Promoting Effective and Inclusive ICT Policy in Africa

Tag Archives: Cybercrime

  HomeCollaboration on International ICT Policy for East and Southern Africa (CIPESA)  /  Cybercrime
14Jun

Overview of Intermediary Liability in Senegal

Author CIPESA Posted on

By Astou Diouf |

Among its west African counterparts, Senegal is among the leaders in digitalisation efforts. Its press freedom rankings are high and the country has also recorded positive strides in data protection. Telecommunications sector players include 2018 entrants ARC Telecom, WAW Telecom and Africa Access, alongside the state-owned Sonatel, Free (initially licensed as SENTEL, later rebranded as Tigo), and Expresso Senegal

Moreover, internet affordability remains a challenge, with the country ranked 25th out of 72 countries assessed under the Affordability Index. As at December 2020, internet penetration in Senegal was estimated at 88.7% and mobile penetration at 114.2%. However,  there are concerns about repressive controls purportedly aimed at countering cybercrime, misinformation and hate speech. 

This article highlights the state of intermediary liability in Senegal, including the legal and regulatory environment relevant to intermediaries’ obligations including information/ data disclosure to law enforcement authorities, filtering or blocking content, and service restrictions. 

Legislative and Regulatory Overview

The electronic transactions law and eCommunications decree are the primary legislations that establish an intermediary liability framework in Senegal. Article 3(1) of law n° 2008-08 of January 25, 2008 on Electronic Transactions refers to intermediaries as “persons whose activity is  to provide  the public access to services through information and communication technologies”.

Borrowing from France’s law n° 2004-575 of June 21, 2004 on Confidence in the Digital Economy, the 2008 law places limited obligations on intermediaries to monitor content, but requires them to put in place mechanisms to remove or prevent access to unlawful content, inform users of service restrictions and complaints.

Article 3(2) states that a natural or legal persons who provides  to the public a service of storage of signals, writings, images,  sound or messages “cannot be held liable for the activities or information stored at the request of a recipient of these services if they did not have actual knowledge of their illicit nature or of facts and circumstances showing this nature or if, from the moment they had such knowledge, they acted promptly to remove this data or to make access [to it] impossible“.

However, without a clear definition of what constitutes illicit content, the electronic transactions law leaves room for restriction of access to content arbitrarily deemed illegal yet there are no clear provisions on ways to challenge content takedown decisions. 

On the upside, confidentiality of personal information is required under Article 5. Failure to comply with the provisions of the electronic transactions law is an offence under Articles 431-46 to 431-49 of the Penal Code, 2016, punishable with a fine of between 250,000 and 1,000,000 Francs (USD 461-1,845), imprisonment of between six months and one year, or both. 

The 2008 decree on eCommunications considers intermediaries to be neutral parties with no control over content, assuming that they merely provide transmission or storage of information, sometimes temporarily. Accordingly, Article 6 limits the liability of intermediaries when “1) they do not select the recipient of the transmission; 2) they do not initiate the transmission; 3) the activities of transfer and provision of access are aimed exclusively at carrying out the transmission or provision of access; 4) they do not modify the information that is subject to transmission; 5) they execute a decision of a judicial or administrative authority to remove the information or prohibit access to it.” 

While the electronic transactions law and the eCommunications decree limit the liability of intermediaries, other laws place obligations that have implications on users’ rights as detailed below. These include the law on intelligence services, the law amending the Code of Criminal Procedure, the eCommunications Code and the law amending the Penal Code.

Interception of Communications and Information Disclosure

The law n°2016-33 of December 14, 2016 relating to Intelligence Services under Article 10 states that in the interest of national security, intelligence authorities can “use technical, intrusive, surveillance or location procedures to collect information useful for neutralising the threat’’. Article 11 requires service providers to cooperate with and assist unspecified “relevant private bodies” with intelligence activities. 

