Countering Digital Authoritarianism in Africa

By Apolo Kakaire

The Internet, which is viewed as the panacea for democracy, participation and inclusion, is increasingly becoming a tool of repression deployed by regimes across the world to stifle rights and voice. Africa, a continent already replete with poor democratic credentials and practices, seems to be rapidly catching up on the new ‘epidemic’: digital authoritarianism.

The use of technology tactics to advance repressive political interests has come to be referred to as digital authoritarianism. However, the tactics employed by authoritarian regimes have also been deployed by democratic states for purposes of surveillance, spread of misinformation, disinformation, and the disruption of civic and political participation under the pretext of fighting cybercrime, and in the interest of protecting national security, and maintaining public order.

Big technology companies are key drivers of digital authoritarianism through the creation, innovation and supply of repressive technology and related support. Moreover, political parties, interest groups, and smaller private companies have lapped it up too, developing and using tools and strategies of digital authoritarianism.

Digital authoritarianism is a great case study in understanding and appreciating the impact of technology on human rights. While laws legalising surveillance and interception of communications, and widespread data collection and processing may not be a problem in themselves, it is the ambiguity often present within those laws that gives governments wide latitude of interpretation to facilitate the rights abuse that is a growing challenge.

At the Forum on Internet Freedom in Africa 2022 (FIFAfrica22), Global Voices Advox shared findings from the Unfreedom Monitor, a project exploring the political and social context that fuels the emergence of digital authoritarianism in 17 countries. They hosted a panel discussion in which project researchers from India, Nigeria, Sudan and Zimbabwe presented the project findings on the connections between political contexts, analogue rights, and the growing use of digital communications technology to advance authoritarian governance.

The findings paint a grim picture for freedom of the media, expression, and democracy in general. In Zimbabwe, for instance, the Unfreedom Monitor report notes that “the press walks a precarious line between national security and the professional obligation to report truthfully” on issues that happen in the country. It is an observation that is replicated in the mapping conducted in Morocco, Egypt, and Tanzania.

In Sudan, where internet censorship, bad laws and repressed liberties and network disruptions are commonplace, Khattab Hamad noted that the contours and motives of digital authoritarianism include fear of losing power, protecting the existence of regional or international alliances, and geopolitical motives protecting private and family interests. He added that terrorism and support for terrorist groups was another motive for authoritarianism in the country. 

In Tanzania, researchers found that laws are often enacted as precursors to enable various methods of digital authoritarianism. One example is the Cybercrime Act, which was hurriedly enacted just months before the October 2015 elections. “There were many other such laws, including the amendments to the Non-Governmental Organisations (NGO) Act, that saw NGOs being deregistered and control on them tightened in the lead up to the 2020 elections”, they revealed.

In Uganda, network disruptions in the run up to and during recent elections are another example of digital authoritarianism. “Sometimes the internet is restored after elections. So, the question is what exactly is the purpose? What are you hiding? Why do you deny your people access to information? Internet shutdowns also question the credibility of elections”, said Felicia Anthonio of Access Now. She added that network disruptions affect engagement between voters and political candidates, in addition to limiting electoral oversight and monitoring by human rights activists and election observers.

As part of the Unfreedom Monitor project, Global Voices Advox has established a publicly available database on digital authoritarianism to support advocacy in light of the “urgency of a fast deteriorating situation”, said Sindhuri Nandhakumar, a researcher with the project.

While applauding the research and database in supporting evidence-based advocacy, digital rights activists at FIFAfrica22 noted that given the behaviour of authoritarian regimes, advocacy at the national level may be met with a lot of resistance. As such, more engagement was called for through special mandates and periodic human rights review mechanisms at the African Union (AU) and the United Nations Human Rights Council.

“Advocacy [against digital authoritarianism] at national level will be difficult. Positive results could be registered through Special rapporteurs at the AU and states through the Universal Periodic Review (UPR), towards securing accountability”, said Arsene Tungali from the Democratic Republic of Congo.

For African digital rights activists, the Global Voices Advox research and database unravel new avenues for collaborative advocacy and transnational opportunities for interventions to stem this spread of digital authoritarianism. The findings, however, also point at the need for a concerted and robust response to its growing traction.

Elections in Africa remain a major flashpoint for digital authoritarianism, with all manner of manipulation of voters, narratives and even results abounding, and so they remain a key area of transnational cooperation. Ahead of the elections in Zimbabwe, slated for July-August 2023, Advox will come up with tips on awareness raising on voter rights and the role of technology in elections. Zimbabwe provides a good opportunity to pilot, learn and perhaps adopt some interventions to counter this behemoth.

Uganda Passes Regressive Law on “Misuse of Social Media” and Hate Speech

By Edrine Wanyama

Uganda’s parliament on September 8, 2022 passed a draconian law that criminalises various uses of computers and digital technologies and largely curtails digital rights.

