Preventing and Combating Cybercrime in East Africa: Lessons from Europe's Cybercrime Frameworks [1 ed.] 9783428556014, 9783428156016

Citation preview

Schriften zum Strafrechtsvergleich Band 5

Preventing and Combating Cybercrime in East Africa Lessons from Europe’s Cybercrime Frameworks

By

Abel Juma Mwiburi

Duncker & Humblot · Berlin

ABEL JUMA MWIBURI

Preventing and Combating Cybercrime in East Africa

Schriften zum Strafrechtsvergleich Herausgegeben von Prof. Dr. Dr. Eric Hilgendorf, Würzburg und Prof. Dr. Brian Valerius, Bayreuth

Band 5

Preventing and Combating Cybercrime in East Africa Lessons from Europe’s Cybercrime Frameworks

By

Abel Juma Mwiburi

Duncker & Humblot · Berlin

The Faculty of Law and Economics of the University of Bayreuth accepted this work as thesis in the year 2018.

Bibliographic information of the German national library The German national library registers this publication in the German national bibliography; specified bibliographic data are retrievable on the Internet about http://dnb.d-nb.de.

All rights reserved

© 2019 Duncker & Humblot GmbH, Berlin

Typesetting: L101 Mediengestaltung, Fürstenwalde Printing: buchbücher.de gmbh, Birkach Printed in Germany ISSN 2364-8155 ISBN 978-3-428-15601-6 (Print) ISBN 978-3-428-55601-4 (E-Book) ISBN 978-3-428-85601-5 (Print & E-Book) Printed on no aging resistant (non-acid) paper according to ISO 9706

Internet: http://www.duncker-humblot.de

To my parents Juma Chazenga Mwiburi and Faustina Zablon Msangi; my wife Violeth Zacharia Mwiburi and my children Abigail, Aaron, Abdiel, and Ariel

Foreword Technological development in the world has tremendously assisted human beings to improve their lives in various sectors from engineering, medicine, law to performing arts. Huge search engines are making research take shorter time than before as the whole world is at your desk. In the older days, when the Radio could also play music on a tape and also record sounds we all thought we are at the edge of the highest level of science. However, the human mind is restless and probes further. Currently, your simple smart phone in your hand can do hundreds of functions. It is your communication device, your camera, your Television with all facilities, device for playing games etc. There is no doubt that we are enjoying the highest level of scientific advancement making our lives easy, enjoyable at affordable level. However, advancement in science comes with its twin brother/sister – crime. The same device can make your life miserable through abuse of advancement in science. This can happen through cybercrime – the topic chosen by Dr. Abel Juma Mwiburi for this book. The cyber space – the fifth and newest space to be accessed by human beings after land, sea, air and outer space can be accessed vide internet. The problem is once a person in on the internet he or she is vulnerable and defenceless potential victim of cybercrime. Those involved in cybercrime target governments and individuals as well. The motive might be political, criminal or social. Politically, we have witnessed elections in powerful States being influenced from thousands of kilometres through internet. This is because cybercrime, like air pollution, knows of no borders and crosses from one country to another without visas. Criminals are accessing Credit Cards and Bank Accounts of unsuspecting people and emptying them. At personal level, couples are harassing each other through the internet. Recently, a newspaper explained “How husband’s two years of e-mail terror turned wife towards suicide.” It is bad. Faced with such a threat, Dr. Mwiburi makes a strong case for the States in East Africa to work together to address this threat. He notes that notwithstanding their technological backwardness, East African States, while having diverse national frameworks, have not developed a strong joint regional legal framework to address cybercrime. He recommends that the region take leaf from European Union where they have successfully worked together and established effective institutions to fight cybercrime. This is a timely clarion

8 Foreword

call which should be taken seriously. That is the value of this book. The author has managed to reduce heavy scientific material into simple language understandable to all. It is a must read for all those interested in understanding this menace – which is always around us! Dar es Salaam, December 2018

Chris Maina Peter*

*  Professor of Law, School of Law, University of Dar es Salaam, Tanzania; and Member, United Nations International Law Commission (ILC).

Acknowledgements This book would have not been fruitful, if the required support was not offered by colleagues and friends. First of all, I am very grateful to the financiers of my Ph.D. studies, the Government of the United Republic of Tanzania, and the Federal Government of Germany through the Tanzania-Germany Postgraduate Training Programme 2015. Without their financial support, realizing this dream would have not been possible. More importantly, I am sincerely grateful to Prof. Dr. Brian Valerius, my Ph.D. supervisor, and academic mentor. Prof. Dr. Valerius unswervingly offered his support and guidance to me in a very friendly and flexible manner. He was always close and available whenever I sought his guidance. I am very proud to pursue my doctoral studies under his academic guardianship. Also, I thank my family for heartening me and being relentlessly supportive, especially, whenever I seemed to lose hope. My wife, Violeth and my children, Abigail, Aaron, Abdiel and Ariel endured tough moments of my absence with firm and sincere hope that this undertaking will end fruitfully. In similar vein, I extend my appreciations to Prof. Dr. Hamudi Majamba, the Dean of the University of Dar es Salaam School of law. Prof. Dr. Majamba accorded me his full support, inspiration, and guidance. Also, I am indebted to Prof. Dr. Ulrike Wanitzek who deserves a special mention for both motherly and academic guidance and support during my studies at the University of Bayreuth. Exceptionally, I further extend my sense of appreciation to my friend and colleague, FAyaz Bhojani, and FB Attorneys, for their all sorts of support and encouragement in making this project successful. In a very special way, I would like to thank my colleague and friend, Comrade Dr. Goodluck Kiwori, with whom I traveled miles of plains, hills, and slopes when he was undertaking a similar project at the University of Bayreuth. We engaged each other with constant and productive consultations which were very helpful in molding our studies. It is my earnest admission that I cannot account for his unwavering contribution towards the completion of this book. Lastly, I appreciate a hand of support extended by my friends and colleagues, Dr. Alexander Saba, Dr. Mary Zacharia, Imani Shayo, Kimatha Said Kimatha, Amani Lwila, Veronica Buchumi, Goodluck Temu, and Florencia Kimario. Also, I admit that it is not humanly possible to mention all those

10 Acknowledgements

who rendered assistance in the preparation and completion of this work. For that reason, I generally thank all those who made this work possible. I would like to finally state that the order in which my appreciations are expressed herein is not, anyhow, an attempt to rank the importance or the extent of support rendered, rather it becomes necessary to do so for convenience and portrayal purposes. Otherwise, to all of you, I say, “thank you so much”.

Table of Contents Chapter 1

General Introduction 

19

A. General Introduction and Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 B. Cybercrime as a Challenge in East Africa and Beyond . . . . . . . . . . . . . . . 21 C. Focus of the Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Chapter 2

Cyberspace as an Emerging Phenomenon in Criminal Jurisprudence 

25

A. Introductory Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 B. Understanding Cyberspace, Computer Crime, and Cybercrime . . . . . . . . 26 I. Cyberspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 II. Computer Crime and Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 C. Nature and Evolution of Modern Cybercrime . . . . . . . . . . . . . . . . . . . . . . . I. Nature of Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . II. Evolution of Modern Cybercrime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1. The Era of Mainframe Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2. Evolution of Networked Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . 3. The Epoch of Personal Computers and the Internet . . . . . . . . . . . . . . .

30 30 31 32 32 33

D. Forms of Cyber Criminality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. Categorization by Individuals and Experts . . . . . . . . . . . . . . . . . . . . . . . . II. Categorization by Institutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . III. General Observations from the Categorization . . . . . . . . . . . . . . . . . . . . .

34 34 37 38

E. Features of Cybercrimes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. Cybercrimes are Committed in Computer Environment . . . . . . . . . . . . . . II. Veil of Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . III. Requirement of Technical Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . IV. Cybercrimes are Easy to Commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . V. Cybercrime as a Cross-Border Phenomenon . . . . . . . . . . . . . . . . . . . . . . .

39 39 40 41 41 42

F. Approaches to Cyberspace and ICT Governance . . . . . . . . . . . . . . . . . . . . 43 I. Regulation by Norms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 II. Regulation by Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

12

Table of Contents III. Regulation by Market Forces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 IV. Regulation by Code or Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 V. Pillars of Cybersecurity  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

G. Contemporary Issues and Challenges on Cyberspace . . . . . . . . . . . . . . . . . I. Borderlessness and Jurisdictional Issues  . . . . . . . . . . . . . . . . . . . . . . . . . . II. Harmonization of Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . III. Speedy Technological Developments and Flexibility . . . . . . . . . . . . . . . . IV. Striking a Balance Between Regulation and Enjoyment of Individual Rights  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . V. Increased Criminal Capability and Child Protection . . . . . . . . . . . . . . . . . VI. Anonymity and Lack of Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

48 49 49 51 52 53 54

H. Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Chapter 3

Systemic and Institutional Synergies Among the East African Community, the European Union and the Council of Europe 

57

A. Introductory Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 B. The East African Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. The East African Community in Historical Perspectives . . . . . . . . . . . . . II. Revival of the East African Community  . . . . . . . . . . . . . . . . . . . . . . . . . . III. Principles Governing the East African Community . . . . . . . . . . . . . . . . . . IV. The East African Community’s Organs and Institutions  . . . . . . . . . . . . . V. Scope and Competences of the East African Community . . . . . . . . . . . . .

57 57 61 63 65 69

C. The European Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. History and Establishment of the European Union . . . . . . . . . . . . . . . . . . II. Principles Governing the European Union . . . . . . . . . . . . . . . . . . . . . . . . . III. European Union’s Organs and Institutions . . . . . . . . . . . . . . . . . . . . . . . . . IV. Competencies and Functions of the European Union . . . . . . . . . . . . . . . .

71 71 78 80 83

D. The Council of Europe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. History and Establishment of the Council of Europe . . . . . . . . . . . . . . . . II. Principles Governing the Council of Europe . . . . . . . . . . . . . . . . . . . . . . . III. Council of Europe’s Organs and Institutions . . . . . . . . . . . . . . . . . . . . . . . IV. Competences and Functions of the Council of Europe . . . . . . . . . . . . . . .

88 88 91 91 93

E. Synergies Among the East African Community, the European Union, and the Council of Europe as Intergovernmental Organizations . . . . . . . 94 F. Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96



Table of Contents13 Chapter 4



The War Against Cybercrime: Europe’s Legal and Institutional Frameworks 

100

A. Introductory Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 B. General Background to the Cooperation in Criminal Matters Among the Council of Europe Member States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 C. The Council of Europe Convention on Cybercrime  . . . . . . . . . . . . . . . . . . I. Harmonization of Rules and Criminalization of Some Acts . . . . . . . . . . . II. Criminal Procedural Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . III. International Cooperation in Cybercrime and Related Matters . . . . . . . . . IV. The Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

102 104 107 108

D. Institutions Under the Council of Europe Cybercrime Framework . . . . . I. European Committee on Crime Problems (CDPC)  . . . . . . . . . . . . . . . . . II. Cybercrime Convention Committee (T-CY) . . . . . . . . . . . . . . . . . . . . . . . III. Directorate of Information Society and Action Against Crime  . . . . . . . . IV. Cybercrime Programme Office of the Council of Europe (C-PROC) . . .

111 111 113 115 115

109

E. Historical and Legal Basis of Cooperation in Penal Matters Among the EU Member States  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 F. An Overview of the European Union’s Cybercrime Framework . . . . . . . 121 I. The European Union’s Cybercrime Legal Framework . . . . . . . . . . . . . . . 121 1. Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 2. Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 3. Framework Decision on Attacks Against Information Systems . . . . . . 125 4. Directive of the European Parliament and the Council on Attacks Against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 5. Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law . 128 G. Cyberlaw Enforcement Mechanisms and Institutions Under the European Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I. The European Arrest Warrant (EAW) . . . . . . . . . . . . . . . . . . . . . . . . . . . . II. The European Police College (CEPOL) . . . . . . . . . . . . . . . . . . . . . . . . . . . III. The European Police Office (Europol) . . . . . . . . . . . . . . . . . . . . . . . . . . . . IV. Eurojust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . V. European Union Agency for Network and Information Security (ENISA)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VI. European Crime Prevention Network (EUCPN) . . . . . . . . . . . . . . . . . . . .

129 129 130 131 133 134 135

H. Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

14

Table of Contents Chapter 5



Preventing and Combating Cybercrime in East Africa: Legal and Institutional Frameworks 

139

A. Introductory Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 B. Rationale for Approximation and Harmonization of Criminal Laws in the EAC  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 C. Legal Basis for Harmonization and Approximation of Laws in the EAC Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 D. An Overview of the EAC’s Anti-Cybercrime Framework  . . . . . . . . . . . . I. Policy and Legislative Measures Adopted in the EAC Region . . . . . . . . . 1. The EAC Customs Management Act, 2004 . . . . . . . . . . . . . . . . . . . . . 2. The Regional e-Government Framework, 2006 . . . . . . . . . . . . . . . . . . 3. The EAC Legal Framework for Cyberlaws, 2008 . . . . . . . . . . . . . . . . 4. The EAC Protocol on Peace and Security, 2013 . . . . . . . . . . . . . . . . . II. Anti-Cybercrime Institutions in the EAC . . . . . . . . . . . . . . . . . . . . . . . . . . 1. The East African Communications Organisation (EACO) . . . . . . . . . . 2. The EAC Cyberlaws Task Force . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

144 145 145 146 147 149 150 150 152

E. Individual Countries’ Cyberspace Frameworks . . . . . . . . . . . . . . . . . . . . . 153 I. Cybercrime Policy, Laws and Institutions in Tanzania . . . . . . . . . . . . . . . 153 1. The National Information and Communications Technologies Policy, 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 2. The Electronic and Postal Communications Act, 2010  . . . . . . . . . . . . 156 3. The Cybercrime Act, 2015  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 4. Tanzania Communications Regulatory Authority . . . . . . . . . . . . . . . . . 162 5. Tanzania Cybercrime Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 II. Cybercrime Policies, Laws and Institutions in Kenya . . . . . . . . . . . . . . . . 164 1. National Information and Communications Technology Policy, 2006 . 165 2. The Kenya Information and Communications Act, 1998 . . . . . . . . . . . 166 3. The National Cybersecurity Strategy, 2014  . . . . . . . . . . . . . . . . . . . . . 168 4. The Communications Authority of Kenya . . . . . . . . . . . . . . . . . . . . . . 169 5. Kenya Cybercrime Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 III. Cybercrime Policies, Laws and Institutions in Uganda . . . . . . . . . . . . . . . 170 1. The National Information and Communications Technology Policy for Uganda, 2014 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 2. National Information Security Strategy, 2011 . . . . . . . . . . . . . . . . . . . . 172 3. The Computer Misuse Act, 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 4. The Uganda Communications Commission  . . . . . . . . . . . . . . . . . . . . . 180 5. The National Information Technology Authority, Uganda . . . . . . . . . . 181 6. Uganda Cybercrime Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 F. Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182



Table of Contents15 Chapter 6



Comparative Assessment of Anti-Cybercrime Initiatives Between Europe and East Africa 

184

A. Introductory Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 B. Basic Integration Frameworks Among the EAC, EU, and CoE . . . . . . . . 184 C. Approximation and Harmonization of Laws in Europe and East Africa . 186 D. Comparison of the Efficiency and Efficacy of Anti-Cybercrime Legislative Measures in Europe and East Africa . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 I. Substantive Cybercrime Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 II. Proportionality of Sanctions and Other Dissuasive Measures Against Offenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 E. Efficiency and Efficacy of Anti-Cybercrime Enforcement and Institutional Mechanisms in Europe and East Africa . . . . . . . . . . . . . . . . . . . . . . 205 I. Anti-Cybercrime Watchdog and Coordination Institutions and Mechanisms in Europe and the EAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 II. Other Anti-Cybercrime Institutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 F. Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Chapter 7

General Conclusion 

215

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 List of Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 List of Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Online Materials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Subject Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

List of Tables Table 1: List of the Current EU Members and Their Year of Admission . . . . . . 77 Table 2: List of Categories and Areas of Competencies in the EU . . . . . . . . . . . 85 Table 3: The Current Member States of the Council of Europe . . . . . . . . . . . . . 89 Table 4: Sanctions Under the Computer Misuse Act, 2011 . . . . . . . . . . . . . . . . . 178 Table 5: Comparison of Cybercrime Regimes Between the CoE and Selected EAC Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Table 6: Proportionality of Sanctions and Other Dissuasive Measures Against Offenders Between the CoE and Selected EAC Countries . . . . . . . . . . 199

List of Abbreviations and Acronyms ACCP African Centre for Cyberlaw and Cybercrime Prevention ARPANET Advanced Research Projects Agency Network CAK Communications Authority of Kenya CDPC European Committee on Crime Problems CEPOL European Police College Chap. Chapter CoE Council of Europe C-PROC Cybercrime Programme Office of the Council of Europe CSIRT Computer Security Incident Response Team DPP Director of Public Prosecution EAC East African Community EACJ East African Court of Justice EACO East African Communications Organisation EACSO East African Common Services Organization EALA East African Legislative Assembly EARPTO East Africa Regulators, Postal and Telecommunication Operators Organisation EAW European Arrest Warrant EC3 European Cybercrime Centre ECSC European Coal and Steel Community ED / EDS Editor / Editors EEC European Economic Community ENISA European Union Agency for Network and Information Security EU European Union EUCPN European Crime Prevention Network EURATOM European Atomic Energy Community Europol European Police Office FIU Financial Intelligence Unit GDP Gross Domestic Product ICT Information and Communications Technology INTERPOL International Criminal Police Organization IT Information Technology ITU International Telecommunication Union

18 KES LHRC NATO NBC NISS NITA-U NMB OECD PC-CY TBA TCRA T-CY TZS UCC UGX UNCITRAL UNCTAD UNODC Vol.  vs.

List of Abbreviations and Acronyms Tanzanian Shilling Legal and Human Rights Center North Atlantic Treaty Organization National Bank of Commerce National Information Security Strategy (Uganda) National Information Technology Authority, Uganda National Microfinance Bank Organization for Economic Cooperation and Development Committee of Experts on Crime in Cyberspace Tanzania Bankers Association Tanzania Communications Regulatory Authority Cybercrime Convention Committee Kenyan Shilling Uganda Communications Commission Ugandan Shilling United Nations Commission on International Trade Law United Nations Conference on Trade and Development United Nations Office on Drugs and Crime Volume versus

Chapter 1

General Introduction A. General Introduction and Background Since men are arguably evil in nature,1 criminality has the main characteristic of always being attached to human life at all times and circumstances. This is the reason why crimes are committed in both poor and rich countries, the difference being only that levels of development sometimes determine the extent, type, nature and effects of those crimes. Technological developments similarly have been providing fertile grounds for criminals to accomplish their evil missions. Developments in Information and Communications Technology (ICT) were meant to increase, among other things, accuracy, simplicity, and efficiency in various aspects of life. However, despite the fact that the world has registered tremendous achievement in realizing these goals, ICT has also turned into an avenue for criminals, thereby posing incalculable threats to the world through cyber criminality.2 Explaining the complexities of crime, Singh makes the following observations: Crime is not a single phenomenon that can be examined, analyzed and described in one piece. It occurs in every part of the country and in every stratum of society. The offenders and its victims are people of all ages, income and backgrounds. Its trends are difficult to ascertain. Its causes are legion. Its cures are speculative and controversial. Computer related crimes, popularly called as Cyber Crimes, are most the latest among all the crimes.3

