The emergence of cybercrime requires significant changes in national and international legislation, empowering law enforcement to deal with crimes involving technology. Perhaps the greatest challenge in making law against cybercrime is the nature of law itself. As a general rule, laws can only be enforced within the country where they were originally made. This makes it difficult to enforce cybercrime laws when the criminal is outside the impacted territory. However, criminal jurisdiction can be extraterritorial in nature when a nation asserts it, either generally or in specific cases under its domestic law. A supranational authority, such as the United Nations Security Council, can create an international court to deal with a specific case, such as war crimes in a certain country, or an international court can be created under a treaty to deal with a stated area of jurisdiction.
Resource
The United Nations Office on Drugs and Crime carried out a comprehensive study and provided a report in 2013. The report recognised that in developing an effective cybercrime legal framework, there are certain components that must be considered to make the framework efficient and effective. These include providing for an institutional framework, building capacity for law enforcement, addressing issues of electronic or digital evidence, international cooperation, and preventive measures.
UNODC Comprehensive Study on Cybercrime
INTERPOL Cybercrime Strategy Guidebook
This step-by-step guide is the resource for INTERPOL member countries wishing to create or enhance their national Cybercrime Strategy. The Guidebook also helps countries gain insight into their current response to cybercrime and provides a means to design a more robust strategy and programme.
Over the years, many countries managed to amend their existing legislation to extend the concepts of various traditional crimes to the digital world and to add new crimes. Others enacted entirely new laws dealing with cybercrime only. The United Nations Conference on Trade and Development (UNCTAD) provides a database of cybercrime legislation the world over. The database indicates that 80% of countries have cybercrime legislation, while 5% have draft legislation. In Africa (54 countries), 39 countries (72%) have cybercrime legislation, 2 (4%) have draft legislation, 12 (22%) have no legislation, while 1 (2%) has no data available.
Figure 1 shows countries with cybercrime legislation in Africa.
Source: UNCTAD Database
Cybercrime legislation identifies acts that cause harm and prohibits them. This automatically creates acceptable standards of behaviour in the use of ICT. Legislation addresses two distinct aspects: the substantive aspect, which provides for criminal acts that are punishable, and the procedural aspect, which focuses on how to collect digital evidence and prosecute those identified as violating substantive law.
Under the substantive aspect of cybercrime legislation, the objective is to create or modify laws to prevent illegal activities using the internet. In some instances, existing laws may be adequate to deal with illegal activities online. However, in most cases, existing laws cannot address harmful online activities, so new ones need to be created to criminalise illicit activities. While there is no exhaustive list of cybercrimes, the ITU provides some resources that can help countries develop appropriate legislation for cybercrime.
In Africa, Mauritius has developed the Mauritian Cybercrime Online Reporting System (MAUCORS). It is a national online system which allows the public to securely report cybercrimes occurring on social media. It will also provide advice to help in recognising and avoiding common types of cybercrime which take place on social media websites.
The procedural aspect of cybercrime law addresses the gathering of evidence, identification of perpetrators, and prosecution, in order to secure conviction. However, this aspect is more complex, since information on the internet crosses borders without showing travel documents. Thus, criminals can easily bypass national frameworks, targeting multiple victims in different countries, while the data needed for the investigation of a crime can be stored at multiple providers across various jurisdictions. The need for transborder cooperation on the bilateral, regional, and multilateral levels to get timely access to this data is critical.
African context
Combating Cybercrime in the Commonwealth
The Commonwealth Secretariat runs a project that builds capacity in cybercrime prevention and legal frameworks. The project started in September 2020 and will end in March 2023.
The aim of the project is to influence the establishment of effective anti-cybercrime frameworks in the Commonwealth, i.e. laws, policies, institutions, and practices that can be harnessed to combat the growing scourge of cybercrime. The outcome would include:
Increased awareness;
Enhanced cybercrime-combating capacity; and
Strengthened pan-Commonwealth anti-cybercrime cooperation frameworks.
The beneficiary countries of this phase are Botswana, Cameroon, Eswatini, the Gambia, and Ghana.
Details of this project can be found on the Cybil Portal.
