Cyber Diplomacy with Africa: Lessons From the African Cybersecurity Convention

By Mailyn Fidler
Two years ago, the African Union (AU) adopted its Convention on Cybersecurity and Personal Data Protection. The Convention seeks to improve how African states address cybercrime, data protection, e-commerce, and cybersecurity. However, only eight of the AU’s fifty-four members have signed the Convention, with none ratifying it. Despite this currently limited uptake, the Convention, and how the AU produced it, signals that African states value political autonomy and independence when developing cyber policy. The U.S. government should keep this in mind as it reaches out to AU member states in promoting cyber norms and capacity building efforts.
Development of the Convention
The AU’s development of the Convention reflects a desire of African states to have autonomy over their response to cyberspace challenges. The AU chose to develop its own Convention instead of promoting African participation in existing cyber treaties, most notably the Council of Europe’s Budapest Convention on Cybercrime (2001). Only one African state, South Africa, participated in the Budapest Convention negotiations, and, even then, had to ask to be included.  The Council of Europe approved three other African country requests to accede, a low rate compared to other regions in the global south, and only one African state has ratified it. South Africa has refused to ratify the Budapest Convention because of sovereignty concerns.
Instead, the AU began work on its own approach in 2007. By this time, African states had already started to act as a bloc in international cyber negotiations. For instance, African countries advocated for more equitable access to the Internet and participation in Internet governance during the 2003 and 2005 World Summit on the Information Society (WSIS) – a stance that challenged prevailing Western views.
Read the full article here.

South Africa Bill Threatens Internet Freedom

By Juliet Nanfuka
South Africa’s Cybercrimes And Cybersecurity Bill (2014) has been met with apprehension among civil society due to its vague definitions and its limited safeguards for access to information and freedom of expression. In many ways, it resonates with the equally stifling Draft Online Regulation Policy gazetted in March 2015, which contains clauses that have the potential of blocking online content including films, games and certain publications.
Civil society welcomed the invitation by the Department of Justice and Constitutional Development to provide comment to the draft document. However, concerns have been raised across the board including by the Interactive Advertising Bureau South Africa on the grounds that the bill “broadens the definitions of copyright and creates requirements that do not exist in current copyright law.”
The Association for Progressive Communications stated in its submission that the bill does not sufficiently distinguish between unlawful intention and a lack of intention by an internet user, such as an inexperienced internet user who downloads illegal malware without being aware of it. According to APC, given the low levels of digital literacy in South Africa, this is an important concern. It also noted that the Bill lacks a clear perspective on the culpability of minors and the evolving capacity of minors.
The Right2Know campaign in their comments  pointed out that the bill gives the state excessive authority by granting “the power to declare any data, database, device, network, infrastructure – publicly or privately owned – to be a ‘National Critical Information Infrastructure.’”
Many clauses in the South African Bill are similar to clauses present in a spate of bills that have emerged in East Africa. In Part V of the Kenya Security Laws (Amendment) Act 2014, the surveillance capabilities of the Kenyan intelligence and law enforcement agencies are expanded without sufficient procedural safeguards. A similar stance is present in the Tanzania Cybercrime Act (2015), which was signed into law with limited public review. The Act gives no indication of the rights users have over their data or of how it is protected once in the hands of the state, putting citizens’ data at risk, especially in the absence of a data privacy and protection law.
Meanwhile in Nigeria, the controversial Social Media Bill was met with criticism as it “completely negated important international conventions to which Nigeria was a signatory”. The Partnership for Media and Democracy in Nigeria (PAMED) raised the concern that “the bill constitutes a threat to democracy because it seeks to repress the social media, the conventional media, the civil society and the citizenry as a whole.”
A recurring theme across many of these new laws is the continued attempt by states to muzzle the opinions of the media, independent social commentators (popular bloggers) and various other non-state actors who are involved in the promotion of freedom of expression, access to information, increased state transparency and accountability.
Further, the contradictory nature of the new and proposed laws with existing legislation compromises the security and privacy of citizens and their data and leaves gaps for abuse, while internet rights as prescribed in the African Declaration of Internet Rights and Freedoms remain largely ignored.