It is a fact currently that almost every aspect of human life interacts with ICT in one way or another. For example, in 2011 and 2014, studies showed that more than one-third of the world’s total population had access to the Internet.4 Moreover, over sixty percent of all internet users are in developing countries, with forty-five percent of all internet users being below the age of twenty-five years.5 Also, it was expected that by 2017 more than seventy 1  Paranjape,

p. 1. p. 1. 3  Singh (2007), pp. 3–4. 4  United Nations Office on Drugs and Crime (2013), p. 1. Also see: Chawki, p. 4. 5  Chawki, p. 4. 2  Mwiburi,

20

Chap. 1: General Introduction

percent of the world’s population will be connected to the Internet.6 It is further said that, mobile telephone services that are also used to access the Internet, are accessible to ninety six percent of the world’s population.7 This being the case, there has been a tendency of criminal behaviours to develop simultaneously and instantaneously with the use of the technology, a situation which calls for more serious and concerted efforts to address. This is because of the fact that criminality is becoming very common in the area (cyberspace) where a significant portion of the world’s population meets. Perhaps, the worst thing about cyber criminality is the fact that for the perpetrator to commit the intended crime, one must not necessarily be within the locality or jurisdiction where the criminal conduct or its effect occurs, or where the victim of that illegal conduct resides.8 Rampancy of cybercrimes globally is one of the reasons that have attracted individual and collective global initiatives and efforts in addressing the problem. Rapid developments in ICTs are considered to be one of the factors contributing to these contemporary emerging trends of criminality.9 Associating the developments in ICT and the challenges they pose in criminal jurisprudence, Lunker, observes: The rapid development of Internet and Computer technology globally has led to the growth of new forms of transnational crime especially Internet related. These crimes have virtually no boundaries and may affect any country across the globe. Thus, there is a need for awareness and enactment of necessary legislation in all countries for the prevention of computer-related crime.10

Furthermore, one of the challenging characteristics of cybercrime is the fact that it is borderless and cross territorial in nature, and its impacts are much wider than those of traditional crimes.11 This means that while the legal and institutional frameworks are grounded on real geographical locations, cybercrimes are not affected by physical boundaries as such. For that matter, cybercrime poses threats not only to the confidentiality, integrity or availability of computer systems, but also to the security of critical infrastructure.12 It is for this reason that a call for the fight against this contemporary form of criminality inevitably necessitates employing individual and the collective initiatives and efforts among States at regional and inter-regional levels to combat the same. 6  Chawki,

p. 4. (2014), p. 699. 8  United Nations Office on Drugs and Crime (2013), p. 6. 9  Lunker, Cyber Laws: A Global Perspective. 10  Lunker, Cyber Laws: A Global Perspective. 11  Johnson / Post, pp. 1367–1402. 12  United Nations Office on Drugs and Crime (2011), p. 2. 7  Clough



B. Cybercrime as a Challenge in East Africa and Beyond21

Emphasizing the seriousness and threats posed by cybercrime, the then Interpol Secretary General observed that: Cybercrime is emerging as a very concrete threat…. Considering the anonymity of cyberspace, it may, in fact, be one of the most dangerous criminal threats we will ever face.13

Similarly, the East African Community (EAC)14 is not far and safe from what is happening in the world, in terms of technological developments and also criminal threats and trends. The East African region covers a land area of 1.82 million square kilometers and it is home to 149.7 million people.15 This population as a whole can, therefore, be contemplated as comprising potential victims of cyber criminality. Under the East African Community portfolio, the region has been forging cooperation among Member States in addressing common problems facing its inhabitants. The most recent and remarkable initiative, in so far as a war against cybercrime is concerned, was the Workshop on Effective Cybercrime Legislation in East Africa, held in Dar es Salaam, Tanzania from 22 to 24 August 2013.16 Since then, there have been hardly very little collective concerted efforts against cybercrime worth reporting in the East Africa region.

B. Cybercrime as a Challenge in East Africa and Beyond According to the available records, cybercrime victimization rate globally is significantly higher than for conventional crime forms.17 For example, the rates of victimization for online credit card fraud, identity theft, responding to phishing attempts and unauthorized access to emails are as high as seventeen percent of the online population.18 Victimization to cybercrime has gone too far in other jurisdictions, for example, hackers are said to have attacked computer networks of the Pentagon, the White House, NATO’s military web13  Noble, R.K., the then Interpol Secretary General (2000–2014) as quoted in KPMG International, p. 6. Also see: PricewaterhouseCoopers (2014), pp. 14–15. 14  Reference to the East African Region and the East African Community in this book is limited to the countries forming the East African Community which is the regional intergovernmental organization of the Republics of Burundi, Kenya, Rwanda, the United Republic of Tanzania, and the Republic of Uganda, with its headquarters in Arusha, Tanzania. Although South Sudan was officially admitted to EAC Membership on 2 March 2016, this book intends not to cover South Sudan for the obvious reason that her statistics and records are not yet very well incorporated and integrated into various EAC reports. 15  The East African Community Secretariat, p. 15. 16  The African Centre for Cyberlaw and Cybercrime Prevention. 17  United Nations Office on Drugs and Crime (2013), p. 25. 18  United Nations Office on Drugs and Crime (2013), p. 25.

22

Chap. 1: General Introduction

sites, and the Interpol.19 More interesting and something which justifies the writing of this book, is the fact that individual victimization rate in the least developed countries is higher than in developed countries.20 Although the African continent accounts for only two percent of the global Gross Domestic Product (GDP), it accounts for ten percent of global cybercrime incidents.21 In the first quarter of 2014 alone, it is reported that 49 million cyber-attacks took place in Africa.22 In the East Africa region alone it is reported that, through cyber criminality, more than eighty billion Tanzanian Shilling (35 Million USD) was stolen from banks in 2013.23 Furthermore, a recent study has revealed that sixty percent of East African Banks are susceptible to cybercrime and the estimated cost of combined threats of cybercrime to financial institutions in the region is USD 245 million.24 As further discussed in chapter 5 part. A. of this book below, according to the 2016 Cybersecurity Report published by an IT firm, Serianu, the estimated cost of cybercrime in the East African region has been alarming with Kenya leading by USD 175 million, Tanzania USD 85 million, and Uganda USD 35 million. A similar study by PricewaterhouseCoopers in Kenya indicates that twenty-one percent of the surveyed financial service organisations had experienced cybercrime over the last 12 months, attributed to both internal and external fraudsters.25 According to the available records, Kenya takes the lead of being the country with many cybercrime incidences in the East Africa region and it is in the fourth position on cyber-attacks victimization in the entire African continent.26 In Uganda, cybercrime was said to have increased by fifteen percent in 2012 compared to 2011, and the criminal incidences mainly involved Automated Teller Machines (ATM) and mobile money service frauds, which in combination accounted for a loss of over one million US dollars country wide.27 At the same time, in Tanzania some banks and financial institutions are among the victims of cybercrime in which criminals have already used the advantage of technological advancements to steal billions of shillings.28 In 19  Kshetri,

p. 2. Nations Office on Drugs and Crime (2013), p. 25. 21  Tentena, Cybercrime on the Increase in Africa. 22  Jackson, Can Africa Fight Cybercrime and Preserve Human Rights? 23  Kassim. 24  Tumwebaze, East Africa Seeks Joint Approach to Combat Cybercrime. 25  Munga, p. 3. 26  Jackson, Can Africa Fight Cybercrime and Preserve Human Rights? 27  The African Centre for Cyberlaw and Cybercrime Prevention, p. 11. 28  Mtweve, Cybercrime a Threat to Africa’s Development. 20  United



C. Focus of the Book23

view of the alarming rate of cyber criminality in Tanzania, the Central Bank of Tanzania (BOT) has formed a task force to fight against cybercrime, bringing together other stakeholders such as the Tanzania Communications Regulatory Authority (TCRA), the Financial Intelligence Unit (FIU), the Tanzania Bankers Association (TBA), and the Police Force Cyber Crime Unit.29 The above statistics indicate that the East African region is facing real challenges in so far as prevention, detection, apprehension, investigation, trying and punishing cybercriminals is concerned. It suffices to say that cyber criminals in East Africa enjoy the advantage of weaknesses in cybercrime legislation and lenient systems of law enforcement; as a result, it leads to propagation of illegal activities in cyberspace.30 This weakness is mainly caused by variations in legislative and institutional developments and setups in each individual country. That is to say, commonality in terms of anti-cybercrime measures in the region is lacking to the extent that countries like Uganda and Tanzania have enacted clear and express anti-cybercrime laws, while Kenya has a partial anti-cybercrime statute, and is struggling to adopt a new law.31 Besides the above disparities among members of EAC, the region lacks a robust collective legal and institutional framework to address cybercrime, the fact which makes effective cooperation among States on the same a nightmare. However, on the other hand, there have been remarkable developments in Europe in adopting the anti-cybercrime frameworks since the late 1990s and early 2000s. Given the global nature of cybercrime, it is apparent that some degree of harmonization between countries is vital and necessary if effective regulation is to be achieved. It is for this reason that the study was carried out to see what the East African region can learn from Europe’s cybercrime regime for purposes of developing its own local and regional frameworks that will essentially harmonize the varying domestic laws and enhance international cooperation in fighting the menace.

C. Focus of the Book The focus of this book is to examine the effectiveness of the measures currently employed in East Africa as a region, and in the individual Member States in dealing with cybercrime and how best the same can be modified to prevent and combat cybercrime in the region. So, the subsequent analysis in 29  Kassim. 30  The 31  The

African Centre for Cyberlaw and Cybercrime Prevention, p. 1. African Centre for Cyberlaw and Cybercrime Prevention, p. 2.

24

Chap. 1: General Introduction

this book is done with a view of drawing some lessons from Europe’s cybercime regimes. In so doing, the book is set to critically examine the role of the law in preventing and combating cybercrime in East Africa; investigate the extent to which the current laws address the problem of cybercrime and ICT governance and regulation in the East African region at country and regional levels; examine the level and extent of cooperation required among the EAC partners in fighting cybercrime; analyze legal and institutional challenges on ICT governance and regulation in East Africa and globally with a view of creating a crime-free environment for the Internet and computer users; and examine the best ways through which the East Africa region can ensure efficient regulation of ICT through a regime that will prevent and combat cybercrime without necessarily inhibiting social, political and economic development. Despite the above-mentioned challenges, the efforts to prevent and combat cybercrime in the East African region have been an ongoing exercise over and beyond the duration of preparing this book. Legal and institutional developments have been constantly happening even after some chapters were completed. Some of these developments have been captured and updated in the book accordingly. However, in order to bring this book to the finality and avoid endless review, a cut-off point had to be set. Based on the above, it is important to state clearly that facts and laws discussed and examined in this book are based on the status of affairs in East Africa and Europe not beyond January 2018.

Chapter 2

Cyberspace as an Emerging Phenomenon in Criminal Jurisprudence A. Introductory Remarks While the influence of ICTs on society is immeasurable, legal scrutiny of the same and cyberspace, in particular, is still in its infancy stages of evolution in many developing countries. For that reason, a clear analysis and understanding of some basic concepts and key issues relating to it is a decisive step towards appreciating the need to circumvent the speedy emerging technological malpractices. This chapter is an attempt to lay a simple but informative foundation on cyberspace upon which subsequent discussions in this book are founded. This thorough examination of facts and issues intends to create a relatively common understanding on key concepts and theories pertinent to the subsequent analysis in this book. This chapter, therefore, among others, endeavors to discuss key terms relevant to ICT and unveil their relationships and variances. The key terms analyzed in this chapter include but not limited to cyberspace, computer crime, and cybercrime. The chapter further explains the evolution of the Internet as a public network and subsequent behavioral developments such as malpractices among users, specifically cyber criminality. It further analyzes the types and common features of cybercrime. Moreover, the chapter demonstrates how geographical boundaries do not matter in cyberspace. In fact, the chapter illustrates how this unique characteristic is critical in ICT and cyberspace governance, and the war against cybercrime in particular. The chapter ends with discussions on contemporary issues and challenges on cyberspace. These contemporary issues revolve around but not limited to questions of criminal capability, jurisdictions of courts, child protection and the debate on striking a balance between legal or / and governmental regulation of the technology vis-à-vis the spirit of innovativeness and human rights’ protection. The chapter finally unveils a serious risk that governments are facing or likely to face, that is, striking a balance between two contrasting obligations, namely protection of people against cybercrime and observance of the fundamental rights and freedoms of individuals subjected to criminal investigation.

26 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

B. Understanding Cyberspace, Computer Crime, and Cybercrime The terms cyberspace, computer crime, Internet crime, technological crime, digital crime, e-crime, hi-tech crime, net crime and cybercrime are used by some authors and experts interchangeably to refer to personal computers and networked computers, and the way they can be manipulated to accomplish criminal missions respectively.32 In this discourse, the central emphasis lies to a computer and its peripherals. However, it is important to note that the definitions of terms are said to be mostly dependent on the context and intended use of that particular term.33 Notwithstanding the above observation, it is important to have them further clarified so that similarities and differences, if any, are also clearly understood at this juncture. It is also argued that the importance of having cybercrime related terms clearly defined is not only to educate the reader on the complexity of the definitional issues but also to show how the broad use of terms can isolate people that are not as familiar with how computers are used as an instrument of criminality.34 I. Cyberspace One may correctly argue that there is no academic consensus as to what cyberspace actually is. The list of industrious attempts to define and explain the concept of cyberspace is very exhaustive and some authors argue that some definitions are even competing.35 However, the history shows that the word “cyberspace” in the context of virtual and imaginary space was used for the first time by a novelist William Gibson in his novel Neuromancer, published in 1984.36 He describes cyberspace as an imaginary space consisted of a fully immersive virtual reality through which users of computer networks from all over the world could communicate and interact with each other.37 This description is etymologically based on the idea of “cybernetics” which is the study of control at a distance through devices, as coined by Norbert Wiener.38 Cybernetics, in other words, is referred to as the study of

32  Turrini / Ghosh,

p. 8. Also see: Clough (2010), p. 9. Nations Office on Drugs and Crime (2013), p. 19. 34  Reyes (2007), p. 24. 35  Buckland / Schreier / Winkler (2015), p. 9. Also see: Popa, p. 115. 36  Lessig (2006), p. 3. Also see: Schwabach, p. 65. Further see: Loader, p. 3. 37  Perry, p. 52. Also see: Post (2009), p. 3. 38  See Lessig (2006), p. 3. Also see: Perry, p. 52. 33  United



B. Understanding Cyberspace, Computer Crime, and Cybercrime 27

the mechanics of human or electronic-machine movements, and the way in which electronic devices can be made to work and imitate human actions.39 According to Judge Stein Schjolberg,40 cyberspace is the new and fifth common space after land, sea, air and outer space.41 Moreover, cyberspace is described to mean the broad co-dependent network of information technology substructures which include the Internet, telecommunications networks, computer systems and computer peripherals in various industries.42 David Post and David R. Johnson define cyberspace as a new frontier composed of the screens and personal identification numbers (PINs) that separate the computer-generated biosphere from the “real world” of atoms.43 Furthermore, Dictionary of ICT defines cyberspace as the world in which computers and people interact, normally via the Internet.44 In simple terms, cyberspace is a concept used to explain an imaginary non-physical forum or place where users of modern information and communications technologies networks meet and converse with each other. The key word in defining cyberspace is the network which acts as a medium of linking users and providing access to the forum. The list of networks in the sense of computer and its peripherals connected together to perform a specified purpose(s) can be very extensive, but to mention a few, it can be in the form of the Internet, telecommunications networks, supervisory control and data acquisition (SCADA), computer systems and so forth.

39  Collin,

p. 64. Schjolberg was an extraordinary Court of Appeal Judge in Norway from 2010 until August 1, 2013, when he retired. He was appointed as a Judge in 1984 and as the Chief Judge of Moss Tingrett Court from 1994 to 2010. Until 1984 he served as a prosecutor and Assistant Commissioner of Police in Oslo. Judge Schjolberg is an international expert on cybercrime, and one of the founders of the global harmonization on computer crime legislation. He was a Fulbright-Hays Scholar at Stanford Research Institute (SRI International) in 1981–1982. In cooperation with INTERPOL he organized the First INTERPOL Training Seminar for Investigators of Computer Crime in Paris, 1981. Judge Schjolberg has served as an expert on cybercrime for several international institutions. He has published widely on computer crime and cybercrime legislation, in addition to court technology issues. He was appointed by the National Center for State Courts, United States, as a member of the International Think Tank on Global Court Technology in 1999–2001. Schjolberg’s biography is according to the information that was extracted from http: /  / www.cybercrimelaw. net / biography.html, accessed on 7 March 2018. 41  Schjolberg (2010), p. 1. Also see: Schjolberg (2012), p. 3. Further see: Toure, p. 122. 42  Buckland / Schreier / Winkler (2015), p. 9. 43  Johnson / Post, p. 1367. 44  Collin, p. 64. 40  Stein

28 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

II. Computer Crime and Cybercrime The terms “computer crime” and “cybercrime” are interchangeably used to refer to criminal wrongs whereby a computer is involved as an integral part of the commission.45 Normally, the computer and / or computer systems are put at the center as the tool or victim of the criminal transaction. However, the perception by some authors about these terms is that they are two different phenomena which are closely related. One may rightly argue that all cybercrimes are computer crimes, but not all computer crimes are cybercrimes. The expression that “all cybercrimes are computer crimes” refers to the fact that commission of a cybercrime always involves a computer or computer system as an integral part of a criminal transaction.46 Also, the statement that “not all computer crimes are cybercrimes” means that for a computer crime to be a cybercrime, it must be committed through the Internet or other known computer networks.47 These statements represent a thin line of dissimilarity between the two terms commonly used to refer to high-tech crimes. It suffices to say that there is no single universally accepted definition of what actually amounts to computer crime. Different authors have been defining it depending on their standpoint, context and sometimes intended utility of the definition.48 Since issues revolving around ICTs and criminality are cross-cutting, different definitions have evolved among lawyers, engineers, sociologists, political scientists and many other professionals and disciplines. In the Dictionary of ICT, computer crime is defined in a very short and clear way as theft, fraud or other crimes involving computers.49 Historically, Donn Parker is cited as the first scholar to attempt to define computer crime categorically in the 1970s.50 Parker describes computer crime as any incident of computer abuse involving a deliberate act associated with computers whereby a victim suffers loss, and a perpetrator gains a certain advantage.51 He further clarifies that the role played by computers in commission of crimes can be in four limbs, namely the computer is the object or the data in the computer are the objects of the act; the computer cre45  Dudley,

pp. 58–59. Also see: Turrini / Ghosh, p. 8. Telecommunication Union (2009), p. 17. Also see: Australia Institute of Criminology. 47  International Telecommunication Union (2009), p. 17. Also see: Australia Institute of Criminology. 48  Reyes (2007), p. 24. 49  Collin, p. 55. 50  Reyes (2007), p. 24. 51  Reyes (2007), p. 25. 46  International



