COMPUTER SOCIETY OF ZIMBABWE SUMMER SCHOOL 2018:...

COMPUTER SOCIETY OF ZIMBABWE SUMMER SCHOOL 2018: VIC FALLS

07-10 November 2018“EVERYTHING ICT – THE DIGITAL AGE & CYBER SECURITY”

RUFARO E. MHANDUSENIOR ASSOCIATECRIMINAL LAW & CYBERLAW SPECIALISTMUVINGI AND MUGADZA LEGAL PRACTITIONERSwww.mmmlawfirm.co.zwrmhandu@mmmlawfirm.co.zw0717717567/ 0771417458

http://www.mmmlawfirm.co.zw/

mailto:[email protected]

Worldwide, the ever-increasing surge of technology has brought with it a myriad of legal problems - D.P. van der Merwe at al,

Information and Communications Technology Law, 2nd Edition, 2016, Lexis Nexis: South

Africa

An Analytical Approach To Cybersecurity And Cybercrime FromA Legislative Perspective In The New Digital Age In Zimbabwe

• Statistics gathered by the Ministry of Information CommunicationTechnology and Cybersecurity when they drafted the Zimbabwe NationalPolicy on Information and Communication Technology shows that thenumber of ICT users is escalating as technology continues to evolve.

• According to the Ministry, as at 31 December 2015, mobile users had risento 95.4% and internet use had risen to 45%. From a cybersecurityperspective, the need for legislative intervention regulating internetactivities is a matter of urgency.

• The legal landscape itself has been evolving greatly with a surge ofcybercrimes being reported to the police daily. A look at the nature ofoffences being reported is a cry in itself for legislative intervention.

• The legislature needs to engage the computer science experts in order tocraft technologically sound legislation and governance. The role to beplayed by the computer science community should not be undermined.


• This must occur as a team work. The legislative office of the AttorneyGeneral’s Office needs to engage the computer science experts.

• The development of the Cybercrime and Cybersecurity Bill shows verylittle engagement between the stakeholders: litigants, computer scienceexperts and the investigator. Without the experts’ input, the legislationcannot be amplified to the optimum.

• Current legislation is inadequate towards governance of cyberspaceactivities. Proposed legislation needs serious revision.

• Whilst imploring a legislative perspective to cybersecurity and cybercrime,it will be an injustice to our legal system if we overlook the importance ofcyberforensics in this equation.

• Again, the role of computer science experts cannot be overemphasizednor overlooked. In order to develop an effective procedural legislation togovern gathering of evidence using cyberforensics and cyber forensicrelated aspects, the Zimbabwe Republic Police burdened with theinvestigative mandate must continue to undergo rigorous cyberforensictraining.

Report on the world’s legislative landscape in 2000 by McConnell International LLC:

Report on Africa’s legislative landscape by OAfrica on the 3rd of October 2012:Botswana:

• Cybercrime and Computer Related Crimes Bill 2007

• Financial Intelligence 2008

• e-Legislation Committee formed in 2010

• Chapter 08:06 cybercrime and computer related crimes act

Ghana:

• Electronic Transaction Act (2008)

• Criminal Code Act 29/60 Section 131 for Cybercrime Prosecution

• MoC is drafting a national Cyber Security Strategy

• e-Crime Project

Kenya:

• Kenya Information and Communication Act

• Kenya Communications Regulations, 2001 (Broadcasting, 2009)

• No national cyber security policy in place yet

Morocco:

• Morocco Numeric 2013 contains a variety of acts addressing information and cyber security

Mozambique:

• National Cybersecurity Management System is in the process of being implemented

• Electronic Transactions Act

Report on Africa’s legislative landscape by OAfrica on the 3rd of October 2012:Namibia:• Computer Misuse and Cybercrime Act 2003• Electronic Transactions and Communications BillNigeria:• Harmonized Cybersecurity Bill 2011 (ready for National Assembly)• Nigerian Cyber-Crime Working Group InitiativeSudan:• Cyber Crime Law of 2007• Electronic transactions law (2007)• Informatics Crimes Law 2007• CERT SudanTunisia:• National Plan and Strategy in IT (2003)• Law on protection of Privacy and Personal Information (2004)• Law on Electronic signature and e-commerce (2000)• Law Against Cyber-Crimes• Law related to IT Security (2004)Zimbabwe:• No law on cyber crime

Report on the world’s legislative landscape by David Banisar in January 2018:

LEGISLATION CONVENTION

•Legislation is the law or body of rules that has been enacted by the legislature or any governing body that has the mandate to make the law in a country.

