Census 2019: Do you know your rights?

Sigi Mwanzia contributed to this post. This article was originally published at page 20 of the Star Newspaper of December 17, 2018

Kenya plans to roll out a national census at midnight August 24, 2019, at a cost of Sh18.5 billion. The census seeks to collect various data, including marital status, ethnicity, disability, number of children in households, deaths in the family and ownership of household goods, among others.

Crucially, Treasury CS Henry Rotich has declared it would be an offence to fail to provide the information. Doing so will earn you a prison term of not more than one year or a fine not exceeding Sh100,000 or both.

oped3

The census provides an opportunity for more discussion about the right to privacy and data protection. The collection of personal data and its use by private and public legal persons has gained prominence in public debates following the introduction of the 2018 Data Protection Bill and Policy and the recent passage of the European General Data Protection Regulations.

Legal Notice 205 published on November 13 provides that, a person who discloses census information to another person without lawful authority risks imprisonment of up to one year or a fine of Sh100,000, or both. This does not however provide clear information on who to raise the complaint with in case of data breaches.

Kenya can draw lessons from countries such as Germany on how to conduct censuses in a manner that respects citizens’ rights. Germany’s 1982 Act on a Population Census was declared unconstitutional by the country’s Constitutional Court. The census was postponed to 1987 (which was Germany’s last census mandating all citizens to provide information).

This court case helped explain the right to informational self-determination, which has always been restricted to natural persons and cannot be invoked by legal entities. Germany has since resorted to using ‘micro-census practice’, which relies on surveys of only around 10 per cent of the population and supplementing this information with official data on residents from a range of government agencies.

Drawing lessons from home, since May 2018, Article 19 Eastern Africa has conducted nationwide surveys and held three data protection awareness forums in Kisumu, Mombasa and Nairobi counties. We sought to find out whether citizens in these counties were aware of who is using their personal data and for what purpose as stipulated under Article 31 of the 2010 Constitution. We also sought to find out whether they were aware of any legal recourse they can take to protect their personal data. Our surveys have shown us the following:

First, participants from Nairobi county have more awareness of their right to privacy compared to those from Kisumu and Mombasa. This means that more people in Nairobi are likely to be unwilling to provide accurate information on data they may deem to be sensitive such as ethnicity.

Second, 70 per cent of participants (state and non-state actors) pointed out that there was a countrywide lack of implementation of data protection policies. This included government and NGOs at various organisational levels. Lack of training on established policies was also pointed out. Legal Notice 205 fails to provide procedures on how to report data breaches.

Third was the notable gender dimension in the data protection forums and surveys. There were more women than men in the data protection forums and surveys held in Nairobi and Mombasa than there were in Kisumu. Our findings on this gender dimension to data protection are an important aspect that the Kenya National Bureau of Statistics needs to take cognisance of. Some of the questions might be considered invasive to people due to various cultural gender roles.

From the foregoing, it is clear that citizens deeply care about their privacy, especially after the recent barrage of unsolicited messages from political parties, telemarketers, M-Pesa scammers and even cyber fraudsters. While census data is important in national planning, the Kenya National Bureau of Statistics needs to uphold the rights of citizens by adhering to the 2010 Constitution and the Data Protection Bill, 2018 that will soon be tabled in Parliament.

Sigi Mwanzia contributed to this post. This article was originally published at page 20 of the Star Newspaper of December 17, 2018

Banks should protect the data of customers and their next of kin

Hibo Hussein contributed to this post. This article was originally published at page 11 of Business Daily Africa Newspaper of December 11, 2018

This week, banks have approached the High Court to declare unconstitutional some clauses in the Finance Act 2018 that requires them to record details of customers’ next of kin and to keep updated next of kin registers of their customers. The clause makes it an offence for lenders to fail to keep this register.

oped2

The banks are relying on two arguments. Firstly, that introduction of these provisions was not subjected to public participation. Secondly, that the law violates Article 31 (C) of the Constitution that protects individuals from being compelled to reveal private information.We note that despite good intentions of coming up with the law, the drafting of this section is flawed. The Finance Act 2018 in attempting to address very important issues of consumer rights, however is far reaching and breaches the rights of privacy of another citizen.

Kenyans should be able to choose whether to provide and to have a right to correct any inaccurate data about them. This burden should not lie with the lender as it is upto Kenyans to choose to provide their data. As general practice, lenders collect personal data from their clients; from names, date of birth, passport/ID numbers, physical addresses, email addresses, signatures to photographic data.

By law, banks are bound by the common law principles of confidentiality as well as statutory requirements relating to non-disclosure of information on the other hand individuals have rights to know why information is being collected from them, for what use and for how long. Data subjects have a right of access to their personal information and a right to demand correction if such information is inaccurate or complete. Despite, well intended; the introduction of next of kin register is a concern for all Kenyans.

This creates an opportunity to discuss the lending industry and whether they protect the data of their customers. Despite clients giving all their information there is little understanding of their privacy rights. The processing of the next of kin data should only be allowed for legitimate purposes of the data subject.

A potential legitimate interests would be when the lender would need to contact the next of kin incase the bank customer pass away. However, the next of kins have certain data protection rights which the Finance Act 2018 should cater for in its drafting.

Firstly, as it relates to next of kin; the responsibility should be on the bank customer to inform their next of kin whenever they are selected as a next of kin since the lenders will be processing their personal data.

