The African Union Draft Convention on Cyber Security (AUCC) is to be tabled for signing on in January 2014, but after reading the fine print stakeholders in the ICT industry are already voicing their displeasure at some of the submissions that could be passed.
Rene Eno-Akpa a policy research fellow at the Centre for Intellectual Property and Information Technology Law (CIPIT), maintains however that the submissions contain loopholes that will, among other things, infringe on people’s civil liberties and as such cannot be made into law in their current form.
“These submissions need to be addressed to ensure civil liberties are not violated,” Eno-Akpa told HumanIPO.
The research fellow is emphatic that some of the submissions could abuse the right to African’s privacy, citing Articles II (8); II (9); II 28(2) and II 36(9), which allows for the processing of personal data and sensitive data without consent of the owner for the purpose of state security and public interest.
This is not right as, according to Eno-Akpa, state security and public interest are concepts that have contested meanings within the African political context and in law literature, creating the circumstance for violation of privacy if the AU draft Convention is passed come January, 2014.
It will also be possible for investigating judges to intercept any content and traffic data on almost no basis, thereby violating freedom of expression.
This will make people afraid to post whatever they want and end up affecting free flow of communication.
In an atmosphere where governments are still wary of social media, such as Facebook and Twitter, because of its nature of being an avenue for undue criticism for governments or officials in governments, interception might work to muzzle people against criticism of their governments.
Some of the legislation could have an impact on corporate bodies
“Each Member State of the African Union has to take necessary legislative measures to ensure that corporate bodies other than the State, local communities and public institutions can be held responsible for the offenses defined in this Convention, committed on their behalf by their organs or representatives,” reads Article II (40).
“The liability of the said corporate bodies does not exclude that of the physical persons who are the authors or accomplices of the same offenses.”
Article III 21 on the other hand compels member states to take necessary legislative or regulatory measures to compel ICT product vendors to submit their products for vulnerability and guarantee tests to be conducted by independent experts and researchers.
Additionally, they should divulge to the public any form of vulnerability found in the said products and the measures recommended for a solution thereto, a move that is likely to negate the gains made so far in e-commerce.
The proposals will also allow a judge to access data held in a computer system or in a facility that allows for the conservation of computerised data in the territory of a Member State, if it is deemed useful in revealing the truth in an investigation.
In such a case the investigating judge will issue a search or seizure warrant, to access or seize a computer system or part of the system or any other computer systems where the said data are accessible from the original system or available in the initial system.
This could potentially have a further effect civil liberties and also media houses that sometimes have to ensure anonymity of sources when working on a story.
Additionally, once seized, the information could be manipulated to suit certain interests. Therefore this should not come into play unless a crime has really been committed and there is electronic evidence.
Although provided for in the draft convention, there are very few institutions across Africa that have technical capacity to track and fight cyber offenses such as the Computer Emergency Response Teams. This lack of technical capacity will make the convention unworkable once passed unless emphasis is now put to first set up such technical capacity before the law comes into force.
“There is need for African countries to put in place a computer emergency response team that gives early warning of cyber crime,” said Eno-Akpa.
He also decried the fact that while judges had been given absolute powers in the draft convention, only very few judges compared with the rest across Africa are trained in cybercrime and cyber forensics.
Most stakeholders of cyber security in the private sector (apart from Microsoft) were not included in discussions for the draft bill. CIPIT is asking that the private sector to be included in the discussions for the bills.
The organization has a petition site where it is requesting people to sign against the convention in addition to it petitioning parliament in an open letter backed by stakeholders such as Google, iLabAfrica and iHub.
The Draft convention will come into force 30 days after the AU, All Heads of States and Governments Summit in January 2014 if any 15 AU member states sign the Convention.