Balancing basic freedoms and the need to fight cybercrime

South Africa's new cybercrime legislation is another tool in its armoury aimed at fighting online crime. In addition, it sends a clear signal to other African Union (AU) member states of its commitment to tackling such crime.

As a leading economy in the region, South Africa is increasingly being targeted by cybercriminals, in part because of high mobile phone and Internet penetration. Its status as one of Africa's biggest financial hubs also makes it an especially attractive target for cybercriminals.

Other sizeable economies such as Nigeria, Morocco, Egypt and Kenya are also fast becoming the focus of cybercriminals. Current trends suggest that the continent will continue to face Internet- and mobile phone-related crime at a growing rate. Crimes traditionally classified as cybercrime range from extortion, forgery and fraud to the use of Internet platforms to distribute child pornography or trade in illicit goods.

Cost of cybercrime to the continent

The latest figures from South Africa's Banking and Risk Information Centre estimate that cybercrime costs the country roughly 2.2 billion rand in lost revenue annually (US$154 million). For Africa in general, where the economic development potential of the Fourth Industrial Revolution is being hailed as a game changer, there is merit in the argument that in order to harness these benefits, the continent needs to be better equipped to confront the risks.

Sizeable economies like Nigeria, Morocco, Egypt and Kenya are becoming targets for cybercriminalsSpeaking at a recent cyber security summit, Abdul-Hakeem Ajijola, who chairs the AU Cyber Security Expert Group that advises the AU Commission on cyber-related issues, cautioned that 'Africa shouldn't be the weak link, because once you have a weak link, it undermines the global value chain'. The need to rapidly scale up mitigation measures to bring Africa into line with international best practice is clear.

Defining cybercrime

Establishing robust legal architecture to confront cybercrime, as well as putting in place more effective prevention measures and public education, is an important step in building continental resilience to cybercrime.

South Africa's new Cybercrimes Act sets out a range of offences that constitute cybercrime. Until now, the absence of a clear definition has hampered the investigation and prosecution of Internet-based crimes, with authorities having to rely on the Criminal Procedure Act (1977).

The new act defines cybercrime as including, but not limited to, unlawful access to a computer or device such as a USB drive or an external hard drive; the illegal interception of data; the unlawful acquisition, possession, receipt or use of a password; and forgery, fraud and extortion online. Malicious communications are also criminalised.

It also sets out the scope and mechanisms by which investigators can search and seize computer hardware, software and other items such as USB drives or storage devices. It describes how the South African authorities should conduct international investigations and how evidence must be collected, shared and preserved for future prosecutions.

Together with the Protection of Personal Information Act (POPI), which came into full operation on 1 July 2021, South Africa's legislation now adheres to international standards.

AU legal frameworks

In addition to drawing up national legislation, it is also necessary to ratify agreements such as the AU Convention on Cyber Security and Personal Data Protection (Malabo Protocol). This is Africa's most important convention on cybercrime.

The Malabo Protocol provides a legal framework to 'harmonise legislation' between member states to fight cybercrime and money laundering. It also seeks to establish a mechanism for each state party to respond to cybercrime while respecting the 'basic freedoms and human rights of individuals' and taking into account security considerations.  

African states have been slow to ratify this regional treaty. Only Angola, Guinea, Ghana, Mozambique, Mauritius, Namibia, Rwanda and Senegal have done so thus far. This lengthy pace of adoption is limiting its effectiveness.

The Malabo Protocol provides a legal framework to harmonise legislation and fight cybercrime

South Africa's passage of cybercrime legislation demonstrates it is 'walking the walk', according to Moliehi Makumane, a former special advisor on cybercrime for South Africa's foreign ministry, and signals the South African government's intention to ratify the convention.

Stronger regional cooperation could not come soon enough, argued Ajijola, but equally urgent was the need for practical rapid action to counter the threat of cybercrime. He said his expert group's main priority was 'protecting the next 1 billion from the Global South who are beginning to come online. We are talking about the street vendors, the itinerant farmers' who are using mobile phones to conduct business.

