1
AFRICAN CENTRE FOR CYBERLAW AND CYBERCRIME PREVENTION
(ACCP)
WORKSHOP REPORT ON CYBERCRIME LEGISLATION IN WEST AFRICA
DATE:
11th April 2014
ORGANISATION:
ACCP
EVENT:
COE / UNCTAD / ECOWAS / ISS / ACCP –
Workshop on the harmonization of cyber legislation in
ECOWAS Accra (Ghana), 18-21 March 2014
Executive summary ( Mr Patrick Mwaita, National Coordinator, ACCP )
Cybercrime has continued to compromise the growth potentials of the Africa
region. It is a relatively new trend of crime, highly volatile and massive in
dysfunctional impact. The scourge of online criminality has followed the growing
use and application of information /communication technologies which have
recorded an unprecedented level, invariably overwhelming traditional means of
crime control.
The purpose of the workshop was to support countries of the ECOWAS region in
their collective effort aimed at discussing the challenges cybercrime poses to
their development. Governments and institutions are showing greater resolve to
commit resources in the search for empirical and action-oriented remedial
interventions to address the problem of cybercrime. Assurances of support from
the Government of Ghana as a focal point to galvanise all authorities in the
region to fight cybercrime were given by the Minister for Communications in his
statement to the participants at the opening ceremony. As expected, the visible
challenges brought by cybercrime operations overwhelm the individual capacities
of African countries to make any meaningful intervention on their own.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
2
Accordingly, Africa has to seek technical capacity to facilitate a concerted
approach to the difficulties of cybercrime, particularly drawing lessons from better
endowed regions where practices, policies and legislation have brought
significant success in similar situations. In response to this need, the Council of
Europe has agreed to offer funding support and through this improve technical
capacity of relevant crime prevention and criminal justice personnel and
institutions to kickstart and maintain the push against cybercrime. Support in this
respect has manifested in capacity-building programmes aimed at training and
increasing awareness and encouraging dialogue about the problem of
cybercrime (starting with Southern Africa and Eastern Africa in 2013).
Due to its constantly increasing sophistication in the nature, cybercrime
continues to pose a defiant challenge to governments’ efforts for stability,
development and security. This calls for intensified attention including drawing in
several remedial strategies from a variety of stakeholders to provide additional
support in this regard. Furthermore, the extraterrestrial nature of commission of
cybercrime brings with it unique challenges to law enforcement, jurisdictional
concerns and criminal justice management. Following from these observations
this workshop was divided into two tracks which were mutually reinforcing to
address pertinent issues expressed in the needs assessment of African
countries; notably, harmonization of cyber legislation on one hand and
strengthening responses to cybercrime including appropriate criminal justice
responses consistent with the Budapest Convention on the other.
The cyberlaw harmonization track was supported by the United Nations
Conference on Trade and Development (UNCTAD), while the cybercrime track
was supported the Council of Europe in cooperation with the African Centre for
Cyberlaw and Cybercrime Prevention (ACCP), United Nations African Institute
for the Prevention of Crime and the Treatment of Offenders (UNAFRI), the
Institute for Security Studies (ISS). The input by various organisations mirrored
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
3
the multi-pronged and concerted approach required to give an effective response
to the challenges of cyber insecurity. The choice of facilitators and participants to
the workshop reflected the need by the countries of ECOWAS region to sustain
the impact and benefit of technical skill updates derived from this workshop in
their countries by tapping into the available capacities from identified sources.
It was observed that life is getting increasingly electronic, with virtually every
aspect of day-to-day routines conducted with the aid of electronic appliances.
The increasing use of internet and other ICT developments in Africa, for
legitimate purposes, but also for commission of crime (online) were testimony to
this advancement.
Consequently, the need to integrate telecommunication
service providers as major stakeholders in resolving e-crime was emphasised,
principally for the unprecedented level of traffic and content data in their custody.
Accordingly, it was stressed that special initiatives in legislation; expedited
preservation of data were of essence in meeting the necessity to act with the
necessary promptness to ‘capture’ electronic evidence from the service providers
without being lost or interfered with for effective management of e-crime. Other
concerns raised included the need for preserving privacy in the wake of
increasing online intrusions, observing the rights of internet users, including
cybercriminals
in
emerging
litigations
and
protection
of
children
from
pornography and the general population from xenophobic material and other
forms of abuse.
Participants came from middle level functional categories with ability to influence
necessary legislative and policy review/development in their countries pursuant
to the recommendations/proposals from the workshop. Their domain at home
focused on routine operations as well as supportive policy development and
legislative authorities of government departments and national assemblies. The
workshop content on both tracks gave participants opportunity to critically
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
4
examine a variety of relevant regional and international instruments including the
Budapest Convention.
The strengths and opportunities in these were acknowledged as a basis to give
momentum to the national frameworks for cybersecurity. The countries
represented included, Cape Verde, Cote d’Ivoire, The Gambia, Ghana, Guinea
Bissau, Liberia, Nigeria, Sierra Leone. All the participants invited to the workshop
attended, with many others offering to sponsor their participation from alternative
sources, an indication of the desire for technical capacity by the countries in
Africa.
They met and interfaced, exchanging experiences with each other and acquired
knowledge from a set of purposed facilitators from whom best practices and skill
updates were solicited. Using a diversity of techniques, ranging from lectures,
discussions (groups), tutorials and demonstrations, the facilitators aroused free
exchange of views and sharing of experiences, including critical analyses of
situations and circumstances which give rise to cyber insecurity. Focusing on
Africa, it was noted that the region was disproportionately affected by cyber
frauds given its low level of technical capacity.
This was seen to be a sure source of uncontrolled loss of value and resources.
Considering that there is an increasing call for electronic transactions following
the growth of ICT developments (e-commerce, e-signature, e-governance),
which Africa has to embrace, the region’s vulnerability was expected to continue
rising. It is against this background that the workshop scored a fundamental
breakthrough in meeting the needs of Africa for knowledge and capacity building
through training and emphasis on regional and international collaboration as
avenues for skill development to cause necessary intervention.
It was noted that each country was at various stages of enacting effective
legislations and the Budapest Convention offered a unique opportunity to guide
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
5
and inform this process, providing inroads for further technical support in
adoption of relevant provisions and continued exposure to skill updates as well
as offering a bedrock of cross references to steer national roadmaps of planned
activities for cybersecurity. Appropriate care and attention was taken in adopting
relevant provisions from the convention and tailoring them to situations as they
obtain in their respective countries.
The workshop received added thrust from the prospects of strengthened capacity
that came with the launch of the collaboration between the Government of Ghana
and the Commonwealth Cybercrime Initiative expected to promote home-grown
measures to provide a basis for practical cyber security policies. In their resolve
to consolidate the gains attained from this dual training the participants made a
number of vital recommendations as given herewith:
•
Increase the opportunities for training sessions in all the regions and
include more personnel and introduce other modules to target
enforcement of legislation
•
Improve awareness raising and sensitization of stakeholders, especially
the judiciary
•
Disseminate the information derived from the workshop.