Secondly, the nominated next of kin has a right to provide consent and to withdraw their consent, in instances where they had agreed to be nominated and later change their minds; they can later revoke the permissions granted to the companies.

Thirdly, the nominated next of kin have a right to limit the way the lender uses their data and only allow for storage of the personal data but no other purpose such as marketing products to them. Fourthly, both the customers and their next of kin should be able to complain a competent authority that is impartial and independent and seek remedy whenever their data has been misused. In conclusion, the Finance Act 2018 should be amended to take care of the rights of the customer and their next of kin.

Hibo Hussein contributed to this post. This article was originally published at page 11 of Business Daily Africa Newspaper of December 11, 2018

Seven steps to reform the CA

This article was originally published at page 21 of the Star Newspaper of October 1, 2018

The past month has been eventful for the Communications Authority of Kenya (CA), with the election of John Omo as the secretary general of the African Telecommunications Union. He will represent the CA and the government at the union. Kenya will therefore lead all the regulators in Africa through the regional organisation and coordinate the continent’s engagement with international telecom partners.

Additionally, Kenya, through the communications regulator, recently bagged three top positions within the Universal Postal Union, which is a UN agency dealing with postal operations.

Three weeks ago, the CA launched a new system allowing customers to monitor the quality of service of telecommunication providers and contribute to the annual report prepared by the authority. The previous system did not take into account customer feedback as much and was disputed by some of the telcom providers who had been previously fined.

Additionally, the regulator, together with the Central Bank of Kenya (CBK), have been cracking the whip on banks, mobile money firms and other operators to file reports within 24 hours of any cyber-attack in addition to a quarterly incident reports detailing procedures followed in handling the incidents.

The above actions are laudable but the CA needs to do more to remain a leader among peers in Africa and the world. I propose that the CA work on seven key areas to ensure that it is effective and independent, and that it meets its mandate of enabling access to affordable, reliable, and efficient telecommunications services.

First, the CA needs to reassert its independence. There have been damning allegations of interference from the parent ministry and other actors. The CA should push to amend the law to reduce the number of Principal Secretaries on its board.

Second, although the country successfully migrated from analogue to digital broadcasting, not enough investment has been made into enhancing local content for the platforms. There is dire need for the CA to create incentives for more local content.

Third, in April 2017 the CA granted $8.3 million (Sh838 million) from the Universal Service Fund (USF) to three companies—Liquid Telecom, Xtranet Communications and Commcarrier Satellite Services—to connect 896 schools at a cost of Sh836 million. Going forward, the CA needs to ensure sustainability of these projects and proper use of the USF. This will bring more women and elderly people, especially in the rural areas, into the digital age as these two demographic categories have been historically under-served.

Fourth, between 2014 and 2018 telcos have paid a total fine more than Sh500 million for poor quality service, which equates to 0.15 per cent of the gross turnover of each of the companies. This has been an effort to improve quality of services offered by telcos. Going forward, the CA needs to device new incentives to improve quality of service and increase universal access. The regulator should also find ways to encourage further multi-stakeholder discussion around the 2017 Telecommunication Competition Market Study in Kenya report carried out by London-based Analysys Mason Limited.

Fifth, the CA needs to work with all stakeholders in the industry to fast track the draft data protection bills. Infact, the regulator needs to support effective public participants and all engagement with relevant state organs whenever new regulatory issues are being discussed and relevant policies developed.

Sixth, The regulator must also endeavour to enhance transparency around frequency spectrum management and should allow for more public participation during the awarding of prime frequencies for broadcasting or telecommunications.

Seventh, going forward, the CA needs to stick to its constitutional mandate by avoiding regulatory overreach. An example of this overreach are 2017 Guidelines for the Prevention of Dissemination of Undesirable Bulk Political SMS and Social Media Content which sought to regulate internet users not licensed by the authority. This was despite the High Court decision in Geoffrey Andare v Attorney General & 2 others holding that the Kenya Information and Communication Act (KICA) was not intended to regulate bloggers or individual Internet users.

The Communications Authority is better grounded as an institution than it was before the legislative transformation that saw it shed the “Communications Commission of Kenya” identity. To safeguard investor and consumer confidence, the CA must ensure that it improves on regulatory independence, digital migration, affordable access, consumer protection, public participation and transparency.

This article was originally published at page 21 of the Star Newspaper of October 1, 2018

Data Breaches Imperil Privacy

This article was originally published at page 21 of the Star Newspaper of September 20, 2018

We have recently witnessed data breaches that have led to the publication of private facts about many Kenyans. These private facts have been obtained from telephone conversation records , intrusion into individual digital photo libraries, and breach of public institution’s databases.

We also suffer a barrage of unsolicited messages from telemarketers, scammers and even cyber frauds.

Oped1

August 2018 was a peak month in media reports of Kenyans reporting an increase in phone scams. Kenyans were asked, via texts, to send their personal details and ended up having their SIM cards swapped and their mobile money accounts emptied. The Kenyan Directorate of Criminal Investigations (DCI) ended up arresting a total of 22 suspects, among them Safaricom employees and University students, in connection with the scam.

Now more than ever, there is a need for awareness among Kenyans regarding data rights. Personal data is any information relating to an identified or identifiable natural person. Some of the information includes: personal email addresses, tax records, immigration records, health records, police records, finger prints, bank records, consumer habits, and marriage status.