•A convention is an agreement in international law that is made between countries to address particular legal issues of concern.

•Legislation also refers to a law that is yet to be enacted by the legislature or governing body, known as a “bill”.

•Member states agree to a convention by way of being signatories – signing the convention, ratifying or acceding to the convention (i.e. ratification or accession of a convention).

•Legislation can be drafted in such a manner so as to adopt principles contained in a convention.

•The convention can set out how it is deemed to come into force; subject to the provisions of various statutes of the member states’ domestic laws.

•Member states can domesticate the convention (done by legislation)

•Non-member states can adopt principles contained in the convention during legislative processes.


World and Regional legislative perspective:• Budapest Convention – Convention on Cybercrime

2001- Adopted at Budapest on the 23rd of November 2001 by

the Council of Europe

• Malabo Convention - African Union Convention on Cybersecurity and Personal Data 2012

- Adopted at the 23rd Ordinary Session of the Assembly held at Malabo in Equatorial Guinea on the 27th of June 2014


• BUDAPEST CONVENTION- Convention on cybercrime.- This convention can be acceded by any country.- This convention works as a guideline to countries

in their law-making processes, regardless of thembeing member states or non-member states

- An analysis of the laws in Zimbabwe, from thereading of the Cybersecurity and CybercrimeBill, 2017; the legislature seemingly adopted theBudapest Convention.


BUDAPEST CONVENTION – PREAMBLE:• Convinced of the need to pursue, as a matter of priority, a

common criminal policy aimed at the protection of societyagainst cybercrime, inter alia, by adopting appropriatelegislation and fostering international co-operation;

• Conscious of the profound changes brought about by thedigitalisation, convergence and continuing globalisation ofcomputer networks;

• Concerned by the risk that computer networks andelectronic information may also be used for committingcriminal offences and that evidence relating to suchoffences may be stored and transferred by these networks;


Comparison between the provisions of the Budapest Convention and the Cybercrime and

Cybersecurity Bill, 2017 of Zimbabwe

Budapest convention Cybercrime and Cybersecurity Bill, 2017

Article Description Section Description

Art. 1 Definitions s3 Interpretation section

Art. 2 Illegal access s6; s8 Unlawful access; unlawful acquisition of data.

Art. 3 Illegal interception s7 Unlawful interception of data.

Art. 4 Data interference s9 Unlawful interference with data or data storage system

Art. 5 System interference s10; s11

Unlawful interference with computer system; unlawful disclosure of data code


Comparison between the provisions of the Budapest Convention and the Cybercrime and Cybersecurity Bill, 2017 of Zimbabwe

Budapest Convention Cybercrime and Cybersecurity Bill, 2017


Art. 6 Misuse of devices s12 Unlawful use of data or devices

Art. 7 Computer-related forgery s23 Cyber-forgery and transmission thereof

Art. 8 Computer-related fraud s21; s24 Cyber-fraud; Computer-relatedfinancial offences

Art. 9 Child pornography s30; s31 Child pornography; Exposing children to pornography

Art. 10 IPR offences s25 Violation of intellectual PRs

Art. 12 Corporate liability s37 Obligations of service providers


Comparison between the provisions of the Budapest Convention and the Cybercrime and Cybersecurity Bill, 2017 of Zimbabwe