•
Consolidate the benefits derivable from international and regional
cooperation,
by
promoting
collaboration
within
institutions
and
governments
•
Improve criminal justice responses to cyber threats by offering specialised
training and strengthening research to identify emerging challenges
1. Welcome address by Prof. Alhas Maicibi, Secretary General (ACCP):
Professor Maicibi welcomed participants to the workshop in Accra, Ghana and
paid tribute to the Government of Ghana and the National team led by Mr Albert
Antwi-Bosiakako for hosting the workshop in Accra at the Kofi Annan
International Peacekeeping Training Centre (KAIPTC). Professor Maicibi then
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
6
acknowledged the collaborative links between the Council of Europe and the
African Centre for Cyberlaw and Cybercrime Prevention (ACCP) which started in
Vienna, February 2013 at the occasion of the Inter-governmental Expert Group
Meeting where the crippling impact of cybercrime to development was discussed.
He gave special thanks to the Council of Europe for funding the Cybercrime track
of the workshop and the United Nations Conference on Trade and Development
(UNCTAD) for funding the cyberlaw harmonization track. He also recognized the
participation and importance of the roles played by the United Nations African
Institute for the Prevention of Crime and the Treatment of Offenders (UNAFRI)
and the Institute for Security Studies (ISS). He conveyed apologies from the
Directors of ACCP, Dr Mohammed Chawki and Mr John Kisembo who could not
attend the workshop due to other pressing obligations.
Setting out the mandate of the ACCP as an organisation that coordinates the
fight against the impact of cybercrime on African countries, he urged participants
to utilize the Centre as a resource for acquiring necessary skills and knowledge
exchange with experts in Africa and other regions of the world. That way, there
is enhanced capacity building in Africa to promote the useful attributes of
technological developments. Professor Maicibi decried the fact that the same
technological advancements that aim to make communication faster, increase
productivity, and enhance innovations store data easily, had been hijacked by
criminal groups for illicit activities. These activities have caused considerable
economic malaise to the global economies, with Africa suffering significantly. He
therefore called upon the participants to be the core of West Africa’s resource
team and crucial task force to disseminate information, strategies and good
practices acquired from the workshop to the rest of Africa to the benefit of
increased cyber security.
Finally, he asked participants to be the ambassadors of their respective countries
in this fight against cyber-crime, while emphasizing that they were trainers in their
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
7
own right for this purpose – since the workshop was a ‘Train the trainers’
function. He assured them of the support of the ACCP and related partner
agencies in the fight against cybecrime. Prof Maicibi, assisted by Dr Maureen
Owor chaired all the sessions of the cybercrime track of the workshop.
2. The Council of Europe Convention on Cybercrime and the Additional
Protocol concerning the criminalisation of acts of a racist and xenophobic
nature committed through computer systems by Barrister Russell Tyner:
Mr Russell Tyner represented Dr Alexander Seger and the Council of Europe at
the opening formalities of the workshop. He urged member states of the
Economic Community of West African States to collaborate and harmonize their
legislation and practices that would facilitate an effective onslaught on
cybercrimes by catering for extra territorial offences.
Cybercrime was prevalent in a number of day to day activities which were now
increasingly evident on-line. These included internet frauds, child pornography,
internet hacking and breaking into people’s computers, which activities neither
acknowledged nor respected physical boundaries. He stressed that it was
through effective legislation in the sub-region that perpetrators of these illicit online activities could be made to face justice, particularly in view of the fact that the
internet was increasingly becoming a tool for vital activities such as electronic
banking, e-commerce,and online communication.
He expressed concern that criminals were now exploiting the internet to the
detriment of the public, adding that if such cybercrimes were allowed to continue
unabated, it would erode the public confidence in online commercial activities
such as trading, e-banking and e-commerce, which would have serious
consequences on the economies of many countries. He cautioned that because
of their sensitivities to electronic controls, some industries such as civil aviation
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
8
were more vulnerable to cyber attacks and urged law enforcers to take
appropriate care in this respect.
Mr Tyner, who is also a Crown Prosecutor in the United Kingdom, Organised
Crime Division offered his services to meet any requests for professional
assistance in prosecuting cybercrimes in ECOWAS region – a direct reference to
the calls for technical support which was conspicuously inadequate in the region.
Mr Tyner said appealed to countries in the sub-region to put in place proactive
measures to detect cybercrimes and also to train their law enforcement officers
and other criminal justice personnel on how to identify cybercrimes, utilizing
specialized skills and expertise as tools to gather forensic evidence and properly
present them to court for adjudication.
He also tasked the law enforcement officers with extraordinary expedience when
fighting cybercrime. He added that they should be prepared with matching
strategies for expeditious gathering of relevant data from communications service
providers such as the mobile companies, google search, yahoo and hotmail in
the nick of time before such information were lost from their system or
manipulated for destruction of evidence.
Due to the visible threats of possible intrusion, he cautioned that the internet was
not a safe tool for storing vital information and passionately cautioned the youth
against putting certain vital information about themselves such as videos and
photographs on the internet, since once placed on the internet such information
could not easily be retrieved or withdrawn.
Aims of the Convention
•
A guideline for legislation leading to the harmonisation of domestic legislation
•
Establish the necessary procedural powers for investigation and prosecution
•
Establish a fast and effective regime of international co operation
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
9
•
That Human rights are protected
•
Flexibility so that it can be implemented nationally
Cybercrime is international. Perpetrators can situate themselves anywhere in
the world. Thus one of the principal aims of the BCC is to reduce the number of
safe havens. To avoid becoming a safe haven a country needs -
1.
Legislation – both substantive and procedural - criminalise cyber activity that
may otherwise not fall within the scope of existing criminal law –including
issues of jurisdiction - provide sufficient power for investigators to obtain
access to evidence – enable requests for MLA and extradition
2. Police capability –a sufficient number of officers who understand the technical
issues and have the ability to undertake enquires which will involve the
examination of computers and obtaining access to communications data
3. Co-operation with Industry – a close working relationship with communication
service providers in your county ideally pursuant to a voluntary code or MOU
to allow you to obtain access to data held by service providers is vital
4.
Training Judges and Prosecutors –must have some basic understanding to
ensure that they understand the evidence , are able to identify potential
sources of evidence , assist in MLA requests , assess evidential admissibility
and manage cases
Cybercrime causes real harm, either to individual victims of fraud, children who
have suffered bullying or who have been abused to feed the market for child
abuse images, or to financial institutions and governments seeking to expand
and develop e commerce.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
10
The investigation and prosecution of cybercrime can be challenging. This is due
to a number of factors:
•
the nature of digital material – it needs to be extracted and interpreted and
presented in court in a manner that ensures its evidential integrity- it is
volatile it is easily changed – it may only be in existence for a short time;
•
The volume of material – investigators need to identify the evidential
material. In the UK the prosecutor is also obliged to identify material that
may assist the defendant or undermine the prosecution case as part of the
fair trial process;
•
The location of material – not only is it stored within digital devices it may
be located in another jurisdiction or in the hands of an innocent third party;
•
Investigators lack expertise;
•
Prosecutors and judges may fail to understand the nature of the material;
•
Domestic legislation may not ‘fit ‘cyber crime- there may be issues relating
to jurisdiction;
•
Industry - co operation may be lacking;
•
Perpetrators may be located overseas- mutual legal assistance may not
be available -extradition may not be available.
Having focused on the negative it is useful to remember that much cybercrime is
committed overtly providing a wealth of evidence to prove that a crime has been
committed, the issue then is one of proving that the defendant was responsible.
Stored material can provide vital evidence as can evidence from service
providers. The online environment also offers opportunities for police officers to
covertly infiltrate online criminal groups.
