Draft cyber law: Is it a case of putting the cart before the horse?
MORDEKAI MUSUNDIRE
MASERU – The government is on a spirited drive to quickly enact legislation to curb illegal activities in cyberspace through the cyber security bill, but analysts warn that the bill needs exhaustive consultations with all stakeholders.
Transformation Resource Centre Research, Information and Communication Co-ordinator, Advocate Mokitimi Tsosane says enactment and devolution of cyber responsive laws, policies and strategies is long overdue. He therefore commends the government for pushing for the passage of cyber security law.
“. . . TRC wishes to take this opportunity to commend the Ministry of Communications for its recent efforts to devolve comprehensive National Digital Transformation Policy and Digital Transformation Strategy and the Cybersecurity Strategy after years of our advocacy,” he said.
“However, there are still outstanding constitutional and human rights issues with the Computer Crimes and Cybersecurity Bill which we hope will be dealt with in good faith.
“It is important to emphasise that TRC is not opposed to the Bill but as a human rights and good governance watchdog, it raises substantive concerns. The Bill has the potential to shrink civic, political, and media spaces. The Bill justifies overreach of enforcement powers suffocating the very essence of a responsive democracy – Freedom of Expression and Speech.
“There are serious threats to privacy, right to a fair trial, and separation of powers,” he said.
Academic and political analyst Nthakeng Selinyane says, “It would be good if the government were to workshop the draft properly with all stakeholders.”
“The draft tends to place too much emphasis on the security of state or public information, almost criminalising access to public information. The penalties proposed are more punitive than corrective, which is worrisome in the context of the prevailing democratic environment where not long ago we witnessed the unlawful seizure of politicians’ mobile phones,” he adds.
Selinyane says the draft bill could potentially be abused through a heavy-handed smothering of stakeholders’ desire to share and publish public information.
“We are also witnessing the evocation of a draconian 40-year-old internal security law. It seems like we may be copycatting the American Patriot Act, which took advantage of the so-called war on terror environment,” he adds.
Clauses of concern
Adv Tso’sane urges authorities to reconsider some sweeping clauses and rid them of vagueness before the bill passes into law. He cites the following examples:
- Part of the bill reverse onus to compel witnesses to give evidence during a trial because of the clause “intentional and without lawful excuse” which could be deemed unconstitutional because Section 12(7) of the constitution states that “no person who is tried for a criminal offence shall be compelled to give evidence at the trial. In criminal law the burden of proof lies completely with the Crown. There is no doubt that it is a heavy and onerous burden and completely favours the accused. The Crown has to prove beyond a reasonable doubt that the accused has committed a crime.
- Provisions that threaten/violate Freedom of Expression, Opinion and Speech
- For instance, Section 43 relating to publication of false information evokes the moribund criminal defamation law. In terms of the Constitutional Court ruling in Basildon Peta v. The Minister of Law and Constitutional Affairs and Human Rights and Others, CC/11/2016 criminal defamation is no longer part of our law.
It is likely to be abused by powerful groups against socially constructive exertions of the categories like conventional and social media including citizen journalism, artists and cartoonists, and even mainstream scholars.
- Data Interference
Section 24 (2) criminalises whistleblowing and the receipt of such information which is a serious threat to journalism. In terms of the section deleting or altering of such is an offence.
(iii) Data Espionage
Section 26 of Computer Crimes and Cybersecurity Bill is vague and therefore open to abuse.
The dangers of data espionage are illustrated in Manning trial, Assange-Wikileaks saga, and Edward Snowden controversy
(iv) Unsolicited messages
Section 38(1)(a) The section is vague and too expansive such that it can be abused to shrink media and civic space. Labelling undesired information as “misleading” and criminalising such is not justifiable in a liberal democracy.
(v) Disclosure of details of investigations
Section 39 has the potential of preventing reporting on weaponization of investigations aimed at dissidents or those the government does not like.
3. Search and Seizure
While this Section 59 is useful in requiring that a law enforcement officer must obtain a search and seizure warrant, it is an error to give the officer discretion to extend the warrant to cover areas and facilities and objects not detailed in the warrant.