Act No. 2016-30 amending Act No. 65-61 of 1965 on the Code of Criminal Procedure also mentions  intermediary liability in relation to criminal investigations. Article 90-11 requires the cooperation of intermediaries with investigative authorities in collecting or recording “in real time” relevant electronic data and communications. Article 90-14 provides that a public prosecutor must issue  to telecommunications operators and service providers a formal request for cooperation. Recording and interception of communications under the criminal code are subject to written authorisation by a judge. 

Further, article 90-17 empowers judges to order intermediaries to decrypt data or provide information on the operation of encrypted systems. Orders are not subject to appeal and their validity is restricted  to between two and four months renewable on a case-by-case basis. The lack of provisions for individuals subject to surveillance to challenge court orders is against the provisions of the Budapest Convention (which Senegal is Party to), aimed at ensuring an appropriate balance between the interests of law enforcement and respect for fundamental human rights.

Article 20 of the eCommunications Code re-emphasises the requirement for service providers to cooperate with government authorities in accordance with the provisions of Article 90-11 of the Code of Criminal Procedure, including through disclosing relevant information and offering technical assistance when asked. 

Service Restrictions

The 2018 eCommunications Code requires service providers to “prevent impending network congestion and mitigate the effects of exceptional or temporary congestion, provided that equivalent categories of traffic are subject to equal treatment” (Article 27)”. It adds that “the regulatory authority may authorise or impose any traffic management measure it deems useful to preserve competition in the electronic telecommunications sector and ensure fair treatment of similar services.” In application of these provisions, intermediaries can reduce the speed or interrupt the internet at times and locations, under the pretext of reducing network congestion. The provisions also give the Telecommunications and Postal Regulatory Authority (ARTP) unchecked powers to authorise or impose restrictions  on the availability of digital communication networks. 

Strict confidentiality and continuity of service requirements are also placed on intermediaries and their staff under the Penal Code Article 167 which states that “deletion or opening of correspondence addressed to third parties in bad faith” is an offense punishable by imprisonment for between six days and one year, a fine of 20,000-100,000 francs (USD 36-185), or both.  

Content Restrictions

There are no specific obligations for intermediaries to actively monitor networks and platforms for infringing content. Article 3(5) of the 2008 electronic transactions law states that service providers “are not subject to a general obligation to monitor the information they transmit or store, nor to a general obligation to search for facts or circumstances revealing illicit activities.” However, the provision is subject to targeted surveillance activity and requests by judicial authorities. In relation to crimes against humanity, incitement to racial hatred and child ponography, Article 3(5) states that intermediaries should set up systems that are “easily accessible and visible” to allow for such content to be brought to their attention. Furthermore, to promptly inform authorities of infringing content and inform users of the policies and practice in place to fight against illegal content. 

Whereas the Constitution of Senegal guarantees free speech, the Penal Code under Article 255 provides that: “The publication, dissemination, disclosure or reproduction, by any means whatsoever, of false news, fabricated, falsified or falsely attributed to third parties” that results in civil disobedience, endangers the public, or discredits public institutions is an offense punishable by imprisonment of one to three years and a fine of 100,000 to 1,500,000 Francs (USD 185 to 2,770). Without a clear definition of what constitutes false news, and considering requirements to cooperate with law enforcement authorities, failure of intermediaries to report any infringements may lead to sanctions. 

Under Article 431-61 of the Penal Code, conviction for an offense under the law that is committed via electronic communications attracts additional penalties. They include prohibition from sending electronic communications, temporary or permanent prohibition of access to the site used to commit the offense or its host. The article also requires service providers to implement measures necessary to ensure compliance with the penalties, violation of which is an offense punishable by six months to three years imprisonment and a fine of 500,000 to 2,000,000 Francs (USD 923 to 3,693). 

