ANALYSIS: Zambia’s Proposed Cyber Laws Facilitate Suppression of Civil Liberties

Zambia has published the Cyber Security Bill, 2024 and the Cyber Crimes Bill, 2024, which would repeal the Cyber Security and Cyber Crimes Act of 2021. These proposed laws’ objective of combating cyber crimes and promoting a safe and healthy digital society is welcome, as is the need for the country to strengthen its cyber security posture, including through legislation.

However, the current drafts of the laws not only miss the opportunity to cure some of the deficiencies in the 2021 cyber crimes law they are repealing but also introduce several more regressive provisions.

In an analysis of the two Bills, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) and the Bloggers of Zambia, which also hosts the Zambia CSO Coalition on Digital Rights, point to the retrogressive and vague provisions in the two Bills, and offer recommendations that can render the proposed laws more robustly rights-respecting and effective in combating cyber crimes.

The bills have some progressive provisions, such as the separation of cybersecurity and cybercrime functions; the structured cybersecurity governance that includes the creation of dedicated bodies such as the Cyber Security Agency and the Cyber Incident Response Teams (CIRTs); and provision of a framework for mutual legal assistance and cooperation with foreign entities. The bills also introduce new offences in response to emerging cyberthreats, such as identity-related crimes, attacks on critical information infrastructure, cyber harassment, cyber terrorism, and “revenge pornography”.

However, the list of concerns is much longer, as detailed below:

  1. Weak Human Rights and procedural safeguards: The bills do not affirm adherence to regional and international human rights standards and obligations, such as privacy, freedom of expression, access to information, or due process. Also, enforcement measures lack comprehensive human rights and due process safeguards to ensure provisions and practices are proportionate, necessary, and pursue legitimate aims. 
  2. Potential for abuse of power: The bills provide law enforcement agencies significant discretion in applying their provisions, thereby increasing risks for political interference, unchecked surveillance and the widespread targeting of dissenters. These are aided by broad surveillance powers and ambiguous definitions of terms and offences, which create room for subjective interpretation and arbitrary application. These could be used to suppress freedom of expression and legitimate public discourse.
  3. Weak oversight and governance: There are limited independent or judicial review processes mandated for surveillance, data collection, or search and seizure activities. Further, the centralised control of the Cyber Security Agency and Central Monitoring and Co-ordination Centre (CMCC) and the absence of independent oversight mechanisms raise accountability concerns. Also, there is no clear separation of cybersecurity functions from the cybercrime-related functions between the two bills, which could lead to duplication and implementation challenges.
  4. Overly broad surveillance powers: Law enforcement is granted broad interception powers including real-time data collection and communication interception and extensive search-and-seizure powers. The provisions do not include clear limits or provide sufficient safeguards such as judicial oversight, proportionality, or transparency and accountability.
  5. Insufficient safeguards for privacy: The bills enable widespread surveillance and interception without clear provisions on data retention limits, purpose limitation, secure handling of intercepted data and oversight. This could allow for indefinite storage of data, increasing the risk of misuse or unauthorised access. Also, the absence of anonymity protections for whistleblowers, journalists, and researchers could criminalise legitimate anonymous or pseudonymous activities. The provisions limit privacy rights, and are in total disregard of the country’s Data Protection Act, 2021.

General Recommendations

  1. Provide adequate human rights and procedural safeguards: Incorporate a dedicated section affirming the bill’s compliance with Zambia’s constitutional and international human rights obligations. Further, align the bills with the Declaration of Principles on Freedom of Expression and Access to Information in Africa and the African Union Convention on Cybercrime and Personal Data Protection. In addition, conduct a Regulatory and Human Rights Impact Assessment and require periodic review of the bill’s implementation for potential human rights impacts.
  2. Strengthen oversight and governance mechanisms: Introduce mandatory independent judicial oversight, notification and documentation and annual reporting requirements on the use of powers under the bill, ensuring accountability and public trust. Establish independent oversight mechanisms for the Cybersecurity Agency, CMCC and surveillance practices. 

Review the structure and functioning of the newly established agencies vis-a-vis the roles of other agencies e.g. Office of the President, Ministry of ICT, Zambia Information Technology Authority (ZICTA), security agencies, among others, to enhance coordination and avoid duplication of roles and fragmentation. It is also important to have clear delineation of cybersecurity functions and cybercrime functions to avoid confusion or duplication of roles.

