Private sector wary of the Africa cyber security recommendations
The African Union Convention on Cyber Security (AUCC) is to be voted on in January 2014, but after reading the fine print stakeholders in the ICT industry are already voicing their displeasure at some of the submissions that could be passed.
The AUCC consists of 15 African member states and among its chief proposals is establishing a credible framework for cyber security in Africa through the organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cybercrime.
Rene Eno-Akpa a policy research fellow at the Centre for Intellectual Property and Information Technology Law (CIPIT), maintains however that the submissions contain loopholes that will, among other things, infringe on people’s civil liberties and as such cannot be made into law in their current form.
“These submissions need to be addressed to ensure civil liberties are not violated,” Eno-Akpa told HumanIPO.
The research fellow is emphatic that some of the submissions could abuse the right to African’s privacy, citing Articles II (8) and II (9) which allows for the processing of personal data without consent of the owner for the purpose of state security, defense or public security.
This is not right as, according to Eno-Akpa, there is no unified meaning among member countries for those situations and therefore causes political rifts among countries.
On the issue of public interest, it will also be possible for judges to intercept any content and traffic data for the sake of public interest without their consent according to Article II (21).
This will make people afraid to post whatever they want and end up affecting communication and e-commerce.
In an atmosphere where governments are still wary of social media, such as Facebook and Twitter, because of its nature of being an avenue for undue criticism for governments or officials in governments, interception might work to muzzle people against criticism of their governments.
CIIPIT is also of the opinion the problem of legislation overkill will come up if the bills are passed into law and hence punishment for some offences could get a stiffer penalty than what they were originally meant to attract in cases of aggravation.
Some of the legislation could have an impact on corporate bodies and these should be within the context of individual member states.
“Each Member State of the African Union has to take necessary legislative measures to ensure that corporate bodies other than the State, local communities and public institutions can be held responsible for the offenses defined in this Convention, committed on their behalf by their organs or representatives,” reads Article II (40).
“The liability of the said corporate bodies does not exclude that of the physical persons who are the authors or accomplices of the same offenses.”
Article II (48) on the other hand compels member states to take necessary legislative or regulatory measures to compel ICT product vendors to submit their products for vulnerability and guarantee tests to be conducted by independent experts and researchers.
Additionally, they should divulge to the public any form of vulnerability found in the said products and the measures recommended for a solution thereto, a move that is likely to negate the gains made so far in e-commerce.
The proposals will also allow a judge to access data held in a computer system or in a facility that allows for the conservation of computerised data in the territory of a Member State, if it is deemed useful in revealing the truth in an investigation.
In such a case the investigating judge will issue a search or seizure warrant, to access or seize a computer system or part of the system or any other computer systems where the said data are accessible from the original system or available in the initial system.
This could potentially have a further effect civil liberties and also media houses who sometimes have to ensure anonymity of sources when working on a story.
Additionally, once seized, the information could be manipulated to suit certain interests. Therefore this should not come into play unless a crime has really been committed and there is electronic evidence.
At the momentm according to Eno-Akpar, there is no well placed mechanism for computer emergency response in Africa.
“There is need for African countries to put in place a computer emergency response team that gives early warning of cyber crime,” said Eno-Akpar. “There should be a model law and authority that fights cyber crime.”
He also decried the fact that while judges had been given absolute powers in the bills, they are not trained in cybercrime and forensics.
The private sector was also not included in discussions for the proposals. CIPIT is asking that the private sector to be included in the discussions for the bills.
The organisation has a petition site where it is requesting people to sign against the convention in addition to it petitioning parliament in an open letter backed by stakeholders such as Google, iLabAfrica and iHub.
15 African states are expected to approve the convention at an AU summit in January, upon which the AUCC will be passed into law.