The Convention
•
defines key terms
•
defines the common minimum standards of relevant offences
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
11
•
provides the necessary procedural measures required in the investigation
of cybercrime
•
operates as an instrument of international co-operation both in terms of
mutual legal assistance and extradition
The Additional Protocol to the Convention and the additional protocol to
the Convention on Cybercrime, concerning the criminalisation of acts of a
racist and xenophobic nature committed through computer systems
Article 3 – Dissemination of racist and xenophobic material through computer
systems distributing, or otherwise making available, racist and
xenophobic material to the public through a computer system.
Article 4 – Racist and xenophobic motivated threat, through a computer system,
with the commission of a serious criminal offence as defined under
its domestic law, (i) persons for the reason that they belong to a
group, distinguished by race, colour, descent or national or ethnic
origin, as well as religion, if used as a pretext for any of these
factors, or (ii) a group of persons which is distinguished by any of
these characteristics.]
Article 5 –
Racist and xenophobic motivated insult insulting publicly, through
a computer system, (i) persons for the reason that they belong to
a group distinguished by race, colour, descent or national or ethnic
origin, as well as religion, if used as a pretext for any of these
factors; or (ii) a group of persons which is distinguished by any of
these characteristics.
Article 6 –
Denial, gross minimisation, approval or justification of genocide or
crimes against humanity distributing or otherwise making available,
through a computer system to the public, material which denies,
grossly minimises, approves or justifies acts constituting genocide
or crimes against humanity, as defined by international law
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
12
3. Substantive Law in the Budapest Convention ( Mr Sizwe Snail Ka Mtuze)
The presentation began with discussing and making the participant understand
the substantial law provisions on offences against the confidentiality, integrity and
availability of computer data and systems (e.g. illegal access , illegal interfering ,
data interference, misuse of devices etc.), computer-related offences (computer
related fraud and computer related forgery), content-related offences (such as
pornography and child pornography) and ancillary liability and sanctions. The
section was concluded with recap on the model provisions in the form of a
lessons learned slide shortly capturing the substantive law provisions of the
Budapest Convention.
Cybercrime involves both traditional crime facilitated by the internet and new
crime, crime where the internet the tool or the target or both. Examples include
the use of botnets to acquire financial data and the use of Distributed Denial of
Service attacks in support of an ideology.
The substantive law provisions of the Convention:
Art 2 Illegal Access
… the intentional access without right of any part of a computer system
Art 3 Illegal interception
.. the intentional interception without right by technical means of non public
transmissions of computer data to from or within a computer system
Articles 4 and 5 Data Interference and system interference –
.. damaging deleting –deterioration – alteration – suppression of computer data
..the serious hindering of the functioning of a computer system by the inputting –
transmitting- damaging deleting –deterioration – alteration – suppression of
computer data
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
13
Article 6 Misuse of devices
.. the production – sale- procurement for use- import- distribution or the making
available of a device ( including a computer program ) a computer password –
access code or data by which the whole or part of a computer system is capable
of being accessed – with the intent that it be used for the purpose of committing
one of the offences established under the convention
Article 7 Computer related forgery and Article 8 Computer related fraud
Forgery: ... the input – alteration – deletion – suppression of computer data
resulting in inauthentic data with the intent that it be considered or acted upon for
legal purposes as if it were authentic
Fraud : .. causing loss of property to another by the input – alteration – deletion –
suppression of computer data or by interfering with the functioning of a computer
system
Article 9 Child Pornography: .. the production – for distribution of CP - offering or
making available – distributing or transmitting - through computer systems
Possession in a computer system or on a computer data storage system
Article 10 Copyright infringement: Copyright infringement is one of the most
widespread of offences on the internet – include software – films – books – music
Additional inputs were made by Dr Seger on some guidance notes and additional
protocols that discuss and explain certain newer offenses which could previously
not be categorised with certainty in the Budapest convention.
The presentation then went on further to discuss briefly the South African
Common Law on Cyber crime before the coming into law of the Electronic
Communication Transaction Act, Act 25 of 2002. This was followed by a
comprehensive examination of the South African Law cybercrime substantive law
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
14
provisions in the context of the ECT and how South Africa has substantially
complied with the substantial law provisions of the Budapest Convention save for
some exception (which were also discussed in detail) as dictated by domestic
law already in force at the time of bringing into the Law of the ECT.
As per the initial brief from the COE a study was made on the Ghanaian
Electronic Transactions Act, 2008, Act 772 with regards to its substantial
compliance with the Budapest convention and additional provisions introduced in
its domestic laws with regards to the substantive law in the fight against Cyber
Crime.
4. African Approaches to Cyber Crime ( Mr Sizwe Snail Ka Mtuze)
African Approaches to Cyber Crime were discussed by giving a brief overview on
the regional initiatives on the African Continent such as the EAC 1 and EAC 2
( East African Community) , ECOWAS , SADC Model Law and reference was
also made to the COMESA Model Law and their compliance with the Budapest
Convention were also examined.
The pitfalls and some of the interesting new provisions in the Draft African Union
Cyber Crime Convention and its compliance with the Budapest Convention were
also examined and critically discussed. It was however agreed that the
Convention drew much from the Budapest Convention and that its main focus is
more on the harmonization of African Cyber Crime laws and cross boarder cooperation.
Another comparative study was made with the Tanzanian Cyber Crime Bill
(2013) with reference to its adherence to the proposed provisions relating to
substantive law and procedural law as contained in the Budapest Convention.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
15
The contentious aspect of Jurisdiction and Extradition as contained in the
Tanzanian Cyber Crime Bill were also examined which seemed to show a slight
deviation from the Budapest Convention when it came to Service provider
liability. The provision dealing with a forensic tool was discussed and its origin
from the German law acknowledged.
5. Procedural Law in the Budapest Convention (Dr Maureen Owor and Mr
Sizwe Snail Ka Mtuze )
The aim of the session was to discuss the procedural law in the Budapest
Convention and develop a check list on investigative powers, procedural tools,
electronic evidence and the conditions and safeguards using the Budapest
Convention as a guide. The justification for using the Convention for guidance
was the fact that the legislation and draft law on cybercrime in the West African
region incorporated aspects of the Budapest Convention. Examples include
Nigeria’s Executive bill on Cybercrime (referred to as the Nigeria Cybercrime Bill
2013 that has gone through the first reading and is pending scrutiny by
committees of the Nigerian National Assembly like that on the Judiciary, Human
Rights and Legal Matters. The laws of Benin, for instance, also have provisions
on expedited preservation of data and search and seizure that incorporate some
provisions of the Budapest Convention. The session was facilitated by Dr.
Maureen Owor and Mr. Sizwe Snail Mtuze.
Dr Owor began by establishing a link between Session 3 on substantive criminal
law and Session 4 on procedural law under the Budapest Convention. Next was
an overview of the scope of powers and procedures under Article 14 that is to
say criminal offences established under Articles 2 to 11; other criminal offences
committed by means of a computer system and the collection of electronic
evidence.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
16
Electronic evidence
Participants explored the nature of electronic evidence and its possible sources
like computer systems, computer data, traffic data, Internet data, subscriber data
and other electronic devices. The next area for discussion was the threats to
electronic evidence at the investigation and trial stage. These threats included
the discovery of electronic evidence, possible defences like the Trojan horse, and
the evidential rules relating to establishing the relevance, admissibility, reliability,
and evidential weight of electronic evidence in court; as well as any exclusionary
rules like the hearsay rule of evidence. A final point of discussion was the
restrictive approach sometimes adopted by judges towards the admissibility of
electronic evidence.
