1

AFRICAN CENTRE FOR CYBERLAW AND CYBERCRIME PREVENTION (ACCP)

WORKSHOP REPORT ON CYBERCRIME LEGISLATION IN WEST AFRICA

DATE: 11thApril 2014

ORGANISATION: ACCP

EVENT: COE / UNCTAD / ECOWAS / ISS/ ACCP –

Workshop on the harmonization of cyber legislation in ECOWAS Accra (Ghana), 18-21 March 2014

Executive summary ( Mr Patrick Mwaita, National Coordinator, ACCP )

Cybercrime has continued to compromise the growth potentials of the Africa region. It is a relatively new trend of crime, highly volatile and massive in dysfunctional impact. The scourge of online criminality has followed the growing use and application of information /communication technologies which have recorded an unprecedented level, invariably overwhelming traditional means of crime control.

The purpose of the workshop was to support countries of the ECOWAS region in their collective effort aimed at discussing the challenges cybercrime poses to their development. Governments and institutions are showing greater resolve to commit resources in the search for empirical and action-oriented remedial interventions to address the problem of cybercrime. Assurances of support from the Government of Ghana as a focal point to galvanise all authorities in the region to fight cybercrime were given by the Minister for Communications in his statement to the participants at the opening ceremony. As expected, the visible challenges brought by cybercrime operations overwhelm the individual capacities of African countries to make any meaningful intervention on their own.

Accordingly, Africa has to seek technical capacity to facilitate a concerted approach to the difficulties of cybercrime, particularly drawing lessons from better endowed regions where practices, policies and legislation have brought significant success in similar situations. In response to this need, the Council of Europe has agreed to offer funding support and through this improve technical capacity of relevant crime prevention and criminal justice personnel and institutions to kickstart and maintain the push against cybercrime. Support in this respect has manifested in capacity-building programmes aimed at training and increasing awareness and encouraging dialogue about the problem of cybercrime (starting with Southern Africa and Eastern Africa in 2013).

Due to its constantly increasing sophistication in the nature, cybercrime continues to pose a defiant challenge to governments’ efforts for stability, development and security. This calls for intensified attention including drawing in several remedial strategies from a variety of stakeholders to provide additional support in this regard. Furthermore, the extraterrestrial nature of commission of cybercrime brings with it unique challenges to law enforcement, jurisdictional concerns and criminal justice management. Following from these observations this workshop was divided into two tracks which were mutually reinforcing to address pertinent issues expressed in the needs assessment of African countries; notably, harmonization of cyber legislation on one hand and strengthening responses to cybercrime including appropriate criminal justice responses consistent with the Budapest Convention on the other.

The cyberlaw harmonization track was supported by the United Nations Conference on Trade and Development (UNCTAD), while the cybercrime track was supported the Council of Europe in cooperation with the African Centre for Cyberlaw and Cybercrime Prevention (ACCP), United Nations African Institute for the Prevention of Crime and the Treatment of Offenders (UNAFRI), the Institute for Security Studies (ISS). The input by various organisations mirrored the multi-pronged and concerted approach required to give an effective response to the challenges of cyber insecurity. The choice of facilitators and participants to the workshop reflected the need by the countries of ECOWAS region to sustain the impact and benefit of technical skill updates derived from this workshop in their countries by tapping into the available capacities from identified sources.

It was observed that life is getting increasingly electronic, with virtually every aspect of day-to-day routines conducted with the aid of electronic appliances. The increasing use of internet and other ICT developments in Africa, for legitimate purposes, but also for commission of crime (online) were testimony to this advancement. Consequently, the need to integrate telecommunication service providers as major stakeholders in resolving e-crime was emphasised, principally for the unprecedented level of traffic and content data in their custody.

Accordingly, it was stressed that special initiatives in legislation; expedited preservation of data were of essence in meeting the necessity to act with the necessary promptness to ‘capture’ electronic evidence from the service providers without being lost or interfered with for effective management of e-crime. Other concerns raised included the need for preserving privacy in the wake of increasing online intrusions, observing the rights of internet users, including cybercriminals in emerging litigations and protection of children from pornography and the general population from xenophobic material and other forms of abuse.

Participants came from middle level functional categories with ability to influence necessary legislative and policy review/development in their countries pursuant to the recommendations/proposals from the workshop. Their domain at home focused on routine operations as well as supportive policy development and legislative authorities of government departments and national assemblies. The workshop content on both tracks gave participants opportunity to critically examine a variety of relevant regional and international instruments including the Budapest Convention.

The strengths and opportunities in these were acknowledged as a basis to give momentum to the national frameworks for cybersecurity. The countries represented included, Cape Verde, Cote d’Ivoire, The Gambia, Ghana, Guinea Bissau, Liberia, Nigeria, Sierra Leone. All the participants invited to the workshop attended, with many others offering to sponsor their participation from alternative sources, an indication of the desire for technical capacity by the countries in Africa.