Cases of intermediary liability 

  1. Several private and public entities collect personal data in Senegal. For instance, there is Mandatory SIM card registration linked to the national identity database. However, there have been numerous reports of non-compliance with the data protection law and Commission of Personal Data (CDP) regulations. See, for instance, quarterly CDP notice
  2. During riots in early 2021, the government suspended private television channels Sen TV and Walf TV for repeatedly broadcasting images of the unrest following the arrest of the Senegalese opposition leader Ousmane Sonko. Furthermore, access to social media platforms including Youtube and Whatsapp was restricted.
  3. On June 20, 2019, the online newspaper “Pressafrik” was allegedly inaccessible for hours after it collaborated with the BBC on an investigative report into allegations of corruption implicating the brother of President Mack Sall. According to the Publishing Director Lissa Faye, the hack was “sponsored” given that “60% of Senegalese news sites are with the same host and PressAfrik is the only site to be inaccessible”. 
  4. The telecoms regulator ARTP has in the past issued ultimatums to telecommunications operators to improve quality of services.
  5. According to Facebook’s Transparency report, Senegal made six requests for user data, relating to seven accounts in 2020 – none of which was complied with. Earlier requests totaling 21 in the period 2016-2019 were also not complied with.
  6. Since 2009, Senegal has made four requests to remove content to Google
  7. Back in 2016, Senegal is reported to have made the second highest number of subscriber information requests  to Orange  – 18,653, up from 13,557 the previous year.  

Conclusion and Recommendations

The legislative and practice environment for liability of intermediaries in Senegal lacks clarity on roles and obligations. In some cases excessive powers over network operations are granted to service providers and the regulator. In others, requirements to cooperate with law enforcement authorities are broad, without specifying the recourse avenues for abuse of users’ rights. While the eTransactions Act and the Decree on eCommunications are clear about intermediary’s role regarding user’s content, the Intelligence Services Act, the Penal Code and other documents provide conflicting provisions related to surveillance and interception of communications that are likely to infringe privacy and freedom of expression online. 

There is need for specific legislation to determine the liability of intermediaries including with precision on content subject to take down or blockage, appeals procedures for decisions and measures for reinstating removed content. In the absence of a specific legal document entirely dedicated to intermediary liability, definition of intermediary liability, responsibilities and obligations, as well as unlawful content should be clear and consistent across all the existing legislation.

For their part, intermediaries should provide clear, accessible and understandable terms and conditions for service use, including options for privacy, back up and anonymisation, in accessible formats towards promoting privacy and data protection. Furthermore, increased transparency of service providers should include advance communication of changes to relevant user policies, service restrictions, as well as publication of detailed reports on cooperation with authorities.  Meanwhile, there is need for increased partnerships and engagement with civil society towards collaborative advocacy to promote business and human rights principles

Astou Diouf is a CIPESA Fellow, working on the role of internet intermediaries and service providers in the fight against Covid-19 in Senegal, including on issues such as facilitating increased access to the internet, privacy and personal data infringements, and content.

02Jun

Are Cryptocurrencies the Future of Freedom and Financial Inclusion in Africa?

Author CIPESA Posted on

By Daniel Mwesigwa and Thomas Robertson |

Advances in innovation have ushered in new approaches to digital transformation and financial service provision. With the growth in internet connectivity in sub-Saharan Africa, emerging technologies such as blockchain and cryptocurrencies have the potential to advance financial inclusion. 

Blockchain is the technology underpinning cryptocurrencies such as Bitcoin, Ethereum, and Litecoin, among others. The emergence of cryptocurrencies in Africa is particularly exciting due to the opportunities they provide for Africans in cash-based and informal economies to participate in alternative financial infrastructures. Many traditional financial infrastructures across Africa are often subject to high levels of volatility and ineffective governance. Blockchain financial technology allows for alternative financial infrastructures that increase monetary stability and efficient governance through a decentralised digital financial system.

