Promoting Effective and Inclusive ICT Policy in Africa

Category Archives: Blog

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Blog  /  Blog
21Oct

Policy Brief: How African States Are Undermining the Use of Encryption

Author CIPESA Posted on

By Lillian Nalwoga |

Encryption enables internet users to protect their data and communications from unauthorised access. Accordingly, anonymity and the use of encryption in digital communications are key enablers of citizens’ enjoyment of the right to privacy.

Worryingly, many African countries have passed legislation that limits anonymity and the use of encryption, purportedly to aid governments’ efforts to combat terrorism and crime. Other governments in the region limit the use of encryption to enable them to monitor the communications of critical journalists, human rights defenders, and opposition politicians.

In commemoration of the inaugural Global Encryption Day, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has published a policy brief that highlights restrictions to encryption and what needs to be done by governments in Africa to promote the use of encryption. The brief shows that encryption laws and government practices in several countries undermine the privacy rights of citizens, which in turn hampers their right to free expression and to secure use of digital technologies.

The importance of the right to anonymity in the digital era has been recognised in the Declaration of Principles on Freedom of Expression and Access to Information in Africa of the African Commission on Human and Peoples’ Rights. Principle 40(3) provides that: “States shall not adopt laws or other measures prohibiting or weakening encryption, including backdoors, key escrows, and data localisation requirements unless such measures are justifiable and compatible with international human rights law and standards.”

However, encryption is under threat from governments in Africa, as indeed in other parts of the world. Among the concerns cited by the brief are legislation and regulations that require registration and licensing of encryption service providers before they can offer cryptographic services. This is the case in Benin, Chad,  Cameroon, Congo Brazzaville, Democratic Republic of Congo (DR Congo), Ethiopia, Guinea, Ivory Coast, Malawi, Mali, Morocco, Senegal, South Africa, Tanzania, Tunisia and Zambia, among others. Offering encryption services without a license attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools.

Encryption in Africa

The requirement for registration of encryption services providers makes it easy for regulators and other government agencies to access information held by these service providers, including decryption keys and encrypted data. This undermines best practices which require governments to reject laws, policies, and practices that limit access to or undermine encryption and other secure communications tools and technologies. 

Further, the brief points to how governments in Africa prohibit the use of some types of encryption and require disclosure to regulators of the characteristics of cryptology. Crucially, governments should not prohibit the use of encryption by grade or type. Further, governments should not mandate insecure encryption algorithms, standards, tools, or technologies. 

Meanwhile, laws on interception of communications across the continent including in Benin, Cameroon, Chad, Ivory Coast, Malawi, Mali, Niger, Nigeria, Rwanda, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia and Zimbabwe require communication service providers to put in place mechanisms, including the installation of software, which facilitates access and interception of communications by state agencies. Indeed, state agencies in several countries can request for decryption of data held by service providers, which poses a big concern. 

For instance, Zimbabwe’s Interception of Communications Act requires cryptography services providers to decrypt data at judicial authorities’ request or provide them with the codes allowing the decryption of data they have encrypted (article 78). Section 11(1)(d) permits security agents to demand that information is decrypted before it is handed to them, where the disclosure is necessary for national security, to prevent or detect a severe criminal offense, or in the interests of the country’s economic well being. Failure to comply is punishable with up to five years’ imprisonment, a fine not exceeding USD 373, or both. Similar provisions are found in the laws of several other countries.

Such compelled assistance from service providers has been reinforced with mandatory SIM card registration of phone users around the continent, as well as data localisation requirements amidst ineffective safeguards.

 In some countries, if the private communications of human rights defenders and opposition politicians fall into the hands of state agencies, the consequences can be dire. The brief cites Rwanda, where the private communications of musician Kizito Mihigo, opposition leader Diane Rwigara, and two former army officers were used in their separate prosecutions. In Ethiopia, the Zone 9 bloggers were detained and prosecuted, among others, for using encrypted communications.

