Cyber (In)Security: potential impact of the Cyber Security and Cyber Crimes Bill of 2021 on an already shrinking civic space in Zambia

[By Chapter One Foundation]

According to Digital Reportal’s statistics, in January 2021 it was estimated that internet penetration in Zambia is at 29.4% with 5.48 million internet users and over 2.6 million social media users. The cyber space provides a platform for real time communication, commerce, entertainment, dissemination of information and more recently, public gatherings. Online interaction is seemingly at fever pitch with new ways to communicate and transmit data growing daily.

With an increased dependency on automated and computerized systems, cyber crimes such as hacking, identity theft, phishing and spamming have been on the rise. Government officials have stated on several occasions that the proposed Cyber Security and Cyber Crimes Bill of 2021 is aimed at “social media abusers”; even going as far as citing the catchall term “cyber bullying” to describe the abuse. Of even more concern are attacks on critical national infrastructure which are undeniably a matter of national security. Admittedly, cyber security is a necessity. Why then has the Cyber Security and Cyber Crimes Bill been met with such strong opposition?

Several provisions of the Cyber Security and Cyber Crime Bill have the potential to be abused for purposes of infringing on the freedom of expression, the right to information and the right to privacy. For instance, section 29 of Bill grants law enforcement officers, who include police officers, Drug Enforcement Commission officers, Anti-corruption Commission officers or any other officer appointed by the Minister, wide powers to orally request service providers to intercept communications of citizens without a warrant or even a court order on the basis of a “reasonable belief” that there is a possibility of harm to a person or property. As the request is made orally, the law enforcement officer need not provide proof of the basis of their belief. These powers of interceptions are broad and arbitrary. We strongly recommend that the provision be done away with.

The Bill also grants what are called “cyber inspectors” the power to investigate “cyber security incidents” and “cyber security threats”. However, the definition of what amounts to a “cyber security threat” is not defined while the definition of a cyber security incident is very widely and poorly defined. Poorly defined or undefined laws leave too much room to the persons who enforce these laws to provide their own definitions. We recommend that these terms ought to be precisely defined to limit the possibility of their being used as tools for censorship.
In investigating “cyber threats” and “cyber incidents”, section 11 of the Bill empowers cyber inspectors to, among other things, obtain and make copies of electronic records, search a person or a premises, inspect a computer or information system and even request a person to attend at a place to be questioned. A person who obstructs a cyber inspector in carrying out these searches and seizures faces a fine and/or imprisonment. However, the Bill does not require that the obstruction has to be intentional. This means that even someone who does not intend to commit a crime may be found guilty of one. For example, a legitimate act such as employing the use of encryption or a password on a computer system or mobile phone can easily be construed as an obstruction.

Although the powers under section 11 are to be exercised under a warrant, the Bill provides no description of the nature, scope, and time limit of such a warrant. In addition, there is no minimum requirement that must be met before such a warrant is issued. For instance, the cyber inspector ought to be required to state the reasons for their belief that the computer system contains the relevant information, specify the type of content or data they are looking for on the computer system, provide measures they will take to ensure there is no disclosure of any data of third persons, and show how their investigation will be frustrated without the information for which the warrant is required. We recommend that safeguards be put in place to ensure transparency and limitations on the powers in section 11 which are far too wide and have potential to be used to pursue political aims.

In addition, sections 38 and 40 of the Cyber Security and Cyber Crimes Bill seek to make it mandatory for all electronic communication service providers to ensure that they provide services which are capable of being intercepted, use systems that are capable of supporting interceptions, install hardware and software to enable such interception, provide call-related information in real time as soon as possible, store call related information and access calls diverted to other service providers or terminal equipment. “Electronic communications service” is defined in the Bill as any service which provides the ability to send, receive, process or store electronic communications. The Bill empowers the Minister to issue regulations to specify what machinery and systems service providers ought to install at their own expense to achieve these aims. This means that mobile network service providers, whether public or private, will be required by law to use systems and install machinery that allows the state to intercept communications and information from their subscribers. Mobile service providers who fail to use such systems and/or install such machinery may be liable to pay a fine and/or imprisonment. Not only are these provisions incredibly onerous for service providers, but they are also counterproductive to the aim of public security – if that is in fact the aim of the Bill. The provisions are focused on ensuring that electronic communication services can be compromised, regardless of their nature, rather than ensuring that members of the public can safely communicate and keep confidential information private. We recommend that these provisions ought to be done away with or reframed in a manner that reflects a focus on the legitimate aim of protecting members of the public rather than treating all their communications as potentially criminal.