Exploring the Digital Currencies Landscape in Africa

According to the World Bank, sub-Saharan Africa has one of the highest remittance rates in the world. In 2019, 3.6% of sub-Saharan Africa’s Gross Domestic Product (GDP) was derived from personal remittances- a figure over three times the global average. However, the region also has the world’s largest unbanked population, with only 42.6% of those above the age of 15 having an account at a financial institution. 

With the bulk of remittances on the continent being peer to peer transfers, cryptocurrencies have the potential to revolutionise remittances between Africa and the rest of the world. Cryptocurrency-based remittances would result in faster transfers, less logistical constraints, and lower transaction costs due to advanced Blockchain technology. Whereas remittances cannot be considered a form of financial inclusion, their potential application to digital currency infrastructures could usher in more inclusive financial infrastructures. 

Indeed, in August 2020, sub-Saharan Africa traded USD 18.3 million of the USD 95 million total worth of Bitcoin traded globally in one week – the second highest peer-to-peer Bitcoin trading volume in the world after North America (at USD 28.7 million). While it is argued that Bitcoin trading significantly increased in sub-Saharan Africa due to the need to hedge against the volatility of local currencies amid the effects of Covid-19 lockdowns on local economies, Bitcoin.com’s analysis shows that 86.3% of the volume was contributed exclusively by the continent’s leading economies –  Nigeria, Kenya, and South Africa.

Contrasted against the average weekly mobile money transaction volumes in sub-Saharan Africa of around USD 457 million, Bitcoin’s trading volumes seem dismal. However, it should be noted that since its 2007 debut in Kenya, the M-Pesa mobile money model has been replicated by over 140 mobile money services worldwide. Mobile money itself has positively contributed to financial inclusion on the continent by enabling person-to-person and person-to-business digital transactions, alongside access to savings, credit and investment services via mobile phones. However, it is not without challenges – including high transaction fees and costs associated with interoperability and regulatory gaps. Meanwhile research shows that women are less likely to use mobile apps to conduct financial transactions due to  gender bias in digital financial services (DFS).

Meanwhile, intercontinental financial flows are largely dominated by foreign currencies because Africa’s aspirations for a single currency are often undermined by national currency variations in stability, convertibility, and control. While it is possible to address these issues by pegging unstable national currencies to more stable international currencies, the solution is fraught with structural deficits, as evidenced by the West African CFA franc (Eco), which is pegged to the Euro.

Digital currencies are thus arguably positioned as more appealing and accessible alternatives to the status quo. They attract comparatively lower transaction fees and carry less of the bureaucratic burdens prevalent in existing financial systems, even those between neighboring countries. Further, unlike mobile money and traditional currency, which are prone to interference by authorities, most digital currencies such as Bitcoin are resistant to external suppression because they are not controlled by central banking authorities. For example, during the #EndSARS campaign against police brutality in Nigeria, authorities ordered banks and financial institutions to block donations to the Feminist Coalition, one of the organisations charged with coordinating the protests. The Coalition turned to Bitcoin and other cryptocurrencies to circumvent the blockade. Meanwhile in Kenya, despite calls against virtual currencies by the Central Bank of Kenya, there has been an emergence of community-based initiatives for local cryptocurrencies enthusiastically welcomed by domestic users

Tangible Obstacles to Digital Advancements

In Francophone West Africa, activists are calling for stable, regional currencies independent of European financial institutions that impose economic reliance on the West. Some have speculated that the creation of a regional cryptocurrency based on blockchain would finally emancipate their economic systems from unwanted foreign manipulation. Indeed, the establishment of a legally-recognised digital currency in Senegal – the eCFA – demonstrates that feasibility and a framework for digital currency exists. However, this potential is faced with constraints across the region such as internet disruptions as well as gaps in cybercrime and data protection and privacy legislation Nonetheless, the mobilisation of young enterprises around technological innovation in combination with civil society and government-led innovation in digital economic expansion hold some promise that blockchain utilisation can contribute to Africa’s social-economic development on a country or regional needs basis.