Among the key regressive provisions is the prohibition of the “misuse of social media”, described in clause 6 as publishing, distributing or sharing information prohibited under Uganda’s laws. A highly punitive penalty has been prescribed for the offence: imprisonment of up to five years, a fine of up to UGX 10 million (USD 2,619), or both.

Other retrogressive provisions in the Computer Misuse (Amendment) Bill 2022 are prohibition of sending or sharing of unsolicited information through a computer, and prohibition of sending, sharing or transmitting of malicious information about or relating to any person.

Prior to the enactment of the law, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) presented its analysis of the Bill to parliament’s Committee on Information and Communications Technology (ICT), which indicated that the proposed amendments would be a blow to the enjoyment of online civil liberties. However, the committee has disregarded most of the feedback received from stakeholders listed in the Committee report, many of whom raised concerns on the digital rights gaps within the Bill.

In presentations to the parliamentary committee, CIPESA argued that rather than introducing new, poorly defined offences, the amendments should have focussed on addressing existing retrogressive provisions in the law on computer misuse, such as section 24 on cyber harassment and section 25 on offensive communication, which have been used severally to criminalise freedom of expression, including through arrests and prosecution of journalists, activists and government opponents. Moreover, trolling, cyber harassment, unauthorised sharing of intimate images, and other forms of online violence against women and girls, are not addressed either.

Gorreth Namugga, the shadow minister for ICT and a member of parliament’s ICT Committee, said in a minority report that the issue of misuse of social media was not discussed in the committee and was not among the clauses the Computer Misuse (Amendment) Bill sought to amend. She added that the ICT Committee did not make a deep analysis of the issue, and none of the organisations and individuals consulted by the committee offered any input on the matter.

In introducing the offence of misuse of social media, the committee reasoned that, while considering the Bill, it observed that “the information technology evolution had created a new medium of communication called social media that is not fully regulated in the existing laws, yet it is the commonest platform of Computer Misuse.” The committee therefore deemed it fit to define social media and to regulate it.

Accordingly, the Bill defines social media as a set of technologies, sites, and practices which are used to share opinions, experiences and perspectives. It cites as examples YouTube, WhatsApp, Facebook, Instagram, Twitter, WeChat, TikTok, Sina Weibo, QQ, Telegram, Snapchat, Kuaishou, Qzone, Reddit, Quora, Skype, Microsoft Team and LinkedIn.

The new law will provide that “a person who uses social media to publish, distribute or share information, prohibited under the laws of Uganda or using disguised or false identity, commits an offence.” It adds that where “prohibited” information is published, shared or distributed on a social media account of an organisation, the person who manages the organisation’s social media account shall be held personally liable for the commission of the offence.

There remain questions as to how the committee introduced provisions on misuse of social media that were not in the Bill, not subjected to stakeholder consultation and, according to the minority report, not discussed by committee members. Moreover, the term “under the laws of Uganda”, with reference to prohibited information, is very broad and ambiguous. This could be used by the government and its agencies to target critics and would largely curtail freedom of expression and access to information.

Uganda is not new to regressive control of digital technologies. In 2018, the east African country introduced a tax through the Excise Duty (Amendment) Act that required users to pay a daily tax in order to access social media services. The tax, which dismally failed to raise the anticipated revenues, was replaced with a 12% levy tax on internet data. The country’s digital taxation regime has become a key impediment to inclusive access and affordability, with millions of citizens still left out of the digital society. Uganda also routinely blocks access to the internet and social media. Since January 2021, Facebook has been blocked in Uganda on orders of the government.

While the new law attempts to define “unsolicited information” as meaning “information transmitted to a person using the internet without the person’s consent, but does not include an unsolicited commercial communication”, the guidance offered by the provision only extends to interpretation of the earlier blanket provision that had been proposed in the Bill. It does not provide any guarantees for the protection and enjoyment of freedom of expression and access to information.

In submissions to parliament, CIPESA stated that, besides undermining civil liberties, many provisions of the Bill duplicated existing laws such as the Regulation of Interception of Communications Act, 2010 and the Data Protection and Privacy Act, 2019, and would be difficult to implement.

According to the minority report, all the clauses in the Bill are already catered for in existing legislation and in some instances offend Uganda’s constitution. The report states: “The fundamental rights to access information electronically and to express oneself over computer networks are utterly risked by this Bill. If passed into law it will stifle the acquisition of information. The penalties proposed in the Bill are overly harsh and disproportionate when compared to similar offences in other legislations. This Bill, if passed, will be a bad law and liable to constitutional petitions upon assent.”