While Article 34 of the Constitution of Kenya, 2010 guarantees the right to privacy, Kenya lacks a legally binding comprehensive data protection framework. The country also retains laws which permit undue violation of privacy on citizen data.

The need for a comprehensive data protection framework cannot be opposed. Such a framework must of necessity guarantee at least seven key rights for all Kenyans as data subjects. A brief on each of the said rights suffices.

RIGHT TO ACCESS TO PERSONAL INFORMATION

Firstly, Kenyans have a right to know what personal data an organisation holds about them and be provided with a copy.

RIGHT TO BE INFORMED WHETHER PERSONAL DATA IS BEING PROCESSED

Secondly, Kenyans should be informed whenever anyone is processing their personal data, how long they will retain the data and and who it will be shared with.

RIGHT TO RESTRICT PROCESSING

Thirdly, Kenyans have a right to limit the way that an organisation uses their data and only allow for storage of the personal data but no other purpose.

RIGHT WITHDRAW CONSENT FROM PROCESSING

Fourthly, in instances where Kenyans had authorised the processing of their personal data and later change their minds; they can later revoke the permissions granted to the companies.

RIGHT TO OBJECT TO AUTOMATED DECISION MAKING AND PROFILING

Fifthly, Kenyans have a right to reject any attempt to allow only machines to make legally binding decisions over them based on profiling of their race, sex, pregnancy, marital status, health status, ethnic or social origin, colour, age, disability, religion, conscience, belief, culture, dress, language or birth.

RIGHT TO REDRESS AND EFFECTIVE REMEDY

Sixth, Kenyans should be able to complain a competent authority that is impartial and independent and seek remedy whenever their right to privacy has been infringed.

RIGHT TO RECTIFICATION

Seventh, Kenyans should be able to correct any inaccurate data about them by providing additional information to make the rectifications. An example is when the date on the birth certificate is different from the date in the Identification Card.

Personal data protection is an essential pre-requisite to the meaningful exercise of freedom of expression, as people are much more likely to express themselves openly in the knowledge that their communications are private and secure.

As many of us would not go to bed at night and leave the door unlocked, fearing that someone would come into the privacy of our homes and rob and harm us, or even just go through our belongings, we should exercise the same amount of caution with our personal information.

This article was originally published at page 21 of the Star Newspaper of September 20, 2018

Access Now brief: how African countries can shape cybercrime laws that protect rights

Today Access Now releases a policy brief analyzing draft cybercrime laws in four African Union countries to help legislators meet human rights obligations as they craft laws under the African Union Convention on Cyber Security and Personal Data.

We urge all AU countries to ratify the convention, and to implement it in a way that upholds their obligations under the African Charter on Human and People’s Rights, as well as international human rights law. We also encourage states to aim at a culture of involving the multistakeholder community in public-private partnerships. This simple act of opening up the legislative process can enable development of legislation that protects internet users, ensuring a secure internet without sacrificing human rights.

Specifically, our brief looks at draft laws in Kenya, Ethiopia, South Africa, and Zimbabwe.

We examine:

  • Draft Zimbabwe Computer Crime and Cybercrime Law
  • Draft Kenyan Computer and Cyber Crimes Bill 2016
  • Ethiopia Computer Crime Proclamation 2016
  • Draft South African Cybercrimes and Cybersecurity Bill 2015

Background: the African Union Convention on Cyber Security and Personal Data

Leaders in the African Union — a group of 54 African governments launched in 2002 — approved the AU Convention in June of 2014.

The convention covers a broad range of issues, including those important to human rights on the digital age: electronic commerce, data protection, and cybercrime, with a special focus on racism, xenophobia, child pornography, and national cybersecurity.

As of July 2016, eight African nations had signed the convention, including: Benin, Chad, Congo, Guinea Bissau, Mauritania, Sierra Leone, Sao Tome & Principe, and Zambia. Senegal ratified the convention in the July-November period, and remains the first and only AU country to have done so. Once it is deposited for ratification with the AU secretariat, many African nations will enact personal data protection laws for the first time, which would be upheld by new, independent public authorities. This could be a huge boon for users’ control over their private information.

In addition, each state would be required to develop a national cybersecurity strategy, pass cybercrime laws, and ensure that e-commerce is “exercised freely.” This will have a deep impact on digital rights in Africa.

The issues at stake for people in African Union countries

In our analysis of draft cybercrime laws in Kenya, Ethiopia, South Africa, and Zimbabwe, we identified common elements and issues of concern, including:

  • Restrictions on whistleblowers and digital security researchers;
  • Vague provisions regarding criminal defamation, which are open to abuse;
  • Imposition of intermediary liability and criminalization of computer use;
  • Data retention mandates;
  • Issues surrounding illegally obtained evidence and government hacking;
  • Issues surrounding the provision, or lack thereof, of competent judicial authority and due process,user notification, and transparency

What’s next

We need to increase the viability and usability of the internet as a platform for communications in Africa. This will enhance its effectiveness as a driver of commerce, education, health, and development generally. Improving digital security is integral to this effort, helping to expand global access to information and communications technologies

However, improving security entails protecting human rights. When new users connect to the internet, they should connect to a free, open, and secure internet.

You can read the full policy brief here. Access Now will continue to engage with the African Union and countries across the continent to ensure that laws to increase cybersecurity do not undermine human rights.

Telcos warned against shutting down DR Congo networks

Peter Micek contributed to this post.