Budapest Convention Cybercrime and Cybersecurity Bill, 2017


Art. 14 Scope and procedural provisions

s32 Application of procedural law

Art. 16 Expedited preservation s34 Expedited preservation

Art. 17 Expedited preservation & partial disclosure of traffic data

s35 Partial disclosure of traffic data

Art. 19 Search and seizure s33 Search and seizure

Art. 20 Real-time collection of traffic data

s36 Collection of traffic data

Art. 21 Interception of content data s35 Partial disclosure of data

Art. 22 Jurisdiction s38 Jurisdiction


MALABO CONVENTION:

• African Union Convention on Cybersecurity andProtection of Personal Data

• Adopted , but not yet in effect because only 3 countrieshave ratified the Convention to date and 11 havesigned it.

• On the 17th of October 2018, the AU Commission, inparticular Dr. Amani Abou-zeid reportedly urged themember states to ratify the Convention immediately.

• This Convention needs 15 countries to ratify it in orderto come into effect – article 36

MALABO CONVENTION: UPDATE ON MEMBER STATES

Countries Date signed Date ratified/ accession

1. Benin 28.01.15 -

2. Chad 14.06.15 -

3. Comoros 29.01.18 -

4. Congo 12.06.15 -

5. Ghana 04.07.15 -

6. Guinea-Bissou 31.01.15 -

7. Guinea - 31.07.18

8. Mozambique 29.06.18 -

9. Mauritania 26.02.15 -

10. Mauritius - 06.03.18

11. Senegal - 03.08.16

12. Sierra Leone 29.01.16 -

13. Zambia 29.01.16 -


MALABO CONVENTION – PREAMBLE: • Guided by the Constitute Act of the African Union adopted in 2000.• The preamble of this Convention reflects that in its objectives and aims, it is

intended that:- It establishes a legal framework for Cyber-security and Personal Data

Protection which embodies the existing commitments of African UnionMember States at sub-regional, regional and international levels to build theInformation Society.

- It reaffirms the commitment of member states to fundamental freedoms andhuman and peoples’ rights contained in the declarations, conventions andother instruments adopted within the framework of the African Union and theUnited Nations.

- It establishes regulatory framework on cyber-security and personal dataprotection that takes into account the requirements of respects for the rightsof citizens, guaranteed under the fundamental texts of domestic law andprotected by international human rights Conventions and Treaties,particularly the African Charter on Human and Peoples’ Rights.


MALABO CONVENTION – PREAMBLE:- It is also meant to regulate a particularly evolving technological domain, and

also sets forth the security rules essential for establishing a credible digitalspace for electronic transactions, personal data protection and combatingcybercrime.

- That in terms of criminal procedural law, it defines the framework for theadaptation of the standard proceedings concerning information andtelecommunication technologies and spells out the conditions for institutingproceedings specific to cybercrime.

- It addresses the need for harmonized legislation in the area of cyber-securityin member states of the African Union, and to establish in each State party amechanism capable of combating violations of privacy that may be generatedby personal data collection, processing, transmission, storage and use

- It addresses the need for the protection under criminal law of the systemvalues of the Information Society as a necessity prompted by securityconsiderations; that is reflected primarily be the need for appropriate criminallegislation in the fight against cybercrime in general, and money laundering inparticular;


SADC MODEL LAW: COMPUTER CRIME AND CYBERCRIME• This model is cited as an achievement of a regional activity carried out

under the HIPSSA project (“Support to the Harmonization of ICT Policies inSub-Sahara Africa”) officially launched in Addis Ababa in December 2008

• Works as a template generated to guide states on the legal and regulatoryframework to be adopted in creating ICT policies for their respective legalsystems in addressing cybercrime.

• A look at the incoming laws of Zimbabwe; particularly the Cybercrimeand Cybersecurity Bill, 2017, the Data Protection Bill, 2013 and theElectronic Transactions and Electronic Commerce Bill, 2013; shows thatthe legislature adopted the outline set out in the SADC Model Law.

• Initially sections 42, 43 and 44 of the Data Protection Act expresslyshowed that the legislature adopted the SADC Model Law, the influencewas so apparent, but was later cancelled so as to accommodateinternational law.


