Lone Voices Leading the Way: How Civil Society in Africa is Successfully Countering Government Narratives on Cyber Security
As the international cyber security debate searches for new direction, little attention is paid to what is going on in Africa. Stepping over the remains of the UN Group of Governmental Experts, and passing by the boardrooms of Microsoft struggling to deliver their Digital Geneva Convention, African nations are following their own individual paths.
Unfortunately, these paths increasingly prioritise intrusive state surveillance and criminalisation of legitimate expression online as cyber security, rather than securing systems against attacks.
A flurry of activity is happening in Africa, simultaneously boosted by Chinese investment in infrastructure and marred by a lack of regional policy cohesion and political instability. The African Convention on Cyber Security and Personal Data Protection has not been widely ratified by African Union member States, despite its adoption in 2014. In 2017 and 2018, Presidents were forced to resign in both South Africa and Zimbabwe. Kenya went through another tense Presidential election in 2017, which was annulled and rerun amid claims of hacked voter systems. And yet, draft cyber security or cybercrime laws found their way onto the table: they are pending in South Africa and Zimbabwe, and one was passed in Kenya in May.
Amidst this upheaval, the one constant is a civil society that continues to push for strong human rights protections, despite operating under increased threats of arbitrary arrests, unlawful searches and raids or funding restrictions. Civil society is often the front line of defence, and its organisations find themselves having to build expertise quickly on complex topics like cyber security when draft legislation appears out of nowhere and must be challenged.
As part of Privacy International’s work on cyber security, we support civil society organisations in our international network of partners to challenge government narratives around cyber security, including in Africa. The resilience, campaign creativity and effective advocacy of civil society have been successful in challenging some of the worst cyber security initiatives in Africa.
Civil society in South Africa successfully prevented a draft cybercrime law from being passed in 2015 due to the lack of a public interest defense and perceived criminalisation of journalists and whistleblowers. As it stands in 2018, civil society still has many concerns about the revised bill. Privacy International’s partner ODAC is heavily involved in this process and charted the progress of the Bill in a policy brief and their lessons learned - essential reading for any civil society group around the world challenging similar legislation. As ODAC reports, even the Chair of the Justice Committee dealing with the Bill has questioned the drafters as to why concerns remain unresolved. There is an indication that splitting the bill, and dropping the cyber security section altogether, is now on the table.
In May 2018, the government of Kenya passed the Computer Misuse and Cybercrimes Act. The law contains no reference anywhere to human rights provided either by Kenya’s Constitution or international obligations. It also introduces an overwhelming list of crimes, including those not considered crimes under international human rights law, such as the publication of false information. In addition, the Act grants new investigative powers, such as real-time collection of traffic data and interception of content, to police officers. This is a huge leap in Kenya’s surveillance regime, essentially hidden in a cybercrime law, significantly raising the risks of unlawful surveillance and abuse of power.
A petition by the Bloggers Association of Kenya, supported by the Kenyan Union of Journalists and Article 19, claimed that the government was trying to reintroduce criminal defamation into law through the Act, after those offences were declared unconstitutional by the Kenyan High Court in February 2017. As a result, the High Court ultimately suspended 26 provisions in the Act, relating to offences that threaten freedom of expression, freedom of the media and the right to privacy, as well as the new investigative powers.
Civil society groups are the ones who call out when cyber security is not cyber security. In Zimbabwe for example, the draft Cyber Crime and Cyber Security Bill (2017) conflates cyber security with restrictive control of the online space. Controlling social media is not cyber security. As the Media Institute of Southern Africa (MISA) outlined in a briefing supported by Privacy International, “the government is giving the impression of wanting to shield itself from criticism rather than protect the people from actual harm.”
The bill is expected to be signed into law before Zimbabwe’s historic elections in July 2018. There is a window of opportunity to address the deficiencies of the draft bill and to ensure that the law is in line with international standards and provides strong protections for people’s privacy and security. Currently, the draft bill does not reflect this, and given the examples in South Africa and in Kenya, failure to include human rights protection may lead to challenges in the courts.
Society left vulnerable
A very important part of a cyber security framework is data protection legislation. Absence of data protection is a problem, particularly as countries want to grow their online economy, or introduce complex, data intensive initiatives like biometric voter registers (BVR), which Zimbabwe and Kenya already have. Our partner CIPIT, at Strathmore University in Kenya, recently documented the lack of protections and privacy implications of the BVR process in Kenya. Zimbabwe also reportedly plans to introduce a national facial recognition database using technology supplied by Chinese company CloudWalk Technology Co., with no parliamentary debate and no protections. Privacy International has documented a long list of examples where the use of facial recognition technology has been abused globally. With no basic protections to underpin the collection, storage and sharing of data, particularly sensitive data such as biometrics, there will be consequences, as many people are left vulnerable to their data being stolen or being used for purposes they did not consent to. A lack of privacy protection legislation is also a threat to civil society, leaving them exposed to office raids and seizures as part of crackdowns on NGOs in particular, such as in Uganda.
Civil society voices must be included in cyber security initiatives, from conception all the way through to implementation. Yet these examples show this is often not the case, and that the valuable contributions of these groups are being excluded from the process. By including civil society, and therefore building in human rights protections from the outset, governments could avoid the kind of challenges that ultimately send initiatives back to the drawing board.
And so, while the international community looks the other way in search of cyber norms, it is left to the courageous groups in Africa to fight their corner and highlight that proposed cyber security laws are likely to ultimately weaken rather than strengthen security.