The Procedural Provisions of the Budapest Convention on Cybercrime
The next part of the discussion led by Mr Snail Mtuze noted that one of the
principal attractions of cybercrime is the apparent anonymity when a user
connects to the internet. To use the internet to communicate involves reliance on
the infrastructure of a service provider. Service providers, subject to data
protection law, require formal legal process to obtain such data and thus need to
establish a necessary threshold of suspicion. Data retention periods vary, so it is
important that the provider has the ability to preserve data pending a legal order.
Mr Mtuze then examined the procedural provisions in the Budapest Convention
as summarised below.
Art 16 Expedited preservation of stored computer data
A freezing order allowing data to be preserved without the need for formal legal
process pending court order or other mechanism requiring its production.
Art 17 Expedited preservation and partial disclosure of traffic data
This is a useful provision. It recognises that a number of service providers may
be involved in the transmission of communications and provides that where more
than one provider is involved sufficient traffic data is disclosed in advance of the
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
17
receipt of any formal court order etc. to allow for the identification of those other
providers thus allowing preservation and or court orders to be served.
Art 18 Production Order
Provides for a computer data including subscriber information to be produced.
Envisages court order or other legal process.
Art 19 Search and seizure of stored computer data
Aims to establish an instrument that enables investigators to search computer
systems as efficiently as they are able to perform traditional search procedures.
It allows them to copy data rather than seize the hardware on which the data is
located. Some suspects may store data at an off site location i.e. on an internet
server - This article also seeks to extend the powers of search to data that is not
stored physically at the location at which the search takes place. It is noteworthy
that the Budapest Convention limits this power to data off site but within the
same jurisdiction – however this may be too limited – cloud storage systems for
instance may be located anywhere in the world and indeed the provider
themselves may not know where the computer holding the physical data is
actually situated.
Article 20 Real time collection of traffic data
Power for authorities to collect or record and compel a provider to collect and
record traffic data in real time which is useful depending on the data retention
policy of the CSP.
Article 21 Interception of content data
Generally there is a high threshold that has to be met in order to obtain such
data give the intrusive nature of this provision
Article 22 Jurisdiction
Parties to establish jurisdiction over the substantive offences set out in the
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
18
convention and in particular to establish jurisdiction over those offences in cases
where an alleged offender is present it its territory and it does not extradite him to
another party solely on the basis of nationally.
Art 23 General principles of international co operation
This Article states the general principal that countries will provide each other with
assistance to the widest extent possible
Article 25 General principles relating to mutual assistance
Permits urgent requests to be made by fax or e-mail.
Article 26 Spontaneous Information
Allows countries to provide information to another state without a prior request it
may be that the other country is unaware that this information exists and, by the
time they are likely to do the data may have been lost
Article 27 Absence of international agreements
A very important and valuable Article - In the absence of an Mutual Legal
Assistance (MLA) treaty or other instrument the Convention may form the basis
of a request for MLA.
Article 24 Extradition
This is a very important and valuable article – it provides that the treaty may
operate as the basis for a request for extradition in respect of the offences set out
in the convention in the absence of a treaty between the parties.
Article 29 – 34
Provides for the availability by way of a MLA of:
 The expedited preservation of stored data

Expedited disclosure of preserved traffic data

Accessing stored data i.e the search and seizure of data the request may
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
19
include a request to expedite the seizure

Trans border access to stored data – this is in interesting provision –
firstly allows cross border access to open source data without the need for
authorization of the party within whose jurisdiction the data is held ,
secondly where data is in one jurisdiction but accessible from another it
may be accessed without authority if the person with lawful authority to
disclosure the data consents

Real time collection of traffic data

Interception of content
Article 35 provides for the creation of a 24/7 network to provide for urgent
assistance in investigations – extremely valuable in cybercrime investigations.
Generally the 24/7 contact will be based with the Police Cybercrime or Hi Tech
crime unit. They will know how to preserve and obtain evidence within their own
jurisdictions and how to do so quickly – they can also help in locating suspects
The participants explored the use of a ‘stand-alone’ legislation or amendment to
existing laws on criminal procedure and evidence, as an alternative method of
regulating the collection of electronic evidence and the preservation and
production of evidence. These options were preferable to the use of an omnibus
piece of legislation that covered all aspects of cyber law including the substantive
and procedural provisions on cyber crime such as that contained in the Budapest
Convention.
Conditions and safeguards
Drawing on the Preamble to the Convention, Dr. Owor discussed the
justifications for having conditions and safeguards in Article 15, namely to
balance the sometimes intrusive powers of law enforcement agencies with
respect for human rights including the right to the protection of personal data.
This balance was achieved by setting out principles and requirements for states
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
20
to meet their positive obligation to protect rights and civil liberties within rule of
law and human rights framework. The need for explicit provisions on judicial or
independent oversight, the safeguard of proportionality and the opportunities for
judicial review or review by an independent body of the use of procedural tools
and powers was underscored.
Additionally, the grounds that justified the
application, limitation and the duration of investigatory powers or procedural tools
had to be specified. The ways in which the powers and procedures may impact
upon the rights, responsibilities and legitimate interests of third parties was also
examined. Although the lack of awareness of cybercrime legislation among
citizens and big companies like MTN was an area of concern, what is most
worrying to participants was the lack of knowledge among the legal profession,
law enforcement agencies and the judiciary.
Three important questions on the adequacy of human rights frameworks and the
interplay between domestic and pluralistic systems were then investigated. Does
the national legislative framework provide equal protection of the law? What is
the effect of criminalising intentional access of computer containing information
on security matters on the right to free speech and the right to information? Is it
possible to ‘Africanise’ cybercrime legislation? These questions were set against
a backdrop of the diverse African cultures in West Africa and the fact that the
most vulnerable victims of cybercrime are poor people in the peri urban or rural
areas whose first ‘responder’ may be a customary court like the Afikpo (Ehugbo)
of Nigeria, a juju priest, or spiritual leader.
The participants considered the question of how a state could reconcile
normative conflicts between cybercrime law and customary investigation and
adjudication procedures. Using the example of the Community Impact Statement
in Form B to the First Schedule to The Constitution (Sentencing Guidelines for
Courts of Judicature) (Practice) Directions, 2013 of Uganda, Dr. Owor
demonstrated how a court could engage with rural communities through the
admittance of a “written or oral account of the general harm suffered by members
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
21
of a community as a result of the offence.” Such subordinate legislation could
help reconcile these diametrically opposed ‘pluralistic’ systems.
Checklist on procedural powers, electronic evidence, conditions and
safeguards
This checklist on procedural powers and tools, electronic evidence, conditions
and safeguards was developed by participants working in groups. The groups did
not restrict themselves to the Budapest Convention as a benchmark. Instead
they drew from a range of regional initiatives like the ECOWAS Directive CIDIR.
1/08/11 of 2011, and the Draft African Union Convention on the Establishment of
a Credible Legal Framework for Cyber Security in Africa or the Draft African
Union Convention on the Confidence and Security in Cyberspace (version 2012);
as well as constitutional and statutory arrangements at the domestic level to
develop their checklists.