1. Cybercrime & Cybersecurity Bill

2. Data Protection Bill

3. Electronic Transactions Bill

Budapest Convention

Malabo Convention

SADC Model Law


LEGISLATION ON CYBERSECURITY AND CYBERCRIME IN ZIMBABWE

CURRENT LEGISLATION FUTURE LEGISLATION

1. Constitution of the Republic ofZimbabwe (Amendment NO. 20) 2013

1. Cybercrime and Cybersecurity Bill, 2017

2. Access to Information and Protection of Privacy Act [Chapter 10:27]

2. Data Protection Bill, 2013

3. Criminal Law (Codification and Reform) Act [Chapter 9:23]

3. Electronic Transactions and Electronic Commerce Bill, 2013

4. Interception of Communications Act [Chapter 11:20]


CONSTITUTION OF THE REPUBLIC OF ZIMBABWE, 2013

• Section 51 – right to human dignity – every person has inherent dignity in their private andpublic life, and the right to have that dignity respected and protected.

• Section 52 – right to personal security – (a) every person has the right to bodily andpsychological integrity, which includes the right to freedom from all forms of violence frompublic and private sources.

• Section 53 – freedom from torture or cruel, inhuman or degrading treatment or punishment– no person may be subjected to physical or psychological torture or to cruel, inhuman ordegrading treatment or punishment.

• Section 57 – right to privacy – (d) every person has the right to privacy, which includes theright not to have the privacy of their communications infringed.

• Section 61 – freedom of expression and freedom of the media – (5) excludes (a) incitementto violence; (b) advocacy of hatred or hate speech; (c) malicious injury to a person’s reputationor dignity; or (d) malicious or unwarranted breach of a person’s right to privacy.

• Section 62 – access to information – provides for right of access to any information held byany person, held by the State or by any institution – correction thereof – includingenactment of legislation to give effect to this right within the confines of the Constitution’sprinciples.


Criminal Law (Codification and Reform) Act• Section 162 – Interpretation section• Section 163 – Unauthorized access to or use of computer or

computer network• Section 164 – Deliberate introduction of computer virus

into computer or computer network• Section 165 – Unauthorized manipulation of proposed

computer programme• Section 166 – Aggravating circumstances (s163, s164, s165)• Section 167 – Unauthorized use of credit or debit cards• Section 168 – Unauthorized use of password or pin-number


Access of Information and Protection of Privacy Act• members of the public have a right of access to records

and information held by public bodies;• public bodies are accountable – public has a right to

request correction of misrepresented personalinformation;

• Prevention of unauthorised collection, use ordisclosure of personal information by public bodies; toprotect personal privacy;

• regulation of the mass media;• Establishment of a Media and Information Commission


INTERCEPTION OF COMMUNICATIONS ACT

• To govern the lawful interception and monitoring of certaincommunications in the course of their transmission through atelecommunication, postal or any other related service or system inZimbabwe; Enacted 3 August 2007

• Section 1 – short title of the Act

• Section 2 – Interpretation section

• Section 3 – Control interception – can intercept telecommunication ifparty to or have been given consent by a party to the communication;except for bona fide interception during the course of provision,installation, maintenance or repair of telecommunication

• Section 4 – Establishment of monitoring centre

• Section 5 – Authorised persons to apply for warrant of interception

• Section 6 – issue of warrant

An analytical Approach To Cybersecurity and Cybercrime Froma Legislative Perspective In The New Digital Age in Zimbabwe

INTERCEPTION OF COMMUNICATIONS ACT • Section 7 – Scope of warrant and renewal thereof• Section 8 – Evidence obtained by unlawful interception – inadmissible –

criminal proceedings• Section 9 – Assistance by service providers• Section 10 – Duties of Service providers in relation to customer – must

obtain personal information – basically – name, physical address, IDdetails

• Section 11 – Notice of disclosure of protected information – by authorisedperson to key holder of protected information

• Section 12 – Interception capability of telecommunication service –service provider must provide service that can be intercepted & store call-related information

• Section 13 – Compensation payable to service provider or protectedinformation key holder – must be by the State and according toreasonable tariffs prescribed by the Minister.


