Revamped AU Convention on cyber security timely, but...

A HACKER going by the handle @Anon_0x03 and claiming allegiance to the movement of Internet hacktivists, Anonymous, breached the Kenya Defence Forces (KDF) Twitter account last week.


The hacker could have been anybody out to make a point on any website in any country on the continent.

As the use of the internet and mobile phones expands throughout Africa, the continent is alive to this criminal possibility and is already instituting a collective policy to deal with multiplying cyber threats from sources ranging from transnational crime groups to terrorist groups.

The collective policy, encapsulated in the AU Convention on Cyber Security and Personal Data Protection, was due to be adopted last month during the 23rd Ordinary Session of the Summit of the African Union in Malabo, Equatorial Guinea.

I say it was due to be adopted because, though one can find it somewhere on the internet, as far as I am aware, the Convention is yet to be officially unveiled. You cannot even find it on the official AU website.

However, one can talk about the Convention’s preceding, if controversial, draft policy to guide e-commerce and data privacy rules: the Draft African Union Convention on the Confidence and Security in Cyberspace.

The draft convention proposed “establishing a credible framework for cyber security in Africa through organisation of electronic transactions, protection of personal data, promotion of cyber security, e-governance and combating cyber crime.”

However, a vote on the draft was shelved following opposition from business, tech and civil society actors, who argued that, among other things, the convention did not adequately protect freedom of speech and privacy.

Take hacking, for instance. A letter of dissent to the AU showed how a requirement intended to protect consumers of information, communication and technology (ICT) products could actually be injurious to the end user or increase the risk they face.

The suggested requirement was for ICT vendors to submit their products for “vulnerability and guarantee tests”.

But, having complied with the standardised testing suggested in the draft convention, an ICT product vendor could make a plausible argument that such compliance absolved their products from liability for any security breaches.

In effect, this would mean that if the product consumer’s account was hacked, he would have no legal remedy for any injurious breach or loss of information.

The letter further showed how standardising security measures across all ICT products could benefit criminals, as the vulnerabilities could apply to an ever increasing number of device models and systems.

Nevertheless, some of the contentious issues have been addressed in the revised version of the policy, as now set out in the AU Convention on Cyber Security and Personal Data Protection.

The revised Convention seeks to establish a legal framework by building on the existing commitments of African Union Member States at sub-regional, regional and international levels and now emphasizes protection of personal privacy, especially in the context of e-commerce.

However, the Convention is still not watertight. Although it enjoins state parties to enact laws that take into account their constitutions and international conventions, it seems to emphasise the African Charter on Human and Peoples’ Rights.

As has often been noted, the African Charter does not have an explicit right to privacy in relation to access to information and processing of personal data. This means that, broadly speaking, with the partisan and inherent weaknesses in most African security sector mechanisms, it may not adequately restrain political influence on data management, thus breaching the right to personal privacy.

The Convention could, therefore, do with some fine-tuning.

Along with the fine-tuning is the need to increase the number of IT professionals and people well-versed in cyber security in the region and across the continent.

Therefore, encouraging IT education will be a boon to the principles we collectively aim to use in pursuing cyber security, including setting up an institutional framework for ensuring a safer Internet and laying a rights-based foundation for penal practices.

The writer is a commentator on local and regional issues.

Twitter: @gituram

 