Despite the largely regressive law, there are some positives that the law provides, such as defining and proscribing hate speech, and if rightly employed they could potentially improve on certain aspects regarding the digital civic space. Thus:

  • The addition of the element of intent in clause 3 in the definition of the offence of unauthorised access is quite progressive. It potentially helps to exonerate innocent individuals from wanton prosecution of what would constitute criminal access over innocent and unintended access. The Bill did not have the element of intent which is core to determination of criminal liability to qualify the offence.
  • Clause 3 was initially overly broad to the extent of discouraging the public from sharing information to the best interests of the child such as their protection from danger and harmful practices. The amendment in clause 3 in as far as it provides for circumstances under which information about children may be shared will serve to ensure that while privacy of the child is paramount, their best interest should not be disregarded.
  • Clause 4 of the Bill defines hate speech, which was not previously provided for. It goes a long way in addressing hate speech, which has for decades posed challenges to public order, security and persons. Furthermore, section 41 of the Penal Code Act on sectarianism presented uncertainties, having limited the definition of sectarianism to groups of religion, tribe, ethnic or regional origin.
  • The law recognizes other laws on disciplinary action against errant leaders. Thus, the deletion of clause 7 is commended. It is a progressive move against a potentially excessive and discriminatory provision as was initially presented in the Bill.

The newly passed Bill is a threat to digital rights and digital civic space and falls short of the key international minimum standards. As such, it is imperative for the law to be challenged in court and for the president to deny its assent and return it to parliament for reconsideration.

CIPESA Joins over 125 Organisations and Academics In Submitting Letter to the UN Ad Hoc Committee on Cybercrime

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has joined over 125 organisations and academics who work to protect and advance human rights, online and offline, in submitting a letter to the United Nations Ad Hoc Committee on Cybercrime. The letter stresses that the process through which the Ad Hoc Committee does its work includes robust civil society participation throughout all stages of the development and drafting of a convention, and that any proposed convention include human rights safeguards applicable to both its substantive and procedural provisions. The first session of the Ad Hoc Committee, which was scheduled to begin on January 17, 2022, has been rescheduled to begin on February 28, 2022, due to the ongoing situation concerning the coronavirus disease. See the full letter below.

————————————————————————————————————————————-

December 22, 2021

H.E. Ms. Faouzia Boumaiza Mebarki

Chairperson

Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes

Your Excellency,

We, the undersigned organizations and academics, work to protect and advance human rights, online and offline. Efforts to address cybercrime are of concern to us, both because cybercrime poses a threat to human rights and livelihoods, and because cybercrime laws, policies, and initiatives are currently being used to undermine people’s rights. We therefore ask that the process through which the Ad Hoc Committee does its work includes robust civil society participation throughout all stages of the development and drafting of a convention, and that any proposed convention include human rights safeguards applicable to both its substantive and procedural provisions.

Background

The proposal to elaborate a comprehensive “international convention on countering the use of information and communications technologies for criminal purposes” is being put forward at the same time that UN human rights mechanisms are raising alarms about the abuse of cybercrime laws around the world. In his 2019 report, the UN special rapporteur on the rights to freedom of peaceful assembly and of association, Clément Nyaletsossi Voule, observed, “A surge in legislation and policies aimed at combating cybercrime has also opened the door to punishing and surveilling activists and protesters in many countries around the world.” In 2019 and once again this year, the UN General Assembly expressed grave concerns that cybercrime legislation is being misused to target human rights defenders or hinder their work and endanger their safety in a manner contrary to international law. This follows years of reporting from non-governmental organizations on the human rights abuses stemming from overbroad cybercrime laws.

When the convention was first proposed, over 40 leading digital rights and human rights organizations and experts, including many signatories of this letter, urged delegations to vote against the resolution, warning that the proposed convention poses a threat to human rights.

In advance of the first session of the Ad Hoc Committee, we reiterate these concerns. If a UN convention on cybercrime is to proceed, the goal should be to combat the use of information and communications technologies for criminal purposes without endangering the fundamental rights of those it seeks to protect, so people can freely enjoy and exercise their rights, online and offline. Any proposed convention should incorporate clear and robust human rights safeguards. A convention without such safeguards or that dilutes States’ human rights obligations would place individuals at risk and make our digital presence even more insecure, each threatening fundamental human rights.

As the Ad Hoc Committee commences its work drafting the convention in the coming months, it is vitally important to apply a human rights-based approach to ensure that the proposed text is not used as a tool to stifle freedom of expression, infringe on privacy and data protection, or endanger individuals and communities at risk.

The important work of combating cybercrime should be consistent with States’ human rights obligations set forth in the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and other international human rights instruments and standards. In other words, efforts to combat cybercrime should also protect, not undermine, human rights. We remind States that the same rights that individuals have offline should also be protected online.

Scope of Substantive Criminal Provisions

There is no consensus on how to tackle cybercrime at the global level or a common understanding or definition of what constitutes cybercrime. From a human rights perspective, it is essential to keep the scope of any convention on cybercrime narrow. Just because a crime might involve technology does not mean it needs to be included in the proposed convention. For example, expansive cybercrime laws often simply add penalties due to the use of a computer or device in the commission of an existing offense. The laws are especially problematic when they include content-related crimes. Vaguely worded cybercrime laws purporting to combat misinformation and online support for or glorification of terrorism and extremism, can be misused to imprison bloggers or block entire platforms in a given country. As such, they fail to comply with international freedom of expression standards. Such laws put journalists, activists, researchers, LGBTQ communities, and dissenters in danger, and can have a chilling effect on society more broadly.

