Summary of ECLAC Caribbean DFS outputs (2014-2017) 

Report on ITU/ECLAC/TATT 2016 workshop; Exploring Innovation in Transactions & Financing in Caribbean

 

 

The Economic Commission for Latin America and the Caribbean (ECLAC), subregional headquarters for the Caribbean, is pleased to transmit for your attention the report (LC/CAR/2017/11) entitled “REPORT OF THE SEMINAR ON SCIENCE, TECHNOLOGY AND INNOVATION FOR SUSTAINABLE DEVELOPMENT- EXPLORING INNOVATION IN TRANSACTIONS AND FINANCING IN THE CARIBBEAN” from the meeting convened in Port of Spain, 1-3 June 2016.

 

Below is a listing of the various DFS outputs produced by ECLAC from 2014 – 2017

=============================================================================

ECLAC Publications and Resources in “Digital Financial Services”

2014

2015

 

Digital currency and mobile money solutions are components of new industry classifications referred to as Financial Technology (FinTech) and Digital Financial Services (DFS).

2016

 

 

 

 

 

This report examines the usage of digital currency technology in the Caribbean subregion with a view to drawing attention to the opportunities and risks associated with this new phenomenon. It discusses the broader context of an emerging activity at the global level and considers how this technology could address subregional deficiencies in the electronic payment infrastructure. The report also discusses mobile money solutions, and the relationship of that technology to digital currency.

 

The workshop is co-organized by the International Telecommunication Union (ITU) in partnership with the Telecommunications Authority of Trinidad and Tobago (TATT) and the United Nations Economic Commission for Latin America and the Caribbean (UNECLAC).

 

Its primary purpose is to provide Caribbean stakeholders from various sectors with interactive sessions along the theme of utilizing technology innovations towards the goal of improving financial transactions and financing arrangements.

 

 

Report of the seminar on science, technology and innovation for sustainable development – Exploring innovation in transactions and financing in the Caribbean (LC/CAR/2017/11) 

 

 

Event video recording

2017

 

Caribbean countries have been seriously impacted by the trend toward “de-risking” in the global financial system, and this is damaging to their economic security and the ability of Caribbean businesses to innovate. De-risking is the name given to the tendency of banking institutions to turn away from working relationships and lines of business for which the cost of regulatory compliance—and the risk of non-compliance—is deemed to be too high in comparison to the returns.

 

This is a phenomenon that is affecting developing economies around the world, but the small and vulnerable economies of the Caribbean have been hardest hit.

 

 

 

The primary purpose and objective of this workshop is to continue providing Caribbean stakeholders from various sectors with interactive sessions along the theme of utilizing technology innovations towards the goal of improving financial transactions and financing arrangements.

 

 

Programme & Presentations available from link above

 

 

Event video recording 

 

T&T Cybercrime bill demands multi-stakeholder input (July 2014)


***This article was originally published in July 2014 via TechnewsTT and is being republished given the reading of the Cybercrime Bill, 2017, into Parliament on 5th May 2017.***  

The case for Multi-stakeholder engagement in reviewing the Trinidad & Tobago Cybercrime Bill, 2014

Summary

The Cybercrime Bill 2014 was read into Parliament by the Minister of National Security, Gary Griffith, on 21/03/14 and subsequent debate occurred in the Lower House of Parliament on 13/06/14.   An alarm has been raised by media workers over certain clauses (21 and 23) in the Bill which they deem to be oppressive to their profession.  Similar dissatisfaction has been expressed by other media workers in other Caribbean territories where attempts to introduce similar legislation have been made. Additionally, questions have arisen over the extent of stakeholder engagement practiced to review and produce the Bill.

This paper presents a historical context of the development of this legislation and presents a review of certain clauses (12, 21, 23, 26, 27, 28 and 31) or aspects within, from an ICT and Information Security perspective, so as to illustrate why a review of the Bill by a wider set of stakeholders may be required at this point. 

Introduction

There has been recent outcry by the Trinidad and Tobago Publishers and Broadcasters Association (TTPBA) against the proposed Cybercrime Bill 2014.

“It is evident that the media can be muzzled and the profession of investigative journalism can be undermined if this law is passed.  The government has shown its willingness to discuss such issues before and we ask that they engage the TTPBA and other stakeholders again in order to work in the best interest of our democracy.  In reviewing this Bill, it would seem that no thought was given to the repercussions of a free media nor to the role of the media as watchdogs of our nation.”