Most bilateral agreements on criminal investigation are achieved through traditional Mutual Legal Assistance treaties (MLATs) – agreements between countries to gather and exchange information and address extradition issues (sometimes criticised for being slow and insufficient). Mutual legal assistance requires dual criminality – an act should be criminal in both jurisdictions when one country seeks legal assistance from another. Irrespective of the fact that most countries have national cybercrime laws, issues may arise where certain acts punishable in one country are not punishable in another. For example, Onel de Guzman from the Philippines created the Love Bug computer worm in May 2000, which infected over 10 million Windows personal computers worldwide, stealing passwords and sending itself to all contacts in the computer’s address book. At the time, the perpetrator could not be prosecuted because the Philippines did not have a cybercrime law, making his actions unpunishable. Incidents like this have led to various initiatives for the harmonisation of cybercrime laws globally.
Therefore, various regional blocs have developed legal frameworks for cybercrime to enable investigation across their national borders. This has led to various initiatives to harmonise cybercrime laws across countries. Sometimes, more advanced countries provide assistance to less developed ones in creating cybercrime legal and regulatory frameworks.
The GLACY+ Project
GLACY+ is a joint project of the European Union and the Council of Europe. GLACY+ is intended to extend the experience of the original GLACY project (2013 – 2016) and supports seventeen priority and hub countries in Africa, Asia-Pacific, and Latin America and the Caribbean region. The countries in Africa are Benin, Burkina Faso, Cape Verde, Ghana, Mauritius, Morocco, Nigeria, and Senegal. These countries may serve as hubs to share their experience in cybercrime issues within their respective regions.
Some of the international frameworks include the African Union Convention on Cybersecurity and Data Protection 2014, the Commonwealth Model Law on Computer and Computer Related Crime, the Commonwealth of Independent States Agreement (2016), the Shanghai Cooperation Organisation Agreement on Cooperation in the Field of Ensuring the international information security (2009), the EU Directive on Attacks Against Information Systems 2013, among others.
These instruments have, to a large degree, influenced each other, with a prominent role being played by the Council of Europe Convention on Cybercrime in setting international standards. The convention is the most comprehensive and widely accepted document in Europe and beyond, but still faces obstacles to becoming a globally accepted agreement. The goal of the CoE convention on cybercrime is to provide a platform for the harmonisation of legal frameworks globally. However, there are various challenges facing this objective. Firstly, every country has territorial jurisdiction in criminal law and brings diverse perspectives based on legal traditions and culture. This leads to the second challenge, which is that transposing the substantive provisions of the convention to domestic law may not always work. This is because such transposition may contradict the domestic constitution. What may be considered a form of art in Australia could be child pornography in Mali. Any international legal framework for cybercrime must therefore seek to accommodate and reconcile these differences. While harmonisation does not mean creating identical laws, there must be a deliberate drive to recognise the differences in local laws of various countries. In Africa, these factors also affect the Malabo Convention.
Negotiating a new global or regional convention may take years, if not decades, so it is likely that for now, the CoE and Malabo Conventions will remain the most relevant international and regional agreements on cybercrime for African countries.
Other initiatives include those at UN level (such as the work by the International Telecommunication Union (ITU), the United Nations Commission on Crime Prevention and Criminal Justice (UNCCPCJ), and the United Nations Office on Drugs and Crime (UNODC)), as well as ongoing fora and processes for negotiating norms and other instruments. Other stakeholders, such as the private sector, also contribute towards tackling cybercrime in the form of information sharing, awareness-raising activities, and research appropriate to their unique roles as owners of gateways to internet infrastructure or services.
Resource
The UNODC Cybercrime repository offers resources that provide a guide for drafting cybercrime legislation. It covers issues that must be considered in substantive law, procedural law, and international cooperation, among others.
Areas of cooperation are not restricted to legal and institutional frameworks only. The African Joint Operations against Cybercrime (AFJOC) is a project to drive intelligence-led, coordinated actions against cybercrime and its perpetrators in African member countries by creating a harmonised regional coordination framework that will produce joint action plans and conduct law enforcement activities. The idea is to address the vulnerabilities of weak networks and security in a context of a growing underground market and high levels of social engineering and financially motivated threats against vulnerable people.
Another issue worth mentioning when discussing cybercrime is the concept of cybersecurity. While cybercrime deals with crime using ICT, cybersecurity focuses on measures which individuals, organisations, and countries can take to protect themselves from cybercriminals and incidents. The ITU defines cybersecurity as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment and organisation and user’s assets. Knowledge Module 2 discusses steps countries should take to develop cybersecurity strategies.