The African Union has prepared a final draft of the AU Convention on the Establishment of a Credible Legal Framework for Cyber Security in Africa ("the AUCC"). The AUCC is scheduled for final passage at an AU meeting in January 2014. We implore you to support our movement opposing passage of the AUCC in its current form.
After extensive discussions with various stakeholders from industry, academia, and NGOs, we have identified numerous provisions in the AUCC that, if passed by the AU, will have substantial negative effects on online economies and social cultures across Africa. A few of the more egregious examples are:
- As currently drafted, the AUCC dangerously imposes broad limitations on freedom of expression by permitting the interception of content data and traffic data on unfounded grounds, such as “where the imperatives of the information so dictate”.
- The AUCC vests in investigative judges the unlimited power to issue search and seizure warrants on data and on parts or the whole of computer systems on unfounded grounds such as “where it is useful for revelation of the truth”. Worse still, most African judicial officers are currently untrained in the technical and legislative aspects of cyber forensics needed to satisfy such a legal requirement, and the likelihood of misuse is high.
- The AUCC requires that ICT product vendors submit products for “vulnerability and guarantee tests.” Such a requirement, although intended to protect consumers, actually increases the risk to consumers. An ICT product vendor, having complied with the standardized testing required by the AUCC, can reasonably argue that such compliance completely eliminates their liability for security breaches of their products. The AUCC also places unlimited criminal liability on the corporate sector for offences defined in it.
- The AUCC requires that a person or a corporate organization engaging in electronic financial transactions provide full identity information, including PIN and address information. This requirement is costly and risky, and it remains unclear how such data will be protected and how confidentiality will be maintained.
- Finally, preparation of the AUCC involved little or no consultation with non-government stakeholders. Major industry stakeholders have expressed serious misgivings to us about the scope and practicality of the AUCC. Most industry stakeholders, however, remain completely unaware even of the existence of the draft AUCC.
We are calling for the AU to stop the ratification process of the AUCC, and to begin a transparent and public effort to revise the AUCC (or cancel it altogether) based on input from the private sector and civil society stakeholders.
In Kenya and in Africa, we are calling for a Parliamentary debate over the merits of the AUCC and whether AU member states should support passage of this ill-advised treaty. At a very minimum, cyber security experts and a wide selection of industry and non-government stakeholders should be given a chance to vet the AUCC. The process should be transparent and public.