Meanwhile, Uganda instituted a ban on use of Virtual Partial Networks (VPNs) in the face of internet taxes and network disruptions. For its part, Zimbabwe barred telecom operator Econet Wireless from introducing the Blackberry Messenger service, which provided encrypted messaging, arguing that it contravened the southern African country’s interception of communications law which bars provision of services which the communications regulator can not intercept. Another example cited is Mauritius, which this year attempted to introduce a controversial lawful interception mechanism that would decrypt and re-encrypt all social media traffic. 

In light of the above concerns, the CIPESA brief is urging governments to repeal or amend provisions that place undue restrictions on the use of encryption tools; cease blanket compelled service providers and intermediary assistance to state agents and instead provide for clear and activity-bound assistance; and enact data protection and privacy laws that robustly promote the use of strong encryption. 

The full brief can be accessed here.

21Oct

CIPESA Submits Comments on Tanzania’s Proposed Amendment to The Online Content Regulations 2021

Author CIPESA Posted on

By Edrine Wanyama |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has made a submission on the proposed amendments to Tanzania’s controversial Electronic and Postal Communications (Online Content) Regulations, 2020 that regulate online content service providers, internet service providers, application services licensees, and online content users.

On August 24, 2021, the government made a public call for comments on proposals to amend the 2020 Regulations, which entrenched the licencing and taxation of bloggers, online discussion forums, radio and television webcasters, and repressed online speech, privacy and access to information. The move towards amending the Regulations follows a series of concerns expressed in 2017, 2018 and 2020 over the regressive and repressive nature of online content regulation in the country, and its detrimental effect on freedom of expression, access to information, and the right of establishment of media.  

The proposed 2021 regulations largely reflect the previously issued regulations. While they have  some positive elements, they largely fail to address the threats posed to human rights defenders, political dissidents, journalists, academics, civil society organisations and actors.

On a positive note, the proposed regulations reduce licence application fees, as well as annual and renewal fees charged for online media content services and online content aggregators. Thus, online media content service providers will pay application fees of TZS 50,000 (USD 22) down from TZS 100,000 (USD43), initial licence fees of USD 217 from USD 433, annual licence fees of USD 217   from USD 433 and renewal fees of USD 43 from USD217.

The regulations also remove some ambiguous specification of obligations of service providers, such as the proposed deletion of the current regulation  9 (d) which potentially censors a broad variety of content by imposing on service providers the obligation to filter what is considered “prohibited content.” Regulation  9 (d) of the EPOCA Regulations of 2020 requires online content service providers to, “use moderating tools to filter prohibited content.” 

Furthermore, under regulation 3, some level of certainty in the scope of definitions is provided especially for “online media content services” and “online content aggregators”, which are lacking in the current regulations. The proposed regulations also make attempts to define and narrow the scope of categories of licences by removing all fees that were earlier imposed on online content relating to education and religion, and fees chargeable for the provision of Online Content Service Licence Category B (Simulcasting radio and television). 

However, the proposed regulation maintains broad and vague definitions, such as of “hate speech”, which could potentially be misused against individuals, media and private sector players.

Moreover, the licensing requirements under Part II of the EPOCA regulations of 2020, which have not been proposed for amendment, are still prohibitive with very heavy penalties of not less than five million shillings (USD 2,157) or  12 months imprisonment, or both, for operating without a license from the Tanzania Communications Regulatory Authority (TCRA). 

Further, the process of applying for a licence under regulation 6 remains tedious, requiring the applicant to furnish TCRA with extensive information including personal information. This comprises certified copies of certificate of incorporation or certificate of registration, tax identification number, tax clearance certificate, national identity cards, and list of owners and management teams, curriculum vitae of staff, editorial policy guidelines and any other documents required by the authority. 