Implementation hampered by a lack of skills

Makumane, who led a number of South African government delegations to the UN on the topic of cybercrime, said that the hard work started now. 'A lot of countries will be looking at how we implement the Act.' 

Zambia has recently enacted the Cyber Security and Cyber Crimes Act (2021) and is likely to face similar capacity challenges as South Africa. Makumane predicted that one of the biggest obstacles to translating the law into practice was likely to be the issue of manpower – in particular, 'a lack of people with the necessary skills' to investigate and prosecute cybercriminals.

Police and justice department officials will have to establish regulations and centralised points of contact under the act. This will enable them to act on requests for mutual legal assistance from other countries – which, given the globalised nature of cybercrime, are highly likely – and to receive a coordinated response.

Africa's obstacle in effecting law is the lack of skills to investigate and prosecute cybercriminalsFurthermore, as organisations acting through Interpol seek to enhance regional capacity in terms of operations and intelligence sharing, there will be a greater demand to train personnel across Africa to tackle cybercrime. Makumane said that, in the South African context, managers may have to consider 'accepting certification rather than degrees to plug the skills gap'.

More broadly, in an interview, Ajijola suggested that cybercrime should be viewed as not only a threat but also an 'opportunity' for skills development, drawing on the African diaspora. 'Nigeria gets more money from remittances than oil, but if members of the diaspora community who acquire skills return to Africa with experience and expertise, we could find ourselves providing world-class solutions and be global players.'

Legal contestation

Another challenge is the possibility of legal contestation of legislation on constitutional or human rights grounds. For example, there may be challenges to 'clauses that might be interpreted and struck out by a court for violating citizens' rights, or contravene human rights, international humanitarian law, and evolving global cyber norms and standards', warned Ajijola.

The Nigerian government recently experienced this with a ruling by the Economic Community of West African States Court that Section 24 of its Cybercrime Prohibition and Prevention Act (2015) violates the right to freedom of expression. The court ruled that lawmakers should amend or delete Section 24 to bring the act back into line with the African Charter on Human and Peoples' Rights.

While South Africa's Cybercrimes Act and POPI Act were written with the country's constitution firmly in mind, there is a chance that some aspects of the legislation may also be subject to legal challenge. One possible issue is whether the reporting obligations on electronic communications service providers in the event of a cyberattack conflict with the regulatory requirements for businesses under the POPI Act. In other words, is there a disincentive for companies to cooperate with cybercrime investigations if in doing so they expose themselves to fines for failing to have robust security measures?

Risks and advantages of mobile technology

The availability of cheap mobile phone technology has given disadvantaged communities in the Global South unprecedented access to markets and services, but it is also exposing more Africans to risk. Citing a recent investigation that revealed how pre-loaded software on cheap Chinese smart phones sold in South Africa, Ethiopia, Cameroon, Egypt and Ghana had resulted in users' data being stolen, Ajijola said building a 'cyber envelope system' (i.e. stronger counter-measures) was urgently needed to prevent Africa from becoming a 'weak link' in cybersecurity mitigation measures.

African countries are vulnerable to abuses when democratic institutions are weakOther concerns about data manipulation include the possibility of social engineering during elections. There have been documented cases in which voter registration data was sold to political parties, which then used it to micro-target voters and capitalise on fears or divisions.

African countries are particularly vulnerable to such abuses in settings where democratic institutions are weak. The Cambridge Analytica experience, where voter information was sold to a political lobbying firm working for candidates in Kenya and Nigeria, among others, shone a spotlight on such operations and contributed to both countries' putting in place data protection legislation. 

Furthermore, issues of how African governments engage with social media platforms such as Twitter and Facebook, and balance security concerns against the right to freedom of expression, are likely to dominate debate – both publicly and among AU member states.

Karen Allen, ISS Consultant

feature-5icon-printerPSC REPORT