Even laws that focus more narrowly on cyber-enabled crimes are used to undermine rights. Laws criminalizing unauthorized access to computer networks or systems have been used to target digital security researchers, whistleblowers, activists, and journalists. Too often, security researchers, who help keep everyone safe, are caught up in vague cybercrime laws and face criminal charges for identifying flaws in security systems. Some States have also interpreted unauthorized access laws so broadly as to effectively criminalize any and all whistleblowing; under these interpretations, any disclosure of information in violation of a corporate or government policy could be treated as “cybercrime.” Any potential convention should explicitly include a malicious intent standard, should not transform corporate or government computer use policies into criminal liability, should provide a clearly articulated and expansive public interest defense, and include clear provisions that allow security researchers to do their work without fear of prosecution.

Human Rights and Procedural Safeguards

Our private and personal information, once locked in a desk drawer, now resides on our digital devices and in the cloud. Police around the world are using an increasingly intrusive set of investigative tools to access digital evidence. Frequently, their investigations cross borders without proper safeguards and bypass the protections in mutual legal assistance treaties. In many contexts, no judicial oversight is involved, and the role of independent data protection regulators is undermined. National laws, including cybercrime legislation, are often inadequate to protect against disproportionate or unnecessary surveillance.

Any potential convention should detail robust procedural and human rights safeguards that govern criminal investigations pursued under such a convention. It should ensure that any interference with the right to privacy complies with the principles of legality, necessity, and proportionality, including by requiring independent judicial authorization of surveillance measures. It should also not forbid States from adopting additional safeguards that limit law enforcement uses of personal data, as such a prohibition would undermine privacy and data protection. Any potential convention should also reaffirm the need for States to adopt and enforce “strong, robust and comprehensive privacy legislation, including on data privacy, that complies with international human rights law in terms of safeguards, oversight and remedies to effectively protect the right to privacy.”

There is a real risk that, in an attempt to entice all States to sign a proposed UN cybercrime convention, bad human rights practices will be accommodated, resulting in a race to the bottom. Therefore, it is essential that any potential convention explicitly reinforces procedural safeguards to protect human rights and resists shortcuts around mutual assistance agreements.

Meaningful Participation

Going forward, we ask the Ad Hoc Committee to actively include civil society organizations in consultations—including those dealing with digital security and groups assisting vulnerable communities and individuals—which did not happen when this process began in 2019 or in the time since.

Accordingly, we request that the Committee:

●  Accredit interested technological and academic experts and nongovernmental groups, including those with relevant expertise in human rights but that do not have consultative status with the Economic and Social Council of the UN, in a timely and transparent manner, and allow participating groups to register multiple representatives to accommodate the remote participation across different time zones.

●  Ensure that modalities for participation recognize the diversity of non-governmental stakeholders, giving each stakeholder group adequate speaking time, since civil society, the private sector, and academia can have divergent views and interests.

●  Ensure effective participation by accredited participants, including the opportunity to receive timely access to documents, provide interpretation services, speak at the Committee’s sessions (in-person and remotely), and submit written opinions and recommendations.

●  Maintain an up-to-date, dedicated webpage with relevant information, such as practical information (details on accreditation, time/location, and remote participation), organizational documents (i.e., agendas, discussions documents, etc.), statements and other interventions by States and other stakeholders, background documents, working documents and draft outputs, and meeting reports.

Countering cybercrime should not come at the expense of the fundamental rights and dignity of those whose lives this proposed Convention will touch. States should ensure that any proposed cybercrime convention is in line with their human rights obligations, and they should oppose any proposed convention that is inconsistent with those obligations.

We would be highly appreciative if you could kindly circulate the present letter to the Ad Hoc Committee Members and publish it on the website of the Ad Hoc Committee.