Update 12/20/2016: Vodafone Group and Orange have confirmed the order from the government of the Democratic Republic of Congo, which specifically targets social networks that use Voice over internet protocol (VoIP), images, and video. Access Now has offered circumvention advice for users in the Congo in this post here (français | English) and we continue to demand that the government lift the blocking order.

The government of the Democratic Republic of Congo asked telcos, including Vodafone, Orange, and Airtel, to block applications and social media and messaging services beginning on Monday.

Monday marks the first day that President Kabila is meant to leave office after completing two terms. Protests are planned in the event the president does not step down.

We call on the government to immediately rescind the order, which stands in violation of international human rights law.

Access Now has written to the three telcos, urging them to jointly resist the shutdown order, which conflicts with their commitments to uphold human rights like freedom of expression and association. Joint pushback, in coordination with other operators, is one key way we’ve seen telcos prevent shutdowns, and it could be effective here. The government seems stung from its complete internet shutdown in January 2015, which negatively impacted the economy, and has called for more targeted blocking in this instance. One telco claims that the government asked that only voice, video, and image data be blocked.

However, according to Reuters, the telcos have “signed an agreement to respect national security injunctions” from the DRC government. Secret deals with governments that harm human rights fail to comport with the open and multistakeholder approach to internet governance. Inclusive policymaking is necessary to protect human rights, as it is where civil society and human rights defenders have a voice. For these reasons, we asked the companies to share this agreement and its terms, and thereby open it to public dialogue.

We also asked telcos to confirm receiving the shutdown order from the regulator, and to share the order or its terms.

If the telcos decide to carry out the order, which we strongly advise against, we demand public transparency regarding 1) the geographic scope and services blocked, 2) the duration of the block, or what would be required to lift it, 3) information about how affected users can access remedy or compensation, and a 4) clear statement opposing the blocking, detailing the steps telcos are taking to end it.

Internet shutdowns harm human rights and economic growth, often with severe consequences to life and livelihoods.

There is a growing international consensus that shutdowns violate international human rights law and are never justified, even in times of conflict. In June, the United Nations Human Rights Council passed a resolution that specifically condemns internet shutdowns.

Additionally, in November, the African Union passed Resolution 362: on the Right to Freedom of Information and Expression on the Internet in Africa – ACHPR/Res. 362(LIX) 2016, which calls on states parties “to respect and take legislative and other measures to guarantee, respect and protect citizen’s right to freedom of information and expression through access to internet services…”

Access Now has launched the #KeepitOn campaign to fight internet shutdowns. It is supported by more than 100 organizations from more than 50 countries around the globe who are pushing back on internet shutdowns at every level, from governments to telcos to tech companies to everyday internet users. The coalition recently launched a petition asking world leaders to commit publicly to ending shutdowns. Access Now delivered 45,927 signatures at the United Nations’ Internet Governance Forum 2016.

Access Now at the 2016 Internet Governance Forum

Peter Micek contributed to this post.

The United Nations is holding the 11th annual Internet Governance Forum (IGF) on December 6-9, 2016 in Guadalajara, Mexico.

Access Now staff will be there to lead or participate in pre-events, workshops, and high-level meetings. We are also delivering the #KeepItOn petition that asks government leaders at IGF to commit to ending internet shutdowns, a pernicious practice that is harming human rights across the globe.

The IGF is an annual gathering that brings together diverse stakeholders in internet governance, including representatives from government, civil society, academia, the private sector, and the technical community. It was first convened in 2006 by the United Nations Secretary General, and today continues to be an important forum for digital rights advocates around the world.

The 2016 IGF comes at a critical moment for internet governance. Since last year’s IGF, oversight of the internet’s domain name system has been transferred from the U.S. to a global, multistakeholder community through the “IANA transition,” which we strongly supported. In addition, representatives at the United Nations reached an agreement from World Summit on the Information Society (WSIS) process, finding that human rights are central for the future of the internet — and extending the IGF’s mandate for another decade.

This year, we’re focusing on issues that span from connectivity to internet shutdowns, to Net Neutrality, to regulating Over the Top (OTT) services, to human rights and the ICT sector. We’ll also lead an open forum session on Access Now, giving an overview of who we are and what we do (here’s our background paper).

If you’re attending IGF 2016 or following along online using the tag #IGF2016 or watching the live stream, here’s a guide to the specific panels and events we’re organizing, co-organizing, or participating in:

Pre-event, Monday, December 5

  • 2:00pm-4:00pm: Digital Rights Litigators, details to follow, Access Now staff, Bilateral 5

All days, Tuesday, December 6-Friday, December 9

  • Every day at IGF 2016, Access Now Digital Security Helpline staff will hold a Digital Security Clinic. We’re here to help any conference participant with questions or concerns about digital security practices, needs, and capacity. We assist civil society globally, and can provide one-on-one consultations in several languages, or set up future trainings to enable your organization to audit and harden its digital security infrastructure. Location: IGF Village

Day 1, Tuesday, December 6

  • 10:15am-12pm: WS168: Implementing Human Rights Standards to the ICT Sector –  Peter Micek, speaker, Workshop Room 7

Day 2 – Wednesday, December 7

Day 4 – Friday, December 9

This article was originally published on Ephraim’s professional page on Access Now.

Testimony about the Cyber Security and Protection Bill before before the Kenyan Senate ICT- Committee

On 05th July 2016, the Kenyan Senate ICT Committee published the Cyber Security and Protection Bill. This was followed by a public hearing on the same draft bill on 19th October, 2016.

