A Council of Europe report on cybercrime ‘model laws’ is scathing in its analysis of legislation promoted and funded by the International Telecommunication Union (ITU), calling it ‘technically and legally incorrect, confusing, ambiguous’, ‘poorly drafted’, ‘unsafe’, and of ‘dubious’ credibility.
It argues that it raises barriers to international cooperation rather than removing them.
One such bill has been tabled for a vote in the next Ordinary session of Parliament.
The report states that model laws are being falsely touted as a harmonisation process that will improve cooperation between states.
However, “no such approval appears to have been provided by member states of these inter-governmental bodies”.
In fact, the report argues that these so-called model laws constitute an end-run around existing international treaties such as the Budapest Convention.
Vanuatu’s new cybercrime bill is found wanting.
The ITU-driven endeavour makes “a general mention of international cooperation in one provision, but does not provide the legislative language necessary for international cooperation or mutual legal assistance either as provided in the Convention or as suggested by the Commonwealth’s Harare Scheme.”
The current bill leaves out critical components of any cybercrime regime. Intellectual property and digital copyright, which are of paramount importance to preserve Vanuatu’s cultural and artistic heritage, are entirely missing from the text.
Therefore, the report argues, “poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries … would never view as cybercrime.”
It continues: “Regulatory powers introduced in the Models give governments and public authorities sweeping, overly broad and intrusive powers to block access to information at their absolute discretion without any safeguards, judicial or other independent supervision, due process provisions, limits to scope or duration and in a disproportionate manner, all of which are anathema to the principles enshrined in the Convention and international best practice.”
The report suggests that these laws lack legitimacy: “such models are simply funded by the executive arms of international organizations and are products of consultants which do not necessarily have the sanction of the international organization’s general body or approval of member States.”
The report adds: “though the models bear the flags, emblems and logos and make mention of project funded by the ITU, EU and regional bodies they were not part of any official intergovernmental negotiations and approvals process. Their status and credibility as ‘Model Laws’, officially supported by the general bodies of the inter-governmental organizations named in their products, are at best dubious.”
Far from advancing matters, the law raises a “barrier to the implementation of holistic, compatible, convergent and effective cybercrime legislation on a global basis”.
In addition to lacking credibility, the report says that the model law is subject to “inexperienced tinkering” with the text, and the result “has diluted the efficacy and limited the application of the offences and powers with edits that make the provisions technically and legally unsound.”
One example of this is section 8 of Vanuatu’s proposed bill, which mistakenly leaves out a critical phrase and effectively renders illegal the sale or distribution of a ‘software, system or electronic device’. In short, a drafting error has made all technology illegal.
Even if the original intent of the clause were upheld, it would be hugely problematical. An ‘illegal device’ according to the bill’s intent, is anything that allows a person to circumvent computer-based security measures. This would make most kinds of computerised software analysis and reverse engineering illegal. Most operating systems and software development kits contain such tools.
Re-flashing the ROM on your Android phone, for example, would be illegal.
The law arbitrarily overreaches by “redefining the scope of cybercrime to include criminalizing defamation of religion, blasphemy, insults, and any form of pornography, SPAM and a unique concept of ‘Illegal Remaining’ without any carve outs, exceptions or safeguards. In this regard they are unsafe models of practice shrouded in the myth that they represent best practice of the EU and ITU member states.”
‘Illegal remaining’ is an interesting example of legislative overreach. According to the Vanuatu bill, you can go to jail for up to a year if you simply fail to log out when you’re supposed to.
Asked if Vanuatu’s bill was based on outside laws, the Office of the Government Chief Information Officer replied that, “The bill is based on our own needs and not from any existing legislation from anywhere in the world.”
But identical or nearly identical language over extended parts of the bill was found in the laws of several other countries in the Caribbean and in sub-Saharan Africa, all of whom participated in the ITU-driven campaign to implement these laws. The table of contents of the bill is nearly word-for-word identical with the list in an ITU-sponsored presentation made to the government of Zimbabwe for a proposed cybercrime law there.
The OGCIO response continued with the proviso that it used the ITU-funded “the ICB4PAC Model Skeleton For Legislations on Electronic Crimes” as a reference document. Aside from a single substantive change, this legislation appears to so closely mirror the ‘skeleton’ that it is almost indistinguishable.
OGCIO stated that the “Vanuatu legal framework was benchmarked against the Penal Code Act” as well as other salient legislation. But rather than aligning with the Penal Code and avoiding repetition, it creates contradictions that will be worrying for many.
In particular, its version of defamation is broader than the existing definition, appears to lack free speech safeguards, and effectively increases the maximum penalty from three years to five.
The Council of Europe report raises concerns about these attempts at policing online behaviour. “They also criminalize cyberstalking, described as ‘annoying or insulting messages’. Each of these categories are poorly defined and overly broad in application.”
Vanuatu’s cybercrime bill appears to say that a person can be imprisoned for repeatedly annoying someone. What constitutes an annoyance is left open to interpretation.
These model laws are bad for business as well, the report argues. “Notably, they criminalize any failure by a provider (regardless of jurisdiction) to take down any information regardless of its legality. Effectively, administrative authorities have absolute discretion to seek removal of any information or content whether legal or illegal or be subject to criminal liability. The providers subject to such criminal sanction are unique and include absurd definitions of hyperlink providers, search engine providers, hosting providers and access providers which are technically and legally incorrect, confusing, ambiguous, overlapping and so broad that they could include homes and individuals.”
The Daily Post requested a response to the Council of Europe report from OGCIO. The reply stated that “we did have some concern about the ICB4PAC program”, and insisted that their legislation was substantially different from that of Tonga and Nauru.
Tonga’s cybercrime bill is not yet published, but a brief examination of Nauru’s shows that it has been significantly expanded, with numerous additions and clarifications added to text that resembles that in the model law.
The Daily Post contacted Professor Eric Colvin, head of USP’s School of Law. He responded by forwarding a written submission that he had made to OGCIO, which suggested that the language concerning pornography was overbroad and subject to misinterpretation.
“It is questionable,” he wrote, “whether the law should become concerned with private possession and whether scarce resources should be devoted to pursuing and suppressing it.”
He said that his comments “were submitted to the drafters some time ago but have been ignored”.
OGCIO insisted however that they had taken note of his input and that “some of the sentences for offences were also revised based on his comments”.
The Daily Post made repeated requests for a list of stakeholders to whom the OGCIO had circulated the draft bill, but was told, “We did circulate the bill to all interested parties”.
A search of regional and national ICT discussion groups failed to find any requests for input on the draft bill. Likewise, a records search of Daily Post articles, press releases and notifications turned up nothing concerning a request for input on the draft bill.
In contrast, multiple inputs were actively solicited within the ICT community and the media for the RTI Act and the National ICT Policy.
It is not clear where copies of the cybercrime bill are best obtained. The Daily Post received its copy following a series of requests to the OGCIO. A copy of the bill will be downloadable on the online version of this article on the Daily Post website.