Signatories,*

  1. Access Now – International
  2. Alternative ASEAN Network on Burma (ALTSEAN) – Burma
  3. Alternatives – Canada
  4. Alternative Informatics Association – Turkey
  5. AqualtuneLab – Brazil
  6. ArmSec Foundation – Armenia
  7. ARTICLE 19 – International
  8. Asociación por los Derechos Civiles (ADC) – Argentina
  9. Asociación Trinidad / Radio Viva – Trinidad
  10. Asociatia Pentru Tehnologie si Internet (ApTI) – Romania
  11. Association for Progressive Communications (APC) – International
  12. Associação Mundial de Rádios Comunitárias (Amarc Brasil) – Brazil
  13. ASEAN Parliamentarians for Human Rights (APHR) – Southeast Asia
  14. Bangladesh NGOs Network for Radio and Communication (BNNRC) – Bangladesh
  15. BlueLink Information Network – Bulgaria
  16. Brazilian Institute of Public Law – Brazil
  17. Cambodian Center for Human Rights (CCHR) – Cambodia
  18. Cambodian Institute for Democracy – Cambodia
  19. Cambodia Journalists Alliance Association – Cambodia
  20. Casa de Cultura Digital de Porto Alegre – Brazil
  21. Centre for Democracy and Rule of Law – Ukraine
  22. Centre for Free Expression – Canada
  23. Centre for Multilateral Affairs – Uganda
  24. Center for Democracy & Technology – United States
  25. Center for Justice and International Law (CEJIL) – International
  26. Centro de Estudios en Libertad de Expresión y Acceso (CELE) – Argentina
  27. Civil Society Europe
  28. Coalition Direitos na Rede – Brazil
  29. Código Sur – Costa Rica
  30. Collaboration on International ICT Policy for East and Southern Africa (CIPESA) – Africa
  31. CyberHUB-AM – Armenia
  32. Data Privacy Brazil Research Association – Brazil
  33. Dataskydd – Sweden
  34. Derechos Digitales – Latin America
  35. Defending Rights & Dissent – United States
  36. Digital Citizens – Romania
  37. DigitalReach – Southeast Asia
  38. Digital Rights Watch – Australia
  39. Digital Security Lab – Ukraine
  40. Državljan D / Citizen D – Slovenia
  41. Electronic Frontier Foundation (EFF) – International
  42. Electronic Privacy Information Center (EPIC) – United States
  43. Elektronisk Forpost Norge – Norway
  44. Epicenter.works for digital rights – Austria
  45. European Center For Not-For-Profit Law (ECNL) Stichting – Europe
  46. European Civic Forum – Europe
  47. European Digital Rights (EDRi) – Europe
  48. eQuality Project – Canada
  49. Fantsuam Foundation – Nigeria
  50. Free Speech Coalition – United States
  51. Foundation for Media Alternatives (FMA) – Philippines
  52. Fundación Acceso – Central America
  53. Fundación Ciudadanía y Desarrollo de Ecuador
  54. Fundación CONSTRUIR – Bolivia
  55. Fundacion Datos Protegidos – Chile
  56. Fundación EsLaRed de Venezuela
  57. Fundación Karisma – Colombia
  58. Fundación OpenlabEC – Ecuador
  59. Fundamedios – Ecuador
  60. Garoa Hacker Clube – Brazil
  61. Global Partners Digital – United Kingdom
  62. GreenNet – United Kingdom
  63. GreatFire – China
  64. Hiperderecho – Peru
  65. Homo Digitalis – Greece
  66. Human Rights in China – China
  67. Human Rights Defenders Network – Sierra Leone
  68. Human Rights Watch – International
  69. Igarapé Institute – Brazil
  70. IFEX – International
  71. Institute for Policy Research and Advocacy (ELSAM) – Indonesia
  72. The Influencer Platform – Ukraine
  73. INSM Network for Digital Rights – Iraq
  74. Internews Ukraine
  75. InternetNZ – New Zealand
  76. Instituto Beta: Internet & Democracia (IBIDEM) – Brazil
  77. Instituto Brasileiro de Defesa do Consumidor (IDEC) – Brazil
  78. Instituto Educadigital – Brazil
  79. Instituto Nupef – Brazil
  80. Instituto de Pesquisa em Direito e Tecnologia do Recife (IP.rec) – Brazil
  81. Instituto de Referência em Internet e Sociedade (IRIS) – Brazil
  82. Instituto Panameño de Derecho y Nuevas Tecnologías (IPANDETEC) – Panama
  83. Instituto para la Sociedad de la Información y la Cuarta Revolución Industrial – Peru
  84. International Commission of Jurists – International
  85. The International Federation for Human Rights (FIDH)
  86. IT-Pol – Denmark
  87. JCA-NET – Japan
  88. KICTANet – Kenya
  89. Korean Progressive Network Jinbonet – South Korea
  90. Laboratorio de Datos y Sociedad (Datysoc) – Uruguay
  91. Laboratório de Políticas Públicas e Internet (LAPIN) – Brazil
  92. Latin American Network of Surveillance, Technology and Society Studies (LAVITS)
  93. Lawyers Hub Africa
  94. Legal Initiatives for Vietnam
  95. Ligue des droits de l’Homme (LDH) – France
  96. Masaar – Technology and Law Community – Egypt
  97. Manushya Foundation – Thailand
  98. MINBYUN Lawyers for a Democratic Society – Korea
  99. Open Culture Foundation – Taiwan
  100. Open Media – Canada
  101. Open Net Association – Korea
  102. OpenNet Africa – Uganda
  103. Panoptykon Foundation – Poland
  104. Paradigm Initiative – Nigeria
  105. Privacy International – International
  106. Radio Viva – Paraguay
  107. Red en Defensa de los Derechos Digitales (R3D) – Mexico
  108. Regional Center for Rights and Liberties – Egypt
  109. Research ICT Africa
  110. Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) – Canada
  111. Share Foundation – Serbia
  112. Social Media Exchange (SMEX) – Lebanon, Arab Region
  113. SocialTIC – Mexico
  114. Southeast Asia Freedom of Expression Network (SAFEnet) – Southeast Asia
  115. Supporters for the Health and Rights of Workers in the Semiconductor Industry (SHARPS) – South Korea
  116. Surveillance Technology Oversight Project (STOP) – United States
  117. Tecnología, Investigación y Comunidad (TEDIC) – Paraguay
  118. Thai Netizen Network – Thailand
  119. Unwanted Witness – Uganda
  120. Vrijschrift – Netherlands
  121. West African Human Rights Defenders Network – Togo
  122. World Movement for Democracy – International
  123. 7amleh – The Arab Center for the Advancement of Social Media – Arab Region