1. Scope of procedural powers: Participants noted the wide scope of
procedural powers within the Ghana Electronic Transactions Act 2008
under Section 142 which grants extra territorial jurisdiction. However,
they pointed to the challenge of applying these powers extra
territorially. Similar comments were made regarding Nigeria cybercrime
Bill (Clause 33).
2. Procedural tools: The groups appreciated the wide powers granted
under the procedural tools such as the power to order the production,
disclosure and preservation of data under Sections 100-104 of the
Ghana Electronic Transactions Act 2008. Investigation agencies like
the Economic and Organised Crime Unit and Financial Intelligence
Unit in Ghana have in addition been given powers of the High Court to
obtain information from corporate bodies and institutions without
having to file cases in court. Nonetheless, law enforcement agencies
were still faced with the challenge of expediting preservation of data
without a court order as S.100 ETA states that a service provider is not
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
22
obliged to preserve evidence in the absence of a court order. The
participants also observed that the provisions in the ECOWAS
Directive 2011 on non-disruption of business have not yet been tested.
3. Electronic evidence: the laws of countries like Ghana allowed the
admissibility of electronic evidence and set clear parameters on the
criteria for assessing the weight of electronic evidence (Section 7 of
Ghana’s ETA). However, due to the lack of a computer forensics
laboratory it was difficult for investigators to collect electronic evidence.
Furthermore, as the Ghanaian participants pointed out, collection of
evidence was sometimes hampered by the telecom service providers
like MTN who refused to comply with court orders to provide transcripts
of text messages. Even where the evidence was adduced, the courts
sometimes gave little weight to electronic evidence, due in part to a
lack of knowledge on the part of judges about the intangible nature of
electronic evidence. Elsewhere, Nigeria in 2011 reformed its Evidence
Act Cap 112 but similar challenges with this approach exist. For
instance, the discretion to admit the evidence remains with the judge.
4. Conditions and Safeguards: the groups considered in detail the
following conditions and safeguards:
-
Judicial oversight: participants were of the view that the judicial
oversight through court orders in the different countries was adequate
and that the laws set stringent conditions that law enforcement
agencies had to satisfy in order that their requests to use procedural
powers and tools were granted. Conditions for the grant of requests
were found for examples in the Ghana Electronic Transactions Act, the
Ghana Evidence Decree of 1975 (NRCD 323) and the Security and
Intelligence Agencies Act (Act 526) of 1996 of Ghana. Using Ghana
as a case in point, the members explained that police officers have to
give brief information such as the type of data required and the period
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
23
to be covered, in order to enable the court exercise its discretion in
granting requests.
-
Rights of parties: participants observed that adequate protection of
rights and freedoms existed in the constitutional arrangements of West
African states. The Constitution of Ghana 1992 for instance, has a
comprehensive bill of rights, and further under Article 33, the courts
were obliged to protect these rights. However, one group was
concerned that the law may be used more to protect the state’s
interests and less to protect the right to privacy in Article 18(2). This
was more so because privacy is subject to qualifications which include
public safety. Such law included Section 133 (2)(d) Ghana ETA that
prohibits the unauthorised access or excess of authorized access to a
computer containing information on national security of Ghana.
-
Participants also noted the lack of provisions in the ECOWAS Directive
2011 on the rights, responsibilities and interests of third parties.
-
Equal treatment: participants observed that the constitutions of the
different states guaranteed equal protection to all people. For instance,
the Nigerian Cybercrime Bill 2013 was drafted in gender neutral
language and covered every type of gender. Likewise the ECOWAS
Directive 2011 guaranteed equal protection regardless of gender
-
Reconciling pluralist systems: participants noted that reconciling the
state procedures with indigenous systems was possible perhaps at the
sentencing stage, but only in relation to the sanction. For instance,
Clause 32 of the Nigeria Cybercrime Bill enabled a court to make an
ancillary order of compensation or restitution to the victim. Likewise,
Section 138 Ghana ETA empowered a court to grant an order for
compensation.
Franco-phone West Africa (Niger):
The group’s point of emphasis was that in contrast to the common law
(adversarial) system where a judge had no investigatory powers, under the Code
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
24
Civil system in Franco-phone Africa, the investigative judge had broad powers to
order production of documents, search and seizure or the closure of an
investigation.
In 2006, Niger set up a project on the legal framework for ICT. The project
spearheaded the drafting of laws to regulate the use of ICT and bring Niger
within the Information Society. The laws included: a draft law on electronic
transactions; a draft law on the protection of personal data; a draft law on
cybercrime and a draft decree on the creation of a police center to deal with
cases of cybercrime. These drafts are being studied by the General Secretariat
of the Government which will in turn submit them to the National Assembly. For
now the Bill of Rights and the existing criminal law was used to punish
cybercrime. The mode of redress was to compensate the victim.
Recommendations:
1.
Implement public awareness about cybercrime through translation of laws
into local languages.
2.
Create specialised cybercrime units to operationalize procedural powers
and facilitate discovery and storage of electronic evidence.
3.
Develop training programmes for lawyers, law enforcement bodies and the
judiciary on the procedural powers and conditions and safeguards.
4.
Develop mechanisms for mutual legal assistance to facilitate extra
territorial investigations.
6. Training strategies and tools for law enforcement agencies, prosecutors
and judges (Dr Maureen Owor)
This session explored the features of training strategies and training tools before
moving on to develop a check list of points to consider as part of a training
strategy and training tools for the participating states. The rationale for
developing localised training content was the shared common legal tradition
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
25
among states in the region (common law and code civil) including a common
official language (English and French) and a common regional framework on
cybercrime like ECOWAS Directive 2011. The elements of a training strategy
included a critical assessment of the institution’s operating environment to
appreciate the influential internal and external factors (forward planning) and to
facilitate a common understanding of ways of dealing with the problem (training
needs). The strategy had to be adaptable and flexible to suit the intuition’s needs.
There was also need to use an appropriate learning technique like Kolb’s
experiential learning technique where participants have the opportunity to acquire
and apply knowledge and skills using diverse methods such as reflexive studies,
role plays, site visits and simulation exercises, within a setting that is relevant to
them.
The next part of the session examined how to put a training strategy into
operation using training tools. The example used was training modules that set
out clear training objectives and learning outcomes, adopt a relevant mode of
learning, give feedback to participants and allow them to evaluate the learning
activities. Training materials considered included laws, case law, regulations,
policies, ethical and professional regulations, and research studies on the
enforcement of cybercrime legislation and the socio- cultural (political, economic,
etc.) factors that influence its implementation. Participants were divided by Dr.
Owor into groups based on their professions, from which they drafted checklists
for developing training strategies and training tools (modules for training). The
results of each group are set out here.
Checklists for developing training strategies and training tools (modules
for training)
1. The Judicial Service of Ghana:
The group comprised judges of the High Court of Ghana and the Judicial Service
of Ghana. In the assessment of the judiciary’s operating environment, the group
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
26
identified several internal and external factors that affect their work. Internal
factors were the state of the infrastructure (building and ICT facilities); the quality
of support staff (human resource) and unplanned training sessions, the pitiable
quality of court room equipment especially the court recorders and transcribing
machines for fast track courts and air conditioning due in part to a poor
maintenance culture. The inadequate funding in the form of imprest was also
considered. Two external factors were the small size of the budgetary allocation:
sometimes the judiciary received only 30% of funds requested which made it
difficult to implement a training policy. The political will of the executive (of lack of
it) was a second external factor.