Here is a call for public input into the process:

img_20161017_103032

Please see below my prepared statement that I presented on key clauses:

Ephraim Percy Kenyanito LL.B (Hons)

ICT Policy specialist,

experienced in human rights work and technology policy work in Africa

PREPARED STATEMENT

Dear Chair of the Senate ICT Committee and esteemed members. As a Kenyan citizen and  a Legal Researcher/ Policy Analyst working on the connection between African ICT & Media Law, Human Rights, Intellectual Property Rights and International Development; I am pleased to have this opportunity to present my thoughts on the important work of protecting Kenyan citizens online.

I congratulate the Senate for this draft but would like to point out that there is an already existing similar process under the Ministry of Information, Communications and Technology (ICT). This process has been carried out under a multistakeholder format and has resulted in drafting of the Computer and Cyber Crimes Bill 2016. I would thus urge the Senate to look into this process and to find ways to merge the two draft bills.

However, despite my above comments, I would be happy to point out a few clauses in the senate Bill that I would request that they be considered for redrafting:

KEY CONTENTIONS PROVISIONS THAT THE COMMITTEE SHOULD REDRAFT

Section 12- 14:- Protection for digital security researchers

I would urge that the Senate Committee should redraft this section and ensure that it allows for protection for digital security researchers as they find and demonstrate the existence and extent of systems vulnerabilities. This has been considered under Section 4 (2), Section 6 (2) as read with Section 8 (3) (a)  of the Computer and Cyber Crimes Bill 2016

The Senate Bill unfortunately does not recognize the important work carried out by researchers to enhance the protection of internet users unlike the Bill drafted at the Ministry which would allow for digital security research in conditions where, “…intended for the authorised training, testing or protection of a computer system;…” This is a good guidance as to when access to such systems exceeds an individual’s lawful authority.

Section 17, 18, 24, 25, 26 and 29- Criminalisation of Computer use

Esteemed committee members, I would like to point out that the offenses listed out in this clause are already covered in various Kenyan Laws and thus no need to create different penalties for the same offenses had they been carried out offline. These laws include the: Penal Code, Sexual Offenses Act, National Cohesion and Integration Act, Media Act No. 3 of 2007, and Films and Stage Plays Act. It is unnecessary and disproportionate to increase penalties for existing crimes if they have a computer component as it can potentially discourage ICTs adoption by the Kenyan community, a goal which the government has been advocating for under Kenya’s Vision 2030, the Africa Union Agenda 2063 and the United Nations Sustainable Development Goals.

I would further urge that in-case the committee sees a lacuna in how the offenses are addressed in those laws, they ought to amend each law separately and not potentially criminalize the use of Computers.

Specifically, I would cite Section 29 of the draft Bill as an example of the dangers of this trend. The draft law attempts to criminalise the use of names of others without looking into Limitations and Exceptions to domain laws, Copyright and Trademark laws. For example some names have meanings in other languages and would thus not be afforded protection, for example the name “Uhuru” is a name and is also a swahili word. In the manner that the draft law has been provided, it would provide blanket penalties without these considerations.

Section 14, 19 and 24: Need for comprehensive data Protection laws

I congratulate the senate for attempting to protect the data of Kenyan citizens through these provisions but would urge that there exists a Kenyan Data Protection Bill. I therefore urge the Senate that the best way to protect and advance the rights of Kenyans is to work for speedy passage of a comprehensive privacy and data protection law framework, building on these earlier efforts and would urge that as the Senate looks into this Bill, they should ensure that the Bill additionally ensures that the Private Sector is affords more protection of citizen’s data given their important role in service delivery to the Kenyan public.

THANK YOU VERY MUCH.

EPHRAIM PERCY KENYANITO

Legal Researcher/ Policy Analyst.

P.S- The Picture below was taken after the testimony before the Kenyan Senate ICT Committee.

fullsizerender

From Left Senator Juma Boy, Senator and Senior Cunsel Mutula Kilonzo Jnr, Ephraim Percy Kenyanito and Senator Mutahi Kagwe (former Minister for Information and Communication and chair of the Senate Committee).

 

What steps can Africans take and lead in Internet governance and social justice?

Almost three years ago, I published a blogpost on CircleID titled “Internet Governance: Why Africa Should Take the Lead.” I argued that African Internet stakeholders use a ‘wait and see approach’ in matters as critical as Internet governance,” and that African voices are missing in key Internet governance discussion fora. Additionally, I suggested that some reasons for this approach, including that Africa lacks well-trained Internet governance experts and Africans see foreign affairs and international relations as an East versus West dynamic. I further urged for a change in this situation, as the “wait and see approach” is gravely interfering with the basic human rights of Africans.

As a follow-up to the post above, and building on previous work on the African Media Law and Digital Native Roundup  with the University of Pennsylvania, this post is a summary of a major forthcoming publication focused on the 2014-2016 period that highlights  the regional trends concerning Internet governance and information and communications technology (ICT) policymaking processes in Africa.

This post is divided in two parts. The first relays my observations about trends over the past three years in African ICT policy, human rights, and development processes, and highlights key challenges and opportunities. The second provides  recommendations for African citizens on what can be improved.

What are the key processes and trends?