B. Understanding Cyberspace, Computer Crime, and Cybercrime 29

ates a unique environment or unique form of assets; the computer is the instrument or the tool of the act; and the computer represents a symbol used for intimidation or deception.52 This categorization by Parker is commended as one of the foundations upon which subsequent analysis and categorization of the modern computer crimes are based. It is said that the first mention of computer crime at international level was in 1976 in Europe at the Council of Europe Conference on Criminological Aspects of Economic Crime.53 In this conference the delegates made an attempt to define computer crime in the following words: Any illegal action which a computer is a tool or object of the crime, in other words any crime the means or purpose of which is to influence the function of a computer.54

The definition of computer crime propounded by the U.S. Department of Justice (DOJ) is very extensive for it defines computer crime as any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution.55 It goes beyond the traditional definitions we know which are limited to the commission per se. This definition also includes investigation and prosecution aspects. This definition though extensive, but may appear to be more perplexing. However, it suffices to say that generally computer crime is any delinquency that is expedited or committed using a computer, network, or hardware device. As it is for the computer crime which is a generic term, the task to define what cybercrime is has never been simple. There are hundreds of attempts in defining the term cybercrime for there is no one commonly agreed definition.56 However, the above-discussed definitions of computer crime can be more or less modified to cater for cybercrime. Susan Brenner defines cybercrime as engaging in conduct that is outlawed by using computer technology.57 She further stresses that these crimes are committed in cyberspace and the cyberspace becomes the tool used by offenders to commit traditional crimes in new ways.58 According to the Encyclopedia of Cybercrime, cybercrime is defined in the following terms:

52  Reyes

(2007), p. 25. (2014), p. 51. 54  Schjolberg (2014), p. 51. 55  Dudley, pp. 58–59. Also see: Turrini / Ghosh, p. 8. 56  European Commission (2007). Also see: Yar (2006), p. 9. 57  Brenner (2010), p. 10. 58  Brenner (2010), p. 10. 53  Schjolberg

30 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence Cybercrime is a broad term covering all the ways in which computers and other types of portable electronic devices such as cell phones and PDAs capable of connecting to the Internet are used to break laws and cause harm. A slightly more technical definition would be use of computers or other electronic devices via information systems such as organizational networks or the Internet to facilitate illegal behaviors.59

During the 10th United Nations Congress on the Prevention of Crime and the Treatment of Offenders, a relatively comprehensive definition of cybercrime encompassing two main limbs was adopted. The first limb of the definition describes cybercrime as any crime that can be committed by means of a computer system. The second limb adds the element of the network being employed in a computer system in the commission. Further to this, it is clearly stated in the definition that the crime should be committed either in a computer system or network or against a computer system or network. The descriptions above have attempted to define and differentiate the two common and somewhat similar concepts of computer crime and cybercrime as they apply in criminal jurisprudence. However, with the definitions of cybercrime and / or computer crime, it is important to note that the bottom line is that the computer technology is used as a central component of the crime. As repeatedly noted above, though the dissimilarity between the two is very critical and worth examining to achieve clarity on issues, it is undisputable fact that the same is very thin and negligible for the purpose of subsequent analysis in this book. Therefore, a more or less substitutable approach on the two terms will be employed throughout the discussion. For purposes of this book, a consistent definition of cybercrime and / or computer crime is adopted to mean all traditional crimes committed in the computer environment as well as all new forms of crime that are capable of being committed in the computer environment only such as hacking, production and distribution of malware and so forth.

C. Nature and Evolution of Modern Cybercrime I. Nature of Cybercrime In academic discourse and debates, there exist two different approaches attempting to offer explanations regarding the nature of cybercrime. The first approach considers cybercrime as capable of being easily explained by using the conventional theories.60 And they are basically treated as old crimes that 59  Mcquade,

p. 43. Also see: Singh (2007), p. 6. pp. 243 & 248. For a lengthy and detailed discussion on whether cybercrime is old wine in new bottles or not see: O’Neill, pp. 237–288. 60  Grabosky,



C. Nature and Evolution of Modern Cybercrime31

are committed by using new techniques. This phenomenon is literally explained as “old wine in new bottles approach”. The second approach, “the novelty of cybercrime approach”, considers cybercrime as a completely new form of criminality and differs from the traditional crimes committed in the real world.61 Both positions above are logical and reasonable as they appear to be practically valid. Looking at cybercrimes today, one will find that they carry both features of traditional crimes and new crimes. Taking fraud, theft, money laundering, sexual harassment, hate speech, and pornography as examples of conventional crimes, one may correctly argue that the possibility of them being committed in cyberspace is more or less as it is in the physical world. However, one must also note that in cyberspace new crimes such as viral attacks, hacking, and denial of service attacks have emerged in tandem with the Internet and could not exist separately from it. In the discussion about nature of cybercrime, it is safer to take a combined approach. This refers to the approach that will take into consideration the fact that evolution of cybercrime has not only impacted the way traditional crimes are committed, but also criminal law by the emergence of new offenses which were not known to the law. II. Evolution of Modern Cybercrime Modern cybercrime cannot be quarantined from the invention of modern digital programmable computers. A German national, Konrad Zuse, is said to be the father of modern programmable computing which he invented in 1936.62 So, the computers we use today and the subsequent malpractices related to computing can be well understood by firstly appreciating the great job done by Zuse. Computer-related crime, or computer crime, is said to be a relatively long well-known phenomenon, but with the speedy development of global connectivity, contemporary forms of wrongdoing in the name of cybercrime have emerged and increased tremendously with time.63 In order to appreciate the development of modern cybercrime, a short chronological account of major issues on ICTs as explained below is inevitable.

61  Yar

(2005), pp. 407–411.

62  History-Computer. 63  United

Nations Office on Drugs and Crime (2013), p. 5.

32 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

1. The Era of Mainframe Computers It is alleged that the first incidence of computers being used to commit a crime was reported in the 1960s in the United States of America.64 At this time, computing was dominated by mainframe computers which were owned only by big companies and organizations.65 Individuals could not own computers as they were very expensive and required a very big space for them to be installed. It is estimated that by 1960, five thousand mainframe computers were in use in the United States.66 By 1970, nearly eighty thousand were in use in the United States and approximately another fifty thousand were in use in other countries.67 With this type of computer use which was limited to big companies and organizations, most of the crimes committed related to embezzlement and fraud, information stealing (trade secrets), physical damage to the computer, and unauthorized access to private information.68 Also, these crimes were only capable of being committed by persons whose employment allowed them access to mainframe computers.69 There was no Internet, hence the mainframes were not networked to each other.70 Individuals were not mainly the targeted victims and even the victimized organizations deliberately concealed the information about these criminal incidences.71 Generally, all this did not alert the world of dangers and risks of computing as such since it was considered as just committing conventional crimes in a new way. 2. Evolution of Networked Computers Coming into operations of the networked computers, especially through the Internet, had direct impacts on computer related criminality. The history of the Internet as a medium and the major catalyst in cybercrime commission is not very clear.72 However, it is presumed to have started in 1969 when the Advanced Research Projects Agency Network (ARPANET), the first packet-

64  Brenner

(2010), p. 10. (2010), p. 10. 66  Brenner (2010), p. 10. 67  Brenner (2010), p. 10. 68  Brenner (2010), p. 11. Also see: International Telecommunication Union (2012), pp. 12–13. 69  Brenner (2010), p. 10. 70  Brenner (2010), p. 10. 71  Brenner (2010), pp. 12–13. 72  Schwabach, p. xiv. 65  Brenner



C. Nature and Evolution of Modern Cybercrime33

switching network, was launched.73 ARPANET was a project pioneered under the sponsorship of the U.S. Department of Defense.74 The project pulled and connected together mainframes in hundreds of universities, research laboratories, and defense contracting companies.75 It became a network for programmers, scientists, and other specialists using computers.76 This connection created what was called “a networked tribe.”77 Etymologically, the Internet though today widely accepted and used by the public, it started as a small private network of researchers and academics. 3. The Epoch of Personal Computers and the Internet The proliferation of personal computers in the public market in the 1980s and the Internet in the 1990s are said to be a turning point towards the evolution of modern cybercrime.78 The subsequent introduction of the World Wide Web in the 1990s and increased use of information systems among individuals and businesses have catalyzed commission of cybercrimes drastically.79 With the World Wide Web and the Internet, unprecedented opportunity to create an existence on the Internet was made available, which consequently resulted into a new arena for criminal dominance. These developments paved a way for hacking and malware production and distribution as one of the earliest cybercrimes.80 It is important to note that, early criminal incidences on cyberspace mainly targeted computer systems and / or data stored in the computer system. Offenses targeting individuals and fraud related ones for personal gain were not very common. Undoubtedly, this was because of the fact that life was not yet that much digitized as it is the case now. However, it did not take a long time before computer technology was employed to commit conventional crimes such as fraud, theft, extortion, and copyright violations.81 They were committed in new and more profitable ways while the perpetrators maintained anonymity.82 The twenty-first centu73  Brenner

(2010), p. 15. Also see: Easttom / Taylor, p. 34. p. xiv. Also see: Giacomello, p. 1. 75  Mcquade, p. 7. Also see: Brenner (2010), p. 15. 76  Schwabach, p. xiv. 77  Brenner (2010), p. 15. 78  Schwabach, p. ix. Also see: Dudley, p. 38. 79  Dudley, p. 38. 80  Dudley, p. 39. Also see: Brenner (2010), pp. 14–36. 81  Brenner (2010), pp. 36–37. 82  Brenner (2010), pp. 36–37. 74  Schwabach,

34 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

ry has witnessed a stagy evolution and growth in online criminality such as stalking, harassment, financial crimes, corruption, crimes against children, defamation, and invasion of privacy.83 It is said that the twenty-first-century technological criminality is catalyzed by increasing use of broadband; increasing use of wireless technologies; new methods of identification and verification; and new payment systems.84 Today, computer crime is a more far-reaching and more complex term than it was five or ten years ago. With the current speed of technological changes and innovations, one cannot predict with certainty what will be the tomorrow’s criminal trends. Victimization on cyberspace is increasingly growing over time. In June 2014, it was reported that the cost of cybercrime for the global economy was estimated at 445 billion U.S dollars annually.85 It was further reported that more than eight hundred million people fell victim to cyber espionage and stealing of individuals’ personal information.86

D. Forms of Cyber Criminality Industrious efforts have been dedicated towards grouping cybercrimes into various forms with a view of achieving clear understanding, smooth and systematic investigation and finally prosecution of the same. Also, it is equally critical for the study investigating on preventing and combating cybercrime to have the forms clearly outlined for close monitoring of the trends in an informed manner.87 It is through this categorization one may correctly comprehend whether cybercrimes are completely new crimes or old ones committed by using new ways. As a result, even the prevention and combating approaches will take these trends into consideration. A snapshot of various computer crime taxonomies as promulgated by institutions, experts and academics is covered hereunder. I. Categorization by Individuals and Experts Vasili Polivanyuk simply classifies computer criminals into two categories, namely hackers, and crackers. He argues that hackers are those who interfere with the computer system and disturb it just for fun to demonstrate that com83  Brenner

(2010), p. 37. The Australian Institute of Criminology. 85  See: Williams, Cybercrime Costs Global Economy $445 bn Annually. Also see: PricewaterhouseCoopers (2014). 86  See: Williams, Cybercrime Costs Global Economy $445 bn Annually. 87  Alkaabi, p. 2. 84  See:



D. Forms of Cyber Criminality35

puting can have very precarious and perilous moments.88 According to him, crackers are those persons who intrude in the computer network for purposes of destroying it or deriving material or economic benefits from the intrusion.89 The classification by Polivanyuk is very simple and clear as it captures some of the computer crimes within its range of grouping. However, due to probably evolution and development of other new forms of crime in cyberspace, this classification today can be challenged for having left some of the criminal deeds out of its scope. For example, cyber-attacks against a person such as cyber-stalking, harassment, dissemination of obscene material including pornography and indecent exposure can hardly fit within the two categories advocated by Polivanyuk. Cybercrimes can also be categorized into four groups. The first group covers Data Crimes under which offences like data theft, data modification, and data interception form part and parcel of this group.90 Secondly, is the category called Network Crimes which include crimes like network interferences and network sabotage.91 The third group involves the so-called Access Crimes, namely unauthorized access and virus dissemination.92 The fourth and last category contains what are designated as Related Crimes.93 This category covers a range of crimes such as aiding and abetting cybercrimes; computer-related forgery and fraud; and content-related crimes.94 David Wall whose categorization has been also endorsed by Majid Yar,95 sums up cybercrimes into four main categories.96 These categories are cybertrespass, cyber-deceptions / thefts, cyber-pornography / obscenity, and cyberviolence.97 In the category of cyber-trespass, Wall puts all types of hackers / crackers in this category.98 Regarding the category of cyber-deceptions / thefts, these are fraud related offences like credit card fraud, illegal production of cyber-cash credits, cyber piracy, and many more of this type.99 In the category of cyber-pornography / obscenity, Wall includes offences re-

88  Polivanyuk,

Cybercrime Criminological Researches. Cybercrime Criminological Researches. 90  Ajay, pp. 1–3. 91  Ajay, pp. 1–3. 92  Ajay, pp. 1–3. 93  Ajay, pp. 1–3. 94  Ajay, pp. 1–3. 95  Yar (2005), p. 410. Also see: Yar (2006), p. 10. 96  Wall, p. 3. 97  Wall, pp. 3–7. 98  Wall, pp. 3–4. 99  Wall, pp. 4–5. 89  Polivanyuk,

36 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

lated to publication or trading on obscene materials online.100 The last category according to Wall is the cyber-violence category. This category represents cybercrime offences that involve violence upon an individual, social or political groups.101 He puts in this category crimes such as cyber-stalking, hate speech, and tech-talk, among others.102 Pavan Duggal uses the victimization factor to array criminality in cyberspace.103 According to him, there are three major taxonomies of cybercrime, namely cybercrimes against persons; cybercrimes against property; and cybercrimes against the government.104 As it is clear from his nomenclature, cybercrime committed against persons are such as production and transmission of child pornography, harassment, trafficking, distribution, posting, and dissemination of obscene materials and indecent exposure.105 Cybercrimes against property include computer vandalism, production and transmission of harmful software, and corporate cyber-spy, among others.106 The last category is that of Cybercrimes against Government. Some examples of offences forming part of this category are cyberterrorism, cracking, and the recent denial of service attacks.107

100  Wall,

p. 6. p. 6. 102  Wall, p. 6. 103  Pavan Duggal who is an Advocate of the Supreme Court of India and the President of Cyberlaws.Net is one among the top ten Cyber lawyers around the world. He is working in the pioneering area of Cyberlaw. While he is a practicing Advocate of the Supreme Court of India, Pavan Duggal has made an immense impact with an international reputation as an expert and authority on Cyberlaw and E-Commerce law. As such, his empanelment as a consultant to UNCTAD and UNESCAP on Cyberlaw and Cybercrime respectively, membership of the AFACT Legal Working Group of the UN / CEFAT, consulting as an expert with the Council of Europe on Cybercrime, inclusion in the Board of Experts of European Commission’s Dr. ECommerce and his work as an expert authority on a Cyberlaw primer for e-ASEAN Task Force and as a reviewer for Asian Development Bank speaks volumes of his worldwide acceptance as an authority. Pavan is the President of Cyberlaw Asia, Asia’s pioneering organization committed to the passing of dynamic Cyber laws in the Asian continent. Pavan is also a member of the WIPO Arbitration and Mediation Center Panel of Neutrals. He has researched and published in the areas of Cyberlaw and e-commerce extensively. 104  Computer Crime Research (India). 105  Computer Crime Research (India). 106  Computer Crime Research (India). 107  Computer Crime Research (India). 101  Wall,



D. Forms of Cyber Criminality37

II. Categorization by Institutions Susan Brenner108 and Jonathan Clough109 subscribe to the classification of computer crime as summarized by the US Department of Justice. This categorization creates three groups of computer crime, specifically, computer as a target, computer as a tool of crime, and computer as incidental to crime.110 The computer as a target category means all cybercrimes whereas the offender sabotages the computer or computer system by breaking into it or bombing it from outside.111 Here the specific offences include hacking and malware production and distribution, among others.112 The computer as a tool of crime category comprises of the conventional offences, but only that a computer is employed as an instrument to facilitate the smooth commission of the crime.113 Examples of computer crimes falling in this category are child pornography, stalking, criminal copyright infringement, and fraud.114 The category of the computer as incidental to crime covers those offences in whose commission a computer plays a minor role, that is to say, using a computer is just incidental in the offence.115 For example, in drug raids cases, money laundering, and other similar incidences computers and electronic storage devices holding incriminating information have been very useful in helping prosecutors to prove their cases.116 The International Criminal Police Organization (INTERPOL) groups cybercrimes into three broad categories. The first category contains attacks against computer hardware and software, which includes offences like botnets, malware production and distribution, and network intrusion.117 The second category is financial crimes and corruption.118 The offences put under this category include online fraud, penetration of online financial services and phishing.119 The Third category is abuse which comprises of crimes in the form of grooming or sex exploitation and others of this nature, especially crimes against children.120 108  Brenner

(2010), pp. 39–47. (2010), p. 10. 110  Clough (2010), p. 10. Also see: Brenner (2010), pp. 39–47. 111  Clough (2010), p. 10. 112  Brenner (2010), p. 39. 113  Brenner (2010), p. 42. 114  Clough (2010), p. 10. 115  Brenner (2010), p. 45. 116  Carter, pp. 21–27. 117  INTERPOL. 118  INTERPOL. 119  INTERPOL. 120  INTERPOL. 109  Clough

38 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

The Council of Europe through the Council of Europe Convention on Cybercrime classifies cybercrime in four main groups.121 The first category involves a group of offences constituting acts against the confidentiality, integrity and availability of computer data or systems.122 The offences put under this category are illegal access; illegal interception; data interference; computer system interference; and misuse of computer devices.123 Computer-related offences or acts for personal or financial gain or harm is the second category which covers offences such as fraud and computer-related forgery.124 The third category is that of computer content-related offences which mainly covers computer-related production, distribution or possession of child pornography.125 The fourth and last category is that which relates to copyright-related offences.126 Basically, this category puts together all computer related criminal transactions which infringe copyright and other related rights. The United Nations Office on Drugs and Crime (UNODC) reaffirms the categorization by the Council of Europe especially with regard to the first three categories.127 However, UNODC clearly states that the list of cybercrimes is not exhaustive and therefore the categories mentioned above may not accommodate all criminal activities in cyberspace.128 In view of this fact and given the complicated nature of cybercrimes, UNODC has included a sub-category of other cybercrimes known as “other cybercrimes”, which seems to be not very specific.129 It includes, among others, crimes like computer-related drug trafficking; computer-related extortion; using a computer to commit the offence of trafficking in persons; and online gambling.130 III. General Observations from the Categorization As observed above, developments in ICTs have impacted criminal law mainly in two ways, namely facilitation in the commission of traditional crimes, and evolution of a new generation of crimes which were not known 121  Alkaabi,

p. 3. articles 2–6 of the Council of Europe Convention on Cybercrime, 2001. See: International Telecommunication Union (2012), p. 12. Also see: Brown, p. 232. 123  See articles 2–6 of the Council of Europe Convention on Cybercrime, 2001. 124  See articles 7–8 of the Council of Europe Convention on Cybercrime, 2001. 125  See article 9 of the Council of Europe Convention on Cybercrime, 2001. 126  See articles 10 of the Council of Europe Convention on Cybercrime, 2001. 127  United Nations Office on Drugs and Crime (2013), pp. 16–19. 128  United Nations Office on Drugs and Crime (2013), p. 19. 129  United Nations Office on Drugs and Crime (2013), p. 19. 130  United Nations Office on Drugs and Crime (2013), p. 19. 122  See



E. Features of Cybercrimes39

to the law. Institutions, academics, and experts in cybercrime have attempted to classify computer crimes into several groups as demonstrated above in order to make the understanding of cybercrimes trends and analysis of the same easier. The classifications range from simple and clear categories to complicated ones. Also, the taxonomies are not uniform. Taking into consideration the technological developments happening globally, it is very challenging to come up with an exhaustive list or categorization of computer crimes. However, critical examination of the taxonomies reveals that almost all groupings are based on two main factors, that is to say, victimization factor (who is the victim), and mode of commission factor (how the crime is committed).

