Africa deservedly gets much attention in the local and international tech and business media for its skyrocketing internet penetration, which in turn is boosting African economies and allowing for the launch of a new generation of digital startups.
With this growing web access, however, inevitably comes new cyber security threats. The likes of Kaspersky and Norton have highlighted for a number of years the increase in cybercrime in Africa, which will only get worse unless tackled adequately.
In South Africa alone, losses from cybercrime totaled US$500 million in 2014.
Much work needs to be done in order to prepare African governments and businesses from the growing threats they face.
African Union (AU) last June finally agreed to a convention on cybercrime, which was a big step in the right direction. However, the many flaws within the convention and the fact that not a single AU member state is yet to ratify it are causes for concern.
There are plenty of positives within the proposed convention.
It covers a very broad range of online activities, such as e-commerce, data protection and cybercrime, and would see many African nations enact personal data protection laws for the first time. AU member states would be required to develop national cyber security strategies and legislation.
According to Access, much of the data protection-related content of the convention mirrors that of the European Union (EU), requiring member states to have an independent national data protection authority (DPA), while data can only be processed for a “specific legitimate purpose”.
Individuals are more empowered to restrict the use of their personal data than they are now.
Meanwhile, also to be commended is the fact the cyber security sections of the convention specifically protect human rights, and civil society is included as part of the “multi-stakeholder” approach.
One is the pace of adoption, as the convention must be ratified by 15 countries to come into force. This could take as long as five years to happen, and in the meantime a number of countries are developing their own localized cybercrime laws that groups such as Access say are inappropriate.
There are also concerns over content restrictions. Nobody can argue with bans on child pornography and the like, but there are some quite broad definitions within the convention of “unseemly content” that could be dangerous if governments choose to apply them liberally.
In some instances, the definitions are not broad enough. Racism and xenophobia is outlawed, but discrimination on sexual orientation or gender is not. The word “insult” is also not properly defined, leaving room for abuse.
Particularly in light of what emerged in the United States with regard to the National Security Agency (NSA), it is also concerning that the convention puts not safeguards on the sharing of information between companies and governments, while it does not state what the limits are on the independent regulatory powers when cracking down on cybercrime.
Courts are also given too much power. The convention adds some worrying exceptions about when personal data can be processed, including in the public interest, with these loopholes wide enough to be exploited by a number of governments.
Journalists and whistleblowers should also be concerned, as leaked data under the convention counts as being “fraudulently obtained”.
Most groups analyzing the convention, such as Access, do however advise AU member states to implement it as quickly as possible, fearing a case of shutting the barn door after the horse has bolted.
As a first effort in requiring African countries to implement laws relating to cybercrime, it is a valiant try.
But given the way technology develops and the limitations of this first AU effort, even if the necessary 15 member states do ratify the convention (which appears unlikely to happen any time soon), it may be that Africa is left playing catch-up to cybercriminals in much the same way it lagged behind the rest of the world when it came to getting online in the first place.
