Cybercrime law in Africa’s online space: New frontier in defence of free expression.
Henry O. Maina
The internet is slowly but surely revolutionising societies everywhere and Africa has not been left behind. Internet growth on the continent has been exponential while it is yet to reach its peak. Increasingly too, many Africans are relying on the internet for business, entertainment, communication and participating in governance.
According to Internet World Statistics, internet penetration in Africa has reached 46.2% of the population with an estimated 635,000 000 users as of December 31, 2020. As such, social media platforms like Facebook, YouTube, Twitter, Pinterest, Whatsapp, TikTok, Instagram and Linkedin have gained considerable popularity in recent years. Facebook, in particular, has over 255,412,900 subscribers which are 62.18% of all users of social media in Africa.
On the other hand, electronic commerce is fast becoming the norm on the whole continent, such that most businesses, big or small, endeavour to have an online presence. Governments, as a business, have also not been left behind. Most have developed elaborate programmes and infrastructure to foster e-governments.
Journalists, political, social and human rights activists have equally not been left behind. Today, these groups use blogs, websites and portals to do their work and engage in political and social activism. Most legacy media outlets have also digitised their platforms and gained a significant online presence.
The cyberspace is thus the new public space and sphere akin to the legacy media that the proponents of the Windhoek Declaration sought to protect and promote 30 years ago.
As such governments, security agencies, businesses and citizen groups are grappling, not only to have access but to also control the internet and related cyberspace.
As a result of the multiple interests in the availability, accessibility and integrity of cyberspace it shall remain the next battlefield for the foreseeable future.
Ostensibly to foster electronic commerce and secure availability, integrity and accessibility of cyberspace most governments are fast enacting comprehensive sets of cybercrime laws. A brief about the current state of cybercrime laws suffice.
So far 46 African countries (85%) have passed comprehensive cyber crime laws and two (2) countries (Congo, eSwatini (formally Swaziland until 2018) have draft legislation. Central Africa Republic (CAR), Chad, Zimbabwe Comoros, Democratic Republic of Congo, Eritrea, Equatorial-Guinea, Gabon, Guinea-Bissau, Liberia, Libya, Namibia, Somalia and Tunisia have recently passed the law or are at different levels of consideration.
We identify these countries as sites for media freedom and other civil liberties advocates to keep their eyes set on them as these laws, “if passed without clear human rights safeguards can be inimical to rights as we will show later in this article.”
Globally, over 177 countries have enacted comprehensive cybercrime laws. The trends above may look lower compared to Europe which has the highest adoption rate (100%) while Asia and the Pacific have the lowest adoption rate of 55%. Most of the countries seem to have fashioned their laws around the Budapest Convention on Cybercrime which has so far 65 ratifications with five (5) of them from African states namely Cape Verde, Ghana, Mauritius, Morocco and Senegal. Other five (5) namely Benin, Burkina Faso, Nigeria, South Africa and Tunisia have been invited to accede.
The Budapest Convention is the first international treaty seeking to address cybercrime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations. Ironically, the African Union Convention on Cyber Security and Personal Data Protection, adopted on 27 June 2014 has only been ratified by eight member states namely: Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda and Senegal. It requires ratification by 15 member states for it to enter into force.
But before we delve into the threats posed by the litany of cyber-crime laws recently enacted by most African states, a brief on the supposed use and value of and the contagion effect of enactment of such laws suffices.
To security sector actors and cybercrime law proponents, cybercrime is not just a growing concern to countries at all levels of development as it affects both buyers and sellers, citizens and governments, It is a criminal enterprise that can wreak havoc to all economies of the world. Increased cybersecurity, they argue, will help protect consumers and business and ensure the availability of critical infrastructure.
The proponents of cybercrime law hold that such laws identify standards of acceptable behaviour for Information, Communication, Technology (ICT) users; establish socio-legal sanctions for cybercrime; protect ICT users in general, and mitigates, and/or prevents harm to people, systems, services, and infrastructure. They add that the laws protect human rights and enable the investigation and prosecution of crimes committed online or through the facilitation of online platforms. To them cybercrime laws provide rules of conduct and standards of behaviour for the use of the internet, computers, and related digital technologies and spell out both substantive, procedural and preventive provisions of law.
As such, most of the laws seek to provide an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes. The laws mimic each other. They all take a one-size-fits-all approach that ignores nuances specific to each sector and country, and this could be problematic given some countries do not have proper procedural safeguards to ensure security agencies do not misuse their investigatory powers.
Today, as we celebrate the legacy of the Windhoek Declaration, a new challenge- cyber-security legal regimes is fast emerging. The one-size-fits-all approach masks ongoing national struggles around freedom of expression, right to privacy, freedom of assembly and association.
Most of these laws, mostly enacted in the last two decades, do more than just provide for criminal offences against and by means of computers.
First, in their bid to criminalise certain conduct, they fail to clearly define what conduct constitutes a criminal offence. Put differently, they use overbroad terms to cast the net too wide beyond just establishing crimes under unauthorised access to computer material (hacking), unauthorised access with intent to commit or facilitate the commission of further offence; unauthorised modification of computer material, unauthorised interception, denial of service, computer-related forgery and fraud.
To elaborate on the first point, through use of overbroad cybercrime laws countries like Zambia, Uganda, Zimbabwe, Cameroon, Tanzania, Rwanda to name but a few, have witnessed the indefinite banning of websites and online publications and portals. Some cybercrime laws in Africa, like Tanzania’s Cybercrime Act, 2015, have deliberately included espionage and criminalise justifiable causes like investigative journalism, research and penetration testing by cybersecurity experts.
As such these laws seek to open the floodgates to criminalisation of ordinary online behaviour that is guaranteed under most constitutions and is protected under international human rights law.
Second, most laws seem to introduce broad content-related offences that unduly limit freedom of expression, right to privacy and freedom of association and assembly. While it is universally accepted that there is need to provide for laws against online child sexual abuse material, some of these laws have introduced more offences on pornography, cyber obscenity, cyber stalking, sharing of unsolicited messages, and publication of false news. Some also introduce copyright offences.
For example, the Tanzanian Cybercrime Act, 2015 and the South African Electronic Communications and Transactions Act, 2002 ban pornography. This ban is far beyond what international human rights law permits. It also goes far above proscribing procurement and distribution of child pornography. To many freedom of expression advocates, this is an undue limitation to freedom of expression given that adults may of their own volition want to watch such content created by two consenting adults.
Also activists campaigning against child pornography, investigative journalists and academics may have access to such material with a view to put a spotlight on the vice but the fact that security agents can lay their hands on such materials and prefer criminal charges against them leaves a lot to be desired.
Third, the laws tend to negate procedural safeguards on investigation, adducing of evidence and prosecution. For instance, investigators are under such laws permitted to enter, search and seize material without procedural safeguard and oversight from the courts of law.
From the above, it is evident that a surge in legislation and policies aimed at combating cybercrime has also opened the door to punishing and surveillance of journalists, activists and protesters in many countries in Africa.
“States are increasingly using cybercrime legislation and enforcement resources as a vehicle for restricting speech or controlling content that may hold them to account and even question the decisions of those in leadership,” said Ms Irene Khan, the UN Special Rapporteur on Freedom of expression.
In sum, while cybersecurity is a significant problem in Africa and the world, solutions should not threaten user privacy and fundamental rights of freedom of expression and association under the veil of national security. Counter-cyber attacks programmes must be transparent and respect fundamental human rights. If not, “cybercrime law is likely to remain the new frontier for those keen to secure media freedom and independence, freedom of assembly and association and right to privacy.”