Additionally, the Trinidad Guardian editorial, dated 17/06/14, cited concerns with clauses 21 and 23 of the bill and went further to cite lack of proper stakeholder engagement in the consultative process leading up to the laying of the bill in Parliament. Amongst the “interest groups” cited as requiring time to “weigh in” on the bill was the Law Association, which raises the question of whether the legal fraternity has provided sufficient input on the bill.

In his contributions to the debate on the Cybercrime Bill as reported by the Trinidad Newsday, dated 16/06/14, Member of Parliament for St. Joseph, Terrence Deyalsingh raised an interesting question of the relevance of the proposed bill in relation to existing laws such as the Telecommunications Act, Electronic Monitoring Act and Interception of Communications Act.  These are all interesting points which lead to the following questions: Where did this bill come from?  Who were the stakeholders consulted?  Does it unfairly target certain groups?  Is the current outcry justified?  How does it integrate into our existing set of laws? The response to these questions should lead to the position that greater stakeholder engagement is required at this point.

Historical Context

The bill is derived from the HIPCAR project which commenced in 2008 and was designed to provide “harmonization of ICT policies and legislation across the Caribbean”. This project was 95% funded by the European Commission with the International Telecommunication Union (ITU) as the executing agency and the Caribbean Telecommunications Union (CTU) as its project advisor. The fifteen (15) beneficiary countries were identified as Antigua and Barbuda, the Bahamas, Barbados, Belize, Dominica, the Dominican Republic, Grenada, Guyana, Haiti, Jamaica, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Suriname, and Trinidad and Tobago.

As part of its deliverables, it produced “Model Policy Guidelines & Legislation texts” across nine (9) different areas, of which “Cybercrimes and cybersecurity” was one. Supplementing these “model law” deliverables, technical assistance was made available to tailor these deliverables to the unique scenario of individual beneficiary countries. Trinidad and Tobago benefitted from at least two (2) “Stakeholder Validation Consultation and Capacity Building Workshop to review the Legislative Framework on Cybercrime (e-Crimes)” as of June 2012. In 2009, Dominica, Grenada and St. Lucia also commenced another effort around ICT harmonization called the Electronic Government for Regional Integration Project (EGRIP).

Clearly, significant effort went into the HIPCAR project; however, there has been some dissent amongst Caribbean ICT professionals as to the effectiveness of the deliverables in meeting the needs of the individual beneficiary states. At the “Caribbean Stakeholders’ Meeting: The Importance of ICTs and their Impact on Regional Development”, which was attended by several regional ICT Ministers and held in Trinidad over the period 26th to 28th May 2014, the Caribbean Area Representative to the International Telecommunication Union (ITU), Mr. Cleveland Thomas, acknowledged this dissent but attempted to place it in the context of the significance of the work accomplished given some of the constraints it faced as an externally funded project.

My own impressions from this meeting on issues of Caribbean cybercrime and cyber security development can be found in my Slideshare folder. Whether the root of the dissent originates from the model law phase or the tailoring phase is up for debate. However, the fact that questions are now arising over the extent of consultations performed in the production of the Cybercrime Bill seems to indicate that the tailoring phase and/or subsequent necessary follow-up consultative processes between June 2012 and June 2014 were not executed properly or did not adequately address the concerns of relevant stakeholders.

Other Caribbean Cybercrime Efforts 

How have other Caribbean nations fared with their own efforts to introduce cybercrime legislation?   

In June 2013, Grenada laid in their Parliament EGRIP-based Electronic Crimes legislation, much to the chagrin of local media representative bodies who expressed similar concerns of having their freedom of expression suppressed. They were supported by international press freedom bodies such as the Paris-based Reporters Without Borders (RWB) and Vienna-based International Press Institute (IPI) as well as the Association of Caribbean Media Workers (ACM). Michelle Marius of ICT Pulse provides a good summary of the Grenada experience up to July 2013.

In April 2014, Dominica, which has been a beneficiary of both the HIPCAR and EGRIP projects, embarked upon a National Needs Assessment and Legislative Review Workshop on Cybersecurity with direction and assistance from international bodies including: Cybersecurity Assessment and Strategy Development from the Commonwealth Secretariat (COMSEC), the Council of Europe (COE) and the Inter-American Committee against Terrorism of the Organization of American States (CICTE/OAS). The stated purpose of this workshop was to “review existing e-legislation to determine whether they are in compliance with the International Convention on Cybercrime known as the Budapest Convention on Cybercrime” towards the development of a national Cybercrime Strategy and establishing a National Cybercrime Policy. The Dominica example must be commended as an example of tireless effort towards getting the right tailored fit for Dominicans in accordance with an internationally recognized authoritative source.

