The computer crime law: another inroad on human rights?
The Internet in Ethiopia is only 20 years young, and in the last two decades, like many other countries around the world, Ethiopia has embraced ICT as a key enabler for the social and economic development of the country. With the introduction of Fourth Generation (4G) Long-Term Evolution (LTE) wireless technology, various efforts are also underway to significantly increase Internet connectivity speeds and access. But this will mean not only faster and better internet access but also faster and better means to launch cyber-attacks, and it opens more opportunities for criminals operating in the virtual world. It is under this impression that the Ethiopian Government recently tabled the cybercrime bill, which is expected to be enacted by the legislature, writes Solomon Goshu.
A few weeks after the controversial draft law establishing the Office of the Federal Attorney General got the approval of members of the parliament (MPs), the government has submitted yet another controversial draft law to provide for computer crime.
The draft law seems to touch many aspects of computer crime or cybercrime, unlike the existing legislation, which incorporates only fragmented elements of it. Ethiopia first introduced cybercrimes in the 2004 Criminal Code, which penalizes only the cybercrimes of ‘hacking’, ‘dissemination of malware’ and ‘denial of service (DoS) attacks’. In addition, the Telecom Fraud Offense law also regulates a broad range of matters in connection with telecoms. Moreover, a number of other Ethiopian laws also cover activities and behaviors in the context of the internet.
However, the effort to come up with a comprehensive law governing computer crimes was initiated in earnest three years ago. In 2013, the Information Network Security Agency (INSA) released new comprehensive cybercrime legislation that not only extended the range of outlawed cybercrimes but also introduced crucial evidentiary and procedural rules for the investigation and prosecution of cybercrimes.
Unlike the 2013 draft, the latest draft proclamation was redrafted by the Ministry of Justice (MoJ). It was adopted by the Council of Ministers in March 2016 and is now tabled before the Parliament. For Kinfe Micheal Yilma, a computer law expert at Addis Ababa University, School of Law, the latest version, by and large, is similar in content—in terms of both substantive and procedural provisions—to the initial version, save some newly injected provisions and minor structural as well as linguistic changes.
One wonders what immediate factor has triggered the government to table the law at this particular time. The preamble of the draft law provides a partial response. While the draft law submits that information and communication technology plays a vital role in the economic, social and political development of the country, it asserts that unless appropriate protection and security measures are taken, the utilization of information communication technology is vulnerable to various computer crimes and other security threats that can impede the overall development of the country and endanger individual rights. It also highlights that the existing laws are not adequately attuned to the technological changes and are not sufficient to prevent, control, investigate and prosecute the suspects of computer crimes. It further argues that it has become necessary to incorporate new legal mechanisms and procedures in order to prevent, control, investigate and prosecute computer crimes and facilitate the collection of electronic evidence. One can clearly see that the same justification was provided in the preamble of the previous draft. So what is the new development?
According to Kinfe, in connection with the Oromo protest, the websites of major government institutions including the Ministry of Defense, Ethio Telecom and Addis Ababa University were hacked. Moreover, while presenting the performance report of his ministry, Debretsion Gebremichael (PhD), Minister of Communication and Information Technology, told MPs that there was an attempt to illegally access the data server of the country situated at the Office of the Prime Minister. On the day, Debretsion also informed the parliament that in response to such challenges the government will soon enact legislation. Surely, he was talking about the draft computer crime law. However, one cannot avoid asking whether such threats are incidental or well-coordinated ones that pose a national security threat if not met with serious legal measures.
“Enacting a law to respond to the heat of the moment is problematic. Of course, the country has had cyber-security and ICT policies since 2009. Yet, the legislative measures are reflections of the current situation in the country. It would have been better if the draft was enacted in advance consideration,” Kinfe comments.
Is cyber-attack an imminent threat?
In Ethiopia, the internet was introduced in 1997 with limited access. Ethiopia is currently amongst countries with the lowest level of Internet penetration and use. As a result, some argue that internet related crimes are not imminent threats to Ethiopia.
However, Kinfe contends that several cybercrimes have been perpetrated against the Ethiopian cyberspace since the enactment of the computer crimes rules. “Every year hundreds of cybercrimes are committed in this country without the government even being aware of them,” he says. But he admits that there are only a few reported court cases.
Contrary to this, others are of the view that the Ethiopian government is wary of the negative impact of the internet on its power. The government allegedly fears that the use of the new technology or the internet unsettles the existing power structure. As a result, the neglect of providing reliable and affordable internet connections in the major towns, including the capital, is attributed to such fear. For instance, Nicole Stremlau (PhD), a Comparative Media Law and Policy expert, in her research entitled: ‘The Press and the Political Restructuring of Ethiopia’ stated that in the aftermath of the 2005 elections, the Ethiopian Peoples’ Revolutionary Democratic Front (EPRDF) has sought to use new technologies in the state-owned media as a means to strengthen centralized control, making ambitious efforts to block critical websites and blogs, monitoring email, text messaging and other electronic communications. Stremlau contends that the EPRDF has embarked on ambitious efforts to shape the internet in ways that are beneficial for the state, if less so for the free flow of information.