As part of their training strategy to help plan ahead, the group considered the
recruitment of trainers from experts in the relevant field of cybercrime to train
judicial officials and support staff. An in-service training divided into a basic
course for early career staff and an advanced course for established staff was
deemed most appropriate with computer literacy or knowledge of ICT as a
course prerequisite. The duration of the training would not exceed 3 days and
would take place during term time given the heavy workload of judicial officials.
For support staff, the training would take place during the legal vacation at the
proposed venue of the Judicial training institute. On the question of funding for
training, the group decided that funds should be sourced both internally and
externally.
Turning to the training tools, the participants decided on New Trends in
Cybercrime as the course title for their training module. The training objectives
were to equip trainees with tools/knowledge to determine emerging cybercrime
matters. Within this module there were two topics: Understanding cybercrime and
Electronic evidence. The intended learning outcomes were to enable participants
appreciate the collection, storage and use of electronic evidence; and the
admissibility of electronic evidence. The preferred mode of learning was through
sharing of experience and case studies using reference material like legislation,
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
27
textbooks and lecture notes. The group proposed the use of questionnaires for
feedback on the course.
2. The Police:
The police officers, who were drawn largely from the criminal investigation
department, cited two main internal factors that affected their operating
environment, namely the lack of skills development or capacity building and
inadequate infrastructure. External factors were the emerging and every
changing trend in cybercrime around the globe. Based on these factors, the
group decided that every investigator should receive training conducted by
experts with requisite skills. This in-service training would have no course prerequisites and would last no more than one week, preferably in June or the
middle of the year. The group proposed that the Police Training School was a
good venue for training but equally the courses could be held elsewhere; say in
another country. It was envisaged that training funds would be sourced both
internally and externally.
In developing their training tools, the group decided on Cybercrime Investigation
and Digital Forensic Training as a suitable course title. The training objectives
were to keep abreast with current trends in cybercrime, investigation techniques
and adducing admissible evidence. In this context, the proposed topics were:
money laundering, identity theft, hacking, fraud, forgery, email tracking and laws
on cybercrime. The intended learning outcomes were to increase knowledge on
investigating cybercrime and related offences, and tracking criminals; knowledge
on the production of admissible evidence in court; and the competency in
conducting training of trainers’ courses. The group preferred a practical mode of
learning that included pictographic materials and the assessment by examination
and simulation exercises. Other learning materials included documents on
cybercrime, lecture notes and slides from the training session.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
28
3. Prosecutors:
The prosecutors came from the Attorney General’s office in the Ministry of
Justice of Ghana and the Computer Crime Prosecution Unit, from the Federal
Ministry of Justice of Nigeria. The group evaluated their operating environment
and considered the internal factors that affected training programmes namely:
time to hold training, availability of trainees at any one point in time, and the
quality of resource persons. The external factor was the availability of knowledge
exchange programmes both internally and abroad.
For the prosecutor’s training strategy, the group considered the selection of
trainers (experts) from within and outside the country. Trainees would be
recruited from all levels of prosecutors and would have a basic knowledge of ICT
applications as a pre requisite for the course. It was determined that trainees
would have some formal training (for example, a degree and/or a post graduate
qualification in legal practice) and then attend an advanced course during inservice training. The duration of this advanced course would be 5 days held once
every quarter (periodically) at a venue away from the work environment. The
funding would come from both internal and external sources that ought to include
government and other stake holders like telecommunications service providers.
The group developed their draft training tools (module) with the two course titles:
The Use of Electronic Evidence in Cybercrime Prosecution and Strategies in
Court Room Presentation. The objectives were to familiarise prosecutors with
current trends in the collection, preservation and presentation of electronic
evidence in computer related evidence. Two proposed topics were: the
presentation of electronic evidence in court, and the preservation of electronic
evidence in court. It was hoped that at the end of the training, trainees would
have gained knowledge on the presentation of electronic evidence, the handling
of electronic evidence and detection of authentic electronic evidence. The course
would be taught though seminars and training workshops; while assessment and
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
29
feedback would be through group work and presentations. The starting points
included materials on the Council of Europe website and books.
4. Policy and regulatory bodies:
Group 4 comprised representatives of the legislature, ministry of justice, ministry
of information and communication, national regulatory bodies and leading
telecom companies. The group identified a lack of expertise and a failure to keep
up with new trends of cybercrime as two internal factors that influence their
training environment. Interference from political bodies and the dynamic nature of
the industry were the external influencing factors.
The group as part of their training strategy set the criteria for selection of trainers
who were experts on the subject matter both at the local and international level.
Trainees would be recruited at various levels in the institution depending on the
nature of training required. Training would begin with formal training, followed by
in-service training at both a basic and advanced level. Trainees would also be
able to take part in continuous professional development, where required. For
that matter, course pre requisites would depend on the requirements of the
various training institutions. The duration and timing of the training would depend
on the training needs of each department. The cost, effectiveness, number of
trainees and the type of training would determine the venue for training, but the
group recommended that the venue should be away from the work place for
maximum concentration. The internal budgetary allocation and external
sponsorship were considered as possible sources of training funds.
The course title selected by the group was Policy and Regulatory frameworks for
cybercrime. Training objective was described as combating cybercrime and
creating awareness and three topics were identified: the review of current
legislation on cyber or related matters, developing a legal framework and best
practices on combating cybercrime. The intended learning outcomes were to
increase the capacity to combat cybercrime; develop an understanding of
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
30
cybercrime and related issues and promote the rule of law. A recommended
mode of leaning was a blend of different approaches dependent on the outcomes
of the department’s needs assessment survey. Still, the group thought that
sharing of experiences and group work were appropriate modes of learning;
further that questionnaires and surveys could be used to give feedback.
Suggested reference materials included books, online materials, magazines,
journals and legislation like the ETA.
5. Cote d’Ivoire and Niger:
Group 5 included officials from the Ministries of Justice and some Magistrates
from Cote d’Ivoire and Niger. The group identified internal factors that impacted
on their work setting namely, a lack of political will, a limited use of the internet
and electronic transactions, non-adherence to the Budapest Convention, and an
unwillingness on the part of prosecutors to take up cybercrime cases in contrast
to law enforcement agencies who were very engaged in investigating cybercrime
but lacked the technical knowledge.
External factors included the lack of
knowledge of cybercrime across the region despite the fact that countries like
Cote d’Ivoire had a range of laws that could be used to deal with cybercrime. The
participants pointed out that although the Budapest Convention was used as a
benchmark to scrutinize legislation, no African states participated in its drafting.
In developing a training strategy, the group decided that trainers at the local and
international level should have competence, knowledge and also share
experiences. The trainees should be selected largely from the law enforcement
agencies, and should have practical experience of work in the field of cybercrime.
The training modules would be part of existing training modules and the training
could be conducted in-house. The group was emphatic that funding for training
must be at the domestic level, primarily the responsibility of the state. Regarding
the objective of the training, the view was that training should aim to harmonise
procedures and rules on cybercrime.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
31
Recommendations from group discussions:
1. Institutional review of the internal and external factors that influence the
work environment and specifically training programmes should be done
periodically.
2. Resource constraints that affect training programmes should be
addressed by the Executive or responsible department.
