Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: Computer misuse

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Computer misuse
12Sep

Uganda Passes Regressive Law on “Misuse of Social Media” and Hate Speech

Author CIPESA Writer Posted on

By Edrine Wanyama |

Uganda’s parliament on September 8, 2022 passed a draconian law that criminalises various uses of computers and digital technologies and largely curtails digital rights.

Among the key regressive provisions is the prohibition of the “misuse of social media”, described in clause 6 as publishing, distributing or sharing information prohibited under Uganda’s laws. A highly punitive penalty has been prescribed for the offence: imprisonment of up to five years, a fine of up to UGX 10 million (USD 2,619), or both.

Other retrogressive provisions in the Computer Misuse (Amendment) Bill 2022 are prohibition of sending or sharing of unsolicited information through a computer, and prohibition of sending, sharing or transmitting of malicious information about or relating to any person.

Prior to the enactment of the law, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) presented its analysis of the Bill to parliament’s Committee on Information and Communications Technology (ICT), which indicated that the proposed amendments would be a blow to the enjoyment of online civil liberties. However, the committee has disregarded most of the feedback received from stakeholders listed in the Committee report, many of whom raised concerns on the digital rights gaps within the Bill..

In presentations to the parliamentary  committee, CIPESA argued that rather than introducing new, poorly defined offences, the amendments should have focussed on addressing existing retrogressive provisions in the law on computer misuse, such as section 24 on cyber harassment and section 25 on offensive communication, which have been used severally to criminalise freedom of expression, including through arrests and prosecution of journalists, activists and government opponents. Moreover, trolling, cyber harassment, unauthorised sharing of intimate images, and other forms of online violence against women and girls, are not addressed either.

Gorreth Namugga, the shadow minister for ICT and a member of parliament’s ICT Committee, said in a minority report that the issue of misuse of social media was not discussed in the committee and was not among the clauses the Computer Misuse (Amendment) Bill sought to amend. She added that the ICT Committee did not make a deep analysis of the issue, and none of the organisations and individuals consulted by the committee offered any input on the matter.

In introducing the offence of misuse of social media, the committee reasoned that, while considering the Bill, it observed that “the information technology evolution had created a new medium of communication called social media that is not fully regulated in the existing laws, yet it is “the commonest platform of Computer Misuse.” The committee therefore deemed it fit to define social media and to regulate it.

Accordingly, the Bill defines social media as a set of technologies, sites, and practices which are used to share opinions, experiences and perspectives. It cites as examples YouTube, WhatsApp, Facebook, Instagram, Twitter, WeChat, TikTok, Sina Weibo, QQ, Telegram, Snapchat, Kuaishou, Qzone, Reddit, Quora, Skype, Microsoft Team and Linkedin.

The new law will provide that “a person who uses social media to publish, distribute or share information, prohibited under the laws of Uganda or using disguised or false identity, commits an offence.” It adds that where “prohibited” information is published, shared or distributed on a social media account of an organisation, the person who manages the organisation’s social media account shall be held personally liable for the commission of the offence.

There remain questions as to how the committee introduced provisions on misuse of social media that were not in the Bill, not subjected to stakeholder consultation and, according to the minority report, not discussed by committee members. Moreover, the term, “under the laws of Uganda” with reference to prohibited information is very broad and ambiguous. This could be used by the government and its agencies to target critics and would largely curtail freedom of expression and access to information.

Uganda is not new to regressive control of digital technologies. In 2018, the east African country introduced a tax through the Excise Duty (Amendment) Act that required users to pay a daily tax in order to access social media services. The tax, which dismally failed to raise the anticipated revenues, was  replaced  with a 12% levy tax on internet data. The country’s digital taxation regime has become a key impediment to inclusive access and affordability, with millions of citizens still left out of the digital society. Uganda also routinely blocks access to the internet and social media. Since January 2021, Facebook has been blocked in Uganda on orders of the government.

While the new law attempts to define “unsolicited information” as meaning “information transmitted to a person using the internet without the person’s consent, but does not include an unsolicited commercial communication.” The guidance offered by the provision only extends to interpretation of the earlier blanket provision that had been proposed in the Bill. It does not provide any guarantees for the protection and enjoyment of freedom of expression and access to information.

In submissions to parliament, CIPESA stated that, besides undermining civil liberties, many provisions of the Bill duplicated existing laws such as the Regulation of Interception of Communications Act, 2010 and the Data Protection and Privacy Act, 2019, and would be difficult to implement

According to the minority report, all the clauses in the Bill are already catered for in existing legislation and in some instances offend Uganda’s constitution. The report states: “The fundamental rights to access information electronically and to express oneself over computer networks are utterly risked by this Bill. If passed into law it will stifle the acquisition of information. The penalties proposed in the Bill are overly harsh and disproportionate when compared to similar offences in other legislations. This Bill, if passed, will be a bad law and liable to constitutional petitions upon assent.”