The Case for Multi Stakeholder Review

The Minister of National Security, Gary Griffith, has heeded the calls of the media fraternity and has invited them to discuss their concerns specific to clause 21 of the Cybercrime Bill. However, does this mean that the remainder of the Cybercrime Bill is perfectly fine and does not warrant review? At this juncture, I believe it would be more beneficial to employ a more encompassing approach, bringing together a wide range of professionals from various stakeholder institutions and entities such as law enforcement, the legal fraternity and of course the technical expertise represented by the ICT and Information Security fraternity. I shall highlight a few points of concern I have with the Cybercrime Bill which I have raised with various authorities over the past few months. These are primarily derived from an ICT and Information Security perspective and underscore the need to solicit and engage in further discussion with others.

Clause 12 & 31: Illegal Devices & Remote Forensic Tool

The bill defines “remote forensic tools” as:

 “…investigative software or hardware installed on or attached to a computer system that is used to perform a task that includes keystroke logging or transmission of an internet protocol address”

This may be a bit misleading as the functionalities mentioned are a bare minimum of what these tools are capable of and indeed further reference to these tools in clause 31 alludes to a usage far greater than “keystroke logging or transmission of an internet protocol address”.  Additionally, such tools would undoubtedly fall under the classification of “Illegal devices” as described in clause 12.

Yet, clause 31(3) calls for internet service providers to “support the installation” of such tools. It is my view that if competency is expected of persons outside of the police service to support the installation of such tools, explicit protection for users of these tools for legitimate purposes, for example academic research or professional duties, should be stated within the bill.

  Why is this important?  In 2010, the UK Cards Association (representative body for UK banks), attempted to compel the University of Cambridge to remove Omar Choudary’s research thesis from its website which exposed flaws in their Chip and PIN bank card technology.  

Figure 02: Omar Choudary’s specialized hardware ‘device’ used in academic research into Chip & PIN vulnerabilities


Under our Cybercrime Bill, the research performed by Mr Choudary, which required certain hardware tools and software to perform analysis of bank card transactions, could have been deemed as having utilized “illegal devices” with the intent of committing an offence against the members of the UK Cards Association.

  Ultimately the University of Cambridge defended their right to have the work published on their website and the UK Cards Association backed down, however this case still resonates with the way universities approach cybersecurity research.  Having recently completed M.Sc. Information Security studies 2012/13 at University College London, UK, I can personally attest to interactions between one of my classmates and his thesis supervisor on establishing boundaries for the scope of his research into contactless Near Field Communications (NFC) based bank card transactions for fear of how this research and published findings could be perceived.

Figure 4: Proxy and Relay NFC attack scenarios, credit C.Petridis


How would a Caribbean-based Bankers Association view a University of West Indies based researcher doing similar work? What possible pressure could be levied to suppress such work? Can such legitimate research be misrepresented by a powerful lobbying group as an offence under our Cybercrime Bill? In the US, similar concerns have emerged from the security research industry with respect to the US Computer Fraud and Abuse Act (CFAA) laws being used to target security researchers conducting benign research into internet vulnerabilities.

The United Nations Office on Drugs and Crime has produced a “Comprehensive Study on Cybercrime” which presents some of the issues and differences in national strategies in criminalizing “computer misuse tools”. Are we confident we have found the right fit for Trinidad and Tobago?

Clauses 26 – 28: Order for removal or disablement of data, Production Order & Expedited Preservation

Given the emerging field of cloud computing, where data and services from various corporate entities and individuals may be hosted on a single physical server or storage device, i.e. co-located at a 3rd party’s data centre, the issues raised in clause 26 through clause 28 take on a different dimension.

How does one safely ensure that an “Order for removal or disablement of data” only affects the data and services of the target being investigated?

How does one ensure that in issuing a “Production Order” or an order for “Expedited preservation” one does not inadvertently copy data from another entity who is not the subject of investigation? This should be a significant concern to corporate entities who would be keenly interested in protecting the privacy of their own data as well as data stored on behalf of their customers.

How do the police even get forensic access to data of Trinidadian entities when said entity’s data is domiciled in other countries? We would normally believe that a Mutual Legal Assistance Treaty (MLAT) between countries would bridge this gap, but given the lack of results the public has seen from a very public email investigation originating in 2013, we need to be mindful as to how such investigations are executed.

The emerging field of cloud forensics may have some solutions here; one proposal is to have competent cloud forensic experts on staff at data centres, who are then included in the chain of custody to facilitate such orders, which may require instances of data acquisition, removal, disablement etc. The Cloud Security Alliance (CSA), a consortium of cloud industry stakeholders, is undertaking an effort at present towards mapping an ISO standard for digital forensics (ISO/IEC 27037:2012) to cloud computing.