Individual Experts and Academics

  1. Jacqueline Abreu, University of São Paulo
  2. Chan-Mo Chung, Professor, Inha University School of Law
  3. Danilo Doneda, Brazilian Institute of Public Law
  4. David Kaye, Clinical Professor of Law, UC Irvine School of Law, former UN Special Rapporteur on Freedom of Opinion and Expression (2014-2020)
  5. Wolfgang Kleinwächter, Professor Emeritus, University of Aarhus; Member, Global Commission on the Stability of Cyberspace
  6. Douwe Korff, Emeritus Professor of International Law, London Metropolitan University
  7. Fabiano Menke, Federal University of Rio Grande do Sul
  8. Kyung-Sin Park, Professor, Korea University School of Law
  9. Christopher Parsons, Senior Research Associate, Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto
  10. Marietje Schaake, Stanford Cyber Policy Center
  11. Valerie Steeves, J.D., Ph.D., Full Professor, Department of Criminology, University of Ottawa

Will Our Human Rights and Freedoms and a Free and Open Internet be the Next Victims of Cybercrime?

Manifesto Launch |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has joined civil society organisations and industry in a rally against the potential threat of cybercrime on human rights and freedoms as well as the open internet.

Day-by-day the effects of cybercrime continue to get worse. Although something clearly needs to be done, there is growing concern that any efforts to tackle this modern scourge come at the expense of fundamental human rights and that they threaten the open and free internet.

As countries consider their input to the United Nations ahead of the scheduled January negotiations on a Cybercrime Convention, the CyberPeace Institute and the Cybersecurity Tech Accord have brought together a range of stakeholders to publish the Multistakeholder Manifesto on Cybercrime. The principles outlined in the Manifesto should be at the heart of any cybercrime legislation and should guide the negotiating process.

The Manifesto is supported by over 50 members of civil society, industry organizations (such as the Center for Democracy and Technology, World Wide Web Foundation, Cyber Threat Alliance, and Derechos Digitales) and individuals. Signatories to the Manifesto want to also ensure that any cybercrime convention preserves and upholds basic human rights and freedoms guaranteed under existing international UN and other treaties.

“Today, industry and civil society are coming together through a Multi-Stakeholder Manifesto on Cybercrime which provides a set of principles to guide governments in their negotiations at the United Nations,” says Klara Jordan, Chief Policy Officer at the CyberPeace Institute.

In the build up to the convention negotiations, this Manifesto is an urgent appeal to all UN member states, UN agencies, and others involved in the current process, to address concerns regarding the draft and align their submissions with the Manifesto.

The Manifesto also highlights the importance of ensuring cybercrime perpetrators are held accountable for their actions: “In an area as opaque as cyberspace, public-private partnerships are often an indispensable tool to gain insights into evolving cyber threats and those behind them,” said Annalaura Gallo, Head of Secretariat, Cybersecurity Tech Accord. “A new Cybercrime Convention should establish clear mechanisms for states to reduce the operating space for criminals,” added Annalaura Gallo.

The Manifesto also tackles the challenges inherent in the current UN process, in particular the lack of multistakeholder participation. “We are concerned about the lack of consultation, inclusion and involvement of stakeholders from across civil society and industry”, said Klara Jordan, adding: “The participation of civil society entities is crucial to ensure that the impact of these crimes on society is properly taken into account.” “The technology industry is ready to offer its expertise and input to UN states in the upcoming negotiations on cybercrime. We hope that our input will be sought more consistently than has been the case in the past in discussions involving the security of our internet ecosystem,” emphasized Annalaura Gallo.

*********

About the CyberPeace Institute: Headquartered in Geneva, Switzerland, the CyberPeace Institute is a nongovernmental organization whose mission is to reduce the harms from cyberattacks on people’s lives worldwide, provide assistance to vulnerable communities and call for responsible cyber behaviour, accountability and cyberpeace.

About the Cybersecurity Tech Accord: The Cybersecurity Tech Accord is a coalition of over 150 technology companies committed to advancing peace and security in cyberspace. The group’s mission revolves around four foundational principles: strong defense, no offense, capacity building and collective response.

Overview of Intermediary Liability in Senegal

By Astou Diouf |

Among its West African counterparts, Senegal is one of the leaders in digitisation efforts. Its press freedom rankings are high and the country has also recorded positive progress in data protection. Players in the telecommunications sector include the 2018 entrants ARC Telecom, WAW Telecom and Africa Access, alongside Sonatel, Free (initially licensed as SENTEL, later rebranded Tigo) and Expresso Sénégal.

