital transformation in Africa is creating new cybersecurity threats which must be addressed to unlock new pathways for technology-enabled  economic growth, innovation, job creation and service delivery.

Regulation that facilitates the use of strong encryption by individuals and companies as opposed to limitation and prohibition of use is one way of nipping those risks in the bud and building trust and confidence to embrace and participate in the digital economy.

Various countries’ laws require registration and licensing of encryption service providers, and regulators have extensive powers to prohibit the use of some encryption technologies. Moreover, offering encryption services without licenses attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools. How African Countries Undermine Use of Encryption.

In 2021, research by the Internet Society (ISOC) showed that laws that undermine encryption can significantly harm the national economy, with the single biggest source of adverse economic effects being the indirect threat that such laws pose for trust in the internet and digital services. This reduced trust in data security depresses aggregate demand across the digital economy and induces firms to incur higher costs in attempts to build trust in their services.

Digital Rights

Compelled assistance by service providers as part of interception of communications, including the requirement to decrypt encrypted data and communications or disclose encryption keys gives governments and their agencies unfettered access to personal data, undermining citizens’ right to privacy and various other digital rights. Countries including Benin, Gabon, Namibia, Niger, Nigeria, Sierra Leone, and Zimbabwe prohibit service providers from providing any communications services that cannot be lawfully intercepted.

Such prohibitive regulations undermine digital rights in similar ways to laws on surveillance, which impose undue liability on intermediaries, and fail to provide for strong judicial oversight over surveillance operations. Meanwhile, data localisation requirements in some countries further grant authorities easier access to data for decryption and surveillance purposes with or without compelled assistance, “as they would not need to go through foreign countries’ or intermediaries’ data management protocols to access this data”, as highlighted by recent CIPESA research. Combined with mandatory SIM card registration and growing biometric databases, they thus contribute to the regressive situation for online freedom in a region fraught with human rights abuses and violations.

Securitising Encryption

Various countries regulate the use of encryption with national security as the sole key consideration. In Ivory Coast, the Telecommunications Regulatory Authority (ARTCI) is tasked to ensure that no service provider employs encryption that is contrary to public order or which undermines the interests of national defence, internal or external security of the state. Similarly, in the Central African Republic, the Electronic Communications Law of 2018 empowers the security minister to approve encryption services “based on the need to preserve the internal and external security of the state and national defence.”

Moroccan legislation restricts the import and use of encryption “to prevent its use for illegal purposes, and to protect the interests of national defence and the internal or external security of the State.” In that spirit, in 2015, the responsibility for authorising and monitoring encryption in Morocco was moved from the civilian National Telecommunications Regulatory Agency (ANRT) to the military’s General Directorate for the Security of Information Systems (DGSSI).

In Algeria, the acquisition and use of encryption by individuals and organisations must be authorised by the Regulatory Authority of Post and Electronic Communications (ARPCE) after approval by the Ministry of Defence and the Ministry of the Interior. Further, Algerian law requires that the type and nature of the equipment that will be used, list of cryptography algorithms, the size of the encryption keys, the type of virtual private network (VPN) used, the authentication methods, and the Public IP address, be provided to the regulator while applying for authorisation.

Many other countries require registration, while also requiring service providers to disclose the technical characteristics of the cryptology means, and the source code of the software used. Concerningly, some countries (including Benin, Gabon, Namibia, Niger, Nigeria, Sierra Leone, and Zimbabwe) prohibit service providers from providing any communications services that cannot be lawfully intercepted.

Overall, these limitations to the use of encryption go against Principle 40(3) of the Declaration of Principles on Freedom of Expression and Access to Information in Africa, which provides that “States shall not adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law and standards.”

Ultimately, all laws that place undue restrictions on the use of encryption tools should be repealed.

To promote the use of encryption in the region, it is imperative to desist from the current trends towards securitisation of encryption regulation. While governments often require surveillance to curb crime, laws should not outrightly prohibit or criminalise the use of encryption technologies. Rather, they should be supportive of legitimate state interests, which  also robustly protect digital rights and support growth of the digital economy.

23Dec

Sudan’s Bad Laws, Internet Censorship and Repressed Civil Liberties

Author CIPESA Posted on

By Khattab Hamad and CIPESA Writer | 

On December 19, 2021, the third anniversary of the start of the uprising that overthrew former Sudanese strongman Omar al-Bashir, protests against the current military rulers rocked the capital Khartoum. Yet these demonstrations are only a small part of the north African country’s challenges, as it remains saddled with a slew of repressive laws that undermine civil liberties, with the digital civic space particularly under attack.