3. Training strategies should be developed as part of the institutional
planning process. The strategies should fit within government policy,
regulatory and legal framework, but should also be flexible to
accommodate best practice, human rights and rule of law concerns.
4. Training tools should be reflect an institution’s training needs and where
necessary, the practice in the different disciplines.
7. African Regional Perspectives to Cybercrime (Mr. Uchenna Jerome Orji)
The presentation began by providing a brief overview of the concepts of
“cybersecurity” and “cybercrime”, while also highlighting the critical components
of cybersecurity governance. Approaches to the development of cybercrime laws
and the essence of regional responses to cybercrime were also discussed. The
presentation then gave a historical overview of the development of cybercrime
initiatives by the Africa Union and analyzed the cybercrime provisions of the Draft
African Union Convention for the Establishment of a Credible Legal Framework
for Cybersecurity in Africa (AU Draft Convention). One of the highlighted defects
of the Draft Convention is the absence of adequate mechanisms for mutual legal
assistance and extradition. Thus, it was shown that the Draft AU Convention
does not create a mechanism for Member States that do not have mutual
assistance treaties between themselves to use the Convention as a legal basis
for rendering international assistance especially with respect to extradition and
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
32
other issues requiring cross-border cooperation in the enforcement of cybercrime
laws.
The presentation then went further to provide an overview of the development of
cybercrime initiatives by other regional bodies in Africa namely: the Common
Market for Eastern and Southern Africa (COMESA), the Economic Community of
West African States (ECOWAS), the East African Community (EAC), and the
Southern African Development Community (SADC). The COMESA Model
Cybercrime Law (2011) was analyzed and it was shown that it met all the
standards of the Convention on Cybercrime with elaborate provisions for
international cooperation. It was also shown that the COMESA Law goes further
to include provisions on consumer protection and the liability of service providers
which were not contained in the Convention on Cybercrime. However, many
COMESA Member States including Djibouti, Eritrea, Libya, Sudan, Comoros,
Madagascar, Burundi, Malawi, Rwanda, Swaziland, Democratic Republic of
Congo, and South Sudan were yet to enact cybercrime laws, although there are
some ongoing efforts to develop laws in some of the countries.
The presentation also analyzed the SADC Model Law. It pointed out that the
SADC Model Law falls short of some of the standards under the Convention on
Cybercrime as it failed to establish provisions for international cooperation,
mutual assistance and extradition. It also showed that many SADC States such
as Angola, Democratic Republic of Congo, Lesotho, Malawi, Mozambique,
Swaziland and Tanzania have not enacted cybercrime laws, although there are
some ongoing efforts to develop cybercrime laws.
The 2008 Draft Legal Framework for Cyberlaws in the East African Community
and the ECOWAS Directive on Fighting Cybercrime (2011) were briefly
discussed. (A detailed analysis of the ECOWAS Directive on Fighting Cybercrime
was later done during the session titled “ECOWAS Approach to Cybercrime”
(March 20, 2014). The presentation ended with several proposals to strengthen
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
33
cybercrime responses in the African region. Some of the proposals include the
following:
(1) The AU should consider the establishment of a model law within the
framework of the Draft Convention on Cybersecurity to provide an
effective guide for regional harmonization and also facilitate the timely
establishment cybercrime laws in Member States.
(2) The Draft AU Convention should include provisions for Member States
that do not have mutual assistance treaties between themselves to use
the Convention as a legal basis for rendering such assistance as seen
under the Convention on Cybercrime.
(3) The AU should establish a regional extradition treaty to enhance the
extradition of cybercrime perpetrators within Africa.
(4) The establishment of cybercrime laws by states in the African region
should give cognizance to mechanisms for judicial review or the
independent review of law enforcement activities and the protection of
fundamental rights.
(5) There is need to develop a system for cooperation between national law
enforcement agencies of African states through the establishment of
national 24/7 points of contacts and national CERTs that will coordinate
with a regional 24/7 point of contact and CERT or network security agency
under the auspices of the AU.
(6) African states should prioritize cybersecurity on their national security
agenda through measures such as increased government funding of
cybersecurity initiatives.
(7) To effectively enhance international cooperation and harmonization,
cybercrime laws in African states should address the minimum standards
recognized under international legislation models on cybersecurity such as
the Convention on Cybercrime.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
34
(8) There is need for capacity building in legislative institutions as this may
also help in addressing issues of unnecessary legislative delays that has
hindered the timely passage of cybercrime laws in many African countries.
(9) Building capacities in regulatory institutions and “bridging the digital divide
in cybercrime law enforcement capacity” by providing technical support to
African states that are making viable efforts to promote cybersecurity.
(10) Building capacities in the judiciary including the training of Judges and
prosecutors on the handling of electronic evidence and other related
issues in the judicial enforcement of cybercrime law.
(11) Building capacities for end-user education by encouraging institutions
such as universities, NGO’s, and other stake holders to create user
awareness on cybersecurity.
(12) Encouraging African research and development initiatives in the areas
of cybersecurity and cybercrime control.
(13) There is need for African states to provide adequate on information on
cybercrime control initiatives even when they are still being developed.
There was an inquiry as to whether the Convention on Cybercrime or the Draft
AU Convention or the ECOWAS Directive should be used as the basis for the
drafting of cybercrime laws in African states?
In response it was noted that
African states are sovereign states who are entitled to draft their cybercrime laws
on the basis on any framework they deem might confer them with more benefits
for international cooperation. It was also noted that the AU Draft Convention
already requires Member States of the AU (when developing their cybercrime
laws) to take into account the language used in international cybercrime
legislations such as the Convention on Cybercrime and the Commonwealth
Model Law where necessary.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
35
8. ECOWAS Approach to Cybercrime (Mr. Uchenna Jerome Orji)
The presentation commenced by rendering an overview of the development of
cybercrime control initiatives by the Economic Community of West African States
(ECOWAS) and then went on to analyze the provisions of the
ECOWAS
Directive C/DIR.1/08/11 on Fighting Cybercrime. It was shown that the Directive
conformed to most of the standards of the Convention on Cybercrime by
adapting substantive provisions criminalizing acts such as illegal (fraudulent)
access to computer systems, illegal remaining in a computer system, illegal input
of data into a computer system, illegal interception of computer data, illegal
modification of data, computer data forgery, misuse of devices, child
pornography, and the use of a computer system to commit Xenophobic offences.
However, it was shown that article 6 of the Directive which criminalizes the act of
interfering with the operation of a computer system does not explicitly limit the
criminalization of interference with a computer system to instances where such
acts were intentionally carried out “without right” as seen under article 5 of the
Convention on Cybercrime. Hence, it was submitted that the implementation of
the article 6 of the Directive in its present form may be problematic for IT
professionals testing products and for persons who may have interfered with the
functioning of a computer system with lawful intentions. It was also shown that
article 27 of the Directive which provides for corporate criminal liabilities exempts
State, local authorities and Public establishments from liability. Hence, it was
submitted that such exclusion of liability may permit the arbitral exercise of state
powers such as the searching and interception of electronic data resulting in the
violation of the human rights to privacy. As such, it was advised that it may be
necessary for States to be careful while implementing the Directive by limiting the
liabilities of State institutions to situations where acts that could have given rise to
liability for cybercrime offences were judicially authorized or carried out on the
basis of criminal law provisions or in the interests of national security. The
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
36
presentation also showed that the Directive fails to create safeguards to ensure
that procedural instruments for do not violate fundamental human rights.