Despite the largely regressive law, there are some positives, such as defining and proscribing hate speech and i the law provides and if rightly employed they could potentially improve on certain aspects regarding the digital civic space. Thus;

  • The addition of the element of intent in clause 3 in the definition of the offence of unauthorised access is quite progressive. It potentially helps to exonerate innocent individuals from wanton prosecution of what would constitute criminal access over innocent and unintended access. The Bill did not have the element of intent which is core to determination of criminal liability to qualify the offence.
  • Clause 3 was initially overly broad to the extent of discouraging the public from sharing information to the best interests of the child such as their protection from danger and harmful practices. The amendment in clause 3 in as far as it provides for circumstances under which information about children may be shared will serve to ensure that while privacy of the child is paramount, their best interest should not be disregarded.
  • Clause 4 of the Bill defines hate speech which was not previously provided for. It goes milestones in addressing hate speech which has for decades posed challenges to public order, security and persons. Furthermore, section 41 of the Penal Code Act on sectarianism presented uncertainties having limited the definition of sectarianism to groups of religion, tribe, ethnic or regional origin.
  • The law recognizes other laws on disciplinary action against errant leaders. Thus, the deletion of clause 7 is commended. It is a progressive move against a potentially excessive and discriminatory provision as was initially presented in the Bill.

The newly passed Bill is a threat to digital rights and digital civic space and falls short of the key international minimum standards. As such, it is imperative for the law to be challenged in court and for the president to deny its assent and return it to parliament for reconsideration.

29Jul

Uganda: CIPESA Submits Comments on the Computer Misuse (Amendment) Bill, 2022 to Parliament

Author CIPESA Writer Posted on

By Edrine Wanyama |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has made a submission on emerging concerns from the proposed Computer Misuse (Amendment) Bill, 2022 (the Bill) to the Parliamentary Committee on Information and Communications Technology. In its submission, CIPESA analyses the changes proposed by the Bill which are a blow to online civil liberties in Uganda.

The private members Bill is seeking to amend the Computer Misuse Act of 2011and  argues that existing laws “do not specifically address regulation of information sharing on social media” or are “not adequate to deter the vice”. The objectives of the amendment are: to enhance the provisions on unauthorised access to information or data; prohibit the sharing of any information relating to a child without authorisation from a parent or guardian; prohibit the sending or sharing of information that promotes hate speech; prohibit the sending or sharing of false, malicious and unsolicited information; and to restrict persons convicted of any offence under the Computer Misuse law from holding public office for a period of 10 years.

While the amendment could be justified by advancements in technology, upsurge in cybercrime, disinformation, and hate speech (clause 4), experience has shown that the law since enactment has been used to suppress digital rights including free expression and access to information.

The underlying provisions of the bill including clause 5 which seeks to prohibit the sending or sharing of unsolicited information through a computer, and clause 6 on prohibition of sharing malicious or misleading information, could be misused and abused by the government and its agencies to curtail sharing and dissemination of information, which would limit freedom of expression and access to information. Moreover, such restriction would counter the ruling by Supreme Court in Charles Onyango Obbo and Another v Attorney General that the penalisation of the publication of false news under Section 50 of the Penal Code is unconstitutional.

The Bill also duplicates existing laws including the Regulation of Interception of Communications Act, 2010 and Data Protection and Privacy Act in as far as it relates to unlawful interception of communications and unlawful access to and sharing of personal information under clause 2 and  prohibition of processing and sharing information about children under clause 2.

Similarly, the Bill proposes the adoption of very punitive and prohibitive penalties which could not only hinder expression and access to information but also transparency and accountability in governance. The penalties proposed stretch to UGX 15 million (USD 3,900), imprisonment not exceeding 10 years, or both for unauthorised access, interception, recording and sharing of information under clause 2. On the other hand, sharing information related to children (clause 3), hate speech (clause 4), unsolicited information (clause 5) and misleading or malicious information (clause 6) are punished with imprisonment not exceeding seven years.

While specifically targeting leaders, Clause 7 of the Bill seeks to bar persons convicted under the Computer Misuse Act from holding public office for a period of 10 years, and to further dismiss convicted personsfrom public offices that they were holding.  In addition to the restrictions under the  Official Secrets Act  it may discourage the disclosure of information by duty bearers where such disclosure would be necessary for enforcing transparency and accountability.