The proposed amendments do not make any attempt to address the wanton restrictions laid down in the Third Schedule to regulation 16 on prohibited content.  This  includes content in paragraph 1 on sexuality and decency, content on personal privacy and respect for human dignity which extends to insults, slander and defamation or exposes news related to a person’s privacy under Paragraph 2(b)

Further, there are restrictions on content  on public security, violence and national security (Paragraph 3), content that is considered to be disrespectful of religion and personal beliefs (paragraph 7), public information that may cause public havoc and disorder (paragraph 8), use of bad languages and disparaging words (paragraph 9) and false, untrue and misleading content (paragraph 10). 

The scope of prohibited content under the Third Schedule is wide and ambiguous, and the provisions facilitate curtailment of freedom of expression and access to information. 

Additionally, the schedule prohibits publication of “content with information with regards to the outbreak of a deadly or contagious disease in the country or elsewhere without the approval of the respective authorities.” The penalty for breach of regulations is a fine of not less than five million Tanzanian shillings (USD 2,174), imprisonment for not less than 12 months, or both. This prohibition undermines freedom of expression and access to health information as it provides room for suspension of content.

Regulation 9(g) maintains  the status quo of the obligations of online content service providers to ensure that prohibited content  is removed immediately upon being ordered by TCRA. This ultimately means the sweeping powers of the authority to determine what content is available for public consumption are still on the statute books. Such powers are also a potential tool for censorship of content and hinder free expression and access to information.

The proposed amendments to the regulations come a few months after the death of Tanzania’s former president, John Magufuli. His reign was characterised by systematic clampdown and curtailment of freedoms including of expression, access to information, assembly and associations. The period before Magufuli’s death was also  characterised  by a lacklustre response to the Covid-19 pandemic.  

The analysis concludes that the proposed amendments provide some ray of hope especially in providing some degree of certainty in definition of key terms and reduction of application and licensing fees. However, the proposals are not sufficient to tackle the deep concerns in the 2020 regulations. 

You can read the full submission here.

14Oct

FIFAfrica21: Stronger International Cooperation Key to Advancing Digital Rights in Africa

Author CIPESA Posted on

By Apolo Kakaire |

Constructive international cooperation will be key to shaping digital rights in Africa and creating a path towards an inclusive, safe and secure internet on the continent. This observation was at the heart of the eighth  edition of the Forum for Internet Freedom in Africa (FIFAfrica21) as it kicked off on September 28, 2021. 

In a keynote panel discussion, Ambassador Tadej Rupel, Ministry of Foreign Affairs of Slovenia, Presidency of the Council of European Union (EU) 2021, reiterated the need for a comprehensive partnership between the European Commission and the African Union (AU) to address the challenges that come with the wider advances in the  digital sphere.

He noted that many political actors view digitalisation through the lenses of the digital economy and yet there are more critical aspects to it. Accordingly, the Slovenian EU Presidency would work to raise political awareness and attention about the significance of digital rights. He called for policy dialogue as a precursor to addressing and reinforcing a human-centric agenda through sharing experiences, such as in regulatory expertise and frameworks, and underscored the need for cooperation in building cyber security, promoting cyber resilience, and increasing responsible state behaviour.

Ambassador Rupel said: “We are trying to solve similar challenges and we can all benefit from dialoguing on these issues. We cannot allow ourselves to pursue some things in isolation. We cannot talk about increased connectivity without talking about responsibility and safety. The partnership between AU and EU can play a big role in balancing sustainable, safe and a human-centric agenda for digital services.” 

Among the growing challenges that are key for EU-AU cooperation is safe and secure use of Artificial Intelligence (AI), which calls for streamlining the regulatory landscape and public sector policies in regulating AI governance, autonomous intelligence systems, and privacy/safety issues. “It is urgent that the Global Partnership on Artificial Intelligence prioritises bridging the gap between the theory and practice of AI,” said Ambassador Rupel. He said the Slovenia-based International Research Centre on Artificial Intelligence (IRCAI) could be developed into a centre of excellence on AI to drive multi-disciplinary research in the field. 