In addition, internet accessibility remains a challenge, with the country ranking 25th out of 72 countries assessed on the accessibility index. In December 2020, internet penetration in Senegal was estimated at 88.7% and mobile penetration at 114.2%. However, there are concerns about repressive controls purportedly aimed at combating cybercrime, disinformation and hate speech.

This article highlights the state of intermediary liability in Senegal through the legal and regulatory environment governing intermediaries’ obligations, including the disclosure of information/data to law enforcement authorities, the filtering or blocking of content, and service limitations.

Legislative and regulatory overview

The Electronic Transactions Law and the Electronic Communications Decree are the main pieces of legislation establishing an intermediary liability framework in Senegal. Article 3(1) of Law No. 2008-08 of 25 January 2008 on electronic transactions designates intermediaries as “persons whose activity is to provide the public with access to services through information and communication technologies”.

Drawing on French Law No. 2004-575 of 21 June 2004 on confidence in the digital economy, the 2008 law imposes limited content-monitoring obligations on intermediaries, but requires them to put in place mechanisms to remove or prevent access to unlawful content, and to inform users of service restrictions and complaints.

Article 3(2) specifies that natural or legal persons who provide the public with a service for storing signals, writings, images, sounds or messages “cannot be held civilly liable for the activities or information stored at the request of a recipient of those services if they had no actual knowledge of their unlawful nature or of facts and circumstances revealing that nature, or if, from the moment they acquired such knowledge, they acted promptly to remove the data or to make access to it impossible”.

However, without a clear definition of what constitutes unlawful content, the Electronic Transactions Law leaves room for restricting access to content arbitrarily deemed illegal, and there are no clear provisions on how to challenge content removal decisions.

By contrast, the confidentiality of personal information is required by Article 5. Failure to comply with the provisions of the Electronic Transactions Law is an offence under Articles 431-46 to 431-49 of the 2016 Penal Code, punishable by a fine of 250,000 to 1,000,000 francs (USD 461 to 1,845), imprisonment of six months to one year, or both.

The 2008 Electronic Communications Decree treats intermediaries as neutral parties exercising no control over content, on the premise that they merely transmit or store information, sometimes temporarily. Accordingly, Article 6 limits intermediaries’ liability where “1) they do not select the recipient of the transmission; 2) they do not initiate the transmission; 3) the transfer and access-provision activities are aimed exclusively at carrying out the transmission or providing access; 4) they do not modify the information being transmitted; 5) they carry out a decision of a judicial or administrative authority to remove the information or prohibit access to it”.

While the Electronic Transactions Law and the Electronic Communications Decree limit intermediaries’ liability, other laws impose obligations that have implications for users’ rights, as detailed below. These include the Intelligence Services Law, the law amending the Code of Criminal Procedure, the Electronic Communications Code and the law amending the Penal Code.

Interception of communications and disclosure of information

Law No. 2016-33 of 14 December 2016 on intelligence services specifies, under Article 10, that in the interest of national security, intelligence authorities may “use technical, intrusive, surveillance or location-tracking procedures to collect information useful for neutralising the threat”. Article 11 requires service providers to cooperate with and assist unspecified “relevant private bodies” in their intelligence activities.

Law No. 2016-30 amending Law No. 65-61 of 1965 establishing the Code of Criminal Procedure also addresses intermediaries’ responsibility in criminal investigations. Article 90-11 requires intermediaries to cooperate with investigating authorities to collect or record relevant electronic data and communications “in real time”. Article 90-14 provides that the public prosecutor must send telecommunications operators and service providers a formal request for cooperation. The recording and interception of communications under the Penal Code are subject to written authorisation from a judge.

In addition, Article 90-17 empowers judges to order intermediaries to decrypt data or to provide information on how encrypted systems work. The orders are not subject to appeal and their validity is limited to a period of two to four months, renewable on a case-by-case basis. The absence of provisions allowing persons under surveillance to challenge judicial orders runs counter to the provisions of the Budapest Convention (to which Senegal is a party), which aims to ensure an appropriate balance between the interests of law enforcement and respect for fundamental human rights.

Article 20 of the Electronic Communications Code reaffirms the obligation for service providers to cooperate with government authorities in accordance with the provisions of Article 90-11 of the Code of Criminal Procedure, including by disclosing relevant information and offering technical assistance on request.

Service limitations

The 2018 Electronic Communications Code requires service providers to “prevent imminent network congestion and mitigate the effects of exceptional or temporary congestion, provided that equivalent categories of traffic are treated equally” (Article 27). It adds that “the regulatory authority may authorise or impose any traffic management measure it deems useful to preserve competition in the electronic telecommunications sector and ensure fair treatment of similar services”. Under these provisions, intermediaries may throttle or interrupt the internet at particular times and places, under the pretext of reducing network congestion. The provisions also give the Autorité de régulation des télécommunications et des postes (ARTP), the telecommunications and posts regulator, unlimited powers to authorise or impose restrictions on the availability of digital communication networks.

