[governance] Kenya/Uganda online debate on the African Union Convention on Cyber Security(AUCC)

Suresh Ramasubramanian suresh at hserus.net
Mon Nov 25 20:18:16 EST 2013


I would agree with SM that there are sections on data protection, copyright bolted on, and electronic transaction security / spam are specifically referenced here rather than implied in the Budapest convention (where it is quite possible to have inter agency cooperation across countries to arrest a criminal spammer, and this has happened in the past).

This is more due to the unique needs of Africa, I would say. When you have a convention you need enabling legislation around it, which, if it does not exist, all has to be drafted from scratch, and hopefully drafted so as to be harmonized with the laws drafted in other signatories to the convention. What differences SM pointed out are related to this different maturity level of the laws in various African countries.

--srs (iPad)

> On 26-Nov-2013, at 2:17, Grace Githaiga <ggithaiga at hotmail.com> wrote:
> 
> Dear Suresh
> The points you raise are very useful and I will put them in our reporting matrix. 
> Further, I copy a message here on the difference between the Budapest and AU Convention as outlined by one SM. It was a response to Jean Paul but it never came onto the list.
>
> Let's keep this debate live.
> 
> Rgds
> Grace
> 
> 
> From: SM (sm at resistor.net)
> 
> To: Jean Paul NKURUNZIZA, Grace Githaiga
> 
> Cc: internetgovtech at iab.org
>  
> 
> Hi Jean Paul,
> At 21:54 24-11-2013, Jean Paul NKURUNZIZA wrote:
> >Thank you Grace for sharing those updates about the African Union 
> >Convention on Cyber Security(AUCC)
> >Just last week (21 and 22 November 2013), the National
> >Telecommunication Regulatory Authority of Burundi (I am Burundian
> >based in Burundi) has conducted a sensitisation workshop about the
> >issue of cybersecurity.
> 
> The (European) Convention on Cybercrime is different from the 
> (African Union) draft convention on the confidence and security in 
> cyberspace. The former is somewhat about computer-related offences, 
> content-related offences and offences related to infringements of 
> copyright and related rights. As a quick note, it seems that the 
> draft convention tries to cover consumer protection, intellectual 
> property rights, personal data and information systems. It is a bit 
> odd to mix all that with legislation to tackle activities which are 
> legislated as criminal activities.
> 
> The differences between the convention and this draft convention are 
> that the latter:
> 
> - tries to solve the spam problem
> 
> - includes electronic transaction
> 
> - includes a legal framework for personal data protection
> 
> The scope of the draft convention is broad. The draft convention 
> does not have any text about lawful interception. That can be used 
> to address the problems the draft convention attempts to solve. The 
> drawback is that it might entail less personal data protection.
> 
> Regards,
> -sm 
> 
> To: ggithaiga at hotmail.com; governance at lists.igcaucus.org
> From: suresh at hserus.net
> Date: Mon, 25 Nov 2013 06:58:01 +0530
> Subject: Re: [governance] Kenya/Uganda online debate on the African Union Convention on Cyber Security(AUCC)
> 
> Hi Grace 
> 
> About I8 to I10 as I have worked extensively on spam at a technical and policy level since the late 90s 
> 
> I8 : This is a convention and not an international law. It provides a criterion that nations in the American will commit to harmonize their current (or more likely proposed, in large parts of Africa) to be uniform on this and other provisions. In this case, it advocates transparency in direct marketing offers which is a best practice 
> 
> I9 : this is an optin law, which is respectful of user privacy and doesn't allow the sending of unsolicited bulk email, which is the canonical definition of spam. This should not restrict itself to marketing but cover other sorts of bulk mail sent by other organizations or individuals. The law should be content neutral and cover all forms of unsolicited bulk email rather than just marketing mail. 
> 
> I10 : this is a standard prior business relationship exception to make compliance simpler 
> 
> The articles also need to additionally cover criminal forms of spam as the 419 scam, phishing etc. 
> 
> They additionally need to specify penalties both for the organization that commissioned the spam and the marketing agency they contracted with to actually send the spam. 
> 
> Specific language that would be appropriate is in the Australian spam act of 2003 and in the proposed Canadian antispam law, both of which were drafted after open, consultative and multistakeholder processes in the respective countries, including inputs from respected privacy groups. 
> 
> Before that, data protection and net anonymity have to be carefully balanced to log data but retain it under strict controls and regulation of how it can be used (in accordance with privacy regulations). If you legislate blanket anonymity then scam artists and cybercriminals will extensively abuse it to remain undetected. 
> 
> These are a first set of thoughts 
> 
> --srs (htc one x)
> 
> ----- Reply message -----
> From: "Grace Githaiga" <ggithaiga at hotmail.com>
> To: "governance at lists.igcaucus.org" <governance at lists.igcaucus.org>, "bestbits at lists.bestbits.net" <bestbits at lists.bestbits.net>
> Subject: [governance] Kenya/Uganda online debate on the African Union Convention on Cyber Security(AUCC)
> Date: Mon, Nov 25, 2013 3:30 AM
> 
> IGC and Bestbits Listers
> I write to you to seek your views on the African Union Convention on Cyber Security (AUCC) http://pages.au.int/sites/default/files/AU%20Cybersecurity%20Convention%20ENGLISH_0.pdf
> KICTANet has been in discussion with AUC and the drafters have accepted to receive our input despite having gone through this process two years ago with African governments. The Convention will be signed in January 2014.
> In light of this, Kenya and Uganda stakeholders will conduct an online debate on multiple lists of KICTANet and ISOC-KE, and on I-Network list moderated by the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) and ISOC-Uganda, starting today, Monday 25th, to Friday 29th November 2013. Please feel free to send us your contribution.
> Rgds
> Grace
> Below is the announcement made on the multiple lists. 
> 
>  
> 
> 1. Background to the African Union Convention on Cyber Security (AUCC)