Sudan’s 2019 constitution grants citizens the right to privacy (article 55) and to free expression (article 57) and “the right to access the internet” (article 57(2)). As of December 2020, Sudan had 34.2 million mobile subscriptions while internet subscriptions stood at 13.7 million, representing a penetration of 31%. Sudan has the most affordable mobile internet in Africa and is ranked among the five least expensive countries for mobile internet globally.

Despite the constitutional guarantees and proliferation of technology, a new briefing paper by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) shows that the state of digital rights remains precarious, with the cybercrimes law enabling the military rulers to harass dissenters and critics under the guise of fighting false information online. 

Frequent internet shutdowns remain a constant reminder that the government will go to great lengths to control access to and use of digital technologies for mobilisation. In the last three years, six internet disruptions have been recorded, mostly ordered to thwart public protests against bad governance. The disruptions have had significant economic implications and only ended following the intervention of the courts. 

The brief explores the repressive elements of media and technology-related laws and how they have been used to undermine freedom of expression, access to information and press freedom in the aftermath of al-Bashir’s overthrow. Overall, while there have been some improvements since al-Bashir’s ouster, the current government continues to institute regressive measures such as news website blockages and censorship. The latest power machinations that saw the military stage a coup on October 25, 2021 are making matters worse. 

The Sudanese Professionals’ Association (SPA), which spearheaded the uprising that overthrew al-Bashir, extensively used digital technologies to disseminate news about the uprising and to mobilise citizens to attend protests. The military rulers that succeeded Bashir seem to have realised the power of technology in mobilisation and embarked on continuous disruption of the internet, in addition to instituting other measures to curtail online organising, freedom of expression, and the free flow of information online.

Bashir’s dictatorship initiated internet disruptions in view of public protests calling for his overthrow, but the government that succeeded him has been more prolific in utilising shutdowns to try and shut off criticism and protests. 

The longest internet disruption in Sudan’s history was recorded in 2019 and lasted 37 days. During protests around the time the shutdown was initiated, more than 100 protesters were killed. The latest shutdown started on October 25, 2021 and lasted 25 days. It was instituted after Lt. Gen. Abdel Fattah al-Burhan seized control of the government. The shutdown was ended by a court order on November 11.

In July 2021, Sudanese authorities blocked more than 30 local news websites in the run up to protests demanding the resignation of the government, a move that severely undermined the right to expression and access to information.

Meanwhile, the cybercrime law of 2020 punishes publishing “lies” and “fake news” online with a heavy penalty of four years imprisonment, or flogging, or both. This law has been used by the military to silence activists and critical state officials. Even Lt. Gen. Burhan has this year invoked it to bring a suit against a prominent critic. The Press and Publications Law of 2009 equally has repressive provisions and was last August controversially invoked to suspendAlitibaha and Alsayha newspapers.

In 2020, Sudan issued the National security law amendment of 2020, article 25 of which leaves latitude for staff of intelligence agencies to violate citizens’ privacy by giving the Sudanese General Intelligence Service “the right to request information, data, documents or things from anyone to check it or take it” without a court order. Last October, military forces that staged a coup appeared to use this provision to search people’s phones in the streets to delete documentation of human rights violations perpetuated by security forces.

See the policy brief for further details on Sudan’s Bad Laws, Internet Censorship and Repressed Civil Liberties.

14Dec

South Sudan’s Cybercrimes and Computer Misuse Order 2021 Stifles Citizens’ Rights

Author CIPESA Posted on

By Edrine Wanyama |

South Sudan has enacted the Cybercrimes and Computer Misuse Provisional Order 2021 aimed to  combat  cybercrimes. The country has a fast-evolving technology sector, with three mobile operators and 24 licensed internet service providers. Investments in infrastructure development have propelled internet penetration to 16.8% and mobile phone penetration to 23% of the country’s population of 11.3 million people, which necessitates a law to curb cybercrime.

The Order is based on article 86(1) of the Transitional Constitution of South Sudan 2011, which provides that when parliament is not in session, the president can issue a provisional order that has the force of law in urgent matters.