 

screen-shot-2016-11-08-at-22-43-41

Over the past three years, there have been key policy and advocacy processes across the world that have both direct and indirect implications on African Internet governance and ICT policymaking processes, including: African Union Agenda 2063; African Convention on Cyber Security and Personal Data Protection; NETmundial; the African Declaration of Internet Rights and Freedoms; the Feminist Principles of the Internet; International Telecommunication Union (ITU); ICANN events in Africa; the renewal of the UN Human Rights Resolution on the Internet; Global Forum on Cyber Expertise; the BRICS Summit; the Open Government Partnership; Freedom Online Coalition; and the Community of Democracies. The existence of these processes show the importance of access to the Internet to the advancement of socio-economic, political, and gender rights in Africa. In sum, Africa is on a trajectory toward better Internet access but on a downward trajectory in terms of  human and digital rights.

african-digital-rights

Trends on access to the Internet

Across Africa, despite the increase in Internet penetration through various strategies such as those in Botswana and Kenya; – governments (such as Ethiopia, Uganda and Togo) and non-state actors (such as the extremist Somali militia Al-Shabaab) have attempted to roll back these gains to prevent transparency and accountability.

Given this challenge, it has been necessary for Africans stakeholders to take the lead at addressing solutions going forward, such as by drafting a joint letter, and producing the African School on Internet Governance (AfriSIG) October 2016 Statement on an intentional Internet Shutdown relevant to national stakeholders and authorities at the African Union and the United Nations, among others.

Trends on multi-stakeholder policymaking

Recent research on multi-stakeholder policymaking processes have identified gaps in Africa, which can be addressed by citizens being at the forefront in demanding their rights to participate in an organized manner. As I noted, “In 2013, a draft African Union Convention on the Confidence and Security in Cyberspace (AUCC) … was scheduled to pass during an AU meeting in January 2014, but was delayed as a result of protests from the private sector, civil society organizations, and privacy advocates who had very little involvement in the process.”

Trends on intermediary liability, business, and digital rights

A June 2016 publication on the Association for Progressive Communication (APC) stressed that there were attempts at imposing intermediary liability on businesses, which would affect human rights across Africa. As I  previously wrote: “In contrast to U.S. telcos, African operators push back on rights-violating demands. Three telecommunications companies in the West African nation of Guinea Conakry (formerly French Guinea) just said “no” to demands that they hand over all subscriber and call data.”

Trends on cybersecurity, rule of law, and human rights

With the adoption of the 2014 African Union Convention on Cyber Security and Personal Data Protection, a trend of enacting cybercrime legislation has emerged across Africa. This convention is now at the stage where it is undergoing ratification across various national assemblies in African Union member countries, which will take effect after the 15th instrument of ratification has been deposited at the African Union. For example, in Sub-Saharan Africa, 13 countries engaged in attempted domestic reforms on ICT laws by coming up with 20 draft/new regulations/laws between the June 2014 and September 2016 period.

Trends on freedom of expression

While enacting the abovementioned laws, governments have inserted provisions that  can extend criminal libel/defamation to apply online, which is having a chilling effect  on online speech. This negative development has been further enhanced by vague legislation banning “misuse of telecommunication gadgets,” which I wrote: “[Such laws] represent a powerful tool for silencing the voices of people who are dissenting from the government or otherwise critiquing those in power.”

Trends on privacy and data protection

We can note that not more that 20 African governments have enacted privacy and data protection legislation, a reality that has not changed much over the past three years.

Moving forward: What should citizens and civil society do differently to achieve more equal and just societies in Africa?

  • Call on their governments to engage on all recommendations accepted at the United Nations Universal Periodic Review process.
  • Call on their governments and other stakeholders to engage in development of National Action Plans on business and human rights, with the following countries taking the lead: Ghana, South Africa, and Zambia.
  • Call on International Institutions, such as the African Peer Mechanism (APRM), and the African Commission on Human and People’s Rights to work with all stakeholders to develop a comprehensive strategy to resist government pressure to circumvention of the rule of law using the African Declaration on Internet Rights and Freedoms.

What’s happening in Ethiopia and how can we protect human rights?

Protests, internet shutdowns, deaths — and a new law that threatens digital rights when the people of Ethiopia need them most

Ethiopia has issued a six-month state of emergency in the country following months of citizen protests. The state of emergency comes in an environment of increasing repression. Government forces have killed more than 500 people since November 2015 and authorities have already shut down access to social media in the Oromia region four times this year: in January, July, August, September, and October. Now the situation is escalating, with the government cutting mobile internet in the capital Addis Ababa for more than a week (the previous shutdowns affected only the Oromia region).

Human rights advocates are taking action. On October 10th, seven U.N. human rights experts issued a statement calling on the Ethiopian government to allow an international investigation into allegations that it has violated the human rights of its citizens. Additionally, on October 12th, the African Commission on Human and Peoples’ Rights released a statement highlighting the fact that it will investigate the Ethiopian situation with regard to human rights.

More atrocities to come?

Ethiopia began a series of shutdowns in January 2016 after activists shared a video online showing police brutality. The deaths during protests ­­– and the government’s decision to disrupt the internet — ­­ underscore how shutting down the internet often precedes or is accompanied by atrocities. This new state of emergency could not have come at a worse time, because it will set a lower threshold for arresting and detaining citizens, just when more human rights protections are needed.

This is a dark time for human rights in Ethiopia. Shutting down communications networks, even during times of conflict, violates the human right to freedom of expression and access to information. Shutdowns also cause knock-on effects.