4. Prescription of Maximum Fines
Parliament prescribing maximum sentences and fines violates the principle of separation of powers as the judicial powers vest in the courts in section 118(1) and independence of the judiciary as espoused in section 118(2) of the constitution.
Local Terror
Lesotho lags behind in this respect compared to some of her peers in the neighbourhood, such as South Africa.
While Lesotho is not counted among Nigeria, Kenya, and South Africa, which have the highest cyber threats on the continent, no nation is immune.
What makes the case for the speedy passage of the bill even more compelling is the fact that, to this day, digital evidence remains inadmissible in the country’s courts of law.
The impact of legislative loopholes on cyber security is seen every day through, for instance, libellous information purveyed by faceless “ghosts” in cyberspace and money laundering activities, among other ills.
The worst encounter with cyber-terror so far was seen when the Central Bank of Lesotho (CBL) experienced a crippling attack sometime in December last year, leaving an untold toll on business through commercial banking delays.
Despite the compelling case for cyber laws, experts warn against railroading relevant laws without exhaustive consultations.
As at 2021, countries like Botswana, eSwatini, Tanzania, Malawi, and Zambia had already passed cybersecurity and cybercrime laws. On the other hand, countries such as Namibia, South Africa, Lesotho, and Zimbabwe had only gazetted draft legislation on cybersecurity and cybercrime.
Published on October 17, 2021, a paper titled Cybersecurity and Cybercrime Laws in the SADC Region, warns against “omnibus-type” legislation as seen in Namibia, Malawi, and Zimbabwe.
“Public consultation processes in coming up with cybersecurity and cybercrime legislation must follow clearly laid out procedures. Input from marginalised and vulnerable constituencies must be taken on board.
“Any cybersecurity law and institutional framework should be the product of an extensive and meaningful cooperative multi-stakeholder consultative process, and the eventual frameworks should make provision for some level of multi-stakeholder oversight involvement.”
Frantic moves
In Lesotho, the bone of contention between the Government on the one hand and journalists and civic groups on the other is mainly around what the media says are heavy fines running into millions of Maloti that the bill seeks to establish in order to deter abuse of cyberspace.
But Adv. Tsosane says that is a faulty interpretation of the draft because the huge figures running into millions are a ceiling proposed and nothing stops competent court officials from ordering much smaller fines.
Instead, Adv. Tsosane says, the shortcoming should be sought in “directing” competent legal officers to suspend their discretion in determining quantum to be placed on offenders.
For instance, if a cyber terrorist who crippled the entire country’s banking system last December were to be caught and then fined a mere M1 million or M5 million maximum would be a slap on the wrist for the gravity of such an offence.
The Minister of Information, Communications, Science, Technology, and Innovation, Nthati Moorosi, last week shot down suggestions that she had tabled the dreaded cyber bill as it was without factoring in concerns raised by the other media stakeholders.
Despite the tabling of the Computer Crimes and Cyber Security Bill, 2024, by Moorosi in the National Assembly on May 22, the MISA Lesotho Chapter is dissatisfied, insisting some of the clauses should be revised, including clause 21 on “illegal access,” to mention a few.
MISA Lesotho Chapter National Director, seasoned journalist Lekhetho Ntsukunyane, says they are not satisfied with the Computer Crimes and Cyber Security Bill, 2024 draft.
He says their concern is not about any missing clauses, but they believe it would be wiser if some clauses could be revised, including the clause that refers to “illegal access” and others that touch on access to information.
“The Minister called meetings with us many times, about three times to be exact, but she does not seem to have taken into consideration any of the recommendations we made either verbally or written,” he said.
MISA Lesotho made recommendations on the Computer Crimes and Cyber Security Bill, 2023, before it is passed into law as a written submission to the Ministry of Information, Communications, Science, Technology, and Innovation.
The recommendations, in summary, were as follows: that all terminologies that could attract double meanings in interpretation be clearly and sufficiently defined in the terminologies section; and that the bill must be crafted in simple, ordinary, and easy-to-understand language if it is going to apply to ordinary citizens, not computer engineers, ICT experts, and other people of specialised disciplines related to computers and the digital space.