The presentation briefly discussed the ECOWAS Convention on Mutual
Assistance in Criminal Matters (A/P1/7/92) and the ECOWAS Convention on
Extradition (A/P1/94) which could be used by Member States to render mutual
assistance on cybercrime issues. It was shown that despite the existence of
article 35 (1) of the ECOWAS Directive on Cybercrime which mandated Member
States to adopt the measures in order to comply with the Directive not later than
1st January 2014, that many of the Member ECOWAS States such as Burkina
Faso, Cape Verde, Guinea, Guinea-Bissau, Liberia, Mali, Nigeria, and Togo have
not enacted cybercrime laws, although, there are some ongoing initiatives to
develop such laws in some of the states. The presentation also submitted that “in
the absence of an effective mechanism to ensure that Member States timely
comply with their obligations to under the Directive, the assurance of timely
regional harmonization and even cross border cooperation within the ECOWAS
may be uncertain to a great extent”.
The presentation also gave a brief overview of the development of cybercrime
laws in Liberia, Sierra Leone and Senegal and then provided a comprehensive
analysis of the cybercrime laws (including draft laws) of ECOWAS Member
States namely: Gambia, Nigeria and Ghana. In the case of Gambia it was shown
that its cybercrime law fell short of some of the standards in the Council of
Europe Convention on Cybercrime as it failed to provide for copyright offences,
xenophobic offences, criminal liabilities of corporate offenders, procedural
mechanisms for the investigation and prosecution of cybercrime offences, and
mechanisms for the rendition of mutual assistance and international cooperation.
In the case of Nigeria, it was shown that the Nigerian Cybercrime Bill 2013 met
most of the standards of the Convention on Cybercrime and also added some
other provisions that were not established under the Convention. However, the
Bill appeared not to provide adequate procedural safeguards for the protection of
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
37
fundamental human rights. It also failed to explicitly provide for judicial review
and independent supervision mechanisms to regulate the powers of law
enforcement agencies in the investigation and prosecution of cybercrime. The
Bill also failed to establish provisions for copyright offences and the liabilities of
service providers for cybercrimes committed through the use of their networks or
facilities.
Special focus on Ghana’s Cybercrime Law
The presentation focused more on Ghana’s Cybercrime Law contained in the
Electronic Transactions Act (2008). It showed that Ghana’s cybercrime law met
most of the standards under the substantive criminal and procedural law
provisions of the Convention on Cybercrime and that the law further added
several provisions that were not explicitly established under the Convention such
as cyber theft, cyber appropriation, charlatanic advertisements, spamming and
the intentional dissemination of viruses to disrupt the function of a computer.
However, the Act fails to establish criminal liabilities for corporate offenders. It
also fails to establish explicit provisions to govern international cooperation, the
rendition of mutual assistance, and the extradition of offenders. The presentation
suggested that the absence of mechanisms for international cooperation, mutual
assistance, and the extradition of offenders under Ghana’s Cybercrime law can
be remedied to some extent if Ghana accedes to the Convention on Cybercrime.
Through this process, Ghana would be able to leverage the Convention as a
legal instrument for rendering or receiving cooperation from countries that are
parties to the Convention.
The presentation then went on to highlight the absence of information on the
development of cybercrime laws in Burkina Faso, Cape Verde, Guinea, GuineaBissau, Mali, and Togo. At this point, Dr. Seger, pointed out that Côte d’Ivoire,
and Benin have adopted substantive Cybercrime laws.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
38
Challenges to cybercrime control initiatives in the ECOWAS were also discussed.
These include: the absence of mechanisms to compel ECOWAS Member States
to implement the Directive on Cybercrime; the absence of regional mechanisms
for the coordination of cybercrime initiatives; very slow legislative responses at
the national levels; poor regulatory awareness; lack of information on national
cybercrime initiatives; lack of expertise; weak law enforcement capacity; poor
judicial awareness; poor funding of cybersecurity initiatives; under reporting by
both corporate bodies and individuals; lack of end-user awareness; and poor
socio-economic conditions.
The presentation ended with several proposals to strengthen cybercrime
responses in the ECOWAS region. Some of the proposals include the following:
(1) The ECOWAS Commission may have to consider the option of incentives
and sanctions for Member States that implement or fail to implement the
Directive on Cybercrime in their national laws.
(2) There is need to establish rules for cross – border cooperation and
technical
assistance
on
cybercrime
issues
under
the
ECOWAS
Convention on Mutual Assistance in Criminal Matters (A/P1/7/92).
(3) The Commission should establish a regional Office to effectively
coordinate regional cybercrime responses and also assist Member States
in the development of their national cybercrime regimes in order to
enhance the effective harmonization cybercrime laws.
(4) The Commission should establish a data base of national and
intergovernmental cybercrime initiatives in the ECOWAS region.
(5) The Commission may consider the option of encouraging Member States
to accede to the Convention on Cybercrime in order to leverage the
Convention as a legal instrument for rendering or obtaining cross border
cooperation from other State parties to the Convention.
(6) The Commission should promote research and development activities in
the area cybercrime control.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
39
(7) Member States of the ECOWAS should also develop rules on the handling
of digital evidence.
(8) There is need for capacity building in legislative institutions to enhance the
timely passage of cyber laws.
(9) There is need for capacity building in regulatory and law enforcement
institutions and the judiciary.
(10) The Council of Europe may consider the development a policy of cyber
diplomacy for the ECOWAS region and also consider the option of
incentives such as technical assistance and capacity building measures to
States that accede to the Convention on Cybercrime.
(11) The Council of Europe may also consider working with the ECOWAS
Commission to develop programmes to strengthen cybersecurity in the
region.
Issues were raised as to whether there were any regional follow-up mechanisms
for monitoring the implementation of the ECOWAS Directive on Cybercrime. In
response, it was noted that there appeared to be none in the circumstance. It
was also pointed out that the ECOWAS also lacked mechanisms to sanction its
Member States that had failed to implement the ECOWAS Directive on
Cybercrime after its deadline of 1st January, 2014. Other comments were also
entertained from participants.
9. Future plans for ACCP
1. Encourage the ECOWAS Commission to develop follow-up mechanisms
for monitoring the implementation of the ECOWAS Directive on
Cybercrime.
2. Organise a two day follow up event in 6 (six) month time to assess how
the participating states have implemented what was learnt in Accra,
Ghana.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp
40
3. Develop proposals for additional workshops to be hosted in the Arab
Maghreb region and Central African region.
Acknowledgments: ACCP thanks the Council of Europe (Cybercrime OE, the
Government of Ghana and the United Nations Conference on Trade and
Development (UNCTAD) for its generous support in hosting the workshop.
Report compiled by: Prof Maicibi Alhas, Dr John Kissembo , Dr Mohamed
Chawki, Jemima Njeri, Barrister Russel Tyner, Mr Patrick Mwaita , Mr Albert
Antwi-Bosiakako, Dr Maureen Owor, Attorney Sizwe Lindelo Snail ka Mtuze and
Barrister Uchenna Jerome Orji.
African Center for Cyberlaw and Cybercrime Prevention (ACCP)
P.O Box 10590, Kampala, Uganda.
Tel. +2566 414 221 119
Fax +256 312 263 797
Web site http://cybercrime-fr.org/index.pl/accp