OpenNet Africa Challenge Uncovers Gaps in Digital Safety Tools

By Ashnah Kalemera
There are numerous tools which can secure online users’ communications, including through anonymising their identities and enabling them to circumvent online surveillance and censorship. In some cases, developers have gone on to localise such tools to suit various contexts. However, the tools’ relevance to certain populations and how best to improve them for a diverse range of users remains largely unknown.
During May 2015, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) in partnership with tech innovation hub OutBox challenged members of the Ugandan tech community to test five digital safety and security tools in order to gain an understanding, in a local context, of the tools’ strengths, weaknesses and opportunities for localisation. The challenge was in the context of CIPESA’s OpenNet Africa initiative which monitors and promotes internet freedom in east and southern Africa.
The tested tools were Cryptocat, Mailvelope, Martus, TextSecure and Redphone. The scope of testing included how the tools enabled anonymisation, circumvention, and privacy of communications. The tests had to take into consideration different user communities, including women, bloggers, journalists, human rights defenders, and sexual minorities, and the nature of threats to internet freedom in the East African region.

A team presents to the panel during the OpenNet Africa Tools Testing Challenge

These threats are often linked to the fight against terrorism, combating online hate speech, suppressing the views of opposition parties (mainly around election periods), and crackdowns against particular groups, such as the Lesbian, Gay, Bisexual, and Transgender (LGBT) community, critical media and human rights activists. The threats often come in the form of surveillance, blocking of websites and social media sites, and interception of communications.
Three teams participated in the challenge through trial exercises, user consultations and stakeholder interviews. In considering which tools were better suited to promote internet freedoms of the region’s citizens, the teams that conducted the tests also bore in mind the proliferation of technology, internet speeds and literacy levels in the region. Language, multiple device use and aesthetics such as the interface design including colours and icons, were also among the other features for testing.
The teams found a number of shortcomings in some tools, including the lack of protection from key loggers and poor or no consideration for users with low internet speeds and those with low ICT skills and literacy levels. Some tools were found to have limited cross-platform/device operability, while others were not accessible to visually impaired persons.
Select test findings

Tool: Martus
Safety and security features: Allows for secure collection, transmission and storage of data. It is popularly used by human rights defenders.
Key test findings/limitations:
  • There is no option for retrieving a lost encryption key

Tool: Cryptocat
Safety and security features: This app enables encrypted chat via a browser and mobile phone.
Key test findings/limitations:
  • Lack of IP address anonymisation
  • There are no administrative privileges in group chats, meaning there is free entry and exit of members in the conversations.

Tool: Mailvelope
Safety and security features: This is a browser extension that enables the exchange of encrypted emails.
Key test findings/limitations:
  • Lack of an attachment encryption function

Tool: Redphone
Safety and security features: An Android-based mobile app that allows for encrypted voice calls over a Wi-Fi or data connection using a normal phone number.
Key test findings/limitations:
  • Unregistering a RedPhone number is not currently supported.
  • Very slow or no synchronisation with contacts that have RedPhone installed, meaning there is no possibility to upgrade calls to encrypted calls even when the user being called is running the RedPhone app.

Tool: TextSecure
Safety and security features: Secure messaging app
Key test findings/limitations:
  • Recently dropped SMS support
  • Installation requires Google services

“Pious, a 25-year old IT student at Makerere said that he is now using Redphone with his girlfriend whenever they feel like phone sex in order to avoid the spying software announced by Fr. Simon Lukodo, Minister of Ethics and Integrity,” Team Tech4Dev

