NewsDay


Zim’s cyber laws —Going nowhere quickly

Opinion & Analysis
The circulation of the Draft Computer and Cyber Crime Bill (the Draft) has resulted in a barrage of insults directed at the parent ministry and minister for attempting to gag society in light of the recent social media-initiated protests. A lot has been said about the Draft, but not all of it is technically correct or accurate, so this piece will hopefully shed a bit more light.


PAUL KASEKE



Whose Bill is it anyway?

The first concern raised was that the draft was plagiarised from Lesotho. That is partially correct. In 2006, the International Telecommunication Union (ITU) started a project in collaboration with the European Development Fund of the European Commission, which was aimed at creating harmonised cybersecurity structures and systems in Africa, the Caribbean and the Pacific.

The project then drafted three fatally flawed model laws which were unfortunately endorsed and, in some cases, enacted as law in some countries. The model laws have been the subject of much ridicule in human rights and cyber law circles. The model laws were taken from the Commonwealth Model Law, which, in turn, is based on the Budapest Convention on Cybercrime.

The model law for Sub-Saharan Africa is sometimes called the Sadc Model Law, but is more accurately referred to as the HIPSSA (Harmonisation of ICT Policies in Sub-Saharan Africa) model law. The model law that Zimbabwe and Lesotho relied on was released in 2011 and adopted by the Sadc Council of Ministers responsible for ICT in 2012.

As is the case in Zimbabwe and Lesotho, the model has been used verbatim in Kenya, Swaziland and Tanzania, while Uganda, Mauritius and South Africa have appropriately changed the model framework to suit their domestic legislative set-up and needs.

I must, from the outset, state that 90% of the flaws in the Zimbabwean draft are not directly because of the Zimbabwean authorities, but are due to the original framework they blindly copied and pasted. The Zimbabwean government still remains responsible, however, for the introduction of that poorly-drafted document, but to be fair, the real culprit is the HIPSSA model law.

While both Lesotho and Zimbabwe produced draft Cybercrime Bills in 2013, Lesotho’s version contains some absurd and repressive additions, which magically appear in the Zimbabwean draft. Not wanting to be outdone, the Zimbabwean draft goes further to add some controversial, if not bizarre, features.

It is probably immaterial to discuss who stole from whom; the fact is that the two documents are ridiculously similar in wording and in undermining fundamental freedoms.

Flaws in the Zimbabwean Cyber Crimes Draft Bill

Part of the problem with the HIPSSA Model that Zimbabwe willingly copied was the lack of sufficient expertise in preparing it. The model laws were based on workshop outcomes and not a consultative process. The same problem haunts the draft. By and large, the draft, like the model law it was based on, is dressed in both technological and legal ignorance that renders it meaningless in the 21st century.


The draft contains the clumsy wording of a “Computer Crime and Cyber Crime”. In Cyber Law, we recognise cybercrime as an overarching term that encompasses computer crime. Computer crime is, in fact, a term that is disappearing from cyber law texts and jurisprudence. It was appropriate back in the 80s before the invention of new age technology.

This is but one example of the lack of technological and legal grasp of this field of law that is a permanent feature of the HIPSSA Model and, by implication, the draft.

1. Another clumsy feature is the very purpose of the draft which is to create “a Bill for an Act to criminalise offences against computers and network-related crime”. Of course, that sentence makes no sense, but the drafters saw it fit to keep that in.

If one can’t even articulate the purpose of the Bill, what point is there in reading everything else that follows? As trivial as this may sound, this, in some jurisdictions, is reason to have a Bill revised since courts interpret legislation through the lens of the purpose which gives guidance as to how it should be interpreted.

2. If one wants to see what the Zimbabwean authorities added to the draft, a simple look at the very visible change of fonts will suffice. The draft was produced in such a rush that the basic tools of cut and paste were applied without taking time to ensure uniformity.

Any change of font size in the text will reveal what the Zimbabwean authorities added. The definitions used in the draft are either inadequate or outdated, thus creating both a lacuna and an absurdity, which will become apparent when or if the draft is enacted.

3. This “modern-day” draft says nothing about decryption, encryption, encrypted information, decryption keys or decryption holders. The draft doesn’t even define what data is and yet creates an offence of corrupting using “false data”. That’s not all it does.

The draft then creates an offence of data espionage, which is not just weird, but unfortunately inoperative, secular in meaning and quite frankly, nugatory, given the fact it is a duplicate, if not triplicate, offence. This is because the elements of this ancient offence of data espionage are already offences within the draft, which means that one would essentially get charged for doing the same thing twice, if not thrice, in terms of the same draft.

4. The absurdity of the draft doesn’t end there. There is constant reference to offences created “in excess of a lawful excuse or justification”. With respect, that simply cannot be read logically without making a mockery of the law. Those phrases are not only foreign to Zimbabwean law, but law in general and in this regard, I want to challenge the relevant ministry to detail what those concepts mean and to demonstrate how one can ever exceed a justification.

5. The most obvious flaw in the draft and model law is that there is blatant intrusion on the privacy of citizens by authorising interception of data communication without sufficient oversight and checks and balances to prevent abuse which is, of course, contrary to the Constitution.

In terms of the draft, police would be able to approach any court and, on the basis of an affidavit and if satisfied, the magistrate will allow interception to take place. Interception would mean that the State can lawfully have access to your private communication — at all levels. The magistrate can similarly grant an order for devices to be searched and seized. This intrusive power is weirdly unchecked. Here’s the first problem with that: The Zimbabwe Republic Police (ZRP) will have no problem in producing false affidavits to a magistrate. Simply asking that one be produced is to create a situation open to abuse.

