Are Caribbean Cybercrime Bills based on flawed model law? (June 2015)

Image result for cybercrime law fingerprint keyboard

***This article was originally published in June 2015 via The Trinidad Guardian & TechnewsTT. It is being republished given the reading of the Cybercrime Bill, 2017, into Parliament on 5th May 2017.***  

I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.

A subsequent December 2014, Council of Europe discussion paper, entitled “Cybercrime Model Laws“, has come to light which examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention.  This Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. 

In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at law. The paper goes further to explain problems of developing legislation based on poor model law by describing the possible situation which states may find themselves in, when seeking international cooperation:

Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.

The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:

The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.

Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlight significant problems with not only the methodology but also the eventual outcome of these exercises.   For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.    

The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’.  Among these is one item in particular concerning illegally remaining on a system:

It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.

Subsequent analysis of Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6 which speaks to an offence of illegally remaining on a system as described above.  Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice?   There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seems to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.

Is this kind of deviation from international norms a legitimate concern?  There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises?  The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.

In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention.  Is this the solution which other Caribbean states should be exploring?

At this juncture when we debate the future of own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.

Additional food for thought…  

What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?  

Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well? 

How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?

The TT Cybercrime Bill debate continues:  Critics, Opinions and Facts

I was interviewed on 23/05/15 by Kejan Haynes on TV6′s “In Conclusion” for my take on the TT cybercrime bill 2015. Within the interview I alluded to certain ‘issues’ within the bill which seemed to have crept over from the model law phase.

I subsequently wrote an article briefly detailing these ‘issues’ which was carried by the Trinidad Guardian 07/06/15 as commentary within their Business Guardian magazine.  TechNewsTT also ran the piece on 08/06/15 complete with a comments section 😉

The article was primarily based on a December 2014, Council of Europe (CoE) discussion paper, authored by a barrister-at-law, which examined “Cybercrime Model Laws”.  The author of the referenced paper questioned the quality of both the methodology and eventual output of the HIPCAR and EGRIP cybercrime model law exercises upon which several Caribbean territories have subsequently based their proposed cybercrime legislation.  Specific to HIPCAR, the author of the referenced paper stated:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.

Ahhh the critics…

One critic of my piece, who previously served as a consultant on the HIPCAR model law exercise, questioned why I cited from only that single referenced paper  for the 800 odd word article, as part of his thinly veiled assault on my credibility and “academic rigour”.   In discussing my article and this critic’s comments on the Caribbean ICT forum CIVIC, I offered the following:

My article is merely a synopsis of the CoE discussion paper (to) highlight the the relevant parts to the Caribbean.  Those who reviewed it pre publication know that my intent was not to murky the waters with my opinion but rather introduce the discussion paper to the local and Caribbean audiences so that they can review and form their own opinion.  As well, specific to my article, I present my findings as questions.  Questions which need to answered in the local and Caribbean debate on cybercrime legislation.

By the way, every time you mention HIPCAR in the CIVIC forum there is collective groan of ‘let’s not even go there’ which emerges from the Caribbean civil society and ICT professional members who previously participated in, and were not pleased with, the HIPCAR exercise. They also readily suggest a visit to the archives of CIVIC to see the various issues they previously highlighted with HIPCAR.

The critic also took a swipe at the author of the referenced discussion paper, referring to his work as:

…unqualified, unspecified OPINION of a barrister-at-law who I have not had the pleasure of meeting.

Well, it just so happens that the very TechNewsTT website, which the critic was actively using to place his comments, ran a piece on 26/05/15, from 2014, which pointed to an article entitled “Dominica considered a cybersecurity leader”.  The author of the referenced CoE discussion paper, Mr. Zahil Jamil, is spoken of within this article as follows:

Meanwhile, Zahil Jamil of the Commonwealth Secretariat and the Council of Europe also congratulated Dominica for taking a leadership role in the fight against cybercrime.  Jamil who also represents the Budapest Convention on Cybercrime congratulated Dominica for having taken “a very forward looking step and advanced step to having requested accession to the Council of Europe’s convention on cybercrime”.

So hopefully the critic has now been introduced, albeit virtually to Mr. Jamil. But let’s leave this critic behind and focus on the task at hand; i.e.getting cybercrime legislation right.

Commonwealth model law review

One of the things which Mr. Jamil points out in the discussion paper is that of the various model law efforts reviewed, the Commonwealth model law effort:

…received much recognition being a reasonable first effort at a model law based upon the Convention”

Additionally, while pointing out imperfections, he goes further to state:

…this is the only Model Law analyzed as part of this paper that bears any resemblance to an official inter-governmental process for negotiation and approval

However despite this model law seemingly being the best of the batch reviewed, the Commonwealth Secretariat is currently seeking a “Consultant for the Review of Commonwealth Model Law on computer and computer related crime”.

Hence, if even the best of the batch reviewed by Mr. Jamil recognizes the need for review of itself, what does that say about our legislation derived from HIPCAR model law?

As stated within the duties expected of the consultant, it is expected that he will perform review which may include areas currently absent within the current draft including:

…developments in technology such as peer-2-peer networking, revenge porn, cloud computingand user distributed information, and any practical difficulties which have been encountered in the operation of the existing model, such as delays in receiving mutual legal assistance

With respect to reviewing the area of cloud computing, if you will recall, my previously mentioned July 2014 article on the TT cybercrime bill cited the problems within the bill as treating data as if it is still stored on a single computing device rather than being stored within the all pervasive cloud:

Folks, remember where you saw the need for such inclusion of cloud computing provisions in review of a Caribbean bill first…right here!

What about Jamaica?

While I will be the first to admit that I have not reviewed the Jamaican cybercrime bill 2015, an interesting blog post has emerged from well respected US based Jamaican data privacy and security specialist, Dr. Tyrone W A Grandison, questioning aspects of this bill.  Of particular interest is that he also cites a need for the explicit protection of IT / information security professionals,academics and security researchers.  This need was previously highlighted in my July 2014 article on the TT cybercrime bill.

Dr. Grandison has subsequently responded to the Jamaican, Ministry of Justice, response to his blog post.

Where do we go from here?

Based on the aforementioned CoE discussion paper, the fact that a Commonwealth model law exercise is about to commence, the fact that more regional security specialist are voicing their concerns with respective cybercrime bills (based on the the same HIPCAR model law) and the opportunity presented by the closing of the parliamentary term; I believe a review of the TT cybercrime bill is warranted.