They met and interfaced, exchanging experiences with each other and acquired knowledge from a set of purposed facilitators from whom best practices and skill updates were solicited. Using a diversity of techniques, ranging from lectures, discussions (groups), tutorials and demonstrations, the facilitators aroused free exchange of views and sharing of experiences, including critical analyses of situations and circumstances which give rise to cyber insecurity. Focusing on Africa, it was noted that the region was disproportionately affected by cyber frauds given its low level of technical capacity.

This was seen to be a sure source of uncontrolled loss of value and resources. Considering that there is an increasing call for electronic transactions following the growth of ICT developments (e-commerce, e-signature, e-governance), which Africa has to embrace, the region’s vulnerability was expected to continue rising. It is against this background that the workshop scored a fundamental breakthrough in meeting the needs of Africa for knowledge and capacity building through training and emphasis on regional and international collaboration as avenues for skill development to cause necessary intervention.

It was noted that each country was at various stages of enacting effective legislations and the Budapest Convention offered a unique opportunity to guide and inform this process, providing inroads for further technical support in adoption of relevant provisions and continued exposure to skill updates as well as offering a bedrock of cross references to steer national roadmaps of planned activities for cybersecurity. Appropriate care and attention was taken in adopting relevant provisions from the convention and tailoring them to situations as they obtain in their respective countries.

The workshop received added thrust from the prospects of strengthened capacity that came with the launch of the collaboration between the Government of Ghana and the Commonwealth Cybercrime Initiative expected to promote home-grown measures to provide a basis for practical cyber security policies. In their resolve to consolidate the gains attained from this dual training the participants made a number of vital recommendations as given herewith:

•Increase the opportunities for training sessions in all the regions and include more personnel and introduce other modules to target enforcement of legislation

•Improve awareness raising and sensitization of stakeholders, especially the judiciary

•Disseminate the information derived from the workshop.

•Consolidate the benefits derivable from international and regional cooperation, by promoting collaboration within institutions and governments

•Improve criminal justice responses to cyber threats by offering specialised training and strengthening research to identify emerging challenges

1. Welcome address by Prof. Alhas Maicibi, Secretary General (ACCP):

Professor Maicibi welcomed participants to the workshop in Accra, Ghana and paid tribute to the Government of Ghana and the National team led by Mr Albert Antwi-Bosiakako for hosting the workshop in Accra at the Kofi Annan International Peacekeeping Training Centre (KAIPTC). Professor Maicibi then acknowledged the collaborative links between the Council of Europe and the African Centre for Cyberlaw and Cybercrime Prevention (ACCP) which started in Vienna, February 2013 at the occasion of the Inter-governmental Expert Group Meeting where the crippling impact of cybercrime to development was discussed. He gave special thanks to the Council of Europe for funding the Cybercrime track of the workshop and the United Nations Conference on Trade and Development (UNCTAD) for funding the cyberlaw harmonization track. He also recognized the participation and importance of the roles played by the United Nations African Institute for the Prevention of Crime and the Treatment of Offenders (UNAFRI) and the Institute for Security Studies (ISS).He conveyed apologies from the Directors of ACCP, Dr Mohammed Chawki and Mr John Kisembo who could not attend the workshop due to other pressing obligations.

Setting out the mandate of the ACCP as an organisation that coordinates the fight against the impact of cybercrime on African countries, he urged participants toutilize the Centre as a resource for acquiring necessary skills and knowledge exchange with experts inAfrica and other regions of the world. That way, there is enhanced capacity building in Africa to promote the useful attributes of technological developments. Professor Maicibi decried the fact that the same technological advancements that aim to make communication faster, increase productivity, and enhance innovations store data easily, had been hijacked by criminal groups for illicit activities. These activities have caused considerable economic malaise to the global economies, with Africa suffering significantly.He therefore called upon the participants to be the core of West Africa’s resource team and crucial task force to disseminate information, strategies and good practices acquired from the workshop to the rest of Africa to the benefit of increased cyber security.

Finally, he asked participants to be the ambassadors of their respective countries in this fight against cyber-crime, while emphasizing that they were trainers in their own right for this purpose – since the workshop was a ‘Train the trainers’ function. He assured them of the support of the ACCP and related partner agencies in the fight against cybecrime. Prof Maicibi, assisted by Dr Maureen Owor chaired all the sessions of the cybercrime track of the workshop.

2. The Council of Europe Convention on Cybercrime and the Additional Protocol concerning the criminalisation of acts of a racist andxenophobic nature committed through computer systems by Barrister Russell Tyner:

Mr Russell Tyner represented Dr Alexander Seger and the Council of Europe at the opening formalities of the workshop. He urged member states of the Economic Community of West African States to collaborate and harmonize their legislation and practices that would facilitate an effective onslaught on cybercrimes by catering for extra territorial offences.