Cybercrime and Cybersecurity Bill, 2017• To provide for and to consolidate cyber-related offences with due

regard to the Declaration of Rights under the Constitution and thepublic and national interest;

• to establish a Cyber Security Centre and to provide for itsfunctions; provide for investigation and collection of evidence ofcyber-crime;

• to provide for the admissibility of electronic evidence for suchoffences; to create a technology-driven business environment;

• to encourage technological development and the lawful use oftechnology;

• to amend section 162 and to repeal sections 163 to 166 of theCriminal Code (Codification and Reform) Act [Chapter 9:23];


Data Protection Bill, 2013• An Act to govern the processing of personal

information by private and public bodies,• to prevent unauthorised and arbitrary use,

collection, processing, transmission and storageof data of identifiable persons,

• to provide for the regulation of data protection,to establish a Data Protection Authority and

• to provide for matters connected therewith orincidental to the foregoing.

DATA PROTECTION ACT• Section 1 – Short title

• Section 2 – Interpretation

• Section 3 – Scope of application

• Section 4 to 14 – Data ProtectionAuthority

• Section 15 to 20 – Quality of Data

• Section 21 – disclosure whencollecting data directly from datasubject

• Section 22 – Disclosure when notcollecting data directly from datasubject

• Section 23 – Authority toprocess

• Section 24 – Security• Section 25 – Security breach

notification• section 26 – Obligation of

notification to the Authority• Section 27 – Content

notification• Section 28 – Authorization• Section 29 – Openness of the

processing• Section 30 – Accountability• Section 31 – Right of Access

DATA PROTECTION ACT

• Section 32 – Right ofrectification, deletion andtemporary limitation ofaccess

• Section 33 – Right ofobjection

• Section 34 – Delays• Section 35 – Further

Regulation

• Section 36 – Decisiontaken purely on the basisof automatic dataprocessing

• Section 37 –Representation of thatdata subject – child

• Section 38 –Representation of dataphysically, mentally orlegally incapacitatedsubjects


ELECTRONIC TRANSACTIONS AND ELECTRONIC COMMERCE BILL, 2013

• to promote legal certainty and enforceability to electronictransactions and electronic commerce,

• to grant legal recognition to electronic communications and writing,to provide for the legal effect of electronic signatures and secureelectronic signatures,

• to make provision for the admissibility and evidentiary weight ofelectronic evidence,

• to provide for the time and place of the dispatch and receipt ofelectronic communications and electronic contract formation,transactions,

• to protect consumers in the on-line environment and to prohibitcertain electronic marketing practices, to provide for the limitationof liability of service providers,


ELECTRONIC TRANSACTIONS AND ELECTRONIC COMMERCE BILL, 2013

• Section 4 – Legal recognition of electronic communications – datamessage – valid and enforceable

• Section 5 – Recognition by parties of electronic communications –electronic communications – statement, declaration of will or any otheraction – valid and enforceable

• Section 7 – Signature – electronic signature valid – if it complies withRegulation requirements

• Section 8 – Creation and recognition of secure electronic signature

• Section 11 – Formation and validity of contracts

• Section 26 – Obligations of supplier – consumer protection – must providebusiness information – full business details, contact, address, email,description and price of product, terms of transaction, maintain record oftransaction and give access thereto.


Cyber-crime and the existing laws in Zimbabwe• EcoCash fraud – section 136 Codification• Ransomware; hacking – section 163 of the Codification• Malware – section 164 of the Codification• Card cloning – section 167 of the Codification• Identity theft – section 113, 136• Revenge porn – section 61(5)(c) & (d); section 57(d) of

the Constitution• Cyber-fraud – section 136 of the Codification• Cyber-bullying – criminal insult – section 95 of the

Codification


• WHY IS LEGISLATION IMPORTANT?