E. Features of Cybercrimes A thorough examination of definitions, facts, categorizations and other information related to cybercrime reveals that there exist common characteristics among these crimes. A clear understanding of these elements is critical for the better apprehension of the subject in question and subsequent analysis and reflections on the same. In a bid to demonstrate the uniqueness of cybercrime Marc Goodman and Susan Brenner make the observations below: As a recent study noted, cybercrimes differ from terrestrial crimes in four ways: They are easy to learn how to commit; they require few resources relative to the potential damage caused; they can be committed in a jurisdiction without being physically present in it; and they are often not clearly illegal. They also pose far greater challenges for law enforcement: Effective law enforcement is complicated by the transnational nature of cyberspace.131

Based on the above observation, some cybercrime’s common features are briefly discussed below. I. Cybercrimes are Committed in Computer Environment Although Peter Grabosky and some other criminologists maintain that cybercrime is nothing new but “old wine in a new bottle”, but they all at least admit that cybercrimes have a unique characteristic of being capable to be committed only in a computer environment.132 The so-called computer environment has multiple descriptions such as cyberspace, electronic environment, non-physical environment and so forth.

131  Goodman / Brenner 132  Grabosky,

p. 243.

(2002), p. 142.

40 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

It is also said that although the effects of computer crimes can sometimes be violent, but the commission itself of the most cybercrimes is never violent.133 This unique feature of cybercrime, as opposed to terrestrial crimes, can be grasped even from various definitions attempting to define cybercrime. Almost all definitions indicate that for a criminal wrong to amount to cybercrime or computer crime, it is a prerequisite that it is committed in a non-physical environment, specifically, computer environment.134 The aspect of crime being violent or non-violent is used to explain the criminological difference between what are called white collar and blue collar crimes.135 Indeed, cybercrimes are white collar crimes too. II. Veil of Anonymity Cyber-criminals have the obvious advantage and tendency of utilizing the available technological avenue to enjoy the veil of anonymity.136 Since the nature of the crime and the technology allow non-physical interactions between users of the computer technology, many criminals’ real identities remain undetected.137 As opposed to real world theft which requires the perpetrator to be physically present at the crime scene, computer theft, for example, data theft, does not necessarily require physical presence for its commission to succeed. This unique feature of cybercrimes makes detection, apprehension, and prosecution of crimes falling under this new form of criminality very complicated, and it is a big challenge to law enforcement agencies.138 It is even more critical that evidential traces of criminality can be removed from the reach of the law enforcers by using the commercially available software.139 It worth also saying that the escalation of vulnerability to cyberattacks is closely associated with, among others, the anonymity characteristic of cybercrimes.140

133  Wall,

p. 6. Also see: Cross, pp. 18–19. Johnson / Post, pp. 1367–1402; Lu / Jen, p. 593; Singh (2007), p. 9; Casey, pp. 32–33; and Cross, p. 11. 135  Verstein, p. 873. 136  Clough (2010), p. 6. 137  Reyes / Wiles (2007), p. 5. Also see: Goodman / Brenner (2002), p. 144. 138  Chawki, p. 8. Also see: Brown, p. 235. 139  Clough (2010), p. 6. 140  Stahl, p. 248. 134  See:



E. Features of Cybercrimes41

III. Requirement of Technical Knowledge As indicated above, computer crimes are white collar crimes. One of the definitional features of white collar crime is that they are committed by persons of respectability and high social status in the course of their occupation.141 This implies that computer crimes are mostly committed by persons who have technical knowledge of computers or whose employments or lifestyles allow them regular access to computers. Unlike terrestrial offences such as murder, theft, and rape which are capable of being committed by any person, and no specialized technical knowledge is required, many cybercrimes like hacking, data theft, denial of service attack and so forth require technical knowhow and smartness on the technology in their commission. It is also eminent that commission of offences like production and distribution of malware requires skilled cybercriminals.142 Innovation is one of the factors criminologists associate with increased criminality on earth.143 Obviously, innovation goes together with skills and technical knowledge. The more the world becomes sophisticated, the higher the risks of the evolution of hi-tech crimes. So, it suffices to say that requirement of advanced technical knowledge is one of the common features of the recent cyber-criminality.144 IV. Cybercrimes are Easy to Commit Evolution of cybercrime has made it possible, for the first time, for people who were traditionally deemed incapable for criminal purposes, like children and teenagers, to be implicated with very complicated and serious criminal transactions with far reaching effects.145 Simplicity in commission geared by technological advancements is highly linked with increased criminal capability of offenders.146 It is not necessary for a cybercriminal to leave the comfort of his office or home chair for him to accomplish his criminal mission. The technology has made it possible for a criminal to perpetrate, say online theft, in state “A” while physically present in state “B” with the help of just electronic commands. It is evident that offences relating to computer networks are uniquely easy to commit transnationally.147 141  Singh

(2002), p. 231. p. 236. 143  Wall, p. 18. 144  Reyes / Wiles (2007), p. 6. 145  Esbenshade, p. 52. 146  Kshetri, N., 2010, p. 169. Also see: Stahl, p. 248. 147  Brown, p. 240. Also see, Clough (2010), pp. 4–7. 142  Brown,

42 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

With the said commission simplicity nature of cybercrime, children have entered into registers of notorious criminals. Among the serious incidences of computer crime by juveniles is the one that happened in the U.S in 1998 when a juvenile computer hacker intentionally, and without authorization, accessed a computer system that was providing services to an airport.148 The juvenile was able to send a series of computer commands that damaged data and disabled the airport’s system.149 This juvenile hacker caused serious problems to public health and safety.150 Another hacker just a youngster of sixteen years old intruded into a National Aeronautics and Space Administration (NASA) computer network used by the US Department of Defense (DOD).151 The hacker’s activity cost the DOD forty-one thousand US dollars in repair and downtime.152 Because of this characteristic of simplicity of commission embedded in cybercrimes, criminologists are faced with an enigma regarding the position of juveniles due to their current technologically increased criminal capability. This enigma may prompt criminologists to start rethinking about the doli incapax concept, which exonerates children of certain ages from criminal liability. V. Cybercrime as a Cross-Border Phenomenon Cybercrime is explained as a phenomenon which is interstate, transnational, borderless, or long distance, and in particular a new form of criminality.153 Grabosky unquestionably admits that one of the remarkable features associated with cybercrime is its transnational implications.154 It is transnational in the sense that a criminal deed committed from state “A” victimizes a person in state “B” within a blink of an eye. Given that the subject and the object are connected to the Internet, distance is nothing in cyber criminality. This unique feature of cybercrime makes it one of the most difficult world’s crises to contain. While legal and institutional regimes are attached to geographical boundaries, cyberspace, and cybercrime, in particular, is not affected by physical borders.155 The case of Gary MacKinnon vs. Government 148  Esbenshade,

p. 57. p. 57. Further on juveniles and serious computer crimes inflicting chaos and destruction see: Chawki, p. 8. 150  Chawki, p. 8. 151  Esbenshade, p. 58. Further on teenagers and problems with computing see: Singh (2007), pp. 15–16. 152  Esbenshade, p. 58. 153  Clough (2010), p. 7. 154  Grabosky, p. 247. 155  Johnson / Post, p. 1370. Also see: Singh (2007), pp. 4, 10–11. 149  Esbenshade,



F. Approaches to Cyberspace and ICT Governance43

of the USA and Secretary of State for the Home Department is probably the best example which explains the cross-borderness of cybercrime. In the said case, it was alleged that while seating at his home in the United Kingdom, Gary MacKinnon illegally gained access to 97 computers of the US Government.156 This is indeed the borderlessness characteristic of cybercrime which this part of the book attempts to illuminate. Another notorious example of transnationality of cybercrime was experienced in May 2000 in Hong Kong when the “Love Bug” virus invaded the cyberspace.157 The virus badly damaged files and stole passwords.158 It promptly spread around the world in two hours which is said to be three times faster than “Melissa virus,” its predecessor.159 It was estimated that the virus affected more than forty five million users in approximately twenty countries.160 The economic loss caused by the virus is estimated to range between two and ten billion US dollars.161 Since long distance in cyberspace seems to separate the criminal from the deed, it eliminates the traditional connection between the perpetrator and the crime scene, henceforth causing more problems to the investigation.162 Likewise, when a criminal incidence involves, let say, two different jurisdictions, investigation and prosecution of the same is more complicated especially when the states have different legal and institutional frameworks.163 The transnational feature is said to radically increase both the technical and legal intricacies of investigating and prosecuting cybercrimes.164

F. Approaches to Cyberspace and ICT Governance It should be clearly understood that for purposes of this discussion the terms governance and regulation are treated as synonymous. Governance or regulation generally refers to the rules, processes, procedures, and specific actions that impact the way in which power is exercised in a specific area of concern.165 It is all about who has the power to make decisions in respect of 156  Gary MacKinnon vs. Government of the USA and Secretary of State for the Home Department [2007] EWHC 762. 157  Goodman / Brenner (2002), pp. 139–143. 158  Goodman / Brenner (2002), pp. 139–143. 159  Goodman / Brenner (2002), pp. 139–143. 160  Goodman / Brenner (2002), pp. 139–143. 161  Goodman / Brenner (2002), pp. 139–143. 162  Brown, p. 233. 163  Brown, pp. 233–234. Also see: Dudley, p. 38. 164  Brown p. 142. 165  Tripathi, pp. 370–371.

44 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

certain issues or concerns and who takes the responsibility for the issues.166 Lawrence Lessig describes “regulability” as the ability of a government to regulate conduct within its correct scope.167 This ability in the context of the Internet and cyberspace translates into the ability of the government to control the behavior of its citizens while on the Net.168 Lessig opines that to regulate well, one needs to know three basic things: who someone is; where they are; and what they are doing.169 Governance pronounces the mechanisms an institution employs to ensure that its constituents abide by its established processes and policies.170 It is the way of keeping control and answerability in a loosely united administrative structure.171 The governance of cyberspace is the pillar of the information age’s survival.172 However, it is still a relatively fresh subject, hence it lacks theoretical consensus about how it should be crafted.173 Nevertheless, it is important to note that governance is a very wide and complex concept that can be explained in different perspectives. It can be analyzed in political, economic, social, and legal perspectives.174 This book focuses its concentration on legal and political parameters of governance with a view of having secure cyberspace. Eventually, through the Internet the utility of cyberspace has grown exponentially.175 This situation calls for a more organized and accountable coordination on how business should be transacted on cyberspace.176 For effective utilization of the social, economic and environmental benefits of cyberspace, the need to have a reliable, transparent and non-discriminatory legal, and regulatory governance over the same is very appealing.177 This necessity for a monitoring machinery has paved a way for the idea of Internet governance to develop.178

166  Tripathi,

pp. 370–371. (2006), p. 23. 168  Lessig (2006), p. 23. 169  Lessig (2006), p. 23. 170  Tripathi, p. 371. 171  Tripathi, p. 371. 172  Popa, p. 122. 173  Popa, p. 122. Also see: Balleste, p. 41. 174  Tripathi, p. 369. 175  Tripathi, p. 369. 176  Tripathi, p. 369. 177  Tripathi, p. 369. 178  Tripathi, p. 369. 167  Lessig



F. Approaches to Cyberspace and ICT Governance45

The relationship between technological innovation and government regulation is said to be neither simple nor direct.179 And undoubtedly so, is the attempt to thoroughly address that relationship. Early perceptions about cyberspace were that, it is a place or space of absolute freedom and lawlessness.180 It was believed that Governments would not only be able to own cyberspace but also could not regulate cyberspace.181 It was thought that cyberspace was by nature unavoidably free.182 However, the reasons for this kind of thinking were not clear. Some people went even further by making a declaration which was known as “Declaration of Independence for Cyberspace,” which states: Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.183

However, despite these feelings and beliefs among cyberspace citizens, Lessig perceives cyberspace as not only is capable of being governed but is governed already.184 He considers the thoughts about the perceived freedom and absence of governance in cyberspace as a misconception.185 He further advances four modalities of regulation in cyberspace, namely regulation by norms; regulation by law; regulation by market forces; and regulation by code or architecture.186 The regulation approach propounded by Lessig seems to be very pragmatic, systematic and appealing, hence it is hereby considered for further discussion. I. Regulation by Norms Regulation by norms presupposes that, for a person to function and be accepted in a given society one should abide by the norms of that society.187 This means that by the standards of any society there are already the dos and 179  For further discussion on technological innovation and Governmental Regulation see: Epstein, pp. 87–104. 180  Lessig (2006), p. 3. 181  Lessig (2006), p. 3. 182  Lessig (2006), p. 3. 183  This Declaration was made on February 8th 1996 by John Parry Barlow, the co-founder of the Electronic Frontier Foundation, a non-profit organization defending civil liberties in the digital world, which was founded in the US in 1990s. For further details about the Declaration see Loader, pp. 4–5. 184  Lessig (2006), p. 3. 185  Lessig (2006), p. 4. 186  Lessig (2006), pp. 4–6. 187  Lessig (1999), p. 507. Also see: Lessig (1998), pp. 2–3.

46 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

donts.188 Lessig explains this as one of the modalities of cyberspace regulation. Regulation by norms implies that the society will automatically adopt its own rules and regulations towards certain behaviors and conducts. The norms will discourage unacceptable practices and encourage the acceptable ones. Although these rules will have no force of law, but any person who wants to be accepted membership in this society must abide by the rules.189 Those who contravene these norms will face social sanctions. Regulation by norms in the ICTs’ perspective may take the form of acceptable use policies, terms and conditions of engagement and other policies that act as a norm although may not be legally binding like a contract.190 With time, norms can be developed into law through enactment or litigation. II. Regulation by Law Regulation by law is the most common form of regulation whereas through the law, unacceptable standards of behavior and conduct are pronounced, and any contravention attracts punishment in the form of imprisonment or fine.191 This regulation should be understood in its wider perspectives to include the laws enacted by the legislative organs, and also the laws made by courts through precedents. There are good examples of nations in their individual and collective capacities who have passed different laws in their efforts to regulate cyberspace and ICTs generally.192 III. Regulation by Market Forces It is said and believed that markets forces do regulate behaviors. Regulation by market forces is something analogous to the principle of economics of invisible hand as advocated by the father of modern economics, Adam smith.193 This means that the market trends will determine what to consume 188  Lessig

(1999), p. 507. Also see: Lessig (1998), pp. 2–3. (1999), p. 507. 190  Lessig (1999), p. 507. 191  Lessig (1999), pp. 506–507. 192  The Council of Europe Convention on Cybercrime, 2001 is an example of collective efforts among nations to regulate cyberspace through the law. Besides these collective efforts, there are also attempts by individual countries to legislate, for example, Tanzania has recently passed two Acts related to cyberspace, namely the Cybercrimes Act, and the Electronic Transactions Act, both of 2015. 193  For further discussion about the concept of invisible hand, see: The Economic Times. 189  Lessig



F. Approaches to Cyberspace and ICT Governance47

and what not to consume, as a result, the unwanted products (goods and services) will disappear from the market, and hence control is exercised.194 Those goods and services with low quality, high prices, and those which are unwanted by the consumers will automatically phase out. In other words, the market forces will determine what survives and what does not survive in the marketplace.195 It is further said that consumers have a tendency of regulating their behaviour based on the analysis of cost and benefit.196 A good example to explain this situation is that the higher the prices for petrol, the lesser the travel individuals make with their private cars.197 So, using the same theories and explanations, goods and services in cyberspace are capable of being controlled under this modality of regulation. IV. Regulation by Code or Architecture Regulation by code or architecture relies on the controls imposed by the technology itself. This modality relies on the power of human mind to design and create systems and controls that regulate human behaviors.198 As it is for the speed humps in controlling speed in street roads, the technology has its mechanisms to regulate certain unacceptable conduct.199 These mechanisms in the context of the ICTs are what Lessig calls as a code. The code is simply the software and hardware that make each cyberspace the way it is.200 For example, a computer program can be designed not to allow access to do something unless a password is entered; or encryption of files to deny access to other persons.201 Indeed, this is a kind of architectural constraint that can be used to govern behaviors on cyberspace. However, it worth noting that these four modalities of regulation do not operate independently, rather they interact in various ways.202 V. Pillars of Cybersecurity The modalities of cyberspace regulation discussed above is an attempt to lay just a big overview of how the technology can be regulated for the ben194  Lessig 195  Lessig

196  Lessig 197  Lessig 198  Lessig 199  Lessig 200  Lessig 201  Lessig 202  Lessig

(1999), (1999), (1999), (1999), (1999), (1999), (1999), (1999), (1999),

p. 507. Also see: Lessig (1998), pp. 2–3. p. 508. p. 507. p. 507. p. 507. p. 507. p. 503. p. 509. p. 511.

48 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

efit of the people. In a bid to ensure security in cyberspace, the International Telecommunication Union (ITU) has identified five main work areas.203 These areas are also known as Five Pillars of the Global Cybersecurity Agenda.204 The first pillar relates to legal measures, which simply requires the presence of necessary substantive criminal law provisions that specifically criminalize certain acts in cyberspace.205 The second pillar is all about technical and procedural measures that will ensure the conduct of proper cybercrime related investigations and maintaining the integrity of the evidence collected.206 The third pillar is on having highly developed organization structures with the required competencies to enforce the law and handle complex issues.207 The fourth pillar dwells on capacity building with a view of ensuring that the global standards and experiences are properly shared between developed countries and developing ones.208 The fifth and last pillar is on international cooperation in terms of having cybersecurity and anti-cybercrime strategies, and mutual assistance and cooperation in investigations and other related issues.209

G. Contemporary Issues and Challenges on Cyberspace It has been indicated from the discussions above that developments in ICTs have impacted life on earth in almost all spheres.210 Economically, new terminologies and practices like e-commerce, e-taxation and many more other ways of transacting electronically have evolved. Simply, one can say that a good portion of the world’s economy is currently transacted in cyberspace. Politically, electronic means of state administration and enjoyment of political rights have evolved, among others, in the names of e-Government and e-voting respectively. Socially, interactions between members of the society have not remained unaffected by these developments. Furthermore, delivery of social services has been positively championed by developments in ICTs. Together with a myriad success that the world has recorded from developments brought by ICTs, there are a number of challenges that require further determinations in so far as cybersecurity is concerned. 203  International

Telecommunication Telecommunication 205  International Telecommunication 206  International Telecommunication 207  International Telecommunication 208  International Telecommunication 209  International Telecommunication 210  Clough (2010), p. 3. 204  International

Union Union Union Union Union Union Union

(2009), (2009), (2009), (2009), (2009), (2009), (2009),

p. 84. p. 84. pp. 84–85. pp. 85–86. p. 86. p. 86–87. pp. 87–88.