Strict confidentiality and continuity-of-service requirements are also imposed on intermediaries and their staff under Article 167 of the Penal Code, which provides that “the suppression or opening, in bad faith, of correspondence addressed to third parties” is an offence punishable by imprisonment of six days to one year and a fine of 20,000 to 100,000 francs (USD 36 to 185), or both.

Content restrictions

There are no specific obligations for intermediaries to actively monitor networks and platforms for infringing content. Article 3(5) of the 2008 Electronic Transactions Law states that service providers “are not subject to a general obligation to monitor the information they transmit or store, nor to a general obligation to seek out facts or circumstances revealing unlawful activities”. However, the provision is subject to targeted monitoring activity and requests from judicial authorities. With regard to crimes against humanity, incitement to racial hatred and child pornography, Article 3(5) provides that intermediaries must put in place “easily accessible and visible” systems to enable such content to be brought to their attention.

While the Constitution of Senegal guarantees freedom of expression, Article 255 of the Penal Code provides that “the publication, dissemination, disclosure or reproduction, by any means whatsoever, of false news, fabricated, falsified or falsely attributed to third parties” which leads to civil disobedience, endangers the population or discredits public institutions is an offence punishable by imprisonment of one to three years and a fine of 100,000 to 1,500,000 francs (USD 185 to 2,770). Without a clear definition of what constitutes false news, and given the requirements to cooperate with law enforcement authorities, intermediaries’ failure to report any offence may result in penalties.

Under Article 431-61 of the Penal Code, conviction for an offence committed via electronic communications carries additional penalties. These include a ban on sending electronic communications, and a temporary or permanent ban on accessing the site used to commit the offence or its host. The article also requires service providers to implement the measures necessary to ensure compliance with the penalties, violation of which is an offence punishable by six months to three years’ imprisonment and a fine of 500,000 to 2,000,000 francs (USD 923 to 3,693).

Intermediary liability cases

  1. Several private and public entities collect personal data in Senegal. For example, there is mandatory SIM card registration linked to the national identity database. However, many cases of non-compliance with the data protection law and the regulations of the Commission des données personnelles (CDP), the personal data commission, have been reported. See, for example, the CDP’s quarterly notice.
  2. During the riots of early 2021, the government suspended the private television channels Sen TV and Walf TV for repeatedly broadcasting images of the unrest that followed the arrest of Senegalese opposition leader Ousmane Sonko. In addition, access to social media platforms, including YouTube and WhatsApp, was restricted.
  3. On 20 June 2019, the online newspaper “PressAfrik” was reportedly inaccessible for hours after collaborating with the BBC on an investigative report into corruption allegations involving the brother of President Macky Sall. According to publishing director Ibrahima Lissa Faye, the hack was “sponsored” given that “60% of Senegalese news sites are with the same host and PressAfrik is the only site to be inaccessible”.
  4. The telecommunications regulator, ARTP, has in the past issued ultimatums to telecommunications operators to improve quality of service.
  5. According to Facebook’s Transparency Report, Senegal made six requests for user data, concerning seven accounts, in 2020, none of which was complied with. Earlier requests, numbering 21 for the period 2016-2019, were also not fulfilled.
  6. Since 2009, Senegal has made four content removal requests to Google.
  7. In 2016, Senegal reportedly made the second-highest number of requests for subscriber information to Orange: 18,653, compared with 13,557 the previous year.

Conclusion and recommendations

The legislative and practical environment for intermediary liability in Senegal lacks clarity on roles and obligations. In some cases, excessive powers over network operation are granted to service providers and the regulator. In others, the requirements to cooperate with law enforcement authorities are broad, without specifying avenues of redress in the event of abuse of users’ rights. While the Electronic Transactions Law and the Electronic Communications Decree are clear on the intermediary’s role with regard to user content, the Intelligence Services Law, the Penal Code and other instruments contain contradictory provisions on the surveillance and interception of communications that are likely to infringe privacy and freedom of expression online.

Specific legislation is needed to determine intermediary liability, including precision on the content that may be subject to removal or blocking, appeal procedures for decisions, and measures for reinstating removed content. In the absence of a specific legal instrument entirely dedicated to intermediary liability, the definition of intermediary liability, of responsibilities and obligations, and of unlawful content should be clear and consistent across existing legislation.

For their part, intermediaries should provide clear, accessible and understandable terms of service, including privacy, backup and anonymisation options, in accessible formats in order to promote privacy and data protection. In addition, greater transparency from service providers should include advance communication of changes to relevant usage policies and of service restrictions, as well as the publication of detailed reports on cooperation with authorities. At the same time, there is a need to strengthen partnerships and engagement with civil society with a view to collaborative advocacy to promote business and human rights principles.

Astou DIOUF is a CIPESA fellow working on the role of intermediaries and internet service providers in the fight against Covid-19 in Senegal, in particular on issues such as facilitating internet access, breaches of privacy and personal data, and content.