Cybercrime was prevalent in a number of day to day activities which were now increasingly evident on-line. These included internet frauds, child pornography, internet hacking and breaking into people’s computers, which activitiesneitheracknowledgednor respected physical boundaries. He stressed that it was through effective legislation in the sub-region that perpetrators of these illicit on-line activities could be made to face justice, particularly in view of the fact that theinternet was increasingly becoming a tool for vital activities such as electronic banking, e-commerce,and online communication.

He expressed concern that criminals were now exploiting the internet to the detriment of the public, adding that if such cybercrimes were allowed to continue unabated, it would erode the public confidence in online commercial activities such as trading, e-banking and e-commerce, which would have serious consequences on the economies of many countries. He cautioned that because of their sensitivities to electronic controls, some industries such as civil aviation were more vulnerable to cyber attacks and urged law enforcers to take appropriate care in this respect.

Mr Tyner, who is also a Crown Prosecutor in the United Kingdom, Organised Crime Division offered his services to meet any requests for professional assistance in prosecuting cybercrimes in ECOWAS region – a direct reference to the calls for technical support which was conspicuously inadequate in the region.
Mr Tyner said appealed to countries in the sub-region to put in place proactive measures to detect cybercrimes and also to train their law enforcement officers and other criminal justice personnel on how to identify cybercrimes, utilizing specialized skills and expertise as tools to gather forensic evidence and properly present them to court for adjudication.

He also tasked the law enforcement officers with extraordinary expedience when fighting cybercrime. He added that they should be prepared with matching strategies forexpeditious gatheringof relevant data from communications service providers such as the mobile companies, google search, yahoo and hotmail in the nick of time before such information were lost from their system or manipulated for destruction of evidence.

Due to the visible threats of possible intrusion, he cautioned that the internet was not a safe tool for storing vital information and passionately cautioned the youth against putting certain vital information about themselves such as videos and photographs on the internet, since once placed on the internet such information could not easily be retrieved or withdrawn.

Aims of the Convention

• A guideline for legislation leading to the harmonisation of domestic legislation

• Establish the necessary procedural powers for investigation and prosecution

• Establish a fast and effective regime of international co operation

• That Human rights are protected

• Flexibility so that it can be implemented nationally

Cybercrime is international. Perpetrators can situate themselves anywhere in the world. Thus one of the principal aims of the BCC is to reduce the number of safe havens. To avoid becoming a safe haven a country needs -

1. Legislation – both substantive and procedural - criminalise cyber activity that

may otherwise not fall within the scope of existing criminal law –including issues of jurisdiction - provide sufficient power for investigators to obtain access to evidence – enable requests for MLA and extradition

2. Police capability –a sufficient number of officers who understand the technical issues and have the ability to undertake enquires which will involve the examination of computers and obtaining access to communications data

3. Co-operation with Industry – a close working relationship with communication service providers in your county ideally pursuant to a voluntary code or MOU to allow you to obtain access to data held by service providers is vital

4. Training Judges and Prosecutors –must have some basic understanding to

ensure that they understand the evidence , are able to identify potential sources of evidence , assist in MLA requests , assess evidential admissibility and manage cases

Cybercrime causes real harm, either to individual victims of fraud, children who have suffered bullying or who have been abused to feed the market for child abuse images, or to financial institutions and governments seeking to expand and develop e commerce.

The investigation and prosecution of cybercrime can be challenging. This is due to a number of factors:

•the nature of digital material – it needs to be extracted and interpreted and presented in court in a manner that ensures its evidential integrity- it is volatile it is easily changed – it may only be in existence for a short time;

•The volume of material – investigators need to identify the evidential material. In the UK the prosecutor is also obliged to identify material that may assist the defendant or undermine the prosecution case as part of the fair trial process;

•The location of material – not only is it stored within digital devices it may be located in another jurisdiction or in the hands of an innocent third party;

•Investigators lack expertise;

•Prosecutors and judges may fail to understand the nature of the material;

•Domestic legislation may not ‘fit ‘cyber crime- there may be issues relating to jurisdiction;

•Industry - co operation may be lacking;

•Perpetrators may be located overseas- mutual legal assistance may not be available -extradition may not be available.

Having focused on the negative it is useful to remember that much cybercrime is committed overtly providing a wealth of evidence to prove that a crime has been committed, the issue then is one of proving that the defendant was responsible. Stored material can provide vital evidence as can evidence from service providers. The online environment also offers opportunities for police officers to covertly infiltrate online criminal groups.

The Convention

•defines key terms

•defines the common minimum standards of relevant offences

•provides the necessary procedural measures required in the investigation of cybercrime

• operates as an instrument of international co-operation both in terms of mutual legal assistance and extradition

The Additional Protocol to the Convention and the additional protocol to the Convention on Cybercrime, concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems

Article 3 – Dissemination of racist and xenophobic material through computer systemsdistributing, or otherwise making available, racist and xenophobic material to the public through a computer system.