The keynote panel also noted that states were variously stifling citizens’ digital rights including the right to free expression and access to information. Samira Sawlani, a journalist, called for the establishment of mechanisms to ensure enforcement of guidelines and laws on access to information because, while many countries have legal and constitutional guarantees, the practice leans more towards impeding information disclosure. “One way to stop journalists from doing their work is to deny them information, and when a journalist is blocked then others also do not get this information and it is something we have seen before and even during the pandemic,” she said. 

Donald Deya, the Chief Executive Officer of the Pan African Lawyers Union (PALU), underscored the importance of stronger commitment from states to establish civil rights and digital rights standards at national, regional and continent level. So far, the commitment has been lacklustre. He cited the African Union Convention on Cybersecurity and Personal Data Protection, which requires only 15 countries to ratify it for it to come into force, yet currently only eight states have ratified.

Moreover, he noted, there is selective application of laws that has seen action taken against critics on such allegations as money laundering and terrosim. “The laws have issues but the culture of rule of law is a bigger problem – with laws being applied wrongly. We should cultivate the culture of doing what is right for the majority,” said Deya.

Meanwhile, there is growing concern that states are increasingly responding to criticism with draconian measures, such as internet shutdowns. According to Michèle Ndoki, a Cameroonian lawyer and activist, “there is a shift in muzzling dissenting views, which has the net effect of cutting off masses and also has widespread economic ramifications for individuals and the economy, and activists must respond to this growing threat”.

Digital taxation is another threat to the realisation of digital rights across the continent, which speakers indicated should be addressed under the proposed cooperation. As observed by one participant, “digital taxation has become a low hanging fruit for governments [in Africa] to tighten control of the digital space.” Deya said it was essential  to establish a fair global digital taxation formula, which could be pursued through the involvement of the United Nations (UN) Tax Committee.

Initiatives that could inform international cooperation include the Digital Transformation Strategy for Africa (2020-2030) which was launched in 2019, as well as human rights mechanisms such as the UN Human Rights Council, African Commission on Human and Peoples’ Rights (ACHPR) and the Special Rapporteur on Freedom of Expression and Access to Information.

12Oct

FIFAfrica21: Africa Must be Assertive in International Cybercrime Negotiations

Author CIPESA Posted on

By Apolo Kakaire |

Local nuances, technology neutrality and cross-border cooperation should be at the heart of multi-stakeholder negotiations by African states as part of the United Nations (UN) process on elaborating an international convention on cybercrime. This is according to experts who brainstormed on how African stakeholders can contribute to the planned negotiations, and the role African civil society organisations can play in this process.

Speaking at a session on Africa and the Future of International Cybercrime Cooperation as part of the eighth edition of the Forum on Internet Freedom in Africa (FIFAfrica), Dr. Katherine Getao, the Chief Executive Officer of the Information and Communication Technology Authority of Kenya, stated that African countries have grown some capacity and are better equipped to negotiate in international norm-setting fora. However, she urged states not to “just send lawyers and diplomats” but assemble balanced teams including technical experts that enrich the negotiations. 

According to Dr. Getao, while contexts vary between the different countries on the continent, given the complexity of cybercrime, it is imperative that African countries strategically focus on what works for their countries to ensure clarity on priorities. Moreover,  she called for a local process to coordinate participation in the international process but also to ensure eventual implementation of the agreed conventions. 

George-Maria Tyendezwa, the Africa Group Vice Chair of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, urged African countries to engage with the negotiations “irrespective of their installed capacity”. Since countries are at different levels of growth in the area of cybercrime, cooperation would enable continued peer learning. 

Globally, Ransomware attacks have surged drastically with damage estimated to hit USD 6 trillion in 2021. Such attacks and other cybercrimes affect all countries, but in Africa, weak network infrastructure security especially within financial institutions, governments, and e-commerce companies makes countries especially vulnerable. In March 2021 Interpol established the African Joint Operation Against Cybercrime (AFJOC), a project to drive intelligence-led, coordinated actions against cybercrime and its perpetrators in African member countries.