Key Structures
Beyond the finer details contained in the bill, local experts say that without an elaborate cyber security strategy, legislation alone would not protect Lesotho and Basotho.
Instead, apt legislation, along with setting up the requisite key structures, would make for a holistic approach to plugging this gaping hole in national security.
Such a multi-pronged approach should not just include putting structures with skilled personnel in place throughout the entire security cluster but must also include educating the general public as well as incorporating vital components into school curricula.
In a paper titled Cybersecurity Protection Structures: The Case for Lesotho, academics Mosala et al. argue that even in the presence of any legislative and regulatory framework, the absence of a cyber-security strategy in Lesotho renders the country vulnerable to sophisticated cyber-attacks.
Therefore, countries like Lesotho need to develop cyber security strategies, clearly detailing how they aim to defend themselves against any form of cyberattack.
Everyday internet usage has been steadily growing in Lesotho in recent years.
Ordinary Basotho have become dependent on the internet for mundane daily transactions such as buying electricity, paying water bills, paying fines, and others through Vodacom’s Mpesa or Econet’s Ecocash.
Besides regular electricity and water bill payments, even police spot fines have moved into the digital space to ease hurdles.
Key public institutions such as Revenue Services Lesotho (RSL) have been moving inexorably to ensure paperless business processes to ease doing business for taxpayers.
In short, these platforms have simply occupied space that was supposed to be taken by regular commercial banks, who literally shot their own feet because of rigid requirements for the lower strata of society, which remained mostly unbanked for many years.
It is clear regular banks should be ruining their stringent rules. Experts say all these developments in the use of digital platforms for business will amount to nothing without the necessary public education initiatives to go along with them.
“Most of Lesotho’s citizens are not aware of the inherent risks that come with accessing services electronically,” according to Mosala and others.
They add that regular internet usage increased from about 85,888 in 2011 to 444,376 by 2016, and although no figures are readily available, it is not a wild guess that the numbers have since increased considerably.
This gives insight into the fact that Internet use in Lesotho is increasing exponentially as more and more people use smart phones.
Dearth of expertise
While the Government should move with speed to curb cybercrime, there is no evidence that the same feisty zeal is being applied towards setting up structures such as monitoring task forces with the requisite IT skills in key sectors.
In the end, legislation alone, without such structures, amounts to putting the cart before the horse.
Putting in place enabling legislation to prosecute cyber criminals without ensuring expertise in the whole judicial chain from the stage of prosecution could lead to a lot of frustration and failure since criminals are always a step or two ahead.
It therefore needs tech-savvy arresting officers, along with magistrates and judges equipped with technical knowledge in the field.
Lack of technical cybersecurity skills in Lesotho implies there will be inadequate skills and insufficient technology needed to thwart cyberattacks.
The analysts say the security sector, comprising the national police, the army, security services, etc., is not well equipped with highly qualified personnel to curb cyberattacks and defend the country against advanced persistent attacks (APTs) at the national level.
Citizens’ rights
Regional civic groups say there is a need for countries in the SADC region to adopt a human rights-based approach.
Such an approach would ensure that the enacted or proposed legislation takes into account the urgent need to balance cybersecurity needs with the eye on protecting and promoting citizens’ fundamental right to privacy.
This can be done by integrating international human rights system norms, principles (necessary and proportionate principles), standards (model laws), and goals.
Member states must ensure that cybersecurity and cybercrime laws are aligned with national constitutions and that such statutes endeavour to promote the right to privacy and freedom of expression.
There is a need to ensure cybersecurity and cybercrime laws strike a balance between the protection of national security and the exercise of the rights of ordinary citizens, they say.
“Public consultation processes in coming up with cybersecurity and cybercrime legislation must follow clearly laid out procedures. Input from marginalised and vulnerable constituencies must be taken on board. Any cybersecurity law and institutional framework must be the product of an extensive and meaningful cooperative multistakeholder consultative process, and the eventual frameworks must make provision for some level of multi-stakeholder oversight involvement. There is a need to desist from coming with an omnibus type of legislation as evidenced in Malawi, Zimbabwe, and Namibia.”
