Change of heart on cyber security Part 2.
In the article:
- The AU convention on cyber security seeks to criminalize online reports that touch on ethnicity and religion, ban the use of pseudonyms, and criminalize all forms of online social irresponsibility.
- Governments should come out strongly to protect citizens against online fraud.
- Should governments be allowed to monitor private communication in real time or otherwise? My answer is both yes and no.
- Governments need to invest in hi-tech gadgets capable of monitoring private communication in real time but as long as they don’t get caught.
We left the previous discussion, Change of heart on cyber security Part 1, at the point where I was introducing the debate on the need for governments to monitor private messages (emails, inboxes, DMs, chats) that could be detrimental to national security, while at the same time raising questions on how such monitoring would affect the right to privacy, confidentiality, and secrecy (to read Part 1, see Change of heart on cyber security Part 1). I have my opinion on this, but first let me address the issues regarding privacy, freedom of expression and secrecy that were raised during the conference on Information Security and Public Key Infrastructure that concluded yesterday at Safari Park Hotel, Nairobi.
A number of these issues were mentioned during the plenary discussion where the AU Draft Convention on Cyber Security was debated. During the discussion, it was pointed out that the AU Convention on Cyber Security has weaknesses on Privacy and Freedom of Expression. For instance, the convention seeks to criminalize online reports that touch on ethnicity and religion, ban the use of pseudonyms, and criminalize all forms of online social irresponsibility.
To me, the existence of clauses in the AU Convention that would be detrimental to freedom of speech means that the drafters of the convention have hitherto been government employees and agencies, as only governments would be happy to control the type of content shared online and the manner in which it is shared. Governments, especially dictatorial ones, do not want to be criticized. If, for instance, a particular government were to violate human rights by orchestrating extrajudicial killings, that government would not want the victims and their relatives to voice their complaints to the masses. Heads of government who have benefited from squandering public resources would also not want their ills brought into the public domain. The clause in the AU Convention that bars people from reporting ethnically and religiously based stories, for instance, would be used by tribal chiefs and religiously biased governments to arrest and jail any human rights activists who point out, using cyber platforms, tribalism and religious and cultural bias in resource allocation and appointments to public office.
No, my heart wasn’t changed to support such a draconian convention. My heart was also not changed to support any convention, treaty or national law that would empower governments to monitor private data in real time under the guise that national security must be protected. What my heart was changed to support is the need for legislation that puts in place government structures for dealing with cyber security threats, enables the government, through the judiciary, to handle cyber security cases, and, basically, recognizes the types of cyber security crimes and how to deal with them.
For example, when one receives an offensive message via email, the recipient should be empowered to report the message to the authorities, and the sender of such a message should be arrested, prosecuted, and penalized. If, in another instance, one seeks to stop a particular piece of information from being shared, either through the mainstream media or via the Internet, then there should exist a legal framework that allows the offended party to seek legal redress if, for instance, a careless tweep releases the private or confidential information on Twitter. We have heard of cases where witnesses protected by the ICC and other courts had their identities revealed by careless tweeps. The latter means that a legal body should be established and empowered to find the posters of offensive messages, whether or not such posters used pseudonyms. This body would be equipped with the most modern technology for investigating, tracking, and finding culprits who engage in cyber crime; but only once such a crime has been reported.
Secondly, legal frameworks for Public Key Infrastructure need to be established, providing the broad regulatory guidelines under which online transactions are conducted and regulated. As mentioned earlier in the post PKI Digital Certificates to create trust in online transactions, the government of Japan has not been able to operationalize Digital Certificate platforms for electronic transactions simply because it does not have a legal framework in place. In Change of heart on cyber security Part 1 of this discussion I also mentioned the progress Estonia has made on electronic transactions, where banking transactions are done electronically 99% of the time. I also mentioned that the citizens of Estonia were mostly against government control of cyber security five years ago, but today only a minority think that government control of cyber security has negative impacts. These two cases tell us how important it is for governments to have control over cyber security.
Having mentioned these, it is now important to clarify the types and areas of control over cyber security that we need governments to have via legislation. Top of the list would be the need for government involvement in regulating, in several ways, online transactions. The government can regulate online transactions foremost by ensuring that those who participate in online businesses are properly identified. This is where the issue of Digital Certificates comes in. For the issuance and use of authentic digital certificates, governments must put in place legal frameworks that govern how digital certificates are issued, who issues them, the standards each certificate must meet to be valid, the expiry periods of the various types of digital certificates, renewal processes, and any other logistical and technical considerations that would help seal loopholes in the issuance and use of digital certificates. Here everyone should agree that governments should come out strongly to protect citizens against online fraud. A future post will address, in the simplest way possible, how PKI and Digital Certificates help secure online transactions.
The other item that is equally important is the need to set up Cyber (or Computer) Emergency Response Teams on matters of cyber crime at national, regional, and company levels that respond to threats of cyber attacks and to complaints. These are technical teams with technical resources able to predict, prevent, investigate, and defend against cyber attacks. How these teams operate must, however, be guided by legislation.
As the world gets more connected, more and more transactions and communications are done electronically. This means that critical company, business, and government information files are stored electronically. The ease with which electronic information can be copied, transmitted, destroyed, and altered means that there is a need for legislation that holds those given the responsibility to keep and secure critical information, belonging either to governments or to the private sector, responsible for any adulteration or leakage of that information. This is the point at which I do not agree with the AU convention’s articles that seek to criminalize hacking. Most people who have carelessly let sensitive electronically stored information leak have always had the excuse that they were hacked. Legislation should instead be enacted that outlaws “I have been hacked” claims unless the hacking was done by unpreventable means (close to a natural disaster). For more on this reasoning read: It should be illegal to be hacked. Basically, the point here is that legislation should be enacted holding those responsible for keeping and protecting sensitive data accountable for any misfortune that befalls the data under their custody.
Other areas that require legislation are those regarding the definition of cyber crimes and evidence, the collection of electronic evidence, the presentation of that evidence, the manner in which cyber crime cases are handled before a court of law (general principles), the role and powers of judges (the AU convention tries to give judges investigative powers, which should not be the case), the penalties for the different forms of cyber crime, etc. Kenya already has a similar law in place.
Back to the question of privacy, confidentiality, secrecy and national security: should governments be allowed to monitor private communication in real time or otherwise? My answer is both yes and no. Technically, governments can and have monitored real-time communications; the NSA spying activities that have given the US government a bad name are a case in point. Although governments have decided to put in place a number of cyber security measures on their systems to prevent similar snooping by the NSA or any other institution in the future, no one can be sure that their cyber security systems are 100% foolproof against intrusion. Private communications are also held by third-party communication platform providers like the mobile phone operators, Internet Service Providers, domain hosting companies and their ilk.
But just as Facebook and Microsoft reported that they were able to provide several governments with details of several people on request, governments should be required to access such information only after following proper legal channels, such as seeking court orders. So the “no” part of the answer is that legislation should not be enacted that empowers governments to monitor private information in real time; legislation should make it clear that proper channels must be followed.
The problem with following a legal process in order to access private communication is the inability to be proactive enough to prevent disasters such as the Westgate attack. Here I would say yes: governments need to invest in hi-tech gadgets capable of monitoring private communication in real time, but as long as they don’t get caught.