> 
> African Union (AU) convention (52 page document) seeks to
> intensify the fight against cybercrime across Africa in light of increase in
> cybercrime, and a lack of mastery of security risks by African countries.
> Further, that one challenge for African countries is lack of technological
> security adequate enough to prevent and effectively control technological
> and informational risks. As such “African States are in dire need of innovative
> criminal policy strategies that embody States, societal and technical responses
> to create a credible legal climate for cyber security”.
> 
> The Convention establishes a framework for cybersecurity in
> Africa “through organisation of electronic transactions, protection of personal
> data, promotion of cyber security, e-governance and combating cybercrime”
> (Conceptual framework).
> 
>  
> 
> 2. Division of the Convention
>
> Part 1   Electronic transactions
>
> Section I: Definition of terms
>
> Section II: Electronic Commerce (Fields of application of electronic commerce, Contractual responsibility of the electronic provider of goods and services).
>
> Section III: Publicity by electronic means.
>
> Section IV: Obligations in electronic form (Electronic contracts, Written matter in electronic form, Ensuring the security of electronic transactions).
> 
>  
> 
> Part II   PERSONAL DATA PROTECTION
>
> Section I: Definition
>
> Section II: Legal framework for personal data protection (Objectives of this Convention with respect to personal data, Scope of application of the Convention, Preliminary formalities for personal data processing).
>
> Section III: Institutional framework for protection of personal data (Status, composition or organization, Functions of the protection authority).
>
> Section IV: Obligations relating to the conditions governing the processing of personal data (basic principles governing the processing of personal data, Specific principles governing the processing of sensitive data, Interconnection of personal data files).
>
> Section V: The rights of the person whose personal data are to be processed (Right to information, Right of access, Right of opposition, Right of correction or suppression).
>
> Section VI: Obligations of the personal data processing official (Confidentiality obligations, Security obligations, Conservation obligations, Sustainability obligations).
> 
>  
> 
> PART III – PROMOTING CYBERSECURITY AND COMBATING CYBERCRIME
>
> Section 1: Terminology, National cyber security framework, Legislative measures, National cyber security system, National cyber security monitoring structures).
>
> Section II: Material penal law (Offenses specific to Information and Communication Technologies [Attack on, computerized data, Content related offenses], Adapting certain information and communication technologies offenses).
>
> Section II: Criminal liability for corporate persons (Adapting certain sanctions to the Information and Communication Technologies, Other penal sanctions, Procedural law, Offenses specific to Information and Communication Technologies).
> 
>  
> 
> PART IV: COMMON AND FINAL PROVISIONS
>
> Section I: Monitoring mechanism
>
> Section II: Final responses
>  
> 
> The Proposed Discussion
> 
> We have picked on articles that need clarity, and would
> request listers to kindly discuss them and provide recommendations where
> necessary. Also, where
> necessary, listers are encouraged to identify and share other articles that
> need clarifications that we may have left out.
> 
>  
> 
> Day 1 Monday 25/11/2013
> 
> We begin with Part 1 on Electronic transactions and pick on
> four articles which we will discuss on Monday (25/11) and Tuesday (26/11). 
> 
> Section III: Publicity by electronic means
> 
>  Article I – 7:
> 
>  Without prejudice to Article I-4 any advertising
> action, irrespective of its form, accessible through online communication service,
> shall be clearly identified as such. It shall clearly identify the individual
> or corporate body on behalf of whom it is undertaken.
> 
> Question: Should net anonymity be legislated? If so, what measures need to be or not be considered?
>
> Question: Should individuals or companies be obliged to reveal their identities and what are the implications?
> 
> 
> 
> Article I – 8:
> 
> The conditions governing the possibility of promotional
> offers as well as the conditions  for participating in promotional
> competitions or games where such offers, competitions or games are
> electronically disseminated, shall be clearly spelt out and easily accessible.
> 
> Question: Should an international (or should we call it regional) law legislate on promotional offers and competitions offered locally?
> 
> 
> 
> Day 2 Tuesday 26/11/13
> 
> Article I – 9:
> 
> Direct marketing through any form of
> indirect communication including messages forwarded with automatic message
> sender, facsimile or electronic mails in whatsoever form, using the particulars
> of an individual who has not given prior consent to receiving the said direct
> marketing through the means indicated, shall be prohibited by the member states
> of the African Union.
> 
> Article I – 10:
> 
>  The provisions of Article I – 9 above
> notwithstanding, direct marketing prospection by electronic mails shall be
> permissible where:
> 
> 1) The particulars of the addressee have been obtained
> directly from him/her,
> 
> 2) The recipient has given consent to be contacted by the
> prospector partners
> 
> 3) The direct prospection concerns similar products or
> services provided by the same individual or corporate body.
> 
> Question: Is this a realistic way of dealing with spam? 
> 
> Article I – 27
> 
> Where the legislative provisions of Member States have not
> laid down other provisions, and where there is no valid agreement between the
> parties, the judge shall resolve proof related conflicts by determining by all
> possibl
> ____________________________________________________________
> You received this message as a subscriber on the list:
>     governance at lists.igcaucus.org
> To be removed from the list, visit:
>     http://www.igcaucus.org/unsubscribing
> 
> For all other list information and functions, see:
>     http://lists.igcaucus.org/info/governance
> To edit your profile and to find the IGC's charter, see:
>     http://www.igcaucus.org/
> 
> Translate this email: http://translate.google.com/translate_t