The teams made recommendations for improvement and localisation, including translation of the tools into local languages, compatibility provisions across social media platforms, and feature phone support.
The teams also proposed numerous cases in which the tools can be used by marginalised and vulnerable user groups in East Africa. They cited youth mobilisation, gender-based violence and other human rights violations reporting, monitoring and victims support, facilitation of opposition groups’ activities, and protection from corporate espionage.
However, the teams also highlighted the potential of the tools promoting hate speech and radicalism in East Africa’s fragile socio-political environment through safeguarding the communications and activities of offenders.
“One of the primary uses of the Internet by terrorists is for the dissemination of propaganda. Through encrypted communications, terrorists can easily spread their propaganda and also plan their activities,” noted Team African Value. The team added that promotion of divisiveness and encouraging violent acts on ethnic grounds has become common on East African online platforms.
The teams also noted the need for increased awareness raising and capacity building among users to promote an understanding of cyber threats and online safety. Among the possible ways to achieve this was through working with academia to develop cyber security curriculums for education institutions.
The findings of the teams were showcased at a pitching event held on June 2, 2015 where a panel of judges determined the team with the best reports and localisation recommendations. The judges were Wilson Abigaba (Internet Society – Uganda Chapter), Richard Lusimbo (Sexual Minorities Uganda), Baldwin Okello (Uganda Telecom) and Neil Blazevic and Mark Kiggundu – both from East and Horn of Africa Human Rights Defenders Project.
The winning team was Tech4Dev, which was followed by Ghost In The Wires then African Values. See more on the event on Storify.

Tanzania Cybercrime Bill Should Safeguard Citizens’ Rights on the Internet

By Juliet Nanfuka
Tanzania has published a Cybercrime Bill that makes “provisions for criminalizing offences related to computer systems and Information Communication Technologies” and provides for investigation, collection, and use of electronic evidence.
However, the release of the Cybercrime Bill has been met with apprehension by the public due to its overt disregard for press freedom and freedom of expression, the excessive powers granted to police, and the limited protections afforded to ordinary citizens.
On social media, critics have suggested that the timing and content of the Bill were intended to control the media and bloggers ahead of the October 2015 elections. According to the 2014 State of Internet Freedom in Tanzania report, the process of making Cybercrime laws began in 2013 with proposals for the development of the Cyber security Act, Data Protection Act and the Electronic Transacting Act by the end of 2014.
Some of the problematic clauses in the Bill that affect freedom of expression and privacy include Sections 7, 8, 14, 16, 31, 32, 34, 35, 37, 41 and 45.
Section 7 (2) criminalises citizens who receive unauthorized computer data. There should be consideration of whether content was received with intent or without.
Sections 8 and 16 provide vague descriptions of phrases including “unauthorized data” and “false information.” In Section 8, one can be charged with data espionage for obtaining “computer data protected against unauthorized access without permission.” The parameters that define unauthorized data need to be indicated as this could have an impact upon investigative journalists and confidentiality of their sources.
In Section 16, on the Publication of false information, the terms “deceptive, misleading and inaccurate information” are subjective and open to abuse by implementers of the law. A clear definition of what constitutes these terms needs to be stipulated in the bill. Moreover, there should be consideration of the intent of those who publish such information, failing which the law would ultimately stifle freedom of expression, including of creative expression.
Also, the lack of definition for ‘unauthorised data’ in Section 7 (2b) and “unsolicited messages” in Section 30 makes the bill open to misinterpretation and abuse by state authorities.
On the issue of pornography, the Bill should not proscribe the offence of pornography in general, particularly where not shared in public and where all parties that access it are adults. As is currently framed, Section 14 can be used to abuse individuals’ right to privacy. Besides, a clear definition of pornography which is “lascivious” or “obscene” should be added to the Bill.
Sections 31, 32, 33, 34 and 35 of the bill provide excessive powers to the police for search and seizure of computer systems and disclosure of data. These sections should provide clear guidelines, safeguards and oversight, including the requirement for a warrant issued by a competent court of law before any search and seizure or disclosure of data is undertaken.
For Section 31, owners of the property or other independent parties should also witness such activity by the police so that the safety of the equipment and data seized is guaranteed.
According to Section 32 (1), “where disclosure of data is required for purposes of criminal investigation or the prosecution of an offence, a police officer in charge of a police station or a law enforcement officer of a similar rank may issue an order to any person in possession of such data compelling him to disclose such data.” This section needs to be adjusted to require police officers to first obtain a court order before compelling any person to disclose data.
On the disclosure of data in Clause 32 (3) b, there should be a clear indication as to the kind and extent of information a service provider can provide. Service providers should be required to report subscriber information requests in the public domain on a regular basis.
Further, the Bill needs to indicate the means of storage, retention period and methods of disposal for data collected or recorded through technical means as provided under Section 35 (b).
In regard to Section 37 (9), where service providers are required to support the installation of forensic tools, for purposes of transparency they should be compelled to provide reports of such requests made to them.
Section 41 provides that a hosting provider is not liable for information stored at the request of a user of the service; however, following orders from any “competent authority” or court, the provider has to take down offending information. The Bill should name the authority or authorities who can issue an order to a hosting provider. The Bill should also indicate the course of action in the event that a hosting provider does not comply with the order or where the owner of the information wants to contest the take-down order issued by the competent authority.
In regard to “Take down notifications” as provided in Section 45, service providers should notify the persons upon whom a complaint has been lodged, including the reason for the take down.
Also, a section compelling service providers to periodically release takedown requests and actions taken to the public should be included.
There is no indication of the rights users have over their data or of how it is protected once in the hands of the state, thus further putting citizens’ data at risk, especially in the absence of a data privacy and protection law.
The Bill was this week tabled in Parliament by Communication, Science and Technology Minister Professor Makame Mbarawa. However, in their discussions Members of Parliament should consider the amendments proposed by civil society so that the country gets a progressive law that strongly supports freedom of expression and the right to privacy.