In fact, the Ethiopian government is criticized by international rights groups for creating a political context privileging peace and development over allowing a plurality of voices to compete in the marketplace of ideas. In the process, it is also accused of downplaying critical voices, such as those of civil society organizations, lamenting that grave misconducts and violations of human rights had been marginalized in the name of a peaceful development that could benefit the country.
Similarly, Iginio Gagliardone’s paper ‘China and the African Internet: Perspectives from Kenya and Ethiopia’ asserts that the Chinese influence is very much visible in the way Ethiopia is trying to govern the internet. For some, the ‘Chinese media model’ aims at facilitating a controlled expansion of the internet while leaving the established power structure unchallenged. Gagliardone shows that China has provided substantial financial and technical inputs to the expansion of the ICT infrastructure in Ethiopia. Since 2006 the Chinese government and Chinese companies have also begun to play an increasingly important role in Ethiopia’s telecommunications sector, as symbolized by the multi-billion dollar loan from China’s EX-IM Bank to the Ethiopian government’s Ethio-Telecom, the country’s sole telecom operator, to increase access to the internet and mobile phones, a project later undertaken by Chinese telecom giants ZTE and Huawei.
For Gagliardone, Ethiopia is the only country on the continent where internet provision is still a state monopoly, whose government actively blocks opposition websites, but has also heavily invested in Information and Communication Technologies (ICTs) to improve service delivery, even in the most remote areas.
According to Gagliardone, at an ideational level, China’s ability to balance control of information and dramatic growth of Internet users started to be looked at as a model and source of legitimation for the restrictive practices the Ethiopian government had started employing in the aftermath of the 2005 elections. The conception of the information society that has progressively emerged in China appeared more in line with the EPRDF’s ambition to make Ethiopia a developmental state that could pursue sustained growth and stability. He indicates that China obliged by offering the largest loan in the history of telecommunication in Africa: USD 1.5 billion to overhaul Ethiopia’s telecommunication system, expanding mobile service and Internet connectivity while keeping Ethio-Telecom as the only player in the market.
“In part, this has to be seen in light of the government’s ideology. The Developmental State ideology invites the government to take part in the great majority of sectors. Services like telecom and electricity which are totally run by the government are highly susceptible to cyber-attacks,” Kinfe points out. While Kinfe highlights the fact that protecting national, military, foreign policy and international relations is a good thing, he believes that such a measure should not violate individuals’ freedoms and rights.
However, Kinfe points out that considering the small number of internet users and the limited chances of cyber-attacks, the introduced measures are disproportionate. “The penalty and punishment regime in the draft law does not take the country’s specific situation into account. On the one hand, cybercrime by its nature requires preparation, intent and knowledge. On the other hand, the literacy rate and internet access in Ethiopia are extremely low. In this context, the penalty does not give meaning. It includes overly excessive punishments including ill-defined ‘aggravated cases’ of cyber criminality,” Kinfe elaborates.
Encroaching on the constitutional freedoms and rights
According to Kinfe, the latest draft law on cybercrime, like its predecessor but perhaps with some level of gravity, incorporates rules that significantly encroach on constitutionally safeguarded rights, mainly the right to data privacy as well as some core principles of procedural justice. “The track records of the government show that there is a little bit of apathy for the human rights protection of its citizens. Particularly, the concern for privacy protection and freedom of expression is extremely low,” Kinfe maintains. However, he is of the opinion that the government is not prioritizing national interest and security over human rights just to suppress the interests of citizens. “I don’t think it is the government’s belief. Rather it is the problem of ignorance,” he says.
It may be argued that the most worrisome part of the draft law is concerning warrantless ‘digital forensic investigation’ that it authorizes INSA to conduct. Where there are reasonable grounds to believe that computer crimes are likely to be committed, INSA investigators can conduct—without any judicial oversight—virtual forensic investigation into computers suspected to be sources of attack or to be subjected to attacks.
“When compared with other developing countries, what makes our law unique is that it shows our attitude to court warrant. The law restricts the role of the court. The court has no involvement whatsoever in the most crucial investigation processes. The INSA people can conduct the forensic investigation virtually without presenting at your office and physically touching your computer but without court authorization. This is unprecedented elsewhere,” Kinfe emphasizes.
It is interesting to note that even if this provision was not stipulated in the initial version of the draft, it is already provided in the law that re-established INSA in 2013. It should also be noted in this connection that physical examination requires a court warrant. Moreover, in relation to this, INSA investigators are also allowed to carry out, again, warrantless ‘sudden searches’ against suspected computers for preventive purposes.
The draft law also introduced an onerous data retention obligation on communication service providers to retain data running through their networks for at least one year. “This requirement is a clear legislative overreach that opens the door for violation of data privacy rights. The problem is that the length of the data retention period introduced by the law is quite long, and it might prove to be cumbersome to keep data of innumerable customers for a long duration,” Kinfe states.
