Combating Computer Crime in Africa, Proposal for a Pan-African Cyber Crime Legal Framework -Part 1

African countries are at various stages in their implementation of e-government and e-commerce environments.  This is being undertaken with a view to utilise technology not only to reduce costs, but also to save time and energy on activities that can be done using reduced human interaction.

These initiatives while slightly behind in relation to time frames against the developments that have been implemented in other parts of the globe are a worthy step to bring Africans up to speed with the benefits of harnessing information technology.

The introduction of the Internet has seen a vast change in the way individuals lead their commercial and social lives. It has led to innovative ways of conducting business and new ways in which government services can be channelled. It has also been responsible for providing easier ways of interacting and keeping in contact with relatives and friends through social networking websites.

It is to be noted however that criminals have used these same technologies and have become more adept in their ways, taking advantage of the ease of use of technology to exploit vulnerabilities left behind by under pressure developers who forget to test and remove known vulnerabilities in their haste to roll out new systems.

We are constantly being reminded of the attempts criminals have made to hack or and gain access to systems and their ingenuity to keep one step ahead of the law.

We are familiar with the rise in Phishing, Identity theft and Virus attacks and are perplexed that new risks, threats and vulnerabilities are being conjured before we can get an effective handle on already existing ones.

We are also aware that certain countries have allegedly been proactive in spying on and attempting to hack into sensitive, confidential and critical systems of other countries

E-commerce and e-government environments are constantly targeted, making it necessary for them to beef up information security to remove the possibility of their systems being compromised. They are obliged to perform regular penetration tests on their networks as well as indentifying and removing exploitable application vulnerabilities such as, cross-site scripting, buffer overflow, SQL injection before systems go live.

The information security landscape has changed significantly over the last 15 years. Indeed, we have seen the shift in regards to information security responsibility moving from a technical issue to one that now resides in the legal domain. We are seeing a new trend where astute organisations and government institutions are transferring information security responsibility from their technical departments and placing them under the wings of their legal teams. This is not surprising given that new security breach legislations and data protection laws have made the onus of ensuring data subjects information is secure is placed firmly at the feet of organisations that process such data.

This article is aimed at enlightening African Law makers and Legal drafters of the types of computer crime legislations that need to be enacted in Africa to provide recourse to governments, corporations and individuals in the event that they fall victim to computer crime. It highlights legislations that can be used to prosecute criminals who perpetrate computer related criminal activity. The article also recommends and also looks at the benefit of developing and implementing a computer crime legislative framework for African countries with a suggestion for a re-vamp of the law faculties and advanced legal institute’s syllabus to cater for new technology laws.

Status of  African Cyber Crime Laws and the Call for an African Cybercrime Legislative Framework

There are a number of African Countries that are in the have developed or are in the development stages of implementing computer crime related legislations.

• East African Countries are in the process of formulating unified computer crime legislations
• Ghana has passed its Electronic Transactions Act and  National Information Technology Agency Act and is in the process of developing its Data Protection Laws
• Nigeria is in the process of developing its Critical Infrastructure Laws
• Senegal has passed legislation to govern the development of ICT. The legislation includes law on cyber law, law on protection of private data and the law dealing with electronic transactions
• South Africa has implemented Electronic Transactions Act
• Tunisia has implemented the Electronic Exchanges and Electronic Commerce Act
• Zambia has drafted its Computer Misuse and Cyber Crime Bill

A common thread in relation to some of these laws is the proposal for a single law to deal with cybercrime. It is to be noted from a preview of these laws that these single legislations will not go far enough to deal with the width of computer crime in the 21^st century.

There is a risk that if these laws are passed in their current state they may not cover relevant aspects of computer crime thereby leaving loopholes for the criminals to exploit. We also have a long winded process for passing laws in Africa, this could have the impact that by the time these laws are passed, technological developments may have moved on making them inadequate and redundant in their quest to deal with the issues they have been enacted for.

It is also noted that many of these legislations are tilted towards individuals committing criminal acts without addressing the fact that governments and corporations can be involved in computer related criminal activities. For example Data Protection is primarily geared towards providing organisations that collect our personal information with strict principles as to how that data is to be processed.

It is important to note that Data Protection affords redress against breaches to these principles and as such more organisations are taking heed that they could be liable to penalties in the event of such contraventions. In the UK, the limit of such fines has recently been raised from £5000 to £500,000.

Several banks in the UK were criticised for dumping customers’ personal information in bins outside their premises.

Also in the UK, Her Majesties Revenue and Customs (Tax Office) were pilloried for losing the details of over 2.4 million people.

African Cyber Crime Legislative Framework Proposal

While review and amendment of current African laws may be an option, I believe we will need to develop a common list of legislations that will form Africa’s Cybercrime Framework to replace the current proposed laws of individual countries.

This is necessary so that we generate similarly worded legislations. This will provide for generic and understandable laws across the board. It will in its inception allow for the anticipation of the effects of new technologies on the horizon so that the laws that constitute the framework are not obsolete and ineffective when passed.

I will now introduce and explain laws that must as a minimum be considered to constitute this framework, by explaining what they are, why they are necessary and giving examples of how they have been enacted in other countries.

Identity Theft Laws

Identity theft has taken up new grounds in the debate about the protection of personal information. High profile successful unauthorised and fraudulent access to databases where personal information is stored have more recently also called for speedy enactment of stringent legislation to assist in the curtailment of the phenomenon

Identity theft was initially thought to only affect the individuals whose personal information has been hijacked. It can however be seen that organisations whose primary business involves obtaining and selling personal information are falling prey to sophisticated criminals. These criminals are willing to go the extra length to obtain as many instances of personal information at one fell swoop, rather than having to hunt for individual pieces of information risking being caught out at each attempt.

An example of an Identity theft law is the Identity Theft Act US 1998

Following testimony by the Federal Trade Commission in front of the US Senate, federal officials deemed it necessary to address growing concerns over identity theft scams.

The Identity Theft Act was passed in the United States to offer identity theft protection for individuals and businesses that can or have been victims to identity thieves. Fully entitled The Identity Theft and Assumption Deterrence Act, it was passed by the US Congress and signed into law by President Bill Clinton in 1998. An amendment to the law was enacted in 2003.

The law came into being due to the exponential rate in which consumer’s personal information was being exploited in the United States due to the advent of the Internet and the rise in large consumer databases. It was also fuelled by the increased access to computers which now housed detailed information about individuals and their financial records.

The Identity Theft Act identifies crimes involving loans, mortgages, credit cards and lines of credit that can be prosecuted. It also includes additional crimes to which people can be prosecuted should they be caught. US Code Title 18 was amended to include any fraud committed using identification documents or personal information. It also made it illegal to knowingly transfer this information to other people without authorisation, regardless of intent.

The identity thief needs to have the intention of defrauding a person, business or government agency within the country. Criminals can be charged if they commit identity theft either through the mail, across state lines or internationally.

The Identity Theft Act allows for punishments of 5, 15, 20 or 30 years depending on the crime. It also calls for fines determined by certain factors such as the extent of financial disparity caused.

In extreme cases, there is also a statute that defines certain incidents as “Aggravated Identity Theft” which allows for consecutive sentences to be enforced upon criminals