Stakeholders in the ICT sector are lobbying against the ratification of African Union regulations on cyber security because of fears the proposed rules will stifle Internet growth.
The African Union Convention on Cyber Security (AUCC) is scheduled to be adopted at a meeting in January if none of its members oppose it.
But some Kenyan stakeholders have filed a petition to bar the convention from being ratified into law, saying the agreement in its current form would derail penetration of the Internet and curtail freedom.
Strathmore Centre for Intellectual Property managing director Marcela Sinda called for wider consultations before the decision is ratified.
“This is being conducted in total darkness. We have identified provisions harmful to our Internet economy that need to be vetted. We are pressing the AU to produce a workable document.”
But Ms Sinda’s fears are not shared by the government, with ICT Cabinet Secretary Fred Matiang’i confident the AUCC will be beneficial in a continent that has long remained vulnerable to cyber attacks.
“It is good that cyber security has been brought to a continental forum where we are looking at it as a region so that we can resolve the issue,” Mr Matiang’i said, in effect downplaying fears of organisations whose online activities depend on Kenya’s thriving web space.
Ms Sinda told the Sunday Nation by phone that Internet penetration figures, which stand at 36.6 per cent of the population according to the Communications Commission of Kenya, will stagnate and dip should the proposals be passed into law.
Google, iHub, iLab Africa and Strathmore University Centre for Internet Protocol and IT Law are among players who signed the petition pressing the AU to review the document before it is ratified.
“We are calling on individuals and local organisations to join us in this because if member states ratify the proposal and anyone goes against it, it would be in violation of law,” Ms Sinda said.
FULL IDENTITY INFORMATION
Among the contentious clauses is a proposal that a person or a corporation engaging in electronic financial transactions (eg M-Pesa or OLX users) must provide full identity information, including PINs and address information.
The petitioners say this requirement is costly and risky because it remains unclear how such data will be protected and how confidentiality will be maintained.
Ms Sinda said the section doesn’t specify what private information might be used in a court of law in case one commits a crime.
“We want the AU to point out exactly what private information they need and also assure users of safety of such information,” she said. “How will they ensure confidentiality if one is found liable?”
According to the business groups, the AUCC significantly restricts freedom of expression—in violation of the Constitution of Kenya—by prohibiting individuals from expressing ideas and theories on religion and ethnicity.
The AUCC also requires governments to have in place a mechanism for cyber forensic investigations. This includes appointment of investigative judges with almost unlimited power to request seizure and analysis of digital and physical evidence.
The petitioners argue that most African governments currently lack the legislative and technical capability to satisfy such a legal requirement, and the likelihood of misuse is high.
However, the government might feel compelled to back the legislation following the hacking of more than 100 of its websites last year.
The Kenya Cyber Security report of 2012 warned about the proliferation of malicious programmes that give hackers access to sensitive government data.