The Cybercrimes and Computer Misuse Order makes strides in addressing cybercrimes by extending the scope of jurisdiction in prosecuting cybercrimes to cover offences committed in or outside the country against citizens and the South Sudan state. The Order also establishes judicial oversight especially over the use of forensic tools to collect evidence, with section 10 requiring authorisation by a competent court prior to collecting such evidence. Furthermore, the Order attempts to protect children against child pornography (section 23 and 24), and provides for prevention of trafficking in persons (section 30) and drugs (section 31).

However, the Order is largely regressive of citizens’ rights including freedom of expression, access to information, and the right to privacy.

The Order gives overly broad definitions including of “computer misuse,” “indecent content,” “pornography,” and “publish” which are so ambiguous and wide in scope that they could be used by the state to target government opponents, dissidents and critics. The definitions largely limit the use of electronic gadgets and curtail the exercise of freedom of expression and access to information.

Article 22 of the Transitional Constitution of South Sudan 2011 guarantees the right to privacy. The country has ratified the International Convention on Civil and Political Rights (ICCPR) that provides for the right to privacy under article 17 and the African Charter on Human and Peoples Rights, whose article 5 provides for the right to respect one’s dignity, which includes the right to privacy. The Order appears to contravene these instruments by threatening individual privacy.

Despite a commendable provision in section 6 imposing an obligation on service providers to store information relating to communications, including personal data and traffic data of subscribers, for 180 days – a period far shorter compared to other countries – personal data is still potentially at risk. The section requires service providers and their agents to put in place technical capabilities to enable law enforcement agencies monitor compliance with the Order. With no specific data protection law in South Sudan and without making a commitment to the leading regional instrument, the African Union Convention on Cyber Security and Personal Data Protection, privacy of the citizens is at stake.

The section on offences and penalties lacks specificity on fines which may be levied on errant individuals or companies. On the other hand, some of the offences provided for under the Order potentially curtail freedom of expression and the right to information. For instance, the offence of spamming under section 21 could be interpreted to include all communications through online platforms including social media platforms like Facebook and WhatsApp. Under the provision, virtually all individuals who forward messages on social media stand the risk of prosecution. This also has a chilling effect on freedom of expression and the right to information.

The offence of offensive communication under section 25 potentially has a chilling effect on freedom of expression, media freedom and access to information. A similar provision under section 25 of the Computer Misuse Act, 2011 of Uganda has been widely misused to persecute, prosecute and silence political critics and dissidents. Section 25 of the South Sudan Cybercrimes Order could be used in a similar manner to target government critics and dissidents. 

In CIPESA’s analysis of the Order, we call for specific actions that could ensure the prevention of cybercrime while at the same time not hurting online rights and freedoms, including:

  • Deletion of problematic definitions or provisions from the Order.
  • Enactment of a specific data protection law to guarantee the protection of data of individuals.
  • Urgent drafting of rules and regulations to prescribe the procedures for implementing the Order.
  • Ratification of the African Union Convention on Cyber Security and Personal Data Protection.
  • Service providers should not be compelled to disclose their subscribers’ information to law enforcement agencies except on the basis of a court order.
  • Amendment of the Order to emphasise the oversight role of courts during the processes of access, inspection, seizure, collection and preservation of data or tracking of data under section 9.

Read the full analysis here.

03Dec

CIPESA Working On Advancing Digital Inclusion for Persons With Disabilities in Africa

Author CIPESA Writer Posted on

By Staff Writer |

Persons with disabilities have unique needs and have for long been disadvantaged, yet the more some African countries get digitally connected, the deeper the digital divide for this community seems to grow. Despite growth in Information and Communications Technology (ICT) penetration, a large section of persons with disabilities faces digital exclusion due to lack of access and affordability of the requisite ICT tools and equipment, and failure by telecommunication operators to provide information and services in disability-friendly formats.

While millions turned to technology and traditional media for information in the wake of the Covid-19 pandemic, critical messages about the disease that are disseminated by health authorities, telecom companies, and broadcasters were and still are not reaching persons with visual and hearing impairments.

In turn, the digital exclusion of persons with disabilities worsened with the Covid-19 pandemic yet the Covid-19 crisis rendered technology key to working, learning, political participation and the enjoyment of other rights. Yet few organisations, within and outside the digital rights movement, are pushing for greater ICT accessibility.