Central banks could either support or develop the blockchain and technology infrastructure upon which third parties could participate, or  sidestep the burden of  technology infrastructure development and maintenance through designing licensing regimes that allow appropriate third parties to issue digital currencies on behalf of their countries. However, to achieve this,  countries must have adequate financial and technology policy, including legislation that incentivises cryptocurrency development, ensures cybersecurity and protects user data and privacy. Furthermore, universal access to the internet and digital services, quality of service provision and infrastructure investments would go a long way in promoting adoption of digital financial technology.

07Feb

2019 International Cyber Security and Intelligence Conference

The International Cybersecurity and Intelligence Conference (ICSIC) provides a rare opportunity for global experts in Cyber security, Intelligence, Counter-Terrorism, National Infrastructure, Industry, Cyber Operations research, Law enforcement, and Legal Practitioners to proffer unified ideas and best practices on cyber safety, attacks prevention and secured cyber world. ICSIC, is a unique cyber security and intelligence conference that features high profile speakers from cyber security, privacy, intelligence, national critical infrastructure and counter-terrorism. Attendees will have a unique privilege to interact with some of the best brains in the industry.
For more details on the event, please click on ICSIC.

19Dec

Is the future of the internet in Africa fractured?

Author admin Posted on

By Daniel Mwesigwa |
At its founding, in the late 80s, the internet promised to democratize information, level uneven grounds, and the destroy barriers associated with distance, space, and time. Through promoting communication, coordination, integration at a pace and scale beyond the ability of any government to halt, the connectivity set a foundation for dichotomies so often aligned with colonialism, imperialism, and globalization.
Today the internet is not just about inscrutable abstracts on the potential merits of its ubiquity but rather its impact and probable effects on a global scale. If anything, the weaponization of algorithms, speech, objectivity, and people has been pronounced in the recent past. For example, Facebook and Cambridge Analytica have accepted responsibility for abetting electoral malfeasance in America and other states by enabling the manipulation of electorates through an à la carte of sensational news and unsubstantiated political advertising only meant to swing and tilt public opinion.
That is why it might be hard to assess whether governments will continue to sit back and watch powerful technology companies from the west continue to prowl over strategic industries in their backyards, or whether they will take to the ‘commanding heights’ to steer the internet’s governance, at the expense of an open and decentralized internet, within their jurisdictions.
But how did we get there? An Xiao Mina’s instructive take on the potential effects of censorship on the future of the global internet and the attendant effects on the public sphere predicts not only deeper digital divides but also bolder and even more daring abuses to democracy by nation-states. She’s not alone, Google’s former chairman, Eric Schmidt, and internet theorist and scholar Evgeny Morozov have made similar pronouncements: the internet is splintering due to policy dilemmas in the realms of sovereignty and globalization.
In spite of all; bad laws, technical upheavals, spam, and disruptions, the popular narrative is that we could not kill the “global” internet even if we tried. However, through technical disruptions (covert and overt) and an array of legal and regulatory guises, governments in Africa have institutionalized attacks on the internet at a level not experienced before.
Censorship is arguably one of the leading factors threatening the future of the internet. And China is the pariah. It has been particular to institutionalize censorship through remodelling its own internet reality in what the Communist party president, Xi Jinping, calls ‘internet sovereignty’. The Republic augmented her stringent controls on free speech and tightened media regulations in the real world onto the internet through even tighter controls on content, privacy and security. Through ambitious projects like the infamous “Great Firewall” and the more recent proposal to create a dystopian future where citizens are assessed for the good and bad through a “national social rating system”, China has asserted her position on her internet governance despite the internet’s original ideals on openness and decentralization. Indeed, China’s ethos on “internet sovereignty” are being evangelized and promoted in fragile, and weak nation-states. Zimbabwe is reported to be in the process of adopting a Chinese sanctioned facial recognition system to surveil high traffic areas such as airports and malls. For its renowned poor human rights record, such surveillance capabilities pose a danger to a free society.