The lack of integrity within the police force is a cause for concern. For example, the ZRP has, on more than one occasion, alleged that a helmet and baton stick were stolen and on that basis, secured warrants without any substance to those warrants.

They have never proved their claims, but they continue to use the charge on various perceived enemies of the State. The fact that some magistrates keep supporting the police in securing such warrants is a reason why more checks are needed. History has shown us that such processes are easily abused. Privacy is one of the dearest and most personal of rights in our constitutional order, so it only makes sense that intrusions are sufficiently justified.

6. The inclusion of an offence relating to spam is welcome but in its present form is open to abuse as potentially anything can be seen as spam. Spam is not a subject that can easily be dealt with in a few lines as the draft does. Some countries have specific legislation dealing with spam and a good example of this is Singapore. Without the necessary amendments, the spam offence is overbroad and will criminalise innocent actions that are not seen as spam in most countries.

7. The draft unfortunately narrowly defines what child pornography is and confines it to instances of explicit sexual conduct. The draft criminalizes possession of pornographic material in general apart from the usual distribution or procurement. It will thus be an offence to record a sex tape or have one in one’s computer library. It would also be an offence to publish it or provide links of the same. H-Metro will be the biggest loser in this regard but perhaps that’s not such a bad thing. To its credit however, the Draft seems capable of dealing with revenge porn since it criminalises the possession and distribution of pornography.

8. In striving to be unique, the draft, like the Model Law, comes up with worryingly bizarre terms that are not found anywhere else in the world, which makes it almost impractical to seek international cooperation and extradition assistance. Such terms include access providers, caching providers, hosting providers, hyperlinks providers and search engine providers. To further show that the cyber legal understanding informing the draft is both inept and elementary, the draft defines illegal ‘access’ as ‘the entering of a system’. Not only is that formulation surface level, but it is also outdated and rarely used to handle cybersecurity in the 21st century.

9. Most of the offences have no sentences attached, for example, the crime of illegal data interception. This again shows that the Draft was a reactionary draft that was not thoroughly prepared.

Aspects of the draft that you (and the government) should be aware of

1. Possession, filming and distribution of all pornography, whether for personal or commercial use is an offence. To its credit, this provision seems wide enough to cover revenge porn and exposure journalism (the kind of journalism specialising in exposing people’s private lives for sales).

2. Assuming the identity of someone else in the cyber world is an offence. The crime seems to only deal with natural persons (humans) and not alter egos like Baba Jukwa.

3. Denying genocide via the cyber world is an offence. Unfortunately for the government, utterances suggesting Gukurahundi was not genocide fit perfectly into that offence. In fact, even attempts to justify it or minimise it are an offence, which probably means stating that it was ‘simply a moment of madness’ would offset the offence therein.

4. Sending chain messages via a medium like WhatsApp to people who don’t share a professional or commercial relationship with you falls squarely into the offence of sending spam messages. Because of the poor legal drafting, this could also make it possible for someone to be imprisoned for adding people to a chat group.

5. If a service provider alerts an individual that their communication has been intercepted or that they are under investigation, the service provider can be jailed for such disclosure.

6. The offence of harassment via cyberspace is drafted widely and is capable of covering disagreements on social media. Using that provision, it is possible to fall foul of that provision for presenting views that offend the government on social media. This provision is one of the clearest examples of clauses so dangerously open to abuse. This ground is what the government has been alluding to when threatening ‘abusers’ of social media with arrest.

7. The broader power of determining when interception can take place and other matters relating to interception of data communication can be decided by the Minister unilaterally without oversight. The draft thus offloads a huge part of the content to be determined by the Minister.

8. Police officers can collect data communication themselves without requiring the assistance of the Internet Service Provider. No mention is made of how this is to be done, but essentially, the ZRP is empowered to use any technology to do this, which can mean that your local ZRP officer can legally ‘hack’ your communication.

9. The ‘Authority’, an organ that is not defined in the draft, is able to order various providers to remove information if it deems that information to be illegal. This can extend to deleting information on websites or blogs.

10. Intermediaries are held liable where they fail to actively monitor or report specific violations. Intermediaries include mobile network operators, internet cafes, social network operators and internet service providers. In essence, Econet, Telecel, ZOL and TelOne for example, could be compelled to monitor information and disclose this otherwise private information.

11. Extradition applies to the Draft. To be fair to the government, this provision comes from the Model Law and it is not the brainchild of the parent ministry (though I suspect they would still have come up with something similar). The challenge the government will face is that half the crimes it creates in the Draft are not crimes in most countries, hence very few countries will be willing to extradite people for crimes that are not internationally recognised.

12. Though there has been much talk about cyber terrorism, the government neglected to include it as a specific offence. Any claims that abusing social media is tantamount to cyber terrorism are therefore meant to scare people but legally, the government has not created that offence. None of the provisions in the Draft can be said to be dealing with cyber terrorism since generally, the offence of cyber terrorism is committing terrorism albeit exclusively or largely through the cyber realm. Threatening war over social media is not cyber terrorism either. Cyber terrorism would be using the cyber space to blow up places and kill civilians etc.

13. Disrupting an essential service via cyber space is an offence. Nobody knows what this really means because the drafters did not define what constitutes disruption but more importantly, what is an essential service for purposes of the Draft.

Easily classified as one of the poorest forms of legal drafting to date, the Draft is largely inconsistent with constitutional imperatives and values and should be overhauled before being brought before Parliament. The only way to aptly end this piece is to quote the late Dr. Zvobgo who said of POSA and AIPPA, “these bills constitute the most serious assault on our constitutional liberties since independence”.

Indeed, this Draft also constitutes one of the most serious assaults on our constitutional liberties and should never see the light of day.