By July 2014 or January 2015, the African Union (AU) is expected to ratify the African Union Convention on Confidence and Security in Cyberspace (AUCC). The AU is currently holding its 22nd assembly in Addis Ababa, running until 1st February, and the ratification was to take place at this meeting before it was postponed.
Such legislation is necessitated by the rapid globalization of crime, largely made possible by the internet. Africa lags behind and is an easy target due to poor understanding of the security risks it faces, the lack of tools to ensure cybersecurity and the lack of human resources to create a proper legal framework.
Cybercrime is a huge problem in Africa. It is defined as any crime committed using a computer, network or hardware device, for example computer hacking, child pornography and cyberbullying. By 2012, South Africa was home to the third highest number of cybercrime victims in the world, trailing only Russia and China. 419 scams, in which the victim is contacted by a “rich person” with a conundrum and asked to help out (usually by sending some money or sharing bank account numbers and other personal information) for a share of the wealth, did originate in Nigeria after all.
Kenya was estimated to have lost KES 2 billion ($23 million) to cybercrime in 2013 – and close to 1,000 Kenyans fell victim to fraud on a daily basis. The hardest hit industry was banking, with many attacks going undetected due to poor prevention and detection mechanisms. Sensitive data such as stolen debit and credit card information from banks can be easily purchased online. It is easy to see why a legal framework for cybersecurity in Africa is necessary.
The AUCC, however well intended, must not be ratified in its current form. It infringes on Africans’ right to privacy and freedom of expression, is heavy-handed, places too much power in the hands of judges and could kill the free sharing and innovation that fuel the engine that is the internet.
Judges are allowed to intercept the electronic communications of individuals without their permission if it is found to be in the “public interest”.
But what is public interest?
Its definition is vague, and the interpretation is subjective. For example, we may justify the jailing of a dissident based on interception of emails criticizing the government as being “good for the country”. As is wont to happen in many African countries, this “public interest” will likely end up being the interests of politicians and wealthy corporations/individuals, or even worse, the government. Your information may easily fall into any of these hands, and there is nothing you would be able to do to stop it.
The same applies to hate speech, racist and xenophobic content, which are not clearly defined and are left up to the judge’s interpretation. Ironically, the draft does not include hate speech due to gender or sexual orientation, which are two of the biggest reasons people are bullied online. Many judges on the continent, let us face it, are also not well versed in matters internet. To give them such power is akin to handing a power saw to a child.
The possibility of such interception will also lead to the curtailment of the freedom of speech, either due to self-censorship or interception by the government. Due to fear of prosecution and the subjectivity in the interpretation of public interest, the internet may cease to be a space for active discussions on the state of African countries and instead become permeated with fear and silence.
The AUCC also gives states the mandate to create a data protection authority, and then goes ahead to contradict itself. It says: “The protection authority shall comprise parliamentarians, deputies, senators, senior judges of the Tribunal of Accounts, Council of State, Civil and Criminal Appeal Court…” then one paragraph later, says that members of the authority should not be serving in government. Members of the authority would also enjoy full immunity for views expressed in the exercise of their functions, and would not receive instructions from any authority. This sounds very ripe for abuse.
In these times when user-generated content is king, one wonders who would be held responsible if content on a website was found to be in contravention of this law – the site owner or the user? How easy would it be to locate this user, what with anonymity and geographical dispersion? If we were to hold the site owner responsible, wouldn’t this curtail the recent IT boom we have witnessed in Kenya and other African countries so far? The AUCC wants to hold corporations accountable for offences committed using their technology, and for them to frequently test their technologies for vulnerability. Who would want to innovate when they could end up responsible for content they did not generate? Wouldn’t the cost of compliance be too high? Should we stifle innovations such as ecommerce and m-banking in the war against cybercrime?
The AUCC was drafted with little consultation with stakeholders in the industry across the continent. This is evident, as the scope in many cases is too wide, and the measures impractical. How can we attempt to regulate a space so crucial to African economies without consulting the people who work in the industry day-to-day, especially when there is little understanding of cybercrime and cybersecurity by the lawmakers themselves? The last time the world witnessed such an attempt was with the SOPA and PIPA bills in the USA, and they failed because of a similar approach.
The internet succeeds because it allows freedom of expression, sharing and collaboration. The cost of owning a web-page is currently also low. This is how it accelerates innovation. The AUCC is a half-baked solution to a serious problem. It will cost us potential jobs and infringe on fundamental freedoms and rights, all while stifling innovation and barely reducing cybercrime. Yes, we need a solution to poor cybersecurity in Africa, but the draft AUCC is not it, and we must stop it from being ratified.
What can you do?
1. Read the draft AUCC here.
2. If you are in Kenya, sign this petition to parliament and follow this blog to keep abreast of developments regarding the draft. Contacting your MP with your contention will also go a long way.
3. If you are not in Kenya, please set up a petition for your country directed to your legislative body and ask them to oppose this legislation.
4. Share this widely to ensure that your networks understand the effects of this draft.
We are lucky that the ratification has been postponed, and that the CIPIT was given until May 2014 to come up with a memo from Kenya on the issues they have with the AUCC and suggested solutions. This battle will be easier won if other countries join the fight to keep the internet free and fair, a space where people can actually experience democracy.
We stand to lose our freedom to express ourselves on one of the few platforms through which we can hold our leaders accountable, and which we can use, and have used, to create change in our countries. We stand to lose our right to privacy, and dominion over our information. We stand to lose the internet as we know it.
Many things have been taken from Africa. Don’t let them take the internet.