While I fully appreciate the need for legislation to be as technology agnostic as possible, I raise this point as an example of how the pace of rapidly emerging and maturing technologies can outstrip the lethargic pace of policy, regulatory and legislative efforts as well as to underscore the importance of technical expertise stakeholder consultations to continuously update these processes with scenarios which may challenge the path being followed.

At present, are there sufficient (or for that matter…any) Information Security centric roles within the public service tasked with looking at these issues from a strategic perspective to come up with the potential scenarios I have outlined above? The capacity building effort to accompany this type of legislative agenda must begin well in advance of enactment but I believe this is sorely lacking at present.

Clause 19:  Violation of Privacy

The advancements have not only been on the technical side though, and again the following two points establish the need for stakeholder engagement with strategic thinkers who are tuned into current issues and can examine if the cybercrime policy, regulatory and legislative efforts being pursued are sufficient. It also underscores the need for possible further analysis of the legal wording of certain clauses.

Michael Robertson of Massachusetts, USA, was charged with two counts of violating several women’s right to privacy by taking ‘upskirt’ photos of them. Upskirting refers to the practice of covertly taking photos of another person’s exposed underwear or private area without their knowledge. While his defence acknowledged that he did take such photos of women as they used public transport, they argued that the wording of the ‘peeping tom’ laws he was charged under only made provisions for victims who were nude or semi-nude; consequently, in March 2014 he was found not guilty. In light of this ruling, the wording of clause 19(3) of our own Cybercrime Bill, which deals with violation of privacy offences, may require a revisit to ensure that the intention of the clause is maintained under the circumstances cited in this case.

Clause 21: Harassment utilizing electronic communication

 This is one of the clauses which has drawn the ire of Caribbean media workers, and their take on the matter has been well ventilated; my views are presented from the technical perspective.   Again the wording of certain clauses comes into focus when one looks at clause “Harassment utilizing electronic communication” specifically clauses 21(1) & 21(6) where the term cyberbully is mentioned.

As currently worded, the “cyberbully” needs to use the computer system “repeatedly or continuously” to commit an offence against someone. Yet, there are instances where a single action by an offending party (i.e. non-repeated or non-continuous) on a social media site against a victim can spawn a multitude of supporting actions from other entities all directed against the same victim. For example, it is not inconceivable that a single offensive tweet about someone can lead to a multitude of retweets and favourites without any follow-up action from the offending party.

In such an instance, the concept of the use of a computer to “support severe repeated and hostile behaviour” as found in the original HIPCAR model law document may be more appropriate given the context and usage of the word “support”. Again, this is one for the legal wording experts.

HIPCAR Cybercrime model law document


Clause 23:  Offence by body corporate

Interestingly, one of the areas of the Cybercrime Bill which I actually view as strengthening the cause of ensuring proper Information Security Governance within corporate entities is one of the clauses which media workers have taken issue with i.e. clause 23.  Different lens of perception leads to a different point of view!

While I fully appreciate the media workers’ perspective, from an ICT and Information Security perspective, I view this clause as placing responsibility squarely on the shoulders of corporate entities, and appropriate individual members of staff, to ensure that they have practiced “due diligence” in their efforts to secure their ICT infrastructure, people and processes from committing offenses identified within the bill. Further details on my opinion of the benefits of this clause can be found in my Slideshare folder.

 Conclusion

While the Government must be commended for their continued efforts to keep legislation abreast with technical advancement, it is incumbent upon the Government to ensure that as wide as possible stakeholder engagement takes place in reviewing the bill and ensuring that concerns are captured and treated appropriately. It is also incumbent upon the Government to ensure that they have the right complement of technical expertise on board to continuously survey the landscape of cybersecurity and cybercrime developments around the world and constantly provide feedback on policy/regulatory and legislative efforts being pursued.

The limited review presented here is illustrative of the complexity of the issue and how its multiple dimensions have produced multiple perspectives. For example, some of the opposition I’ve heard coming from local and Caribbean-based ICT professionals has to do with the harsh penalties and sentences for certain offences; yet recently in the UK there has been overwhelming support for announcements of life sentences for certain cyberattack offenses.

Somewhere a balance must be found and it is up to the public at large, corporate entities and institutions to inform themselves on how this bill potentially impacts them.  These views must then be presented to public officials at appropriate forums designed to receive and objectively process such feedback. Multi-stakeholder engagement is now required to find the most appropriate fit for Trinidad and Tobago.