Speakers at the FIFAfrica21 session acknowledged that the African cybercrimes landscape presents unique challenges related to detection and investigations, and poor technical capacity among law enforcement officials to retrieve evidence to support criminal prosecution. Given the transnational nature of cybercrime, international cooperation at infrastructure level is key in the recovery of evidence to prosecute perpetrators.

However, the regulatory framework for international cooperation on cybercrime remains weak and fraught with lack of commitment. For instance, while the Budapest Convention is 20 years old, only 66 countries have ratified it across the world. Similarly, the Malabo Convention whose implementation in Africa requires 15 ratifications has only registered eight so far. 

Citing the example of the cost of cybercrime in Africa, which in comparison to other economies and the monetary threshold of cybercrime under international law may seem paltry, Michael Ilishebo, a Digital Forensic Analyst and Cyber Crime Investigator with the Zambia Police Service, emphasised that the legal framework governing cybercrime on the continent should be home- grown and resonate with the region’s crime patterns. To strengthen their bargaining power during negotiations, however, African states need to develop national and regional positions and synchronise these with the UN ad hoc committee. “We should have a consensus on [the] Malabo [Convention] before we start talking about Budapest. We should first ensure that African cyberspace is safe before we rush to the UN,” said Ilishebo. 

For her part, Tatiana Tropina from Leiden University said negotiations should ensure that frameworks are technology neutral so as to deal with emerging unanticipated aspects. By defining illegal conduct irrespective of the medium, technology neutral legislation would give some certainty to criminal justice. “When the instrument at the global level says this is what should be stopped, this should trigger domestication which can vary in as much as it does not violate the agreed principles,” said Tropina.

On the multi-faceted approach to tackling cybercrime, Dr. Getao emphasised that focus should not only be on individual perpetrators but also technology service providers who expose consumers to crimes.  “There are civil and criminal aspects that should be taken into account,” she said. As such, a truly global solution must be developed in a participatory way, balancing law enforcement, foreign policy and human rights interests. 

Among the suggested ways to achieve the balance was consensus on key principles, clarity that emerging concerns resonate with existing principles, and human rights due diligence as part of the processes. “Vulnerable communities take the main brunt of cybercrime and this must be taken into consideration as duties of states to guarantee non-discrimination, fair trial, respect for human rights law, access to information and to legal attorney,” said Klara Jordan, the Chief Public Policy Officer of the Cyber Peace Institute. The Institute has recently launched a Multi-stakeholder Manifesto as a guide ahead of treaty negotiations at the UN. 

Ultimately, cybercrime should be considered beyond law enforcement and include the perspectives of civil society who also have a role to play in the implementation of conventions and yet also happen to be victims. “Civil society and individuals being part of the solution is very key and governments must open up,” said Jordan.

27Sep

Africa Law Tech Festival 2021: CIPESA Underscores Strategies to Cutting Through Common Emerging Barriers To Access To Justice Despite the Covid-19 Pandemic

Author CIPESA Posted on

By the Lawyers hub |

At the onset of the COVID-19 pandemic, governments across Africa implemented measures to curb the spread of the virus that greatly disrupted judicial processes, slowing down access to justice. Such measures include suspension of all in- person court activities like mentions, hearings and appeals as well as execution of court judgements. Gradually, courts looked to adopting technological measures to aid in the delivery of justice; measures which despite the noble intentions, had to be grounded in law. 

These developments informed the Collaboration on International ICT Policy for East and Southern Africa (CIPESA)’s masterclass at the second edition of the Africa Law Tech Festival, a five-day annual conference that convenes different stakeholders in Africa to deliberate on digital policy issues. In line with this year’s theme, ‘Digital Policy for Economic Growth’, the class explored The Role of Lawyers and Courts digital access to Justice amidst the Covid 19 Pandemic. CIPESA affirmed that for many African countries, the basis for e-justice can be founded on the supreme law- the Constitution. In July 2020, the Supreme Court of Nigeria ruled in favour of virtual courts and  dismissed suits by Lagos and Ekiti States in which they sought to have virtual courts declared unconstitutional and null and void. 