The Computer Misuse Act has been previously used to suppress digital rights including free expression and access to information. For instance, academic and social critic Dr. Stella Nyanzi was arrested for insulting the president in a social media post. In 2019, she was convicted of cyber harassment contrary to section 24 of the Act but acquitted of offensive communications, which is proscribed under section 25. Other individuals who have suffered the wrath of the same law include former presidential aspirant Henry Tumukunde who was arrested over alleged treasonable utterances in radio and television interviews, the Bizonto comedy group who were arrested over alleged offensive and sectarian posts, and author Kakwenza Rukirabashaija who was arrested, detained and prosecuted over offensive communication against the president and his son.

While the need for amendment of the Computer Misuse Act might be eminent to address emerging technologies, the proposed provisions are unfounded and redundant, and stipulate highly punitive penalties. They fail to address existing retrogressive provisions including section 24 on cyber harassment and section 25 on offensive communication, which have been used to criminalise freedom of expression. Moreover, trolling, cyber harassment, unauthorised sharing of intimate images, and other forms of online violence against women and girls are not addressed.

Read CIPESA’s full submission!

14Dec

South Sudan’s Cybercrimes and Computer Misuse Order 2021 Stifles Citizens’ Rights

Author CIPESA Posted on

By Edrine Wanyama |

South Sudan has enacted the Cybercrimes and Computer Misuse Provisional Order 2021 aimed to  combat  cybercrimes. The country has a fast-evolving technology sector, with three mobile operators and 24 licensed internet service providers. Investments in infrastructure development have propelled internet penetration to 16.8% and mobile phone penetration to 23% of the country’s population of 11.3 million people, which necessitates a law to curb cybercrime.

The Order is based on article 86(1) of the Transitional Constitution of South Sudan 2011, which provides that when parliament is not in session, the president can issue a provisional order that has the force of law in urgent matters.

The Cybercrimes and Computer Misuse Order makes strides in addressing cybercrimes by extending the scope of jurisdiction in prosecuting cybercrimes to cover offences committed in or outside the country against citizens and the South Sudan state. The Order also establishes judicial oversight especially over the use of forensic tools to collect evidence, with section 10 requiring authorisation by a competent court prior to collecting such evidence. Furthermore, the Order attempts to protect children against child pornography (section 23 and 24), and provides for prevention of trafficking in persons (section 30) and drugs (section 31).

However, the Order is largely regressive of citizens’ rights including freedom of expression, access to information, and the right to privacy.

The Order gives overly broad definitions including of “computer misuse,” “indecent content,” “pornography,” and “publish” which are so ambiguous and wide in scope that they could be used by the state to target government opponents, dissidents and critics. The definitions largely limit the use of electronic gadgets and curtail the exercise of freedom of expression and access to information.

Article 22 of the Transitional Constitution of South Sudan 2011 guarantees the right to privacy. The country has ratified the International Convention on Civil and Political Rights (ICCPR) that provides for the right to privacy under article 17 and the African Charter on Human and Peoples Rights, whose article 5 provides for the right to respect one’s dignity, which includes the right to privacy. The Order appears to contravene these instruments by threatening individual privacy.

Despite a commendable provision in section 6 imposing an obligation on service providers to store information relating to communications, including personal data and traffic data of subscribers, for 180 days – a period far shorter compared to other countries – personal data is still potentially at risk. The section requires service providers and their agents to put in place technical capabilities to enable law enforcement agencies monitor compliance with the Order. With no specific data protection law in South Sudan and without making a commitment to the leading regional instrument, the African Union Convention on Cyber Security and Personal Data Protection, privacy of the citizens is at stake.

The section on offences and penalties lacks specificity on fines which may be levied on errant individuals or companies. On the other hand, some of the offences provided for under the Order potentially curtail freedom of expression and the right to information. For instance, the offence of spamming under section 21 could be interpreted to include all communications through online platforms including social media platforms like Facebook and WhatsApp. Under the provision, virtually all individuals who forward messages on social media stand the risk of prosecution. This also has a chilling effect on freedom of expression and the right to information.

The offence of offensive communication under section 25 potentially has a chilling effect on freedom of expression, media freedom and access to information. A similar provision under section 25 of the Computer Misuse Act, 2011 of Uganda has been widely misused to persecute, prosecute and silence political critics and dissidents. Section 25 of the South Sudan Cybercrimes Order could be used in a similar manner to target government critics and dissidents. 