At The Intersection Of Ethics, Law & Technology In Trinidad & Tobago

On 12th July 2015, the students of the Master of Information Systems & Technology Management (MISTM) programme at the Arthur Lok Jack Graduate School of Business were exposed to the growing global ethical debate of security vs. privacy within the context of existing local laws with an Information Security dimension (as well as impending proposed legislation). As part of my Information System Security, Ethics and Law (ISSEL) course, within the class dedicated to examining ethical and legal issues as pertains to Information Security, I invited two guest presenters, both lawyers, to share their expertise with the students:

  • Cláudio Lucena, Professor of Law, Paraíba State University, Brazil
  • Jason Nathu, Tutor, Legal Aid Clinic, Hugh Wooding Law School

Security vs. Privacy

Mr. Lucena noted increased awareness of privacy in the virtual world as a relatively new phenomenon due to the digital revolution and increased technological capabilities for mass collection of data, while stating that “The Right To Privacy” in the physical world dates back to 1890. He suggested that the strength of the response towards the 2012 Snowden revelations of global surveillance was mainly due to the fact that it revealed infractions against foreign leaders and persons involved in international relations, rather than only surveillance of normal citizens. The awareness generated from these revelations was cited as contributing towards a March 2015 decision by the UN Human Rights Council to adopt a resolution to appoint a special rapporteur on the right to privacy. As a Brazilian citizen, he related how specific revelations of surveillance in Brazil led to a heightened pace towards the passage of Marco Civil Da Internet as an online protection of civil liberties, and data protection laws to ensure adequate data handling.

 


ISSEL student posing a question to Mr. Lucena

 

After laying this foundation, we got into other issues such as:

  • The ideological difference between the EU and US approaches towards data privacy where the EU approach tends towards protecting individuals’ rights to maintaining ownership of data.
  • How the “Right To Be Forgotten” seeks to protect individuals from search results about themselves which can be deemed as inaccurate, inadequate, irrelevant or excessive.

Interestingly, I met Mr. Lucena at the 2015 South School Internet Governance in Costa Rica, where we were fortunate to have seen a presentation by Mr. Pedro Less Andrade, Latin American Policy Counsel of Google, who presented (en español) some of the challenges of the right to be forgotten ruling.

Local Legal Context

Quite suiting a core theme of the day, Mr. Nathu grounded his delivery entitled “Information Security:  The Local Legal Context” by defining the right to privacy and then segued into discussion on the Data Protection, Computer Misuse and Electronic Transactions Acts.


Mr. Nathu defining the right to privacy

 

Previously, Mr. Lucena, in commenting on Brazil’s weak cybercrime laws, suggested that there was a perception of cybercriminals as being less of a criminal. This was echoed by Mr. Nathu, who also stated there was a low prosecution rate for e-crimes globally. In highlighting the difference between criminal prosecution and civil proceedings, he questioned why certain organisations, e.g. banks, would expose themselves as victims of cybercrime, and thereby suffer reputational loss, in criminal proceedings, which would result in no monetary compensation.

A few of the additional salient points on the aforementioned laws brought out by Mr. Nathu included:

  • Lack of proper consultations and serious objections from professional bodies such as the Media and Law Associations on certain aspects of the Data Protection Act, which remains partially proclaimed.
  • The Computer Misuse Act has over-specification in some areas, e.g. definition of a computer, yet it “Broadly and vaguely protects against hacking, data misuse…”.
  • The Electronic Transactions Act remains partially proclaimed and it “does not REQUIRE a public body to accept or issue any document in electronic form”.
  • The pace of enacting and subsequent legislative reform is slow.

In responding to a question on why such deficiencies within our laws exist, Mr. Nathu offered that communication and consultation was an issue.  He urged the students to become more involved on matters with a technology and legal intersection.   On a conciliatory note, he admitted we were a young society with respect to this type of legislation and added that it is good that we have some laws in place, as a framework to build upon, even if it is not quite as robust to respond to the surrounding global context.

 

Conclusion


Collaboration is stated as one of the five key areas of focus within Trinidad and Tobago’s national Cyber Security Strategy and it was certainly good to get collaboration from guest lecturers of the caliber of Mr. Lucena and Mr. Nathu to share their expertise with a classroom of primarily technology-based master level students. Additionally, both presenters mentioned the need for higher levels of activism and involvement. In the U.S. there is an organization known as the Electronic Frontier Foundation (EFF) which seeks to defend civil liberties in the digital world:

Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.

Would you say we have a sufficient intersection between the technology and legal professions in Trinidad and Tobago towards the protection of rights in the digital age?