Since the emergence of COVID-19, the African Judicial system has greatly changed. Courts have developed guidelines and practice notes for development of virtual courts and adopted online case management systems. As at December 2020, at least 20 African states had adopted e-filing and e-service and incorporated virtual hearings. Despite these successes, there are various challenges inhibiting the growth and adoption of virtual courts in Africa including:

The costs of acquisition of hardware and software needed for virtual courts. Africa has the lowest internet penetration rate caused by high cost of services and connectivity devices. In 2020, the Alliance for Affordable Internet reported that Africa had the least affordable smart devices globally costing about 62.8% of individual monthly income. Unaffordable devices raise the cost of connectivity for most Africans, pushing many offline. Conversely, those offline are not able to effectively utilize and participate in virtual courts, thus limiting access to justice. In Uganda, the judiciary obtained support from the UNDP to purchase zoom licenses. In Kenya, the judiciary partnered with the Ministry of ICT to acquire licenses for teleconferencing facilities and technical officers to provide support in respective court stations. 

Africa’s increasing digital divide has further degenerated access to justice. The International Telecommunication Union reports that Africa has the lowest percentage of persons using the internet globally. Moreover, urban areas have twice as much home internet access than rural areas. Despite having internet access, the reliability may be affected by constant power outages. Other justice actors like prisons would also need to be meaningfully connected. Previous efforts to implement the e-filling system and virtual courts by the judiciary in Kenya were slowed down due to lack of digital infrastructure and unreliable electricity in courts. As the adoption of virtual courts becomes widespread, it is crucial to ensure accessibility for all by addressing issues of digital infrastructure, device and broadband affordability otherwise justice would be discriminatory and a violation of their right to access to justice. 

Law and policies regulating the internet are not favourable. For instance, taxation of the internet leads to high data costs which in most cases aggravates digital exclusion. In 2021, Uganda replaced the unpopular social media tax of 200 shillings (USD 0.02) by introducing a 12% excise duty on the internet. In 2018 Zambia introduced a daily tax of USD 0.03 on internet voice calls following research that 80% of the citizens were using internet voice calls like WhatsApp, Skype and Viber. Recently, Kenya raised excise duty on internet services by from 15% to 20% further raising the cost of internet.  Such tax raises the cost of the internet, decreasing affordability for most citizens. Limitation on access and usage stifles innovation and ultimately access to justice as litigants would also be required to meet these high costs whether directly or indirectly. 

While digital security is important for a safe digital space, there has been a rise in cybercrimes during the COVID-19 pandemic. This includes malware that was previously dormant. The Communication Authority of Kenya reported a 152.9% increase in cybercrimes during the pandemic as cyber criminals exploit vulnerable computer systems. With recent cyberattacks in Uganda’s financial system as well as South Africa’s healthcare, there is concern over capacity to deal with cyberattacks given the sensitivity of judicial proceedings. Cyberattacks and crime are usually associated with a chilling effect on the use of digital platforms.

Meanwhile lack of the required digital skills pose a challenge to use of ICTs. While the goal remains to leave no one in Africa offline, African participation may be hindered by lack of digital skills. According to a study by the International Finance Corporation, by 2030,  over 200 million jobs in Africa will require digital skills. This means that Africans should strive to have the basic skills required that allows for full participation in virtual court system such as the filing of documents or attendance of virtual hearings. This is especially so in critical times like the pandemic where isolation could cause one to be away from those with the digital skills.   

From the aforementioned highlights, it is necessary to undertake practice measures that harness access and use of technology for justice. This would in turn lead to maximization of the benefits of e-justice. Similarly, governments should undertake a favourable licensing policy and legal frameworks that encourage investment and connectivity in ICTs. 

1 29 30 31 32 33 70