  3. Ensure proportionality: Many offences in the Cyber Crimes Bill criminalise minor or vague conduct without proportionality thresholds. Introduce proportionality clauses limiting criminalisation to significant harm, or graduated scales that enhance penalties based on severity, complexity and impact of offences on victims, critical infrastructure or organisations.
  4. Invest in capacity building: Provide a framework for training of law enforcement, prosecution and judiciary officials on applying the law proportionately, balancing enforcement with human rights protection.
  5. Ensure compliance with data protection laws: Ensure the bills align with the provisions of Zambia’s Data Protection Act, 2021, to protect individuals’ privacy rights.

The full analysis can be found here.

A Call on TECNO to Uphold Users’ Privacy and Security

Open Letter

Strengthening the digital security of at-risk groups and organisations amidst growing digital rights attacks in Africa has become increasingly crucial. However, inadequate device security is undermining such efforts.

Investigations by Privacy International have revealed that TECNO – a phone manufacturer with an estimated 47% market share in East Africa and widely used across other regions on the continent – is putting users’ privacy and security at risk. 

Based on testing of a TECNO device – the Y2 – purchased in Uganda, the investigations reveal that the phone’s operating system was outdated, having not received updates since 2013. Further, pre-installed applications that users cannot uninstall were using up space on the device. Whereas the specific model of phone with the vulnerabilities was discontinued from production by TECNO back in November 2019, it remained on sale as recently as 2020.

In response to the revelations, Privacy International and the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), together with nine other civil society organisations, have submitted a letter to TECNO calling on the Chinese manufacturer to make changes to their practices and protect users’ privacy and security.

The letter urges TECNO to make three key changes to significantly improve their users’ privacy and security:

  1. TECNO should ship phones with a supported version of the Android operating system.
  2. TECNO should do their best to support the longevity of their devices and therefore combat e-waste. They must tell consumers, at the point of sale, how long their device will be supported, provide regular updates to the device, and notify users when continuing to use a device poses a risk to their privacy or security.
  3. TECNO should minimise the amount of bloatware, superfluous apps and other extras that come pre-installed on their phones. Whenever bloatware is included, it should exist in the user partition and therefore be removable by the user.

“It’s vital that TECNO listen to civil society and make these small changes to protect their users. TECNO users across Africa and the world deserve to know what they’re buying, especially when their phone will no longer receive security support,” said Caitlin Bishop, Privacy International’s project lead on work around low-cost technology.

“Skills in digital security and safety are lacking among some of the most at-risk groups in many African countries. Surveillance schemes by state and non-state actors leverage this skills and knowledge gap. It is important therefore that leading device manufacturers, such as TECNO, guarantee privacy and security by design in order to ensure the safety of users,” said Ashnah Kalemera, CIPESA’s Programme Manager.

A copy of the letter can be accessed here.

CIPESA Conducts Digital Safety Training for Journalists and Activists in Tanzania and Uganda

By Ashnah Kalemera
This month, the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) has given training to human rights defenders, journalists, bloggers and media practitioners in Tanzania and Uganda in safety and security tactics to promote privacy and freedom of expression online.
The training, conducted in Kampala on April 10 and in Dar es Salaam on April 14 and 15, also helped participants to understand the laws and policies governing digital communications in the two east African countries.
The trainings explored basic computer security for operating systems, data storage and software updates. In addition, safety and security tips for using social media such as Facebook and Twitter, email and mobile communications were shared. Strong emphasis was placed on ensuring privacy of these communication tools and creating strong passwords. The trainings also explored techniques for responding to surveillance and censorship using anonymous browser tools, Virtual Private Networks (VPN) and Encryption.
Participants in the two countries shared their experiences – with varying levels of expertise – in securing their communications.
“I do not share my laptop regardless of who you are,” stated one Ugandan participant. He added that he did not access his email on phone or at internet cafes, cautioning the participants who did. “Any email has to wait until I get to my encrypted laptop,” he said.
A Tanzanian journalist said that whereas she makes the effort to secure all her devices and online user accounts, she often used the same password across the board. This highlighted the shortage of digital safety skills among some of the most regular users of digital technologies in the country.
Participants in both trainings noted that in some cases, civil society organisations were “lazy” in adopting the latest technology to ensure the safety and security of their operations and their staff online. In other cases, financial resources were a limitation. Another challenge highlighted was the slow internet speeds in both countries, hence forcing users to access the internet on several devices.
On the legal and regulatory front, discussions centered around the proposed Cyber Crime Bill in Tanzania and the Uganda Data Protection and Privacy Bill and the need for the two countries to adopt laws that support internet freedoms.
Participants also raised concern about recent developments in neighbouring Kenya and their potential impact on the use of information and communication technologies (ICT) across all member states of the East African Community.
Participants in both the Tanzania and Uganda trainings called for increased awareness of online freedom amongst internet users, particularly vulnerable groups such as women and youth, to promote greater appreciation for the need to adopt safety and security practices online.
Overview of training beneficiaries
Individuals from 27 organisations benefited from the training, out of which an average of 33% were women and 67% were men.
Figure 1: Training beneficiaries by gender
Figure 2: Training beneficiaries by user/organisation category (panels: TZ, UG)
The trainings were organised by CIPESA in partnership with the Pan African Human Rights Defenders Project and Jamii Forums in Uganda and Tanzania respectively in the context of CIPESA’s OpenNet Africa project supported by Hivos, the Open Technology Fund and the Association for Progressive Communications.
Upcoming digital safety skills engagements include one for journalists in Uganda (to coincide with World Press Freedom Day on May 3) and one for the local tech community.