These gaps in access to information gaps are growing despite the International Disability Alliance (IDA) issuing key recommendations towards a disability-inclusive Covid-19 response, including the requirement that persons with disabilities must receive information about infection mitigating tips, public restriction plans, and the services offered, in a diversity of accessible formats with use of accessible technologies.

The Collaboration for International ICT Policy for East and Southern Africa (CIPESA), is working to raise the availability of information on ICT and disability in Africa by producing relevant evidence-based research; mainstreaming disability rights issues in conversations about technology access and digital rights; growing the capacity of diverse actors to research on and advocate for meaningful connectivity and digital accessibility, and engaging key actors such telecom companies and regional bodies.

What CIPESA is doing is quite powerful and empowering. The tool is excellent, it needs to be worked on as we’ve given our input in the meeting. Once that is done, reaching out and creating awareness about the tool will be more powerful, engaging such stakeholders such as government and other key stakeholders. Once it is out this is going to be a game-changer because for persons with disabilities, ICT makes the world go round … This has been one of the first meetings on ICT and disabilities, so it is an excellent move. – Erick Ngondi, United Disabled Persons of Kenya

Here are some of our blogs and in-depth research reports on technology and persons with disabilities in Africa.

Blogs

  1. Why Access to Information on Covid-19 is Crucial to Persons with Disabilities in Africa
  2. Placing ICT Access for Persons with Disabilities at the Centre of Internet Rights Debate in Kenya
  3. CIPESA Submits Comments to Uganda Communications Commission on Improving Access to ICT for Persons With Disabilities
  4. Calling Out the African Union and Telecoms Associations to Prioritize ICT Access for Persons with Disabilities
  5. Vodacom Outshines MTN in Efforts to Serve Persons With Disabilities in South Africa
  6. People With Disabilities Left Out in ICT Jamboree
  7. Governments and Donors Urged to Advance ICT Access for Persons with Disabilities
  8. Telcos in Nigeria and Kenya Should Address Exclusion of Persons With Disabilities
  9. CIPESA Endorses GSMA Principles to Drive Digital Inclusion of Persons With Disabilities
  10. Fighting for plight of persons with disabilities

Research Reports

  1. Assessing the Barriers to Accessing ICT by People with Disability in Tanzania
  2. Assessing the Barriers to Accessing ICT by People with Disability in Uganda
  3. Assessing the Barriers to Accessing ICT by People with Disability in Kenya
  4. Removing Barriers to ICT Accessibility for Persons with Disabilities in  Kenya, Tanzania and Uganda which identified needed actions by government, regulators and communication companies.
  5. Access Denied: How Telecom Operators in Africa Are Failing Persons With Disabilities. CIPESA assessed 10 telecom companies in five countries (Botswana, Kenya, Nigeria, South Africa, and Uganda). Most of them – despite being long-established operators with a majority market share in their respective countries – were found to have failed to meet their obligations to provide information and services to persons with disabilities, in contravention of the companies’ obligations under national laws and the CRPD.

CIPESA made submission to the AUC, the ATU and EACO, drawing attention to these organisations’ obligation to protect and advance the rights of persons with disabilities in line with the African Charter on Human and Peoples’ Rights; the CRPD; the Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired or Otherwise Print Disabled (the Marrakesh Treaty); the SDGs; and the Protocol to the African Charter on Human and Peoples’ Rights on the Rights of Persons with Disabilities in Africa.

See an in-depth document about our work here.

Watch this insightful discussion on “The Role of the Media in Promoting Digital Rights for  Persons With Disabilities in Africa.

16Nov

How Weaponization of Network Disruptions During Elections Threatens Democracy

Author CIPESA Posted on

By Evelyn Lirri |

In August 2021, Zambia became the latest country to restrict citizens’ access to social media platforms including Facebook, Twitter and WhatsApp as the country went to the polls. Citing the need to stop the spread of election misinformation, the Zambian government disrupted the internet in an election that saw an opposition politician defeat the incumbent president.

The disruption of digital communications is a recurring theme in numerous countries in as states pursue their ambitions of controlling information and communication flow during elections and other times of public protest.

Between January and May 2021, digital advocacy group Access Now documented at least 50 internet shutdowns in 21 countries, including in several African countries like Uganda, Ethiopia, Nigeria, Niger and Congo Brazzaville. However, there has also been pushback against these shutdowns by various civil society and digital rights actors, alongside users turning to Virtual Private Networks (VPNs) to circumvent blockages.

