Africa Needs A Cybersecurity Law But AU's Proposal is Flawed, Advocates Say
BY Joel Macharia | Friday, January 31 2014
Kariuki Kaboro is the co-founder of a local cloud services start-up in Nairobi. He does not use ATM cards as frequently as he used to. In fact, he avoids using them at all when he can. He does not have a fear of technology; as the co-founder of a cloud computing services company, he is more at home with technology than most people would be. His aversion to ATM cards stems from a different source.
“My card was skimmed and money taken out of my account,” he explains. “Twice.”
Kaboro’s story is not a unique one. Just over a year ago, several Kenyan banks were hit with cases of ATM fraud. Local media reported that the banking industry lost almost US$20 million to ATM fraudsters between April 2012 and March 2013.
It is against this backdrop that the African Union (AU) drafted a convention on cyber security in 2011 that would provide legislation and guidance on “organization of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combatting cybercrime.” Originally slated to be passed at January’s AU meeting, the bill is now tabled for July 2014 or January 2015 at the latest.
Over the past 12 years, Africa has experienced a boom in telecommunication use; in fact, between 2000 and 2012, compared to any other region, Africa had the fastest rate of Internet penetration, at 3,606.7% over that period. Kenya has the world’s largest mobile money transfer service, M-PESA.
Evidently, the increasing growth in Internet and mobile use has created a need for legislation that helps deter crime and that enhances confidence and security in African cyberspace, leading to the drafting of the Africa Union Convention on Cybersecurity (AUCC). The convention, however, has met with some resistance from the tech and civil society sectors, who claim the bill has not been drafted with their input and does not do enough to protect privacy and freedom of speech.
The Strathmore University Centre for Intellectual Property and Information Technology Law (CIPIT) in Kenya has been at the forefront of campaigning against the draft AUCC in its current form, even though they do believe Africa needs a cyber security law to protect against fraud.
In September 2013, CIPIT launched an online petition opposing the passage of the AUCC in its current form. It has only received 152 signatures to date out of a targeted 20,000 by February 1, 2014. Robert Mureithi, Project Manager at CIPIT, says that the online petition was only one avenue through which they sought to mobilize support, and admits that 152 signatures is low.
Mureithi wrote to techPresident in an email, “One more thing you have to contend with is that very few folks have taken their time to read the convention. Plus, in my opinion, we are yet to develop a culture of signing on-line petitions.” He further explained that “after talking to a number of people acquainted with the workings of the AU that an on-line petition would not have the sway we thought it might have.”
Instead, CIPIT chose to engage with the AU Info-Society division, the AU's arm that deals with technology and information, by participating in ICT Week, an annual event held to celebrate achievement and discuss challenges in the African ICT space. ICT Week was held at the AU headquarters in Addis Ababa in December 2013, where CIPIT held a closed-door session with the AU Info-Society division. The AU agreed to take one submission from Kenya on suggestions of changes to the draft that would be discussed at the Ministers of Justice meeting set for June 2014.
Enoakpa Rene, a Google Policy Research Fellow with the Centre, says that they established the petition to request the AU not to pass the convention in its current form, and to involve more stakeholders in the development of the laws. The Centre also wrote a letter to the AU requesting additional private sector input and another to the Kenyan Parliament requesting a parliamentary referendum opposing the convention. CIPIT has also held round table discussions with technology players in Kenya, such as the iHub and Google, to try to raise awareness of the AUCC.
Enoakpa says that the convention provides too much power to the government, particularly in accessing private information. Articles II (8); II (9); II 28(2) and II 36(9), which allow for the processing of personal data and sensitive data without consent of the owner for the purpose of state security and public interest could be misused.