In CIPESA’s analysis of the Order, we call for specific actions that could ensure the prevention of cybercrime while at the same time not hurting online rights and freedoms, including:

  • Deletion of problematic definitions or provisions from the Order.
  • Enactment of a specific data protection law to guarantee the protection of data of individuals.
  • Urgent drafting of rules and regulations to prescribe the procedures for implementing the Order.
  • Ratification of the African Union Convention on Cyber Security and Personal Data Protection.
  • Service providers should not be compelled to disclose their subscribers’ information to law enforcement agencies except on the basis of a court order.
  • Amendment of the Order to emphasise the oversight role of courts during the processes of access, inspection, seizure, collection and preservation of data or tracking of data under section 9.

Read the full analysis here.

30May

Sections of Kenya’s Computer Misuse and Cybercrimes Act, 2018 Temporarily Suspended

Author admin Posted on

By Juliet Nanfuka |
Barely two weeks after the presidential assent to the Computer Misuse and Cybercrimes Act, 2018, a High Court judge has issued a conservatory order suspending the entry into force of 26 sections of Kenya’s contentious Computer Misuse and Cybercrimes Act, 2018. The order by Judge Chacha Mwita, suspending the sections until July 18, follows a petition filed by the Bloggers Association of Kenya (BAKE), which challenged the law for contravening constitutional provisions on freedom of opinion, freedom of expression, freedom of the media, freedom and security of the person, right to privacy, right to property and the right to a fair hearing.
In the order issued on May 29, the judge certified BAKE’s petition as urgent, and stated that  respondents (who include the Attorney General, the Speaker of the National Assembly, the head of the National Police Service, and the Director of Public Prosecutions) be served immediately. The respondents would have seven days from receipt to file written submissions. Hearing of the petition is scheduled for July 18, 2018.
Although the conservatory order only stalls the enforcement and could be lifted or maintained thereafter, it nonetheless represents a win for digital rights advocates in Kenya, as they have in the interim satisfied the judge that there is an arguable case to be made against the constitutionality of the recently enacted law. The order also marks another landmark ruling in the litigation towards respect and realisation of digital rights across Africa.

According to the  order, the suspended sections are: 5, 16, 17, 22, 23, 24, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49, 50, 51, 52 & 53.


Various organisations criticised the bill prior to its assent on May 16, 2018 calling it unconstitutional. Among the organisations were the Kenya ICT Action Network (KICTANET), Article 19 Eastern Africa, BAKE and the Centre to Protect Journalists (CPJ) who deemed numerous sections unconstitutional and detrimental to Kenyan citizens’ digital rights. They said it infringed on the privacy of individuals, freedom of expression, speech, opinion and access to information online.
Kenya already has a history of stifling online critics of the state and state actors, as echoed by James Wamathai, the Director of Partnerships at BAKE. In a statement, he said: “In the past several years, there have been attempts by the government to clamp down on the freedom of expression online. This Act is a testament of these efforts, especially after other sections were declared unconstitutional by the courts.
Among the prevailing concerns on the law is the use of vague language on issues such as “false” or “fictitious” content and false publications in Section 22 and 23, accompanied with heavy obligations on users to verify truthfulness or untruthfulness of information before disseminating. As per section 12, failure to comply would result in a fine of five million Kenyan shilling (USD 50,000), up to two years in prison, or both.
The  court order comes on the heels of the two judgments (Okiya Omtatah Okoiti v The Communication Authority of Kenya and 3 others Constitutional Petition No. 53 of 2017 and Kenya Human Rights Commission v Communications Authority of Kenya and 3 others no. 86 of 2017) by the Kenya High Court in which the petitioners successfully challenged the installation on mobile phone networks of a communication surveillance system dubbed Device Management System (DMS), by the Communications Authority (CA) Kenya (CA). The petitioners argued that, through this system, the authority would have undue access to the communications of citizens.
As more countries in Sub-Saharan Africa develop technology related laws, it is fundamental that the laws uphold human rights standards prescribed at global and regional levels, including in the International Covenant on Civil and Political Rights (ICCPR), the African Charter on Human and Peoples Rights (ACHPR), and African Union Convention on Cybersecurity and Personal Data Protection. However, recent developments such as has been witnessed in East Africa appear to prioritise the criminalisation and penalisation of internet use rather than encourage its adoption as a tool for greater access to information, and for expanding free expression and civic engagement.
Kenya’s neighbours Tanzania and Uganda have this year taken actions detrimental to digital rights. In Uganda, social media taxes that could be introduced in July 2018 threaten internet access and affordability while in in Tanzania, online content producers will have to pay over USD 900 to register with the state for permissions to maintain their platforms, according to new regulations.