G. Contemporary Issues and Challenges on Cyberspace49

I. Borderlessness and Jurisdictional Issues One of the unique features of cybercrime discussed in chapter 2 part. E.V. above is its borderlessness.211 While individuals are subjected to geographical boundaries and jurisdictions, cybercriminals are not bothered by these territories.212 For both preventive and enforcement measures against cybercriminals, absence of borders in cyberspace is a serious challenge.213 Since a perpetrator does not need to physically cross or enter the territory of the targeted victim of crime, it becomes an issue to prevent the crime from being committed even where one has information prior to the commission.214 Likewise, in pursuing a perpetrator of the completed criminal mission there are so many jurisdictional issues involved if the perpetrator is not within the geographical boundaries of the pursuing state.215 It is exceptionally possible in the absence of the Internet for an action in one state to have jurisdictional issues in another state.216 However, for cybercrime the issue of multiple jurisdictions is not an exception, rather a regular business.217 It is clear that one state cannot exercise its jurisdiction in the territories of another state.218 For that matter, processes and procedures related to criminal adjudication such as investigation, arrest and extradition will largely depend on the courtesy of the other state.219 The matter becomes more complicated if there is no agreement for cooperation in criminal matters between the two states involved. In such a situation the duty to cooperate between states becomes more moral than legal. As it is not practically possible for one state to have cooperation agreements in criminal matters with all states of the world, cybercrime brings a serious concern about resolving jurisdictional issues. II. Harmonization of Laws Cybercrime is a global crisis. Global efforts are required to circumvent it. Collective legal and institutional initiatives have been taken for decades now 211  Johnson / Post,

pp. 1370–1376. pp. 1370–1376. 213  Podgor (2004), p. 97. 214  Podgor (2004), pp. 97–98. 215  Yar (2006), p. 16. Also see: Chawki, p. 20. 216  Schwabach, p. 197. 217  Schwabach, p. 197. 218  Clough (2010), p. 405. Also see: Turrini / Ghosh, p. 321. Also see: Podgor (2009), p. 733. 219  Podgor (2009), pp. 733–734. 212  Johnson / Post,

50 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

in a bid to address criminality in cyberspace.220 The efforts are said to have begun in Europe in 1983 under the superintendence of the Organization for Economic Cooperation and Development (OECD).221 Also, the Council of Europe in 1985 tasked IT experts to study legal issues posed by transnational cybercrime.222 The recommendation that came from these experts emphasized on the need to have harmonized a set of laws around the world that criminalize certain basic illegal conducts.223 These efforts later in 2001 gave birth to the Council of Europe Convention on Cybercrime.224 As noted above, cybercrime is borderless and is one of the world’s serious crises. This fact suggests that global harmonization of laws is unavoidable in the war against cybercrime.225 Harmonization referred here is that which aims at having common standards in substantive and procedural laws, and best practices in addressing this unique form of criminality. This goes together with the creation of common institutions that are meant to fully cooperate in dealing with the problem.226 However, harmonization has been partially possible. There are a few regional conventions with the Council of Europe Convention on Cybercrime being at the forefront. Regrettably, global harmonization has not been possible so far and it seems to be challenging.227 Challenges of having collective anti-cybercrime measures can be evidenced by the current situations where some regions have adopted regional cybercrime instruments, which some of them have not been operational for lack of minimum ratifications.228 Practical experience of problems emanating from the absence of harmonized laws can be well explained by the “Love Bug” case above. In this case, the perpetrator who resided in the Philippines was unsuccessfully prosecuted as the Philippines had no cybercrime laws that criminalized creating and disseminating 220  Brenner

(2010), p. 173. Also see: Walden, pp. 314–317. (2010), p. 173. Also see: Walden, pp. 314–317. Also see: Goodman /  Brenner (2002), pp. 165–172. 222  Goodman / Brenner (2002), pp. 165–172. 223  Goodman / Brenner (2002), pp. 165–172. Also see: Simion, pp. 302–304. 224  Simion, pp. 302–304. 225  Clough (2014), p. 700. Also see: Yar (2006), p. 17. 226  Clough (2014), p. 701. Also see: Turrini / Ghosh, p. 320. 227  Brenner (2010), p. 174. 228  In June 2014, the African Union (AU) adopted the African Union Convention on the Establishment of a Legal Framework Conducive to Cyber Security in Africa. However, until April 2015 the convention was yet to enter into force for lack of minimum ratifications. The convention requires a minimum of 15 out of 54 AU members for it to become operation, but no single state has ratified it. For further information about ratification of the convention see: http: /  / www.bbc.com / news / business32079748, accessed on 30th October 2015. 221  Brenner



G. Contemporary Issues and Challenges on Cyberspace51

virus.229 Even though more victims of his deeds were in other parts of the world, including the US which had already well-crafted cybercrime laws, but still the perpetrator could not be successfully prosecuted.230 III. Speedy Technological Developments and Flexibility The future of cybercrime is among the things that are very difficult to predict with certainty. It is so because of the fact that the technology, especially ICTs, is owned by nobody. Virtually in every single day new computer hardware and software components are devised all over the world. This denotes that in every single day new technological developments are registered and are hardly regulated. Unfortunately, this speed does not match the speed of the legal and institutional mechanisms to oversee the same.231 As a result, a fertile ground for the commission of more sophisticated crimes is created. Simultaneous with speedy technological developments is the flexibility of the technology itself. Flexibility here refers to the possibility of the perpetrator of cybercrime to use one technological tool to commit a set of variety offences.232 For example, a personal computer connected to the Internet can be used to publish obscene materials, commit fraud, harass another person, hack another computer, and so forth. Flexibility can also mean the possibility of the technology to allow the use of different gadgets to commit cybercrime. It means that a mobile telephone or an iPad, as small as it is, is good as a personal computer when it comes to the commission of crimes. These mini computers offer a more flexible and “comfortable environment” for criminal purposes because of their mobility. Flexibility as a challenge can also be explained in terms of the possibility when using the technology to automate certain functions and processes.233 Automation is said to increase the speed of processes, scale, the impact of processes, and it finally dispenses with the involvement of human beings.234 This avenue provides an opportunity to offenders to use automation to increase the magnitude of their evil conduct. Speedy technological developments and flexibility as explained above become a challenge in several ways. Firstly, can be in terms of the legislative organs and law enforcement agencies taking appropriate preventive measures 229  Goodman / Brenner

(2002), p. 140. Also see: Soukieh, pp. 229–230. (2002), p. 140. Also see: Soukieh, pp. 229–230. 231  International Telecommunication Union (2012), pp. 79–80. 232  Podgor (2004), p. 100. 233  International Telecommunication Union (2012), p. 78. 234  International Telecommunication Union (2012), p. 78. 230  Goodman / Brenner

52 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

to preclude or deter the commission of crimes. Secondly, can be in terms of tracing a criminal incidence which has already occurred. Hitches in tracing the traces of a criminal transaction render investigation, prosecution, and securing conviction against perpetrators of cybercrime a nightmare. IV. Striking a Balance Between Regulation and Enjoyment of Individual Rights The early perceptions about cyberspace as indicated above were that it was a forum where individuals could enjoy absolute freedom. In the words of Lessig, it is “freedom to the disappearance of the state”.235 With this perception in mind, any efforts or attempts to oversee the technology are likely to be seen as a violation of human rights. Right to information and right to privacy are among the rights which are likely to be infringed when it comes to enactment and enforcement of cyberlaws.236 With growing fear over terrorism and cyber-criminality in general, state legislative and law enforcement organs would always want to have in place wide powers and tight measures. They would always want to have powers that would allow authorities to conduct censorship, access to private information of individuals, search and seizure and so forth. Because of the challenge of balancing the rights of individuals vis-à-vis the powers of the state to regulate, China is among the countries in the world condemned of abrogating human rights when it comes to online issues.237 For example, development of the right to privacy in China is said to be more than ten years behind that of western countries.238 Susan Brenner too admits the existence of the tension between policing and individual privacy.239 China is not the only country facing this challenge. A study conducted by Access Now, a digital users’ human rights organization, indicates that a similar challenge is experienced in Kenya, Madagascar, Mauritania, Morocco, Tanzania, Tunisia and Uganda.240

235  Lessig

(2006), p. 3. to privacy and right to information are among the rights which are recognized and guaranteed internationally and nationally. The International Covenant on Civil and Political Rights of 1966 recognizes and guarantees right to privacy and right to information under articles 17 and 19 respectively. 237  Jingchun, p. 664. 238  Jingchun, p. 645. 239  Brenner (2010), p. 176. Also see: Podgor (2004), p. 100. 240  Access Now. Also see: Jackson, Can Africa Fight Cybercrime and Preserve Human Rights? 236  Right



G. Contemporary Issues and Challenges on Cyberspace53

Tanzania has recently experienced a serious breach of the right to privacy allegedly under the powers conferred to the Police by the Cybercrimes Act of 2015 and other laws.241 It is reported that on 29th October 2015 a group of about ten heavily armed policemen in Dar es Salaam invaded office premises of the Legal and Human Rights Center (LHRC), a non-governmental human rights organization.242 In this operation, thirty six LHRC officers were arrested, twenty seven personal computers and twenty five mobile phones were seized for alleged violations of elections laws and cyberlaws.243 V. Increased Criminal Capability and Child Protection Computer technologies have increased the ability of offenders to commit serious crimes from which they get huge financial earnings while employing relatively minimum efforts in a short period of time.244 Taking an example of the offence of publishing obscene materials, increased criminal capability means that with the Internet almost anyone could become a publisher.245 The Internet provides an avenue to publish instantly whatever type of materials worldwide at the publisher’s convenience and with less efforts. Publication of offensive materials is just one example, but in a real sense, the commission of almost all crimes has been simplified with the use of computers. While in the past a criminal had to break the bank premises to steal some money, today one needs to have just a computer, and can do the same while sitting at his home or any other anonymous place. The way computers respond to good people when transacting legal business, they do the same to criminals when transacting illegal business. Obviously, the more capable criminals become, the more challenging it becomes for law enforcement agencies to curb crimes. The second limb of the discussion under this part relates to the challenge the globe is currently facing in so far as involvement of children in crimes is concerned. The concept of involvement here is a two-way traffic. One way considers children as potential victims of crime, and the other considers children as offenders. In part E.IV. of chapter 2 of this book above has covered adequately the discussion on how juveniles with the aid of technology are potential criminals. The challenge here which also worries criminologists is 241  Edward,

Mtandao wa TACCEO Walaani Polisi Kuvamia Kituo chao. Mtandao wa TACCEO Walaani Polisi Kuvamia Kituo chao. 243  Edward, Mtandao wa TACCEO Walaani Polisi Kuvamia Kituo chao. 244  Ivan, p. 73. 245  Lessig (2006), p. 2. 242  Edward,

54 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

the capability of youngsters to commit serious crimes disproportionate to their ages.246 On the other hand, children have easily become regular victims of computer crimes as a result of their access to the online world. For example, their engagement in online auctions, obscene publications, online pornography, and chat rooms that they would be denied access to the physical world, is one of the challenges brought by developments in ICTs.247 These problems associated with children and computing are propelled by many factors. It is not only difficult for parents to deny their children access to computers necessary for much legitimate schoolwork, but also even where parental control at home is practicable, the ubiquitous computer access provided by schools, libraries, private Internet retailers, and friends make the matter more intricate.248 VI. Anonymity and Lack of Statistics Anonymity is one of the serious challenges in cyberspace. Sun Tzu, a Chinese author of the famous book titled “The Art of War,” which was written more than two thousand years ago, insists on the importance of knowing your enemy in the war. Therefore, he argues that: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.249

The above quote suggests that one of the principles of guaranteeing victory in wars is knowing your enemy. As discussed in chapter 2 part. E.II. of this book, there is a big challenge of anonymity in cyberspace. Offenders in cyberspace enjoy an obvious advantage of anonymity which can be facilitated by digital technology in several ways.250 Offenders may intentionally secrete their identity online by using proxy servers, spoofed email or IP addresses or anonymous emailers.251 This can be done by simply opening an 246  Mwiburi, p. 77. For a detailed discussion about the challenges criminologists face in so far as cybercrime is concerned also see: Yar (2006), pp. 17–18. 247  Mwiburi, p. 78. 248  Mwiburi, p. 78. 249  Tzu, p. 14. 250  Clough (2010), p. 6. Also see: International Telecommunication Union (2012), p. 80. 251  Clough (2010), p. 6. Also see: International Telecommunication Union (2012), p. 80.



H. Concluding Remarks55

email account which does not need identity authentication.252 Also, anonymity can be maintained by using the encryption technology.253 The challenge now is for the prosecutors to trace digital evidence which can be removed or tampered with using the commercially available software. Closely related to the challenge of anonymity, is the problem of the governmental authorities charged with law enforcement to have reliable statistics about criminality in cyberspace.254 As said by the Chinese legend of wars, knowing your enemy is vital towards winning the war against him, therefore, lack of accurate statistics about cybercrime signifies a lack of information about the enemy. If the enormousness of the problem is not clearly established and understood, unravelling the same is always challenging.

H. Concluding Remarks Based on the above discussions, it is clear now that the definition of cybercrime is a subject of a very wide discussion. There is no single universally accepted definition of cybercrime. Also, it seems it has never been an issue of concern to the legislative authorities and institutions dealing with cybercrime, to have it defined. The reasons, among others, might be the nature of the terminology itself being volatile, for it seemingly takes new forms depending on the technology and over time; or for law enforcement purposes the demand for a uniform definition is insignificant. However, for research and academic purposes, the definition is critical. Also, it is undisputable fact that the evolution of computers and computing, especially with the flooded markets with personal computers and the Internet, has seriously impacted the law, and criminal law in particular. Not only terrestrial crimes are now committed in new ways (old wine in new bottle), but also new challenging criminal trends, namely cybercrimes have evolved (the novelty of cybercrime). The task to study and analyze these new crimes has not been easy and uniform. For example, different scholars and institutions have come up with different approaches on how cybercrimes can be grouped. However, something common among the approaches is that they both base their classification on two factors, namely victimization and how the crimes are committed (modus operandi). With these developments, legal and administrative issues revolving around jurisdiction of courts and other law enforcement agencies, regulability of cy252  Chawki,

p. 21. Also see: International Telecommunication Union (2012), p. 80. p. 21. Also see: International Telecommunication Union (2012), p. 80. 254  Wall, pp. 7–8. Also see: United Nations, pp. 2–3. 253  Chawki,

56 Chap. 2: Cyberspace as Emerging Phenomenon in Criminal Jurisprudence

berspace and ICTs in general, borderless nature of cybercrime and so forth have evolved. Generally, cybercrime will continue to pose new challenges not only to criminologists and criminal jurisprudence but also to crime control and justice systems as a whole.

Chapter 3

Systemic and Institutional Synergies Among the East African Community, the European Union and the Council of Europe A. Introductory Remarks For one to appreciate and compare legal regimes pertaining to any aspect, one needs to have a clear understanding of the history, principles, systemic and institutional features upon which those regimes are founded. So, any efforts to study legal and institutional mechanisms on preventing and combating cybercrime in East Africa in comparison with Europe should be well informed of the above points. This chapter is an attempt to analyze and compare the environment of establishment and historical backgrounds of the East African Community (EAC), the Council of Europe (CoE) and the European Union (EU) as inter-state regional bodies. The Chapter further seeks to discuss the structural organizations, principles governing these institutions and their mandates. Also, the chapter discusses the status, applicability and effect of international law over national laws of individual States who are members of these intergovernmental organizations. This chapter finally dwells on assessing the common features between these inter-state bodies plus their areas of variance.

B. The East African Community I. The East African Community in Historical Perspectives The History of the EAC as an inter-state body is somewhat checkered. It is checkered because the EAC has passed through different phases of development, both promising and disheartening ones. Generally, social interactions between the territories forming the EAC today have been there from time immemorial. However, formal cooperation arrangements among the Member States of the EAC dates back to the colonial era. Prior to the formation of the first East African Community in 1967, the founding members of the EAC (Kenya, Tanzania and Uganda) enjoyed a long history of coopera-

58

Chap. 3: Systemic and Institutional Synergies

tion through different joint arrangements and projects.255 It appears that formal cooperation arrangements started in the area of Customs Union between Kenya and Uganda in 1917, and in 1927 Tanzania (the then Tanganyika) joined.256 However, Professor Sam Tulya Muhika traces the history of formal cooperation among the EAC members in four phases starting from 1894 when the British Government and Parliament decided to build the Uganda Railway.257 This decision was followed by its implementation through construction of the railway from the Kenyan coastal town of Mombasa, the event which, according to his categorization, completed the first phase of cooperation.258 The second phase covers the period from 1900 to 1961. In this period of over sixty years, a number of activities took place including creation of the East African Common Market in 1917 which basically were Customs Union arrangements between Kenya and Uganda (the then British East Africa), on the one hand, and later Tanganyika (the then German East Africa) on the other hand.259 It is important also to note that cooperation arrangements were further catalyzed by Germany losing its colony in East Africa, Tanganyika, which was ceded to British under the Versailles Treaty in 1919. During this second phase in 1924, the Ormsby-Gore Commission was formed to look at the desirability of the East African Federation.260 In 1925, the cooperation was extended through complete amalgamation of posts and telecommunications which resulted in the birth of the East African Posts and Telecommunications.261 The year 1926 is important in this history as it marks the turning point in so far as formal cooperation between EAC Member States is concerned. This is the year when the Governors’ Conference for Kenya, Tanganyika and Uganda was formed, the first colonial intergovernmental body.262 In the same year, inter-territorial common services such as customs union, common currency, income tax, posts and telegraphs, statistics, East African Court of Appeal, and so forth were formalized.263 Another landmark initiative was in 255  The

East African Community, History of the EAC. pp. 303–304. 257  Muhika, pp. 21 and 33. Also see: Sippel, Regional Integration in East Africa: A Historical Overview, pp. 28–29. 258  Muhika, pp. 21 and 33. 259  Muhika, pp. 21 and 33. 260  Muhika, p. 33. 261  Muhika, pp. 33–34. 262  Muhika, p. 34. Also see: Sebalu, p. 345. 263  Muhika, p. 34. 256  Orloff,