Online Privacy and Security: The Debate And The Dilemma

By Ashnah Kalemera
The issue of internet users’ privacy and security has been widely debated since the Edward Snowden revelations last June put a magnifying glass on the extremes that some governments, such as the U.S., are prepared to go to in the fight against terrorism and cybercrime.
To date, debate rages on amongst human rights activists, government, media, academia and the private sector on the effects of surveillance on internet freedoms. It is also becoming apparent that some developing countries are taking to surveillance of their citizens’ communications.
These discussions continued at this year’s Stockholm Internet Forum (SIF), themed “Internet: privacy, transparency, surveillance and control”. The annual forum, hosted by the Swedish Ministry for Foreign Affairs in partnership with the country’s Internet Infrastructure Foundation (.se) and the Swedish Development Cooperation Agency (Sida), took place in Stockholm, Sweden, May 27–28, 2014.
In her opening address, Anna-Karin Hatt, Sweden’s Minister for Information Technology, said there would be grave consequences to basic human rights if states across the world continued to undertake unrestricted surveillance.
“During the last year, we have had more than one reason to discuss the behaviour between states and the behaviour of states within their borders,” she said. “The most valuable lesson has been that all surveillance must be subjected to strict limitations.” She added that “no system of surveillance must be justified because it is technologically possible.”
Rather, where legitimate cause exists, “surveillance must be proportional to the benefits it brings to citizens in terms of reduction in crime and improved security”. Furthermore, she argued, it must be based on transparent laws that are adopted through democratic processes.
She also noted that the last year had seen many multi-stakeholder meetings and processes on the matter. These included the 2013 global Internet Governance Forum, NetMundial, the Freedom Online Coalition, and the 2014 Cyber Dialogue. However, she added, it was still important to continue these discussions with participation from a broad range of state and non-state stakeholders in order to reach a consensus.
According to the International Telecommunications Union (ITU), only 19% of Africans use the internet compared to 75% (Europe), 32% (Asia) and 65% (the Americas). Africa also has the lowest mobile phone penetration rates. Low literacy levels, high cost of accessing and owning ICT, acute shortages of electricity, gender inequalities and a shortage of skilled human resources have contributed to the continent’s low ICT use. Even with this limited access, internet use is further impeded by government policies and practices that threaten internet freedom.
While African governments may not be blatantly or capably conducting surveillance on the scale of the National Security Agency (NSA) in the U.S., in recent years they have not shied away from requesting social media users’ information and seeking content takedowns. This is a reflection of the growing interest in what citizens are doing online.
According to the recently published State of Internet Freedom in East Africa report, national constitutions and a number of legislations on the continent provide for freedoms of expression, assembly, privacy and access to information. However, various recently enacted laws take away from citizens’ enjoyment of these freedoms in the online space.
James A. Lewis, director and senior fellow at the American Centre for Strategic and International Studies, asserted that post-Snowden, the debate had shifted from freedom of expression to privacy versus security. The latter were not guaranteed on the internet. “I have never seen a government that does not conduct surveillance on its own citizens. The challenge is extending sovereignty without sacrificing human rights,” he said.
But what is the perception in the developing world where it is estimated that the next billion internet users will come from? Should Africa prioritise access over security? Alison Gillwald, executive director of Research ICT Africa, noted that many people on the continent are more concerned about getting access to the internet and less so their privacy online.
Meanwhile, emerging threats from terrorist and militia groups in Africa seem to have influenced the way some governments perceive internet freedom. In Nigeria, Gbenga Sesan noted that the abduction of 300 schoolgirls by a Muslim extremist group had reinforced state surveillance measures. “The government is using such incidents to justify ‘rule of law’: ‘if we should provide you with more security, we need to access your privacy’,” said Mr. Sesan.
Perhaps, as Eileen Donahue, Director of Global Affairs at Human Rights Watch, pointed out, even with continued discussion and research on the matter, “we may not be able to figure out how to proactively reconcile the internet and human rights.”