Are Caribbean Cybercrime Bills based on flawed model law? (June 2015)

Image result for cybercrime law fingerprint keyboard

***This article was originally published in June 2015 via The Trinidad Guardian & TechnewsTT. It is being republished given the reading of the Cybercrime Bill, 2017, into Parliament on 5th May 2017.***  

I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.

A subsequent December 2014, Council of Europe discussion paper, entitled “Cybercrime Model Laws“, has come to light which examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention.  This Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. 

In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at law. The paper goes further to explain problems of developing legislation based on poor model law by describing the possible situation which states may find themselves in, when seeking international cooperation:

Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.

The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:

The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.

Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlight significant problems with not only the methodology but also the eventual outcome of these exercises.   For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.    

The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’.  Among these is one item in particular concerning illegally remaining on a system:

It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.

Subsequent analysis of Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6 which speaks to an offence of illegally remaining on a system as described above.  Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice?   There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seems to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.

Is this kind of deviation from international norms a legitimate concern?  There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises?  The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.

In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention.  Is this the solution which other Caribbean states should be exploring?

At this juncture when we debate the future of own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.

Additional food for thought…  

What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?  

Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well? 

How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?

At The Intersection Of Ethics, Law & Technology In Trinidad & Tobago

On 12th July 2015, the students of the Master of Information Systems & Technology Management (MISTM) programme at the Arthur Lok Jack Graduate School of Business were exposed to the growing global ethical debate of security vs. privacy within the context of existing local laws with an information Security dimension (as well as impending proposed legislation).   As part of my Information System Security, Ethics and Law (ISSEL) course, within the class dedicated to examine ethical and legal issues as pertains to Information Security, I invited two guest presenters, both lawyers, to share their expertise with the students:

  • Cláudio Lucena, Professor of Law, Paraíba State University, Brazil
  • Jason Nathu, Tutor, Legal Aid Clinic, Hugh Wooding Law School

Security vs. Privacy

Mr. Lucena noted that increased awareness for privacy in the virtual world as a relatively new phenomenon due to the digital revolution and increased technological capabilities for mass collection of data, while stating; “The Right To Privacy” in the physical world dates back to 1890.  He suggested that the strength of the response towards 2012 Snowden revelations of global surveillance was mainly due to the fact that it revealed infractions against foreign leaders and persons involved in international relations, rather than only surveillance normal  citizens.  The awareness generated from these revelations was cited as contributing towards a March 2015 decision by the UN Human Rights Council to adopt a resolution to appoint a special rapporteur on the right to privacy. As a Brazilian citizen he related how specific revelations of surveillance in Brazil led to a heightened pace towards the passage of Marco Civil Da Internet as an online protection of civil liberties, and data protection laws to ensure adequate data handling.

 

IMG_20150712_104758

ISSEL student posing a question to Mr. Lucena

 

After laying this foundation, we got into other issue such as:

  • The ideological difference between the EU and US approaches towards data privacy where the EU approach tends towards protecting individuals’ rights to maintaining ownership of data.
  • How the right to “Right To Be Forgotten” seeks to protect individuals from search results about themselves which can be deemed as inaccurate, inadequate, irrelevant or excessive.

Interestingly, I met Mr. Lucena at the 2015 South School Internet Governance in Costa Rica, where we were fortunate to have seen a presentation by Mr. Pedro Less Andrade, Latin American Policy Counsel of Google, who presented (en español) some of the challenges of the right to be forgotten ruling.

Local Legal Context

Quite suiting a core theme of the day, Mr. Nathu grounded his delivery entitled “Information Security:  The Local Legal Context” by defining the right to privacy and then segued into discussion on the Data Protection, Computer Misuse and Electronic Transactions Acts.

IMG_20150712_113154

Mr. Nathu defining the right to privacy

 

Previously, Mr. Lucena, in commenting on Brazil’s weak cybercrime laws, suggested that there was a perception of cybercriminals as being less of a criminal.  This was echoed by Mr. Nathu, who also stated there was a low prosecution rate for e-crimes globally.   In highlighting the difference between criminal prosecution and civil proceeding he questioned why certain organisations, e.g. banks, would expose themselves as victims of cybercrime, and thereby suffer reputational loss, in criminal proceedings, which would result in no monetary compensation.

A few of the additional salient points on the aforementioned laws brought out by Mr. Nathu included:

  • Lack of proper consultations and serious objections from professional bodies such as the Media and Law Associations on certain aspects of the Data Protection Act, which remains partially proclaimed.
  • The Computer Misue act has over specification in some areas, e.g. definition of a computer, yet it “Broadly and vaguely protects against hacking, data misuse…”.
  • The Electronic Transactions Act remains partially proclaimed and it “does not REQUIRE a public body to accept or issue any document in electronic form”.
  • The pace of enacting and subsequent legislative reform is slow.

In responding to a question on why such deficiencies within our laws exist, Mr. Nathu offered that communication and consultation was an issue.  He urged the students to become more involved on matters with a technology and legal intersection.   On a conciliatory note, he admitted we were a young society with respect to this type of legislation and added that it is good that we have some laws in place, as a framework to build upon, even if it is not quite as robust to respond to the surrounding global context.

 

Conclusion

Fullscreen capture 7112015 113112 AM.bmp

Collaboration is stated as one of the five key areas of focus within Trinidad and Tobago’s national Cyber Security Strategy and it was certainly good to get collaboration from guest lectures of the caliber of Mr. Lucen and Mr. Nathu to share their expertise with a classroom of primarily technology based master level students.   Additionally both presenters mentioned the need for higher levels of activism and involvement. In the U.S. there is an organization known as the Electronic Frontier Foundation (EFF) which seeks to defend civil liberties in the digital world:

Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.

Would you say we have a sufficient intersection between the technology and legal professions in Trinidad and Tobago towards the protection of rights in the digital age?