B. The East African Community59

1927 when the Hilton Young Commission was formed to look at the feasibility of unifying British territories in Central and East Africa.264 Later, following the Governors’ Conference recommendations, the East African High Commission was established in 1948 through the enabling legal instrument known as the East Africa (High Commission) Order in Council.265 The East Africa High Commission was a body constituted by the Governors of Kenya, Tanganyika and Uganda, who were entrusted with powers to act as a Central Legislative Assembly and an executive organization with the support of inter-territorial advisory and consultative bodies.266 The power to legislate was enjoyed by the Commission with the advice and consent of the Central Legislative Assembly, on issues related to the common services to be managed, such legislation having effect throughout the three territories.267 It is estimated that between 1948 and 1960 approximately over forty East African Institutions in areas of research, education, social sciences and defence were established and / or strengthened.268 Some of these institutions included the East Africa Directorate of Civil Aviation, Customs and Excise Department, Directorate of Training, Income Tax Department, East Africa Office in London, Posts and Telegraph Department, East Africa Research Services, Production and Supply Council, and East Africa Statistical Department.269 The third phase is simply referred to as the first EAC creation period. According to Professor Sam Tulya Muhika, the third phase of historical cooperation among the Member States of EAC started in 1961, the year marking the independence of Tanganyika. This was subsequently followed by the independence of Uganda and Kenya in 1962 and 1963 respectively. In 1961, the Raisman Commission was appointed which eventually recommended for replacement of the East Africa High Commission with the East African Common Services Organization (EACSO). This was implemented through the promulgation of the legal instrument known as the East Africa (High Commission) (Revocation) Order in Council, 1961.270 After the independence of Uganda in 1962, the dialogue on the establishment of the East African Federation continued, but it was finally decided that the move should await the independence of Kenya.271 In 1963, Kenya got her independence. It is also in the records that in 1963, the East African Fed264  Muhika,

p. 34. p. 5. 266  Morris, p. 6. 267  Morris, p. 6. 268  Muhika, p. 34. Also see: Sebalu, pp. 345–348. 269  Muhika, p. 34. 270  Muhika, p. 34. Also see: Morris, p. 6. 271  Muhika, p. 35. 265  Morris,

60

Chap. 3: Systemic and Institutional Synergies

eration Treaty was almost signed in Arusha by the Presidents of Kenya, Tanzania and Uganda, but the plan was halted at the very last minute.272 The reasons as to why this project was aborted are said to be more external than internal. Uganda being one of the key players of the federation to be established, pulled out of the negotiations allegedly under the influence of Ghana which was supporting more the idea of Pan-Africanism than regionalism.273 The position of Ghana under Kwame Nkrumah was that formation of regional blocs would hinder the smooth establishment of the Pan-African Federation, supposedly, “the United States of Africa”. In 1964, the Kampala Agreement on Distribution of Industries in East Africa was signed which was another catalyst in terms of strengthening economic integration and interdependence among the three countries.274 In 1966, the Phillips Commission (named before its chairperson, Kjeld Phillips) was appointed which came up with recommendations of formation of the EAC.275 As a result of the recommendations, in 1967 the Treaty for East African Cooperation, establishing the first EAC as a regional body, was officially signed.276 It was once said that the EAC was a unique intergovernmental organization in the world as it was one of the most integrated and progressive regional body for economic and political cooperation.277 From the foregoing, one can argue that the third phase is mainly characterized by the concerted actions of the founding members of the EAC towards establishing themselves into a legally founded integration. However, these efforts lasted for only ten years after the former EAC was officially dissolved in 1977.278 The reasons assigned to the dissolution of the former EAC were many, the main one being the overthrowing of Milton Obote, the then President of Uganda, by Idi Amin in a military coup in 1971.279 Subsequent to the dissolution of the former EAC in 1977, the Member States negotiated a Mediation Agreement for the Division of Assets and Liabilities, which was signed in 1984.280 According to Professor Sam Tulya Muhika, the fourth phase which is termed as the current phase covers the period from the signing of the Media272  Muhika,

p. 35.

273  Mbughuni. 274  Muhika,

p. 35. p. 35. Also see: Svoda, p. 93. 276  Svoda, p. 93. 277  Sebalu, p. 345. 278  The East African Community, History of the EAC. 279  Muhika, p. 35. For detailed discussion and more reasons on the collapse of the former EAC, see: Mukandala, pp. 96–97. 280  Mukandala, p. 97. 275  Muhika,



B. The East African Community61

tion Agreement onwards.281 The Mediation Agreement contained a provision allowing the three founding Member States to look for areas of future cooperation and to make solid arrangements for such cooperation.282 This provision acted as a cornerstone for subsequent meetings between the Heads of States. These meetings resulted in the signing of the Agreement for the Establishment of the Permanent Tripartite Commission for East African Cooperation in Kampala, Uganda on 30 November 1993.283 The appointment of the Permanent Tripartite Commission culminated into the launching of the EAC Secretariat on 14 March 1996.284 On 29 April 1997, the East African Heads of State instructed the Permanent Tripartite Commission to start improving the Agreement establishing the Permanent Tripartite Commission for East African Cooperation into a full-fledged Treaty. In 1998, the Draft Treaty for the Establishment of the EAC was published. On 30 November 1999, the Treaty for the Establishment of the EAC (the EAC Treaty) was signed in Arusha marking the official revival of the new EAC and it entered into force on 7 July 2000 after receiving the required ratifications.285 II. Revival of the East African Community As observed from the above discussion, the revival of the EAC was by and large facilitated by the 1984 assets and liabilities sharing agreement. The agreement had foreseen, though without a timeframe, the possibility of reviving cooperation among the EAC members in future considering that the region and its people, in particular, share a common history, the unity of communities with personal ties, language and culture, and other common values. It is worth noting that the revival of the EAC came with new efforts, vigor, enthusiasm, and perspectives of having a firmer and vibrant organization to the extent of establishing a political federation in a near future. This spirit was manifested within a short while after the revival of the EAC through the words of the then Heads of States of Uganda, Tanzania and Kenya. The statements below echo the new philosophy of the EAC. His Excellence Yoweri Kaguta Museveni, the President of the Republic of Uganda, had this to say on the new EAC: 281  Muhika, 282  The

198.

pp. 21–22. East African Community, History of the EAC. Also see: Oluoch, pp. 197–

283  Oluoch,

pp. 197–198. pp. 197–198. 285  Oluoch, pp. 197–198. Also see: Muhika, p. 38. Further see: Possi, p. 32. 284  Oluoch,

62

Chap. 3: Systemic and Institutional Synergies

The balkanization of Africa into 53, mostly suboptimal States, has meant that Africa cannot have a large internal market under one political Authority; have no power to negotiate with the rest of the world … This balkanization must stop.286

His Excellence Benjamin William Mkapa, the then President of the United Republic of Tanzania, opined as follows on the same issue: We have everything to gain in East African Federation in terms of political stability, greater feeling in safety in numbers and as an economic entity better able to fight poverty.287

Furthermore, His Excellence Mwai Emilio Kibaki, the then President of the Republic of Kenya, commented as follows: I firmly believe that regional integration is not a choice but a necessary strategy for sustainable development … On a cultural level, regional solidifies the unity of communities with personal ties and common history, language and culture.288

So, the above statements are a reflection of the force that existed in favour of the restoration of the EAC as an intergovernmental organization. The signing of the Treaty for the Establishment of the East African Community on 30 November 1999 and its ratification on 7 July 2000 signified the official rebirth of the new EAC.289 Basically, the EAC is a creature of the EAC Treaty. It is established under article 2 of the Treaty for the Establishment of the East African Community. Membership to the EAC initially started with the three founding States of Kenya, Tanzania and Uganda, but open to any foreign country subject to the acceptance by the founding States upon fulfillment of the conditions set out in the EAC Treaty.290 As of now, the EAC has a total of six Member 286  East

African Community (2004), p. 8. Also see: Harelimana, pp. 1–2. African Community, 2004, p. 8. 288  East African Community (2004), p. 9. 289  Together with the fact that the EAC is celebrating its rebirth, but Lo Wauna Oluoch holds a different opinion on the establishment of the new EAC. He is of the opinion that it lacks legitimacy because of the reasons that its formation process was neither inclusive nor transparent as consent of the people was not sought. For further discussion see: Oluoch, pp. 198–199. 290  Issues of membership to the EAC are governed by article 3 of the Treaty for the Establishment of the East African Community, 1999. The article further sets out the conditions to be mate by any foreign country aspiring to be a member of the EAC. The conditions as stated under article 3 of the Treaty include acceptance of the Community as set out in the Treaty; adherence to universally acceptable principles of good governance, democracy, the rule of law, observance of human rights and social justice; potential contribution to the strengthening of integration within the East African region; geographical proximity to and inter-dependence between it and the Partner States; establishment and maintenance of a market driven economy; and social and economic policies being compatible with those of the Community. 287  East



B. The East African Community63

States, namely Kenya, Tanzania, Uganda, Burundi, Rwanda and South Sudan.291 Furthermore, the objectives of the Community are stated under article 5 of the EAC Treaty. The main objectives of the EAC are, to develop policies and programmes intended at extending and intensifying cooperation among the Partner States in political, economic, social and cultural fields, research and technology, defence, security and legal and judicial affairs, for their mutual benefit. The attempt in this book of addressing issues related to preventing and combating cybercrime in the region fits well within the objectives of the Community under the auspices of security and legal affairs. Also, it is worth noting that the EAC, in its broad priority areas of cooperation in the next decade (2011–2020), puts in the forefront the need to have vigorous legal and administrative frameworks that stimulate the economy of the region.292 In the current digitized world one cannot speak of harmonization of laws while ignoring cyber laws. So, it is expected that the EAC will prioritize the need to have cybersecurity laws harmonized. III. Principles Governing the East African Community For the Community to achieve its above-stated objectives, the EAC Treaty provides for two sets of principles. There are those branded as fundamental principles of the Community and another set of principles in the name of operational principles of the Community. The two sets are generally crafted towards governing the Partner States in the performance of their obligations and other affairs of the Community under the EAC Treaty. The fundamental principles and operational principles are stated under article 6 and 7 of the EAC Treaty respectively. The first set of EAC’s fundamental principles are as follows: (a) Mutual trust, political will, and sovereign equality; (b) Peaceful co-existence and good neighbourliness; (c) Peaceful settlement of disputes; (d) Good governance including adherence to the principles of democracy, the rule of law, accountability, transparency, social justice, equal opportunities, gender equality, as well as the recognition, promotion and pro291  Burundi and Rwanda joined the EAC formally on 1 July 2007. South Sudan was admitted as a new and sixth Member of the Community at the 17th Ordinary Summit held on 2nd March, 2016 in Arusha, Tanzania followed by the signing of the Treaty of Accession of the Republic of South Sudan into the EAC on Friday 15th April 2016 in Dar es Salaam, Tanzania. 292  The East African Community (2011), p. 14.

64

Chap. 3: Systemic and Institutional Synergies

tection of human and people’s rights in accordance with the provisions of the African Charter on Human and Peoples’ Rights; (e) Equitable distribution of benefits; and (f) Cooperation for mutual benefit.293 The second set of principles termed as Operational Principles of the Community includes the following: (a) People-centered and market-driven cooperation; (b) The provision by the Partner States of an adequate and appropriate enabling environment, such as conducive policies and basic infrastructure; (c) The establishment of an export-oriented economy for the Partner States in which there shall be free movement of goods, persons, labour, services, capital, information and technology; (d) The principle of subsidiarity with emphasis on multi-level participation and the involvement of a wide range of stakeholders in the process of integration; (e) The principle of variable geometry which allows for progression in cooperation among groups within the Community for wider integration schemes in various fields and at different speeds; (f) The equitable distribution of benefits accruing or to be derived from the operations of the Community and measures to address economic imbalances that may arise from such operations; (g) The principle of complementarity; and (h) The principle of asymmetry.294 Commendably, the EAC Treaty is rooted, firmly and to a large extent, within the contemporary and universally accepted principles of regional integration. Furthermore, the principles are not only stated in the EAC Treaty but also somehow emphasized in the subsequent provisions of the EAC Treaty on how they will be practically applied. For example, in a bid to show respect to the fundamental principles and objectives of the EAC, the EAC Treaty provides a room for a Partner State to be suspended from taking party in the activities of the Community, or be expelled from the Community for, among others, failure to observe and fulfil the fundamental principles and objectives of the Community, or gross and persistent violation of the principles and objectives of the Community respectively.295 293  See article 6 of the Treaty for the Establishment of the East African Community, 1999. 294  See article 7 of the Treaty for the Establishment of the East African Community, 1999.



B. The East African Community65

However, in reality some of the good principles enshrined in the EAC Treaty do just exist in papers, but are not reflected by what is actually happening on the ground. There are several examples of violation of the EAC principles in the region including the 2007 post elections violence in Kenya; the ongoing civil wars in South Sudan; the political unrest in Burundi which goes hand in hand with serious human rights violations; and the alleged violations of democratic principles in Rwanda and Uganda. The instances above are outrightly against the fundamental principles and objectives of the EAC. Besides all what is happening, no serious intervention has been done at the EAC level to address the above problems in terms of applying the provisions of the Treaty against the defiant Member States. Almost all members of the EAC have serious issues with the observance of democratic principles and protection of human rights to the extent of reasonably implicating the EAC to be seen as “a bloc of dictators”. Notwithstanding the foregoing, no single Member State has ever been suspended or expelled from the Community, or otherwise sanctioned accordingly. IV. The East African Community’s Organs and Institutions In order to realize the objectives of the Community, enforce the provisions of the EAC Treaty and oversee the day to day activities of the Community, different organs and institutions are established under the EAC Treaty. The so established organs and institutions of the Community can be grouped into three major categories, namely the executive, the legislative and the judicial arms. The Executive arm includes the Summit, the Council, the Secretariat, the Co-ordination Committee, Sectoral Committees, and other bodies, departments, and services.296 The judicial and legislative arms include the East African Court of Justice (the Court or the EACJ); and the East African Legislative Assembly respectively.297 Admirably, the EAC Treaty in recognizing the joint impact of both men and women, clearly states that gender balance should be considered in the appointment of staff and composition of the organs and institutions of the Community.298 A detailed discussion of the EAC organs and institutions is covered below.

295  See articles 146 and 147 of the Treaty for the Establishment of the East African Community, 1999. 296  See article 9 of the Treaty for the Establishment of the East African Community, 1999. Also see: The East African Community (2011), p. 12. 297  See article 9 of the Treaty for the Establishment of the East African Community, 1999. 298  See article 9(5) of the Treaty for the Establishment of the East African Community, 1999.

66

Chap. 3: Systemic and Institutional Synergies

Starting with the Summit, this is the topmost organ composed of the Heads of States or Governments of the Partner States.299 In terms of functions, the Summit is the general overseer of the activities of the Community and it gives directives and impetus on how best can the objectives of the Community be achieved.300 Also, it considers annual progressive reports and other reports; examines the state of peace, security and good governance within the Community; assesses the progress achieved towards the creation of the EAC Political Federation; appoints Judges of the East African Court of Justice; admits the new Member States to the Community;301 assents Bills, and any other function stated in the EAC Treaty.302 The Summit meets at least once every year with the possibility of convening an extraordinary meeting at the request of any member of the Summit.303 The Chairperson of the Summit holds the office for one year on rotational basis among the Member States.304 The Council is another organ of the EAC whose members are Ministers responsible for EAC affairs of each Partner State; such other Ministers of the Partner States as each Partner State may decide; and the Attorneys General of each Partner State.305 This organ is mandated with formulation of policies; overseeing implementation of development programs; considering the budget of the Community; initiating and submitting Bills to the East African Legislative Assembly; establishing the Sectoral Committees, and other related functions.306 Additionally, the EAC Treaty allows the Council, where it 299  See article 10 of the Treaty for the Establishment of the East African Community, 1999. 300  See article 11 of the Treaty for the Establishment of the East African Community, 1999. 301  For further discussion on the power of the Summit to admit new Member States to the Community, see EACJ Reference No. 8 of 2013 between Patrick Ntege Walusimbi & 2 Others vs. the Attorney General of Uganda & 5 Others, whereas the power of the Summit to admit South Sudan into membership of EAC was unsuccessfully challenged in the EACJ. Also see EACJ Appeal No. 2 of 2013 between Timothy Alvin Kahoho and the Secretary General of the East African Community for a detailed discussion on the objectives of the Community and areas of cooperation vis-àvis the power of the Summit to adopt Protocols. 302  See article 11 of the Treaty for the Establishment of the East African Community, 1999. 303  See article 12 of the Treaty for the Establishment of the East African Community, 1999. 304  See article 12 of the Treaty for the Establishment of the East African Community, 1999. 305  See article 13 of the Treaty for the Establishment of the East African Community, 1999. 306  See article 14 of the Treaty for the Establishment of the East African Community, 1999.



B. The East African Community67

deems fit, to request advisory opinions on legal issues requiring interpretation from the East African Court of Justice.307 The Co-ordination Committee which is constituted by Permanent Secretaries of the Ministries responsible for EAC affairs of the Partner States and any such other Permanent Secretaries of the Partner States, acts as an arm of the Council.308 Basically, the Co-ordination Committee implements the decisions of the Council, submits reports to the Council and receives reports and co-ordinates activities of the Sectoral Committees.309 The EAC Treaty further gives a mandate to the Co-ordination Committee to recommend to the Council on the establishment Sectoral Committees, their composition and functions for better carrying out of the objectives of the Community.310 The Sectoral Committees basically oversee the implementation of the objectives of the Community in specific sectors of cooperation. Further to the above, the EAC Treaty creates a two-chambered court (First Instance Division and an Appellate Division) styled as the East African Court of Justice, with a full mandate to ensure the observance of the provisions of the EAC Treaty by the Partner States.311 The proceedings of Court are presided over by the Judges appointed by the Summit following recommendations from each Partner State.312 Initially, the Jurisdiction of the Court is on the interpretation and application of the EAC Treaty and related issues. However, there is a possibility of the Court to have extended jurisdiction on matters pertaining to human rights and other related matters subject to the Council’s decision by way of a Protocol.313 Hitherto, no Protocol has been adopt307  See articles 14 and 36 of the Treaty for the Establishment of the East African Community, 1999. 308  See article 17 of the Treaty for the Establishment of the East African Community, 1999. 309  See article 18 of the Treaty for the Establishment of the East African Community, 1999. 310  See article 20 of the Treaty for the Establishment of the East African Community, 1999. 311  See article 23 of the Treaty for the Establishment of the East African Community, 1999. 312  See article 24 of the Treaty for the Establishment of the East African Community, 1999. 313  See article 27 of the Treaty for the Establishment of the East African Community, 1999. Also see; EACJ Reference No. 1 of 2007 between James Katabazi and 21 Others vs. Secretary General of the East African Community and the Attorney General of the Republic of Uganda; EACJ Reference No. 5 of 2011 between Samuel Mukira Mohochi and the Attorney General of the Republic of Uganda; EACJ Reference No. 12 of 2014 between James Alfred Koroso and the Attorney General of the Republic of Kenya; EACJ Reference No. 1 of 2006 between Prof. Peter Anyang’ Nyongo and 10 others and the Attorney General of Kenya and 2 others and Abdira-

68

Chap. 3: Systemic and Institutional Synergies

ed to confer jurisdiction to the East African Court of Justice to entertain human rights matters. Access to the Court can be by way of reference by the Partner States,314 reference by the Secretary General,315 and reference by legal and natural persons.316 Also, the EAC Treaty expressly provides that in the case of conflict of decisions between the Court and national courts, the Court shall take precedence over decisions of national courts on the interpretation and application of the EAC Treaty.317 Based on the above analysis, it is regrettably noted that the mandate of the EACJ is somewhat curtailed. The denied or rather withheld or deferred extended jurisdiction of the Court to entertain human rights and related matters until an enabling Protocol is adopted renders the Court to lose a direct touch with the citizenry and the impacts of the EAC are less felt. In a number of occasions the Court, when confronted with human rights issues, has not been able to react in response to the expectations of the people. Unfortunately, it is not so far known when actually the Court will be conferred with this belated category of jurisdiction. If the proper functioning of the Court is to be achieved, it is critically important that the Court is fully mandated to hear and determine human rights cases. Furthermore, the EAC Treaty establishes and confers legislative powers to the East African Legislative Assembly (the Assembly).318 Membership of the Assembly is comprised of nine members elected from each Partner State and ex-officio members.319 Apart from legislative functions, the Assembly also debates and approves the budget of the Community, considers reports on the activities of the Community and recommends to the Council various issues related to the affairs of the Community.320 him Haitha Abdi and 11 others; and EACJ Appeal No. 1 of 2011 between the Attorney General of the Republic of Kenya vs. Independent Medico Legal Unit, for an in-depth analysis and discussion on the jurisdiction of the EACJ. 314  See article 28 of the Treaty for the Establishment of the East African Community, 1999. 315  See article 29 of the Treaty for the Establishment of the East African Community, 1999. 316  See article 30 of the Treaty for the Establishment of the East African Community, 1999. 317  See article 33 of the Treaty for the Establishment of the East African Community, 1999. 318  See article 49 of the Treaty for the Establishment of the East African Community, 1999. 319  See articles 48 and 50 of the Treaty for the Establishment of the East African Community, 1999. 320  See article 49 of the Treaty for the Establishment of the East African Community, 1999.