Internet shutdowns do not restore order. They hamper journalism, obscure the truth of what is happening on the ground, and stop people from getting the information they need to keep safe.  Further, shutdowns harm the local economy; by June 2016, Ethiopia had already lost $8.5 million due to internet disruptions, according to a recent report by the Brookings Institution.

In the U.N. statement last week, special rapporteurs Maina Kiai and Dr. Agnes Callamard said, “We are outraged at the alarming allegations of mass killings, thousands of injuries, tens of thousands of arrests and hundreds of enforced disappearances…We are also extremely concerned by numerous reports that those arrested had faced torture and ill-treatment in military detention centres.”

This statement highlight dangers exacerbated by the ongoing internet shutdowns, which are happening concurrently with the state of emergency. As we have pointed out, research shows that internet shutdowns and state violence go hand-in-hand. We are deeply concerned that the casualties due to state actions will increase over the next six months.

New computer crime law threatens privacy, free expression

The shutdowns are not the only cause for worry when it comes to fundamental rights. There’s also a new computer crime law that legislators in Ethiopia have approved and have forwarded for presidential signature, the Computer Crime Proclamation of 2016 (draft text). It threatens people’s free speech and privacy just when they need it most.

Our analysis of this new law shows it would hobble digital rights. The proclamation aims “to prevent, control, investigate and prosecute computer crimes and facilitate the collection of electronic evidences.” However, the legislation would infringe human rights and chill cybersecurity research not only in Ethiopia but throughout the African continent.

The law goes against Ethiopia’s commitment to the International Covenant on Civil and Political Rights, among other international instruments, which support the right to privacy (Article 17, ICCPR), the right to freedom of expression (Article 19, ICCPR), and the right to freedom of association (Article 22, ICCPR). Ethiopia is also a party to the African Charter on Human and Peoples’ Rights (Banjul Charter), which establishes the rights to dignity (Article 5) and freedom of information and expression (Article 9), among other rights.

This proclamation hasn’t been signed into law yet, so there’s still time to strip out harmful provisions. This should take place as part of the electoral reforms that were announced last week by Ethiopia’s prime minister, Hailemariam Desalegn, after pressure from German Chancellor Angela Merkel.

How to promote human rights in Ethiopia now

It will take effort from many corners to restore Ethiopia from its human rights crisis, stop rights violations from happening, and protect privacy and free expression in the long term.

Our recommendations are:

For the government of Ethiopia and the federal Attorney General

  • Call on the Ethiopian government to immediately restore full internet access in the country.
  • Urge the government to safeguard human rights in the Computer Crime Proclamation 2016 and to recommend repealing or amending sections of the law that threaten human rights.
  • Advise the government on international best practices to protect democracy and free speech in the country. This includes acting on all recommendations accepted at the United Nations Universal Periodic Review process.

For donors and governments trading with Ethiopia

  • Push Ethiopia to fulfil its human rights obligations and reforms its practices impacting access to the free and open internet.
  • Hold corporations registered in Ethiopia responsible for any of their technology used to infringe on human rights in Ethiopia.

For companies selling products or services in Ethiopia

  • Desist from selling or servicing technology that is used to infringe on human rights in the country. This includes technology used to surveil citizens or technology used to disrupt access to information online. Some of the companies with a record of bad practices in Ethiopia include Hacking Team and Gamma International.

For civil society organizations and individuals who want to make a difference in Ethiopia

  • Request that your government question Ethiopia about human rights at its mid-term review for United Nations Universal Periodic Review, taking place in May 2017.

Right now, our thoughts are with the people of Ethiopia. We call on humanitarian and digital rights organizations globally to draw attention to what is happening and join us in our efforts to #KeepItOn so Ethiopians can exercise their rights and freedoms, and above all, stay safe from harm.

This article was originally published on Ephraim’s professional page on Access Now.

Internet shutdown in Zimbabwe: what happened?

Only five days after the United Nations passed an historic resolution specifically condemning internet shutdowns, reports from Zimbabwe suggest that the government may have ordered WhatsApp blocked. Zimbabweans and local news outlets reported an internet shutdown in the context of massive social unrest. Thousands of people are protesting about bad governance and a collapsing economy in President Robert Mugabe’s government. News outlets identify Econet Wireless, Liquid Telecom Zimbabwe, Telecel, TelOne, and ZOL Zimbabwe as the telecom providers that are part of the service disruption.

While the full extent of what’s happening in Zimbabwe is not yet clear, we’re concerned about the safety and security of the people protesting. Internet shutdowns do not restore order, help victims, or protect rights.

Zimbabwe’s telecommunications regulator, the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz), released a statement that warned all citizens against, “the gross irresponsible use of social media and telecommunication services.”

This statement follows the April 2016 statement by President Robert Mugabe, that the government would emulate China’s Great Firewall and regulate access to certain websites. At the time, he emphasized, “The Chinese have put in place security measures and we will look at these so that we stop these abuses on the internet.”

Shutdowns are a growing trend in Sub-Saharan Africa

Over the past two years, Access Now has recorded shutdowns in the following African Union member countries: Burundi, Central African Republic, Chad, Congo Brazzaville, DRC, Uganda, Ethiopia, Niger, Togo, and Uganda. In February, we joined a coalition of groups to demand that the Ugandan government stop its shutdown during presidential elections.