In the letter to the AU, CIPIT states:
Articles III-50 and III-51 give broad and unchecked powers to “investigating judges”. Such powers include the power to issue search and seizure warrants for any electronic records that the judge considers to be relevant to a crime (whether the crime is verified or merely suspected), as well as the power to hold such seized information for any period of time deemed necessary by the judge. Article III-55 gives judges almost unlimited power to order the interception in real time of transmitted messages (i.e., wiretapping and other surveillance measures). The judge has sole discretion to determine necessity and appropriateness of these broad powers. These provisions ignore the nearly ubiquitous lack of qualified investigative judges, omit any requirement for checking such authority or permitting appeals of such intrusive powers, and are highly likely to be subject to abuses of power.
“In Africa, state security could be interpreted to mean regime security. This law would give the government of the day permission to seize data and prosecute anyone they feel is acting against them. This is particularly unfortunate for the civil society,” Enoakpa says.
Nanjira Sambuli, the Governance and Technology Research Manager at iHub in Kenya, says that the convention also imposes limitations on free speech and freedom of expression.
“Article III (34-37) call for the prosecution of anyone seen to promote “theories” of racism and xenophobia, but does not provide a definition of what these theories might be. If I put up a photo, and you decide it is racist, can you forward me to a judge?” Sambuli said to techPresident.
Sambuli's other concern about the draft was that Article II- (14 -20) call for the creation of a national data protection authority that would not be answerable to any other party. This authority could collect and process data at their own discretion. She explained, “If this authority is not answerable to anyone, what are the chances, given Africa’s history, that it would abuse its power?”
CIO Magazine, a technology-focused magazine based in Kenya, reviewed the draft law and highlighted several key concerns in the space of e-commerce. The first was that the convention compels all individuals and corporate bodies taking part in electronic financial transactions (e.g., M-PESA) to provide full identity information as prescribed in Article I-4. It remains unclear, however, how such data will be protected and how confidentiality will be maintained. The second was that Article I-26 states that only approved e-commerce payments may be used in a country. This requirement would force popular global platforms, such as PayPal, to seek regulatory approval, considerably slowing down the rate at which they could spread their services across Africa. It would also make illegal peer-to-peer formats such as Bitcoin that do not have an “owner.” The third was that Article I-9 prevents the sending of unsolicited electronic communication, which, while aimed at curtailing spam, could be misinterpreted in relation to online marketing.
The convention, oddly, excludes from its coverage gambling and provision of legal services as part of e-commerce.
In addition, in its letter to the AU, CIPIT adds that the AUCC requires, through Article III-21, that ICT product vendors submit products for “vulnerability and guarantee tests.” Such a requirement, although intended to protect consumers, actually increases the risk to consumers. An ICT product vendor, having complied with the standardized testing required of the AUCC, can reasonably argue that such compliance completely eliminates their liability for security breaches of their products. For consumers, this may mean having their accounts hacked without recourse for any stolen information. Furthermore, standardizing security measures across all ICT products benefits criminals because vulnerabilities apply to a larger number of devices and systems.
The Kenyan government, however, does not back CIPIT’s stand, as it feels there is a strong need to have a cyber law in place as soon as possible. Speaking at a Cyber Security conference in Nairobi in November 2013, the Information, Communications and Technology Cabinet Secretary Fred Matiang’i said he expects President Uhuru Kenyatta to attend the AU meeting where the draft convention will be adopted, as reported on the ICT Authority website. “We must work with our neighbours in COMESA [Common Markets for East and South Africa] in ratifying the AU Cyber security convention. Our President will go to AU in January for the convention,” Mr Matiang’i said.
“There is no doubt that Africa needs this legislation in place and soon,” Mureithi says. “Africa is home to 4 of 10 countries with highest cyber-crime rates in the world. However, in as much as it is needed, we have to ensure that the legislation does not come at the price of our privacy and freedom of expression.”
Kaboro, on his part, looks forward to using his ATM cards again, contingent on there being a law that deters fraudsters from skimming his card. And, hopefully, he will be able to blog and tweet about it without worrying that the “National Data Protection Agency” police will come crashing through his door waving a search and seizure warrant for his company’s servers.
Joel Macharia is an entrepreneur and consultant working in finance and digital media in Nairobi.
Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.