B. The East African Community69

The last organ which acts like the engine of the Community is the Secretariat. It is the engine of the Community in the sense that it is entrusted with all the executive functions of the Community.321 Its functions and obligations are almost equivalent to those of the European Commission. It is composed of the office of the Secretary General who is the chief executive officer and head of the Secretariat, Deputy Secretary General, Counsel to the Community and other offices and staff of the Secretariat.322 Administratively, the Secretariat is organized along six main offices which are Executive Office of the Secretary-General, Customs and Trade, Planning and Infrastructure, Productive and Social Sectors, Co-operation in Political Matters, and Finance and Administration.323 The Secretariat implements all decisions and directives of the Community which are within the objectives of the EAC and its mandate under the EAC Treaty. Basically, the Secretariat performs a number of functions which include to ensure that the regulations and directives approved by the Council of Ministers are appropriately effected; it coordinates the harmonization of policies and strategies relating to the EAC goals; it is the custodian of the properties of the EAC; and it provides the Council of Ministers with strategic recommendations.324 V. Scope and Competences of the East African Community As discussed in chapter 3 part. B.II. of this book above, the EAC is mandated to implement the objectives of the Community, the main one being, widening and deepening cooperation among the Member States through joint programmes and activities in economic, political and social fields for their mutual benefit. This mandate originates from the Treaty for the Establishment of the East African Community, which provides for a very extensive list of issues that the EAC is competent to deal with. The issues range from research, political, social, economic, cultural, defence, security, legal, to judicial affairs. Looking at the EAC Treaty, one will note that it basically aims at achieving incrementally four levels or stages of cooperation among the

321  See article 66 of the Treaty for the Establishment of the East African Community, 1999. 322  See articles 66 and 67 of the Treaty for the Establishment of the East African Community, 1999. 323  See the East African Community, the Secretariat, available at: http: /  / www.eac. int / about / the-secretariat, accessed on 31 August 2016. 324  See article 71 of the Treaty for the Establishment of the East African Community, 1999.

70

Chap. 3: Systemic and Institutional Synergies

Partner States, namely a Customs Union,325 a Common Market,326 subsequently a Monetary Union and ultimately a Political Federation.327 It is worth noting that through integration, the EAC has recorded growth in areas of trade, finance, investment, transport, communications, agriculture, and food security, energy, tourism, wildlife management, and so on.328 It is, therefore, indisputable that integration is a gateway and catalyst towards achieving growth and development in general. Together with the provisions of the EAC Treaty specifically providing for the mandate of the EAC, the Court has also been jealously protecting the sovereignty of the Partner States and upholding the principle of non-interference through its various decisions. These efforts are keenly taken to see to it that matters reserved within the mandate of the individual Partner States are not subjected to the scope of the Community, rather are left as internal issues of the particular individual States.329 The Court, on several occasions, has been tested and decided that the Community does not take the sovereignty of the Partner States on matters not within the scope of the EAC Treaty.330 325  The Protocol for the Establishment of the East African Community Customs Union was signed on 2 March 2004 by the Heads of State of Kenya, Tanzania and Uganda. Rwanda and Burundi joined the Customs Union in 2008 and started applying its instruments in July 2009. On 1 January 2010, the EAC fully-fledged Customs Union became operational. 326  The EAC Common Market was established on 1 July 2010 by entering into force of the Protocol on the Establishment of the East African Community after having been ratified by all Member States. Briefly, the Protocol addresses rights and obligation of States in relation to movement of goods, movement of persons, movement of labour, right of establishment, right of residence, movement of services, and movement of capital. 327  See article 5(2) of the Treaty for the Establishment of the East African Community, 1999. Also see: Agaba, p. 505. 328  For a detailed discussion on achievement of the EAC in the first ten years of integration see: Mwapachu, pp. 45–65. 329  There have been allegations of the EACJ overstepping its mandate by allegedly interfering with matters reserved for individual Partner States. In the decision of the Court in EACJ Reference No. 1 of 2006 between Prof. Anyang’ Nyong’o and 10 others vs. the Attorney General of the Republic of Kenya and 5 others, the Court questioned the authority in nominating Members of the Assembly from Kenya and ruled that the process infringed article 50 of the Treaty. This decision was construed by the then President of Kenya, H.E. Mwai Kibaki as an act of the Court overstepping its mandate. For further discussion, see: Oluoch, pp. 203–209. 330  For further discussion and understanding of the EACJ’s interpretation of the mandate of the Community under the Treaty see, among others, EACJ Reference No. 5 of 2011 between Samuel Mukira Mohochi and the Attorney General of the Republic of Uganda; EACJ Reference No. 1 of 2014 between East Africa Law Society and the Attorney General of the Republic of Burundi and the Secretary General of the East African Community; and EACJ Appeal No. 1 of 2014 between Democratic Party



C. The European Union71

However, there have been continued debates on issues related to scope and competences of the EAC vis-à-vis sovereignty of individual Member States. For example, in a number of times, Tanzania has been accused of its tardiness and rigidity in implementing various decisions and programmes aimed at achieving the objectives of the Community supposedly for the fear of losing or / and neutralizing its sovereignty. However, these allegations are yet to be confirmed, hence, they remain to be mere illusions and qualms.

C. The European Union I. History and Establishment of the European Union The history of formal cooperation arrangements among the territories of the East Africa region that has resulted in the formation of the EAC, started approximately one hundred years ago. However, the history of the formation of the EU dates back to over sixty five years only. While the setup of the EAC seems to be simple and straight forward, the setup of the EU is ostensibly sweeping and complex, if one compared the two. It is sweeping in the sense that the integration among the EU States is wider and deeper compared to that of EAC Partner States. And the complexity of the EU is associated with the fact that it is a result of multiple Treaties and other legal instruments. Notwithstanding its short period of existence, the EU has always been more dynamic than the EAC, the fact which explains well its current steadiness and intricacy as an intergovernmental institution. As noted above, this being a comparative study, this critical examination of the structures of these intergovernmental organizations is ineluctable. The History which culminated into the establishment of EU is closely associated with the bloody wars experience among many neighbouring countries in Europe. So, concerted efforts and determination were needed in making sure that the Second World War becomes the last experience of war related bloodshed in Europe. The bloody experience relates to the atrocities and miseries from the World Wars, Nazism, Fascism, cold wars and so forth, which resulted in a serious political instability in Europe. It is, therefore, correct to say that efforts to form the EU were orchestrated by the fears of wars in future in the continent.331 For that reason, Europe was in a great need than ever of undergoing major political reconstruction.332 The preamble to the and the Secretary General of the East African Community, Attorney General of the Republic of Uganda, Attorney General of the Republic of Kenya, Attorney General of the Republic of Rwanda, Attorney General of the Republic of Burundi. 331  Larat, p. 276. 332  Kaczorowska (2011), pp. 3–5.

72

Chap. 3: Systemic and Institutional Synergies

Treaty of Paris which established the European Coal and Steel Community in 1951 evidences the above position as follows: Considering that world peace may be safeguarded only by creative efforts equal to the dangers which menace it; Convinced that the contribution which an organized and vital Europe can bring to civilization is indispensable to the maintenance of peaceful relations; conscious of the fact that Europe can be built only by concrete actions which create a real solidarity and by the establishment of common bases for economic development; desirous of assisting through the expansion of their basic production in raising the standard of living and in furthering the works of peace; resolved to substitute for historic rivalries a fusion of their essential interests; to establish, by creating an economic community, the foundation of a broad and independent community among peoples long divided by bloody conflicts; and to lay the bases of institutions capable of giving direction to their future common destiny; have decided to create a European Coal and Steel Community …

The official and remarkable history of EU starts with the “Schuman Declaration” of 9 May 1950, which was a proclamation by the then French Minister for Foreign Affairs, Robert Schuman, calling upon European countries to establish a joint community for controlling coal and steel production.333 Because of this Declaration, the date 9 May 1950 is considered as the birthdate of the EU which started to be celebrated every year effectively from 1985.334 Following the recommendations by Robert Schuman, the European Coal and Steel Community (ECSC) was established by the Treaty of Paris which was signed on 18 April 1951 in Paris.335 And subsequently in 1952, the Treaty became operational.336 The founding members of the ECSC were six, namely Belgium, France, Germany, Italy, Luxembourg and the Netherlands.337 The Treaty of Paris was concluded for a period of fifty years, so it came to an end in 2002.338 In 1957, the cooperation among European States was further extended through the signing of the two Treaties of Rome. Basically, the Treaties aimed at developing common institutions, integration of national economies, the creation of a common market, and synchronization of social policies.339 This was achieved through the establishment of the European Economic 333  See: European Union, the Founding Fathers of the EU. Also see: Larat, p. 275. Also see: European Union (2014), p. 4. 334  Larat, p. 275. However, some scholars are of the view that the EU was founded on the Treaties of Rome of 25 March 1957. For further details, see: Cret / Pantea, p. 1. 335  European Union (2014), p. 4. Also see: Medhurst, pp. 1–5. 336  European Union (2014), p. 4. Also see: Medhurst, pp. 1–5. 337  See: European Union, the History of the European Union. Also see: Fairhurst, p. 5. 338  Kaczorowska (2011), p. 8. 339  Kaczorowska (2011), p. 8.



C. The European Union73

Community (EEC) and the European Atomic Energy Community (EURATOM).340 The Treaties came into force on 1 January 1958. In 1965, some amendments to the Treaties of Paris and Rome were effected through the Merger Treaty.341 This move aimed at merging some institutions of the three Communities (ECSC, EEC and EURATOM), and establishing a common Council and a Common Commission.342 Regarding the Member States, it is noted that over time, the number of members was increasing gradually. It increased from six founding Member States in 1957, in 1973 the number reached nine members, in 1981 ten members, and in 1986 twelve members.343 However, it is important to mention that the history of the development of the EU has not been smooth throughout. It has passed through some challenging moments too. It is said that in the year 1965, the first difference among the EEC members occurred which was known as “the empty chairs crisis”.344 In this crisis France declined to attend Council meetings, hence the concept of empty chairs, as a way of opposing the move of increasing the powers of the Community.345 Some resolutions were negotiated and as a result in January 1966 a non-binding agreement was reached which was termed as Luxembourg Accord.346 This disagreement halted the progress of the Community in forging further integration in other areas. The period between 1970 and 1985 is said to be the period of indecisiveness in so far as the integration in Europe is concerned.347 The reasons associated with this condition include the Member States prioritizing their own problems and ignoring issues of the Community, and economic problems caused by the oil crisis in 1973.348 In February 1986, the Single European Act (SEA) was signed and it came into force on 1 July 1987.349 The SEA, which was a six-year programme, aimed at solidification of cooperation through strengthening of the single market; imposition of some changes on some areas of voting in the Council; equipping the European Parliament with more legislative powers; the establishment of the European Council; reliev340  Kaczorowska (2011), p. 8. Also see: Reinisch, pp. 1–2. Further see: Tillotson /  Foster, p. 9. 341  Davies, p. 11. 342  Davies, p. 11. 343  Blair, pp. x–xi. 344  Kaczorowska (2011), p. 11. 345  Kaczorowska (2011), p. 11. 346  Craig / Burca, pp. 8–9. 347  Kaczorowska (2011), p. 13. 348  Kaczorowska (2011), p. 13. 349  Kaczorowska (2008), p. 19.

74

Chap. 3: Systemic and Institutional Synergies

ing workload to the European Court of Justice by creation of the Court of First Instance; and widening of the mandate of the Community in other new areas.350 The SEA seems to have intensified integration in Europe as it managed to indoctrinate the feelings of oneness among the Europeans in pursuing their common objectives. It created a fertile ground upon which the Treaty of Maastricht was signed. Notably, the reunification of Germany as a key and influential player in the Community in 1990 is considered as one of the factors that influenced the development of Europe as a whole and precisely the Community.351 On 7 February 1992, the Treaty on European Union (TEU), famously known as the Maastricht Treaty (named before a town in the southeast of the Netherlands), was signed and it became operational on 1 November 1993.352 In general terms, the Maastricht Treaty had three impacts to the integration. It established the EU based on the existed Communities; it provided more decision making power to the European Parliament; and extended new policy areas of cooperation.353 The Treaty further incorporated and renamed the EEC into the European Community (EC).354 Regarding the structure of the EU, the Treaty of Maastricht introduced the so called three pillar system which comprised of the European Communities (the ECSC, the EURATOM, and the EC) as Pillar I; foreign policies and security issues as Pillar II; and cooperation in Justice and Home Affairs (JHA) as Pillar III.355 David Medhurst comments on the promulgation of the Maastricht Treaty in the following words: By this Treaty the twelve Member States of the Community resolved to form a European Union, founded on the existing European Communities. The Treaty of Rome was therefore altered, stitched, patched and renamed the Treaty Establishing the European Community. The new European Community which was created by these amendments forms the first pillar of the Union.356

It is worth noting that by the year 1995, the EU had already fifteen Member States. These States were Germany, Belgium, Denmark, France, Greece, Italy, Ireland, Netherlands, Portugal, Luxembourg, Finland, Sweden, Spain, Austria, and the United Kingdom.357 Furthermore, on 2 October 1997, the 350  See: European Union, the History of the European Union. Also see: Kaczorowska (2008), p. 19. Further see: Medhurst, pp. 12–13. 351  Larat, p. 278. Also see: Schutze, p. 27. 352  Medhurst, p. 14. 353  European Union (2014), p. 4. 354  See article G of the Treaty on European Union. 355  Davies, p. 14. 356  Medhurst, p. 14. 357  Blair, p. xii. Also see: Medhurst, p. 15.



C. The European Union75

Treaty of Amsterdam was signed and came into force in 1999. The Treaty of Amsterdam introduced a number of amendments to the Treaty on European Union and the European Communities Treaties. The Treaty of Amsterdam, among others, extended the objectives of the EU and EC; it conferred more powers to the European Parliament; it introduced the procedure of involving national parliaments in decision making; and some sanctions were set for Member States who could violate human rights.358 Subsequent to the Amsterdam Treaty, another Treaty was negotiated and signed. This is the Treaty of Nice. The Treaty of Nice was signed on 26 February 2000 and it became operational on 1 February 2003.359 The changes which were brought by the Treaty of Nice were basically three-fold, that is, it made some reforms to the institutions of the EU; the enhanced cooperation procedure was further revised; and new mechanisms for preventing human rights violations were put in place.360 Prior to the Treaty of Lisbon, attempts were made by the European Council to draw up the EU Constitutional Treaty which would mature in 2004, however, the plan failed due to ratification clashes in France and the Netherlands.361 On 13 December 2007, the Treaty of Lisbon was signed. It became effective in 2009. As we have observed with the other Treaties discussed above, the Treaty of Lisbon had some reforms to be effected which were meant to address the challenges of the twenty-first century. At this time the EU had increased the number of its members to twenty seven.362 The Treaty was aimed at completing the process started by the Treaties of Amsterdam and Nice of improving democracy of the EU region.363 Specifically, the noteworthy changes brought by the Treaty of Lisbon included formally establishing the EU and conferring legal personality to it,364 changing voting procedures on decision making, increasing the number of institutions, balancing legislative powers of the European Parliament and that of the Council, merging the existed Union structure into a single European Union, increasing involvement of Member States’ Parliaments, changing the name from the European Court of Justice to Court of Justice of the European Union, and increasing emphasis on democracy and human rights.365

358  Kaczorowska

(2011), pp. 25–26. Also see: Davies, pp. 15–17. Union (2014), p. 4. 360  Kaczorowska (2011), p. 27. 361  Schutze, pp. 32–33. 362  Davies, pp. 18–19. 363  Davies, p. 19. 364  See articles 1 and 47 of the Treaty on European Union. 365  Davies, pp. 19–20. 359  European

76

Chap. 3: Systemic and Institutional Synergies

So, the Treaty of Lisbon amended both the EU and EC Treaties, and in addition to that it renamed the latter into the Treaty on the Functioning of the European Union (TFEU).366 It is important to note at this juncture that, as indicated above on the changes introduced by the Treaty of Lisbon, it is only the EU which has legal personality, hence, capable of concluding agreements and acquiring memberships in other international organizations. So, in terms of legal establishment, the EU today is founded on two Treaties, namely the Treaty on European Union and the Treaty on the Functioning of the European Union, which have the same legal value.367 The convergence between the two Treaties is that the Treaty on the European Union establishes the Union, its organs and institutions, while the Treaty on the Functioning of the European Union coordinates the functioning of the Union and governs the areas of delimitation and arrangements for exercising the Union’s competencies (see Table 1). In terms of membership to the EU, it is open to any European State subject to acceptance of the conditions provided under the Treaty. Specifically, issues of admission and withdrawal from EU membership are governed by the provisions of articles 49 and 50 of the Treaty on European Union. The EU as of now has a total of twenty-eight Member states. The list of the Member States with their year of admission to the EU is summarized in Table 1 below. In terms of the objectives, the EU’s objectives are two-fold. There are what can be called as general objectives and specific objectives. The general one is to promote peace, its values and the well-being of its peoples.368 The specific objectives are many and lengthy, and are hereunder reproduced for ease of reference: (a) The Union shall offer its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime; (b) The Union shall establish an internal market. It shall work for the sustainable development of Europe based on balanced economic growth and price stability, a highly competitive social market economy, aiming at full employment and social progress, and a high level of protection and improvement of the quality of the environment. It shall promote scientific and technological advance; 366  Kaczorowska

(2011), pp. 31–32. article 1 of the Treaty on European Union. 368  See article 3(1) of the Treaty on European Union. 367  See



C. The European Union77 Table 1 List of the Current EU Members and Their Year of Admission S / N

Member State

Admission

S / N

Member State

Admission

 1

Belgium

1958

15

Sweden

1995

 2

France

1958

16

Cyprus

2004

 3

Germany

1958

17

Czech Republic

2004

 4

Italy

1958

18

Estonia

2004

 5

Luxembourg

1958

19

Hungary

2004

 6

Netherlands

1958

20

Latvia

2004

 7

Denmark

1973

21

Lithuania

2004

 8

Ireland

1973

22

Malta

2004

 9

United Kingdom369

1973

23

Poland

2004

10

Greece

1981

24

Slovakia

2004

11

Portugal

1986

25

Slovenia

2004

12

Spain

1986

26

Bulgaria

2007

13

Austria

1995

27

Romania

2007

14

Finland

1995

28

Croatia

2013

Source: The European Union, Member Countries of the EU, available at: http: /  / europa.eu / about-eu /  countries / index_en.htmgoto_1, accessed on 31 May 2016.