At the eighth edition of the Forum on Internet Freedom in Africa (FIFAfrica) that was hosted by the Collaboration on International ICT for East and Southern Africa (CIPESA) from September 28-30, 2021, members of the KeepItOn coalition, a global movement to end internet shutdowns, shared experiences from various countries on How Weaponization of Network Disruptions During Elections Threatens Democracy and some of the actions taken to prepare and advocate against election-related shutdowns.

Susan Mwape, an Election Analyst and Executive Director of Common Cause-Zambia, noted that in the lead up to the August 2021 elections in Zambia, the government imposed restrictions on public gatherings in the name of enforcing Covid-19 prevention measures. Consequently, citizens resorted to digital platforms to engage in election-related issues.

Threatened by the increased online engagement and mobilisation, the government hurriedly adopted the Cyber Security and Cyber Crimes Act, 2021. The Act was passed amidst criticism that it was primarily aimed at policing cyberspace, gagging freedom of expression and speech, and stifling internet use by opposition groups and supporters ahead of the general elections.

See this CIPESA analysis: Implications of Zambia’s  Cyber Security and Cyber Crimes Act 2021 on Digital Rights

Anticipating a shutdown ahead of the elections, Mwape said capacity building and advocacy activities were conducted  in collaboration with the KeepItOn coalition.

“We trained over 70 people – civil society, journalists, citizens and frontline defenders on secure tools they could use to stay online. But we also wrote an open letter to the President on why it was important to keep the internet on,” Susan Mwape.

Capacity building in circumvention techniques in anticipation of shutdowns has become a common strategy across the world. In Iraq, Hayder Hamzoz, the Founder and Chief Executive Officer of INSM Network, said efforts in this regard not only cover use of specific tools but prior installation of applications to overcome “governments’ first course of action” which is often to disable application stores where circumvention tools can be accessed.

Indeed, this was the case in Uganda, which has experienced various forms of election-related network disruptions – the most recent being a total shutdown during the January 2021 general elections and an ongoing block on Facebook access.

Allan Ssempala Kigozi, the Head of Legal Affairs at Unwanted Witness, explained that while a shutdown was anticipated in the country, civil society actors held a number of engagements with telecommunications companies and regulators on the need to keep the internet on.

“We wanted the government to understand that as the country was heading to the polls, an internet shutdown should not be the way to go because it has a wide-ranging impact on the economy beyond the misinformation that the government says it was trying to avert,” said Kigozi. He further noted that despite the shutdown, there was still an opportunity for misinformation to flow through text messages and added that upon the reinstatement of access, recorded videos and photos were shared thus maintaining the misinformation.

Despite having a long history of disruptions, Chad last April held an election without disrupting the internet. Abdeldjalil Bachar Bong, the Founder and Chief Executive Officer of House of Africa in Chad, attributed this to advocacy campaigns including by the #KeepItOn movement, which wrote an open letter to the President and telecommunications providers on the importance of keeping the internet on.

“We told them that shutting down the internet is not a solution. The solution is to educate the public on the benefits of using the internet,” he said. This was complemented by skills and knowledge building efforts targeting human rights defenders and civil society on how to use circumvention tools in the event of a shutdown.

For their part, circumvention tools developers such as TunnelBear have worked with digital rights groups and activists to ensure access to their platform in the event of a shutdown including through providing free bandwidth to use TunnelBear. Shames Abdelwahab, the Advocacy and Community Manager at TunnelBear, noted that in countries where they have done this, there has been a huge spike in the usage of the service. TunnelBear also provides free VPN accounts to activists on the ground. “The aim is to ensure digital activists keep online as they advocate against internet shutdowns,” said Abdelwahab.

Manson Gwanyanya, a researcher with the Business and Human Rights Resource Centre, noted that with increasing cases of internet shutdowns happening across the globe, more efforts including increased company transparency are being made to ensure that telecommunication companies and internet service providers are held accountable for their actions.

Blocking the internet ahead of the elections undermines electoral transparency, severely hinders the work of journalists, and denies citizens’ access to badly needed information. Governments should thus ensure the internet remains open to provide an opportunity for opposition actors to reach the electorate with information and for a pluralistic media to flourish.

1 2 3 4 5 6 41