Further, African governments have been renown for clandestinely shutting down the internet for all sorts of reasons—twice in Uganda during the 2016 presidential elections and over three months in the English-speaking region of Cameroon—usually in defence “national security”. Such censorships have been arbitrarily executed despite the punitive economic costs associated. Some governments have even flirted with the idea of developing local alternatives to popular social networking sites such as Facebook and Twitter so as to have full control over the knobs of social media must the need arise.
But also the censorship has been effected through particularly prohibitive laws meant to derail social media use and charge social critics and other dissenting voices. For example, the cybercrime laws of countries such as Tanzania give the police the mandate to arrest anybody they deem in breach of cyber laws without the necessary legal oversight. Tanzania has introduced a $900 tax for bloggers, Uganda has slapped a “gossip tax” on social media use and other OTT services, Zambia has levied a cost on internet voice calls. If the feel of the contours is anything to go by, censorship has taken unique and complex forms. It seems like many African governments are operating from the same template.
Meanwhile, if we might on what the future of the internet might look like, despite the attacks, we know it will largely be multimedia and highly, rather unsurprisingly, localized. The internet in the past faced severe infrastructural deficits. For example, before the first landfall of transatlantic fibre optic cables at the coast of East Africa in 2009, the internet was not only accessed through more expensive options such as satellite links, generally suffered lower speeds and was inaccessible with the greater part of the region.
The global interconnection through the fibre and terrestrial optic cables enabled further access and connectivity within the region. Most remarkably, local peering and Content Delivery Networks (CDN) increased internet capacity. Loosely defined, local peering means that instead of a webpage directly loading from some server located in an obscure location in North Carolina, a local copy of the same data would be stored on servers hosted locally, in Africa. This bolsters the user experience and also enables the reduction of costs associated with extending the internet to the last mile.
Of course, such developments are welcome but technology companies and giants predominantly from Silicon Valley have taken over these alternative connectivity methods to further affordable internet access to the “last mile”. However, they also have deep financial and corporate interests at heart. In fact, content companies such as Facebook are laying more fibre optic cables than traditionally renowned telecommunications carrier/infrastructure companies. Facebook has laid its first fibre in sub-Saharan Africa, in Uganda at a cost estimated at $100 million. Google had previously done the same in Uganda and Ghana. Overall, major countries seem to have some sort of connectivity experiment going on involving the use of low frequency, wifi hotspots, rockets and other novel technologies—again, spearheaded by Western tech giants. Such moves have raised concerns on issues regarding net neutrality, data protection and privacy, local content, among others. Technology companies seen through the lenses of benevolence might appear as benign catalysers of internet access. Yet by mere ownership of the plumbing that powers the internet effectively makes their services synonymous with the open internet itself. Indeed, it would not be surprising to find people who think Facebook is the internet. Technology companies could not only influence the internet’s direction but also act as a chokepoint, especially when deciding what geographical areas or income groups to serve or not.
While globalization was mostly lauded for is the discovery of previously unchartered territories and the opening of new frontiers, a lot of how it happened was characterized with pillage and violence—often at the expense of conquered states’ sovereignties. The globalization of the world through the internet promised trade and commerce, education and research, government and service delivery through instantaneous communication, on levelled grounds. But many of the paradigm shifts have enabled good use of the internet insofar as they have enabled abusive, problematic use. Now governments seem to have taken centre stage in steering what directions their internet takes, powerful corporations, on the other hand, have grown so powerful since they can algorithmically control and mediate the internet’s content, and emotions, that they threaten democracy and other virtues of good governance, especially in fragile states. As for the users, disparate realities of the internet look not so far away, some Facebook (through Free Basics) is touted to better than no Facebook (or internet) at all. Balkanization of the internet is at rather happening at an unprecedented pace. Is the future of the internet in Africa fractured?
This article was first published on December 19, 2018, African School on Internet Governance

1 2 3