Draconian threat
Misa Lesotho argues that the bill must be crafted in simple, ordinary, and easy-to-understand language if it is going to apply to ordinary citizens, not computer engineers, ICT experts, or other people in specialised disciplines related to computers and the digital space.
Misa adds that, if the bill is not a local innovation but has come as a result of compliance with regional and international protocols in which Lesotho is a signatory, it should still be domesticated in a manner that addresses local content and the domestic climate.
For example, Lesotho is not that susceptible to social ills such as racial discrimination and xenophobia due to its monoculture and homogeneity as a society.
Minister Moorosi tabled the reasons and objects of the Computer Crime and Cyber Security Bill, 2024, in Parliament towards the end of last month.
Parliament’s Prime Minister’s Ministries Portfolio Cluster Committee deliberated on the detailed and comprehensive Bill on May 22 in a series of closed-door meetings.
This marks the resumption of what sceptics characterise as the authorities’ bid to spy on individuals’ communications while also deterring genuine investigations by journalists because of the heavy fines and sentences many have described as draconian.
Watchers this week expressed fears the government could be tempted to unilaterally push the fearsome law through parliament, which, in its present form, could spell a heavy blow to aspirations towards a free press in Lesotho.
Ntsukunyane expressed disappointment over the issue.
“The Minister has sneaked the bill into Parliament without considering our input. We will fight the oppressive law,” he said recently.
Urging MPs to reject the bill and jettison it from the table, Ntsukunyane said it was worrisome that the current communications minister was repeating the same mistake made by those before him on the issue.
Moving in circles
The previous administration’s communications portfolio was headed by then Minister Samuel Rapapa, who ignored pleas to vastly engage all the interest groups, including journalists and media houses, first.
Parliament itself, at the time, returned the bill to Rapapa, urging him to consult widely.
This saw a meeting being convened in June last year in Maseru, where media representatives and some prominent civic groups were represented.
They unanimously expressed concerns about many aspects of the bill, which they deemed too broad and therefore potentially problematic in the future.
After last year’s meeting, Minister Moorosi asked for written submissions to support claims that the bill was overarching, and parties duly submitted these to her office.
When she assumed the communications cabinet post, Moorosi immediately withdrew the bill from Parliament, thereby appeasing a restive media sector.
The run-ins with media watchdogs like Misa predate the era of Rapapa or Moorosi.
Even before Rapapa’s tenure, former Minister Khotso Letsatsi in the same portfolio around 2016 made what journalists considered to be ominous threats and a promise to put punitive law to rein in journalists.
In 2021, the NGO issued a statement that read, in part, “MISA Lesotho is extremely worried that the Computer Crime and Cyber Security Bill of 2021 that was presented to Parliament by the Minister of Communications, Science, and Technology Keketso Sello on March 23, 2021, was drafted by the Ministry of Communications, Science, and Technology without consulting all the parties that will be affected by the said Bill once it becomes law.”
Misa further warned: “MISA Lesotho is concerned that when the Computer Crime and Cyber Security Law is adopted in a hurried manner, without meaningful dialogue with all potentially affected parties, civil society, and the expert community, it is likely to be ineffective, incomplete, contradictory, and in breach of fundamental human rights and freedoms.”
It would seem the country continues to move in circles as the issue remains where it has been since 2021, according to media stakeholders.
Africa is not immune to global cyber threats. The continent faces an array of challenges, including phishing attacks, malware, online fraud, and cyber espionage. The World Economic Forum’s Global Cybersecurity Index ranks many African nations lower in terms of cybersecurity readiness.
A report has revealed that Nigeria, South Africa, and Kenya are facing the highest online threats on the African continent, according to a Russian multinational cybersecurity and anti-virus provider company, Kaspersky.
According to the ITU Global Cybersecurity Index, only seven African countries—Mauritius, Egypt, Tanzania, Ghana, Tunisia, Nigeria, and Morocco—are among the top 50 countries with the highest cybersecurity indices.