Civil Society’s Proposals on The African Cybersecurity Convention

In December 2013, the Kenya ICT Action Network (KICTANet) led online discussions on the proposed African Union Convention on Cyber Security (AUCC). The convention establishes a framework for cyber security in Africa “through organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime.”
Civil society and academia have raised concerns about some of the articles in the convention, which had earlier been expected to be signed in January 2014. Latest reports indicate that, at the earliest, the law could be signed in June this year.
The report on the discussions will be used by KICTANet and partners such as CIPESA to create awareness and lobby African governments to pass legislation and instruments that fully support the privacy of individuals and the full enjoyment of their freedom of expression online.
The stated background to the convention is that the African Union is seeking ways to intensify the fight against cybercrime across the continent “in light of the increase in cybercrime, and the lack of mastery of security risks by African countries.”
Furthermore, the AU states that a major challenge for African countries is the lack of adequate technological security to prevent and effectively control technological and informational risks. As such, it adds, “African States are in dire need of innovative criminal policy strategies that embody States, societal and technical responses to create a credible legal climate for cyber security”.
The intentions may be legitimate but, as noted by the online discussions, some of the articles in the current version of the convention could be used to negate individuals’ privacy and their right to express themselves through online mediums.
Take, for example, Article III – 34. It states that AU member states have to “take necessary legislative or regulatory measures to set up as a penal offense the fact of creating, downloading, disseminating or circulating in whatsoever form, written matters, messages, photographs, drawings or any other presentation of ideas or theories of racist or xenophobic nature using an a computer system.”
How does this clause balance with the fundamental right to freedom of expression? Experts argue that this clause is problematic as it requires a measure of truth, which is hard to actually legislate or determine owing to the relativity of truth. They add that this sort of law would likely be unenforceable.
The discussions noted that although African countries needed a legal framework on cybercrime, the current proposals need numerous amendments. The discussions also noted a need for the African Union Commission to engage with civil society to draw up progressive and enforceable laws. However, civil society had the added task of creating awareness and capacity among citizens on cyber security and the need to uphold freedoms of expression online.
These discussions were conducted on multiple lists of KICTANet and the Internet Society (ISOC) Kenya and on the I-Network and ISOC Uganda lists moderated by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA), from 25 – 29 November 2013. They were also shared through numerous pan-Africa and global lists on ICT policy and online freedom.
Download the full discussions report here.