Another particularly problematic provision is section 54 of the Bill which prohibits the publication of information which is “false, deceptive, misleading, inaccurate” which is done with the “intent to compromise the safety and security of another person”. This is seemingly an attempt to curb fake news. However, it endangers legitimate information from whistle blowers, investigative journalists, civil society, human rights defenders, and activists who often expose information of public interest. The provision leaves the determination of what is “false” and “deceptive” to the interpretation of law enforcement officers. We need not emphasise that there is great room for human rights abuses wherever the enforcers of the law are simultaneously the determiners of “truth”. The manner in which section 54 is framed will have a chilling effect on independent media and independent thought so that non-partisan, objective analysis is stifled. This in fact weakens democracy. In addition, a similar provision in the Penal Code has been declared unconstitutional by the High Court in the case of McDonald Chipenzi and Another v The Attorney-General. The introduction of Section 54 of the Bill appears to be an attempt by the drafters to reintroduce the crime through the back door. This provision ought therefore to be done away with.

In addition, there are several terms and phrases in the Bill that are either poorly defined or not defined at all. Words and phrases such as “harassment”, “cyber threat”, “corrupt morals”, “relevant traffic data”, “cyber-attack”, “critical information infrastructure” and “Minister” have not been defined in the Bill. Other phrases such as “hate speech” are defined in dangerously broad terms. The danger of leaving such terms undefined or loosely defined leaves it subject to the discretion of the law enforcement officer, which power may be abused. In order to align the public’s conduct with legitimate aims of the Bill and to avoid coming into conflict with the law, we recommend that these terms must be properly defined.

Furthermore, the Bill seeks to make all offences defined under it cognisable. By definition, a cognisable offence is one which is easily identifiable without need for further investigation. The difference between an offence deemed to be cognisable and any other offence is that a police officer may arrest a person for a cognisable offence without a warrant. Given the nature of cyber offences and the very nature of activities in cyber space, this provision should be cause of much concern for all members of the public. How will a police officer perceive a person committing an offence online to justify arresting them without a warrant? There is an obvious potential for this provision to be abused to censor independent thought, political dissent and to stifle the free sharing of information. We recommend that this Section be scrapped.

These are but a few provisions within the Bill that are problematic. It is in no way an exhaustive list of all the ways in which the Bill could be improved before it is passed. This is merely a demonstration that in its current form, the Bill is a threat to the freedom of expression, freedom of information, the right to privacy, and the freedom of the media.

The need for cyber security is not denied and Zambia is certainly not the first country to feel the need to regulate the use of the internet and the need to curb its misuse. In fact, Zambia is a party to the African Union Convention on Cyber Security and Personal Data Protection (“the Malabo Convention”) which specifically obligates states to enact laws that respect the rights of citizens to privacy, freedom of expression and freedom of information. Although the Zambian Cyber Security and Cyber Crimes Bill is purported to have its origin in the Malabo Convention, the Bill in its current state does not meet the standards outlined in the Malabo Convention.

It is no secret that the cyber space is the site of much political engagement today, particularly with the youth, who are more adept to the intricacies of online systems. In its current form, the Cyber Security and Cyber Crimes Bill seeks to permit widespread surveillance and censorship of the cyber space by the State over ordinary citizens which will undoubtedly hamper the free flow of information. Already the physical space, which falls under the ambit of the Public Order Act, has been severely restricted due to the broad discretionary powers given to police officers under the Public Order Act. If left in its current state, the Cyber Security and Cyber Crimes Bill threatens to constrict the digital space and Zambians will have nowhere left to turn to express themselves and nowhere to hide from the piercing gaze of the State.

Chapter One Foundation is a civil society organization that promotes human rights, the rule of law and social justice in Zambia.

Leave a Reply

Your email address will not be published. Required fields are marked *