- To instil legislative governance of thecyberspace activities;

- To establish a regulatory system thatpromotes cybersecurity;

- To establish a legal framework aimed atgovernance of the protection of personaldata;

- To establish a legal framework for thecriminalization of cybercrimes;

- To establish a regulatory legal frameworkthat makes provision for accountability ofservice providers;

- To create a legal framework thatimplements compliance of internationalinstruments that promote legislativeredress on cybersecurity, cybercrimesand protection of personal data.

FIVE LAWS OF CYBERSECURITY by Nick Espinosa

1. If there is a vulnerability, it will

be exploited.

5. When in doubt, see Law No. 1

4. With innovation comes opportunity

for exploitation.

3. Humans trust even when they

shouldn’t.

2. Everything is vulnerable in some

way.


CASE STUDIES: • Chigumba Tweet Case – State versus Night Tawona

Shadaya – Section 95 – criminal insult• State versus Isaiah Marange – OK Zimbabwe Case –

hacked into OK Zimbabwe’s Money Wave System andprejudiced the company of $70 000.00

• Martha O’donovan Case – Subverting a constitutionalgovernment – s22 of Code – offence committed on twitter

• Fadzayi Mahere versus Petinah Gappah – Mahere suedGappah for defamation of character over tweet for 1million

• Liberty Life Assurance Case – Ransomware case – in SouthAfrica – prominent customers’ personal data breach


Chigumba Tweet Case: Magistrate Allows Suspect To Change Plea To Not GuiltyOctober 19, 2018

Harare Magistrate Rumbidzai Mugwagwa has ruled that Night Shadaya Tawona (25) fromChitungwiza can change his plea to not guilty. Shadaya is facing charges of criminal insult after heallegedly retweeted a tweet from a parody account pretending to be Zimbabwe ElectoralCommission (Zec) chairperson Priscilla Chigumba. The tweet in question said,

I can’t wait for the election fiasco to come to an end. I could do with a holiday and some good sex. My body needs a break.Tawona initially pleaded guilty to the charges and told the court that he was drunk when heretweeted the offensive tweet. He apologised for the tweet and warned other people not to makethe same mistake on social media platforms. However, before magistrate Rumbidzai Mugwagwacould sentence him, Tawona received legal representation from the Zimbabwe Lawyers for HumanRights (ZLHR). His lawyer Noble Chinhanu told the court that Shadaya had pleaded guilty becausehe had been pressured to do so and because he was not aware of the elements of the case. Heargued that Shadaya should not be charged with any crime as he had no intention to defame orinsult Chigumba since he believed that the account was hers. Chinhanu told the court,

My client genuinely believed that the account belonged to Chigumba at the time of retweeting andtherefore did not impair the reputation of the complainant. She did that herself.

The matter was postponed to November 5 for trial.https://news.pindula.co.zw/2018/10/19/chigumba-tweet-case-magistrate-allows-retrial-after-shadaya-

changes-plea-to-not-guilty/


Challenges: • Current legislation is inadequate to address legal

challenges that the judiciary system is currentlyburdened with; cybercrimes and computer-relatedissues – cyberforensics

• Current legislation does not address cases beingcurrently reported; E.g. identity theft, cyber-fraud

• Stake holders in the justice delivery system are forcedto improvise.

• Inadequate training of stake holders in the justicedelivery system to deal with cybercrimes, using thecurrent legislation


Recommendations:

• Train stake holders on how to deal with cybercrimes,cyberforensics and cybersecurity issues using currentlegislation.

• Consultative redress of legislation involving I.T.experts, litigants, investigators, and adjudicators.

• Legislature needs to implement legislative redress.

• Legislature needs to enact all the bills held by theAttorney General’s office.

THANK YOU!!!!

COMPUTER SOCIETY OF ZIMBABWE SUMMER SCHOOL 2018:...

Documents

Transcript of COMPUTER SOCIETY OF ZIMBABWE SUMMER SCHOOL 2018:...