We would like to emphasize to the Zimbabwean government what we told the Ugandan government in February:

A growing body of jurisprudence declares shutdowns to violate international law. In 2015, various experts from the United Nations (U.N.) Organization for Security and Co-operation in Europe (OSCE), Organization of American States (OAS), and the African Commission on Human and Peoples’ Rights (ACHPR), issued an historic statement declaring that internet “kill switches” can never be justified under international human rights law, even in times of conflict. [16] General Comment 34 of the U.N. Human Rights Committee, the official interpreter of the International Covenant on Civil and Political Rights, emphasizes that restrictions on speech online must be strictly necessary and proportionate to achieve a legitimate purpose. Shutdowns disproportionately impact all users, and unnecessarily restrict access to information and emergency services communications during crucial moments.

Call to action

We cannot allow this trend to continue and that is why we launched the #KeepitOn campaign — now supported by nearly 90 organizations from 41 countries around the world.

We call upon the government to provide redress to the victims of the internet shutdown, and pledge not to issue similar orders in the future.

We also call upon the African Union and Human Rights Council at the United Nations to condemn the internet shutdown in Zimbabwe, as it is a violation of international law. Further, we ask all telcos in the country, including Liquid Telecom and Econet among others, to push back against the order using every tool at their disposal, whether legal, political, or commercial. Already in 2016, telcos in Guinea and Kenya have pushed back against orders violating the human rights of internet users.

You can learn more at https://www.accessnow.org/internet-shutdowns, where we will be drawing attention to campaigns globally and sharing opportunities to take action. If you’re part of an organization that wants to help stop shutdowns in Africa or anywhere else, you can reach out to deji@accessnow.org. Meanwhile, we encourage you to stay tuned by following us on Twitter or Facebook, and to participate in the conversation using the hashtag #KeepitOn.

This article was originally published on Ephraim’s professional page on Access Now.

Kenya: draft laws for the internet need redrafting

Access Now files comments on the regulations with Kenya’s Communications Authority

Last week, Dennis Itumbi, the Kenyan Presidency State House Director for Digital and Diaspora Media, hinted that the Kenyan government was preparing a bill to regulate the use of the social media, with the aim of preventing hate speech. The announcement came as a surprise, given the recent landmark legal ruling in Kenya that found that a similarly vague law had been abused, infringing on internet users’ rights.

It’s possible that government officials preparing the bill were emboldened by another High Court ruling —  the one on May 27th that dismissed a challenge mounted by Kenyan citizens and media consumers to the Kenya Information and Communications Act (KICA). Challengers had argued that KICA is unconstitutional, asserting that the law limits free speech online and imposes hefty fines on journalists and media firms.

Kenyan bloggers are up in arms about the new hate speech bill, which they point out cannot be realized without disregarding core constitutional provisions in Kenya.

It’s a legitimate criticism. And Access Now would like to highlight the fact that there are similarly dangerous provisions in draft regulations being proposed for implementation under KICA, collectively called the Draft 2016 Kenya Information and Communications Regulations. We have repeatedly warned against adopting these provisions since January of this year, attending and speaking out during the public consultations organized by Kenya’s Communications Authority. We have also prepared a written submission (PDF) that we have now filed with the government.

What are the problems with the draft regulations?

We commented on the following regulations:

  1. Cybersecurity Regulations 2016
  2. Electronic Transactions Regulations 2016
  3. Electronic Certification and Domain Name Administration Regulations 2016

The bulk of of our comments are focused on the cybersecurity rules. Several clauses in the draft regulations focus on privacy and the security of user data, and we appreciate the Communications Authority’s stated intent of improving data privacy in Kenya. We generally welcome these initial steps, even though we believe that the best way to protect and advance the rights of Kenyans is to work for speedy passage of a comprehensive privacy and data protection law framework, building on earlier efforts.

We have concerns about several of the proposed clauses, most notably:

  1. the proposed data retention mandate and the unclear powers the Communications Authority would have on this, and
  2. the dangerously broad requirement to proactively monitor and report on cybercrime incidents, which would increase surveillance of internet users and chill free expression online.

Many of these troubling clauses stand in contravention of international human rights standards for surveillance. Specifically, the principle of Necessity requires that “[s]urveillance laws, regulations, activities, powers, or authorities must be limited to those which are strictly and demonstrably necessary to achieve a legitimate aim. Communications Surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights. The onus of establishing this justification is always on the State.”

What is the way forward?

Improving digital security is a way to increase the viability and usability of the internet as a platform for communications, and its effectiveness as a driver of commerce, education, health, and development generally. Security measures are integral to the effort to expand global access to information and communications technologies.

In May the Kenyan ICT Cabinet Secretary gazetted a new board to serve at the Communications Authority of Kenya for a period of three years, effective  April 29, 2016.

Access Now believes that new Communications Authority Board can use the proper drafting of these regulations as an opportunity for leadership. By making the right choices and ensuring that the regulations accord with international human rights law, the board can establish Kenya as a key player in shaping an open, secure internet that empowers its citizens and strengthens Africa’s internet ecosystem.

Access Now commends the Communications Authority of Kenya for approaching the challenging work of drafting these regulations. We remain engaged in this multi-stakeholder process in accordance with Article 10 of the Kenyan Constitution, which binds all State organs, State officers, public officers, and all persons, to engage in multi-stakeholder dialogue when making or implementing public policy decisions.

This article was originally published on Ephraim’s professional page on Access Now.