Another worrying provision of the law relates to the newly injected ‘duty to report’ proviso on communication service providers. It requires service providers to report to INSA and the Police when they come to know of cybercrimes being committed or circulation of illegal content (such as child pornography) over their computer systems. “The concern with such an obligation is that it has the potential to prompt service providers to preemptively monitor communication on their networks under the pain of serious penalties envisaged by the law for failure to cooperate with law enforcement. Worse, compelled by such technically onerous statutory obligation, service providers would be impelled to employ algorithmic bots to automatically detect illegality which, as we know, could encroach upon not just the right to privacy but also free expression online,” he elaborates.
“It is just like monitoring your compound 24/7 to ensure that crime is not committed there,” Kinfe analogizes.
For Kinfe, the draft cybercrime law also entails rules that negate crucial principles of procedural justice such as ‘due process of law’. The draft law, for instance, allows courts to rule ex parte on a request by investigators for a production order against a person thought to be in possession of computer data needed for investigation. Giving a production order even without the presence of the person concerned, who could have legitimate reasons to protest an otherwise unreasonable request, erodes due process rights, argues Kinfe.
As Kinfe remarked, another important principle of procedural justice apparently abrogated by the draft law relates to burden of proof in cybercrime proceedings. The law states that where the Prosecutor has proved ‘basic facts’, the court may on its own motion shift the burden of proof to the accused. This proviso violates a long-established principle of criminal justice which levies on the government the burden to prove guilt beyond any reasonable shadow of doubt and the constitutional principle which requires the accuser to prove the guilt of the accused.
Article 14 of the draft law states that intentionally disseminating through a computer system any written, video, audio or any other picture that incites fear, violence, chaos or conflict among people shall be punishable with rigorous imprisonment not exceeding three years. The provision seems to be vague and ambiguous. To say the least, how do we measure inciting fear? “It is subjected to different interpretations. This will definitely force internet users to self-censorship,” Kinfe says.
Would the deliberations matter?
The draft law as it is has both positive and negative sides. “Content wise, substantively the draft proclamation is modern and comprehensive. The draft computer crime law adds a range of newly emerging cybercrimes into the existing laws. It also introduces detailed procedural and evidentiary rules that are vital in investigating and prosecuting computer crimes particularly on admissibility of electronic evidence, preservation and production of electronic data and search and seizure of computer data.
The computer crimes listed under the Criminal Code of 2004 are punishable when committed both intentionally and negligently. However, under the draft law most of the crimes are punishable when they are committed intentionally and therefore only a few cybercrimes are punishable when committed negligently.
Negatively, the draft law encroaches on fundamental constitutional freedoms and rights of citizens such as privacy, freedom of expression and due process of law. “This is in contradiction with the argument of the government that holds Ethiopia is a democratic country,” says Kinfe.
However, Kinfe points out that the fact that the country’s cyber legal landscape is not uniform needs revisiting. A number of laws and institutions are at work. Besides the computer crime law proper, cybercrimes are also addressed in other Ethiopian laws including the telecom fraud offence legislation and the anti-terrorism legislation. Similarly, the fact that different institutions are involved in the governance of the internet is also considered by Kinfe to be a hindrance. The Ministry of Communication and Information Technology (MCIT), the Ethiopian Information Network Security Agency (INSA), the Federal Police Commission, the National Intelligence and Security Service (NISS), the Ethiopian Telecommunications Agency (ETA), the Ethiopian Broadcasting Authority (EBA), and the Ethiopian ICT Development Agency (EICTDA) all have a part to play in internet governance.
“It brings enforcement and resource related problems with it. Harmony with other preexisting laws is missing. This creates fragmentation and haphazard approach as who will be in charge is not clearly stated. Efforts and institutions duplication is not good for the justice system. It is a hindrance in our aspiration to create a unified system. It will not be efficient, and invites unhealthy competition among institutions,” Kinfe explains.
Positively, Kinfe holds that the law would assist the digitalization efforts of the country. “There is a national data center. National identity card database is in the making. So cyber-attack will be a real risk soon. Issues of government national security, critical infrastructures, individuals’ privacy and information security would soon be real national concerns. The law is good for such preparations. Even without a change, if the government enforces it, it will be important and beneficial,” he submits.
“In conclusion, the law, as it currently stands, has a lot to be rectified and redrafted. One cannot but hope that respective Standing Committees of the Ethiopian Parliament closely review the bill now tabled before them and make necessary reforms before the law enters the statute book. The benefit of amending the draft law that concerns many relevant stakeholders outweighs its costs. By now, the government should have taken a lesson from the infamous anti-terrorism proclamation,” Kinfe states.
In the case of the Attorney General draft law, the government set aside the comments, suggestions, and questions from the public and professionals that called for amendment and approved it without change despite conducting a public hearing for feedback. Could the cards sway otherwise this time around?