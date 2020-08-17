Zimbabwean tech experts who are currently looking into the Cyber Security Bill have highlighted genuine concerns that must be looked into before the bill is passed into law.

By Toneo.

The major concern is that there seem to be overdrive to use the bill to catch cyber criminology or abusers at the expense of digital security and protection of the privacy of internet users in Zimbabwe.

In some cases the cyber bill has taken general computer practice which may not be ethical but not necessarily illegal to be criminalized. For most tech pundits, the cyber bill completely takes away the right for grey hat hackers, creating white hat hackers protected by law and black hat hackers are criminals.

This is generally in bad taste for most us experts, who feel that the right to experiment has now been taken over by law, killing the creativity of the trait.

The past few weeks saw the ministry of ICT Postal and courier services, doing its part, by holding nation wide consultations, most of them poorly attended, which warranties concern of the people’s input in the whole process.

The Harare event we attended and broadcast is available here, and some striking issues of the bill were either massaged or not questioned at all.

The bill seeks to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a Cyber Security Centre and a Data Protection Authority and to provide for their functions; to create a technology driven business environment and encourage technological development and the lawful use of technology;

To amend sections 162 to 166 of the Criminal Code (Codification and Reform) Act [Chapter 9:23] to provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches, and to provide for admissibility of electronic evidence for such offences; and to provide for matters connected with or incidental to the foregoing.

here are some areas of great concern inside the bill.

MISA Submitted that To begin with, Section 5 and 7 of the Bill seek to establish the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), as the Cybersecurity Centre and Data Protection Authority, respectively. This essentially gives POTRAZ the roles of potentially three bodies, being the regulator of the telecommunications industry, the cybersecurity centre and the data protection authority. As rightly laid out in the Bill, POTRAZ is created in terms of the Postal and Telecommunications Act [Chapter 12:05] and likewise its roles should be limited to those laid out in [Chapter 12:05]. It is inappropriate to also allocate the functions of the Cybersecurity Centre and Data Protection Authority in their entirety to POTRAZ. There is no justifiable basis to promote such monopoly by POTRAZ as this frowns upon the basic principles of efficiency, before even delving into the nitty-gritties of the independence of this body.

clause 164C Transmission of false data message intending to cause

harm

Any person who unlawfully and intentionally by means of a computer

or information system makes available, broadcasts or distributes data to

any other person concerning an identified or identifiable person knowing

it to be false with intend to cause psychological or economic harm shall

be guilty of an offence and liable to a fine not exceeding level 10 or to

imprisonment for a period not exceeding five years or to both such fine

and such imprisonment.

This reading makes it difficult for media players, both citizen journalsists and proffessional ones to carry on with their various duties as passing on of unverified information can be easily crim inalised.

This is a matter of journalistic ethics not a criminal matter, it reads like an act that is indirectly taking away media freedom, or AIPPa being introduced via the back door.



164D Spam

Any person who intentionally and without lawful excuse—

(a) uses a protected computer system to relay or retransmit

multiple electronic mail messages, with the intent to deceive

or mislead recipients or any electronic mail or internet service

provider as to the origin of such messages; or

(b) materially falsifies header information in multiple electronic

mail messages and initiates the transmission of such

messages.

shall be guilty of an offence and liable to a fine not exceeding level 5 or

to imprisonment for a period not exceeding one year or to both such fine

and such imprisonment.

Illegalising this act is tantamount to criminalizing email marketing, this is what most traders and players do to get high quality traffic to their various products, however its only disappointing if the players are deliberately

163 Hacking

(1) A person who—

(a) knowing or suspecting that he or she must obtain prior

authority to access the data, computer programme, computer

data storage medium, or the whole or any part of a computer

system in question; and

(b) intentionally, unlawfully and without such authority, secures

access to such data, programme, medium or system;

Cyber Security and Data Protection

shall be guilty of hacking and liable—

(c) in any of the aggravating circumstances described in section

13 to a fine not exceeding level 14 or to imprisonment for

a period not exceeding ten years or both such fine and such

imprisonment;

(d) in any other case, to a fine not exceeding level 10 or to

imprisonment for a period not exceeding five years or to

both such fine and such imprisonment.

the above clause was written by people who are only worried about protecting informartion from reaching certain individuals and crimilises the act of such.

If information is accessed on unsecured source, whether with or without authority, this can not be classified as hacking and can not be criminalized, its simply sniffing around for the right sources .

The bill must have been more sincere and also criminalizes keeping of sensitive information in public domain, where its not protected, instead of accusing the ones who stumble upon it .

another commentary highlighted a ver important aspect of the bill, where they are genuine concerns that it may be used mainly to advance state interest over protection of the citizens, and yet still it could be prone to abuse to promote these interests.

It should be noted that Zimbabwe has a history of surveillance through its laws that seek to promote national security like the Official Secrets Act and the Interceptions of Communications Act. These laws are not aligned to the Constitution and have provisions that continue to violate the exercise of rights. There is, therefore, need to ensure that all national security laws are reviewed in line with the human rights framework in the Constitution. In circumstances where information relates to national security, more often than not, there is no disclosure of sufficient information under the auspices of national interests.

During the President Robert Mugabe era, a Ministry of Cybersecurity, Threat Detection and Mitigation, was set up. Subsequent to reshuffles in government, this ministry morphed into a department under the existing Ministry of Information Communication Technologies.

“It is therefore poignant to note that, and according to the then Presidential spokesperson at the material time, the ministry had been established to catch “mischievous rats” that abused social media.

More recently in March 2020, Zimbabwe National Army (ZNA) Commander, Lieutenant-General Edzai Chimonyo, addressing senior military commissioned officers at the Zimbabwe Military Academy in Gweru, highlighted that the military would soon start snooping into private communications between private citizens to “guard against subversion,” as social media has become a threat to national security.” said a MISA Commentary.

The Bill is also silent about current ills of ghost accounts, some which are being used by official state officers and politicians, which are being used to spread hatred, tribalism and political intolerance.