(c) It shall combat social exclusion and discrimination, and shall promote social justice and protection, equality between women and men, solidarity between generations and protection of the rights of the child; (d) It shall promote economic, social and territorial cohesion, and solidarity among the Member States; (e) It shall respect its rich cultural and linguistic diversity, and shall ensure that Europe’s cultural heritage is safeguarded and enhanced;

369  Since the results of the Referendum which was held on 23 June 2016 decided in favour of the UK leaving the EU by 51.9 % of all votes, the European Council met on 28 June 2016 to discuss these new developments of the UK’s membership status to the EU. Also, the UK has started the exit processes and procedures and soon or later UK will be deregistered from the list of EU members.

78

Chap. 3: Systemic and Institutional Synergies

(f) The Union shall establish an economic and monetary union whose currency is the euro; and (g) In its relations with the wider world, the Union shall uphold and promote its values and interests and contribute to the protection of its citizens. It shall contribute to peace, security, the sustainable development of the Earth, solidarity and mutual respect among peoples, free and fair trade, eradication of poverty and the protection of human rights, in particular the rights of the child, as well as to the strict observance and the development of international law, including respect for the principles of the United Nations Charter.370 Looking at the objectives of the EU coupled with the listed areas of cooperation, as discussed in chapter 3 part. C.IV. below, they make the competencies of the EU to be very extensive and comprehensive. Something worthy a particular mention is the fact that areas of freedom, security, justice and the prevention and combating of crime, which is the main focus of this book, are among the objectives of the EU. The objectives range from social, political, economic to cultural spectrums of life to the extent of triggering debates among Europeans, analysts and academics on the sovereignty issue of individual Member States. A detailed discussion of the sovereignty of the EU individual Member States vis-à-vis the competencies of the EU is covered under chapter 3 part. C.IV. of this book below. II. Principles Governing the European Union The EU is founded on certain values which are strictly enforced if any Member State breaches or is likely to breach them. Apart from being stated in the Treaty, the values are further reinforced by subsequent provisions of the Treaty to the extent that any breaching Member State can be summoned to show cause as to why certain measures should not be taken against them; and also they are set as a condition precedent towards admission of any new Member State to the EU.371 This means that a new member of the EU cannot be admitted unless and until clearly and expressly commits themselves to the enshrined values. These values are stated in the Treaty on European Union in the following words: The Union is founded on the values of respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including the rights of persons belonging to minorities. These values are common to the Member States in

370  See 371  See

article 3(2)–(5) of the Treaty on European Union. articles 7 and 49 of the Treaty on European Union.



C. The European Union79 a society in which pluralism, non-discrimination, tolerance, justice, solidarity and equality between women and men prevail.372

As we have seen the case with the EAC, the EU in furtherance of its values and objectives is duty bound to observe certain agreed limits and principles. These principles are meant to govern the Union in whatever acts and / or decisions it takes. And any derogation from the principles may be seen as belittling the good spirit cherished in the EU Treaties. The principles governing the limits and competencies of the EU as envisaged in the Treaties are the principle of conferral, the principle of subsidiarity, and the principle of proportionality. To begin with the principle of conferral, it requires the EU to act only within the limits of the competencies conferred upon it, while leaving other areas to the exclusive competence of the Member States.373 This principle, therefore, limits the ability of the EU to act in areas not specifically conferred and ensures respect to some essential State functions reserved for the Member States. Together with this safeguard, the Court of Justice of the European Union in some occasions has justified some acts of the EU based on the doctrine of implied powers.374 On the other hand, the principle of subsidiarity requires that where an act or decision can be done or taken at the level of a Member State (lowest level of government), it should be done at that level and the EU can only intervene if the same cannot be effectively and efficiently accomplished at that lowest level.375 Furthermore, the EU is supposed to observe the principle of proportionality. This principle briefly demands the EU to exercise the competencies in a proportionate way so as to do what is necessary to achieve the objectives of the Union.376 It is a safeguard against the possibility of the EU and its institutions to overact in enjoying their mandate while hiding themselves in the name of “areas of competencies”. Further details on the procedures and applicability of the principles of subsidiarity and proportionality in the EU are laid down in the Protocol (No. 2) on the Application of the Principles of Subsidiarity and Proportionality.

372  See

article 2 of the Treaty on European Union. article 5(2) of the Treaty on European Union. 374  In the case of Germany and Others vs. Commission [1987] ECR 3203, the Court ruled that the Treaty confers on the Commission the necessary mandate to carry out certain tasks. Also see: Commission vs. Council [1971] ECR 263. 375  See article 5(3) of the Treaty on European Union. 376  See article 5(4) of the Treaty on European Union. 373  See

80

Chap. 3: Systemic and Institutional Synergies

III. European Union’s Organs and Institutions For the effective promotion of its values and implementation of its objectives, the EU acts through various organs and institutions. These organs and institutions are grouped into two main categories, namely the institutions and bodies, and agencies. The EU has more than sixteen institutions and bodies, and more than forty-eight agencies.377 Since the number is too big, only a few institutions and bodies, and agencies relevant to this book will be considered for further discussion. The Treaty on European Union names seven main institutions as forming the institutional framework of the EU. These institutions are the European Parliament, the European Council, the Council, the European Commission, the Court of Justice of the European Union, the European Central Bank, and the Court of Auditors.378 The European Parliament is probably one of the most democratic institutions of the EU because of the reason that it is composed of members who are directly elected by the EU citizens. It is composed of members not exceeding seven hundred and fifty in total plus the President, who are proportionally elected depending on the size of the population of the Member States.379 The minimum number of members per Member State is six and the maximum number is ninety six.380 In terms of functions, the European Parliament basically, among others, acts as the co-legislator with the Council,381 adopts the budget of the Union in collaboration with the Council382 and exercises the supervisory powers over all EU institutions and particularly the European Commission.383 The European Council is an institution meant to provide the Union with the impulse for development and setting political directions and priorities. The Treaties are clear and express that the European Council does not have legislative powers.384 It is composed of the Heads of State or Government of the Member States, its President and the President of the Commission, and the High Representative of the Union for Foreign Affairs and Security PoliEuropean Union, Institutions, Bodies and Agencies. article 13 of the Treaty on European Union. 379  See article 14 of the Treaty on European Union. 380  See article 14 of the Treaty on European Union. 381  See article 14 of the Treaty on European Union and article 223 of the Treaty on the Functioning of the European Union. 382  See article 14 of the Treaty on European Union and article 314 of the Treaty on the Functioning of the European Union. 383  See article 17(8) of the Treaty on European Union and articles 233 and 234 of the Treaty on the Functioning of the European Union. 384  See article 15(1) of the Treaty on European Union. 377  See: 378  See



C. The European Union81

cy.385 Apart from functioning as a catalyst for development as stated above, the European Council also discharges other duties including determining the existence of a serious and persistent breach of the EU values by a Member State;386 appointing the President of the European Commission; appointing the High Representative;387 and other related duties. The Council is the Ministerial representation of Member States to the EU. The Council is composed of one representative Minister from each Member States who are mandated to negotiate binding commitments of their governments.388 The composition of the Council, in terms of which Ministers are members, is not permanent as it changes depending on the issue tabled for discussion. The main functions of the Council are to act as a co-legislator with the European Parliament, doing budgetary functions, and carrying out policy-making and coordinating functions.389 It also concludes international agreements between the EU and non-EU countries and international organizations as well.390 The European Commission is an executive arm of the EU. It is composed of one national of each Member State plus its President and the High Representative of the Union for Foreign Affairs and Security Policy.391 The Treaties further require the members of the Commission to be competent EU citizens whose independence is beyond doubt and should not be taking instructions from their Governments.392 It is estimated that the Commission in discharging its duties enjoys the support from a total of twenty-five thousand staff.393 The main function of the Commission are to uphold the overall interest of the Union; to enforce the Treaties; to mastermind the application of Union law under the control of the Court; to implement the budget and oversee programmes; to coordinate and execute various management functions of the EU; to ensure the Union’s external representation; to initiate the Union’s annual and multi-annual programmes; to initiate the legislative proposal, and so forth.394 385  See

article 15(2) of the Treaty on European Union. article 7(2) of the Treaty on European Union. 387  See article 17(7) of the Treaty on European Union. 388  See article 16(2) of the Treaty on European Union. 389  See article 16(1) of the Treaty on European Union. 390  European Union (2014), p. 15. 391  See article 17(4) of the Treaty on European Union. 392  See article 17(3) of the Treaty on European Union and article 245 of the Treaty on the Functioning of the European Union. 393  Davies, p. 39. 394  See article of the Treaty on European Union 17(1) and article 258 of the Treaty on the Functioning of the European Union. 386  See

82

Chap. 3: Systemic and Institutional Synergies

The fact that EU is legally established and is supposed to operate in accordance with the laws necessitates the presence of an institution whose mandate is to interpret the said laws. That institution is none other than the Court of Justice of the European Union. The structure of the Court includes the Court of Justice, the General Court, and specialized courts.395 It is constituted by one judge from each Member State and nine Advocates-General, who are required to be people of undoubtful independence.396 The Court is mainly mandated to ensure that the interpretation and application of the Treaties and the law generally are observed. It has jurisdiction to decide on the legality or otherwise of the actions brought to it by the Member States, institutions, or individuals; and it may provide guidance (preliminary rulings) to national courts of the Member States on the correct interpretation of the EU law.397 The Treaty on European Union further establishes two more institutions, namely the Court of Auditors and the European Central Bank. The name “the Court of Auditors” is a misnomer as this institution is not a court in the ordinary understanding of courts, rather it is a watchdog institution of the EU mandated to oversee and ensure sound management of all revenue and expenditure of the Union.398 Regarding the European Central Bank, this is an institution entrusted with the duty to oversee the economy and monetary union (the Euro currency) in the Union.399 The European Central Bank and central banks of the Member States constitute what is called the European System of Central Banks. Apart from the above institutions, the EU also has other bodies and agencies directly involved in advancing the objectives of the Union. As indicated above the list of these agencies is very long. However, because of their peculiarity and / or importance in this book, some agencies are briefly discussed hereunder. To begin with the Committee of Regions, this is a peculiar body at international level representing interests of regional and local government authorities of the Member States.400 This is a unique feature of the EU in integrating Europeans and its existence is directly felt by the ordinary citi395  See

article 19(1) of the Treaty on European Union. article 19(2) of the Treaty on European Union, and articles 252 and 253 of the Treaty on the Functioning of the European Union. 397  See article 19(3) of the Treaty on European Union and article 256 of the Treaty on the Functioning of the European Union. 398  See articles 285–287 of the Treaty on the Functioning of the European Union. Also see: Borchardt, pp. 74–75. 399  See articles 128, 282–284 of the Treaty on the Functioning of the European Union. 400  See articles 300, 305–307 of the Treaty on the Functioning of the European Union. 396  See



C. The European Union83

zens at the grassroots, something which is not very common with other regional integrations. Another agency of interest is the European Economic and Social Committee. This is a consultative organ of the Union composed of representatives from civil society organizations of the Member States.401 The importance of this body is the reality that in building strong institutions and systems of any functioning public organization, the contribution of civil society organizations cannot be undermined. So, the presence of this Committee at least ensures that some concerns of certain sections of people in the Union are taken on board. Furthermore, considering the current developments in ICT and the possibility of abuse of the use data, the EU has set a specialized office to take care of data protection issues. The European Data Protection Supervisor is the agency charged with the duties, among others, to monitor processing of data in compliance with EU rules; advising the EU and its institutions on data protection issues, and cooperating with data protection authorities of EU Member States with a view of promoting consistency in data handling and usage throughout Europe.402 Basically, this office oversees the proper use of data in the EU bloc with a view of preventing data misuse by both governments and individuals. This agency is worth a specific mention in this book for data security, data misuse, illegal access of data, and / or data theft are some of the key issues in so far as the discussion on cybercrime is concerned. The completeness of this discussion on EU institutions and organs, in a view of preventing and combating crime, will not be achieved if a specific mention of the two important EU agencies is not done. These agencies inclined to oversee the enforcement of criminal law are the European Police College and the European Police Office (Europol). A detailed account of the roles and functions of these agencies is covered in chapter 4 of this book. IV. Competencies and Functions of the European Union In the EU context, the discussion on the competencies and functions of the Union is very wide. It is wide in the sense that the Union has been very successful to integrate most aspects of the Europeans’ life within its mandate to extent of establishing EU citizenship. The concept of EU citizenship was introduced for the first time by the Treaty on European Union whereas from 401  See articles 301–304 of the Treaty on the Functioning of the European Union. Also see: Davies, p. 45. Further see: Kaczorowska (2011), pp. 177–178. 402  European Data Protection Supervisor, Members and Mission. Also see: European Union (2014), p. 35.

84

Chap. 3: Systemic and Institutional Synergies

that moment onwards citizens of the Member States of the EU became also citizens of the EU. This status goes hand in hand with some rights and privileges which include the right to move and reside freely in the Union; the right to vote and / or be voted for as a candidate for European and municipal elections in the country where one resides; the right to petition the European Parliament and to submit a complaint to the Ombudsman; the right to enjoy protection by the diplomatic or consular authorities of any Member State, and so forth.403 The list of the EU areas of cooperation is very long and ranges from economic, political, social, to cultural spheres. These fields are agriculture, audiovisual and media, budget, climate action, competition, consumers, culture, customs, development and cooperation, digital economy and society, economic and monetary affairs, education, training and youth, employment and social affairs, energy, enlargement, enterprise, environment, EU citizenship, food safety, foreign and security policy, fraud prevention, and health.404 The list further includes humanitarian aid and civil protection, human rights, institutional affairs, justice and home affairs, and maritime affairs and fisheries multilingualism, regional policy, research and innovation, single market, space, sport, taxation, trade, and transport.405 Together with the areas of integration within the competencies of the EU being vast, the Treaty on the Functioning of the European Union groups the same into three major categories. These categories are also known as types of competencies of the EU, which are exclusive competence, shared competence, and supporting competence.406 Exclusive competence in the context of the EU Treaties connotes that the EU shall have an exclusive mandate in a specified area to legislate and implement legally binding acts, and the Member States can only be able to act if permitted by the Union.407 Shared competence refers to the mandate shared between the Member States and the EU, hence, the Member States shall have freedom to exercise its mandate in the specified area only to the extent that the Union has not exercised its mandate.408 Moreover, supporting competence means the Union has the competence to support, coordinate or supplement the efforts of Member States in certain areas, but without causing any intervention to the mandate of the Member States in those areas.409 403  See

article 8 of the Treaty on European Union. articles 3, 4 and 6 of the Treaty on the Functioning of the European Union. 405  See articles 3, 4 and 6 of the Treaty on the Functioning of the European Union. 406  See articles 3–6 of the Treaty on the Functioning of the European Union. 407  See article 2(1) of the Treaty on the Functioning of the European Union. 408  See article 2(2) of the Treaty on the Functioning of the European Union. 409  See article 2(5) of the Treaty on the Functioning of the European Union. 404  See



C. The European Union85

The lists of areas falling under the categories of exclusive competence shared competence, and supporting competence of the EU are provided for under articles 3, 4 and 6 of the Treaty on the Functioning of the European Union respectively. Table 2 below provides for the details of areas of integration under each category of competence. Table 2 List of Categories and Areas of Competencies in the EU Categories of Competence Areas of Integration Exclusive Competence

(a) Customs union;

(Article 3 of the TFEU)

(b) Establishing of the competition rules necessary for the functioning of the internal market; (c) Monetary policy for the Member States whose currency is the euro; (d) Conservation of marine biological resources under the common fisheries policy; (e) Common commercial policy; and (f) Concluding international agreements.

Shared Competence

(a) Internal market;

(Article 4 of the TFEU)

(b) Social policy, limited to the aspects defined in the Treaty; (c) Economic, social and territorial cohesion; (d) Agriculture and fisheries, excluding the conservation of marine biological resources; (e) Environment; (f) Consumer protection; (g) Transport; (h) Trans-European networks; (i) Energy; (j) Area of freedom, security and justice; (k) Common safety concerns in public health matters, limited to the aspects defined in the Treaty; (l) Research, technological development, and space; and (m) Development cooperation and humanitarian aid. (Continue next page)

86

Chap. 3: Systemic and Institutional Synergies

( Table 2: Continued) Categories of Competence Areas of Integration Supporting Competence

(a) Protection and improvement of human health;

(Article 6 of the TFEU)

(b) Industry; (c) Culture; (d) Tourism; (e) Education, youth, sport, and vocational training; (f) Civil protection; and (g) Administrative cooperation

Throughout its existence, the EU has always been haunted by serious debates on its functions and competencies vis-à-vis the powers of its individual Member States to plan, decide and implement projects in their own (sovereignty). While the advantages of the Union to the Member States and Europe as a whole are eminent, still the issue of sovereignty is a hot debate. Together with the safeguards contained in the Treaties against the possible interventions by the EU to the reserved affairs of individual Member States, still the debate on sovereignty is tense.410 Equally important, is the fact that the TFEU contains a “the flexibility clause” which allows for the extension of the mandate of the EU in certain specified circumstances.411 Fortunately or rather unfortunately, the debate on sovereignty has been there from the very early days of the EU’s inception. As discussed in chapter 3 part. C.I. above, in 1965 in the so-called “the empty chairs crisis”, France declined for almost a year to participate in the affairs of the then EEC because of the attempt to extend the mandate of the Community.412 Also, it has been explained above that the period between 1970 and 1980 is termed in the history of the EU as the years of stagnation because efforts among the EU members towards developing the EU were less effective. The Member States concentrated more in their internal affairs than the affairs of the Union.413 More or less the reasons accounting for this situation, among others, have a bearing on sovereignty issues leading to prioritizing more individual matters than that of the Union. Furthermore, the move towards adoption of the Constitution of the European Union which started in Decem410  Article 263 of the Treaty on the Functioning of the European Union allows the Court to invalidate any act done by the EU for lack competence or non-adherence to essential procedural requirements. 411  See article 352 of the Treaty on the Functioning of the European Union. 412  Kaczorowska (2011), p. 11. 413  Kaczorowska (2011), p. 13.



C. The European Union87

ber 2001 and terminated in 2007 failed because of the same issues related to the division of power between the EU as an intergovernmental institution and its members.414 It seems many members were not in support of the idea of conferring more powers to the Union. This fact explains why this project (the Constitution of the European Union) failed. More vividly, is the current move by the United Kingdom to conduct a referendum which was held on 23 June 2016 and majority of the Britain (51.9 %) have decided that their country should pullout from the European Union. The United Kingdom has so far held the referendum two times on the same EU membership issue. The reasons that are being advanced by the United Kingdom’s move, among others, is the question of the feeling of loss of sovereignty and pride as Britain in the EU, for the competence of the Union is very extensive and they feel that the EU is not beneficial to them as such. Moreover, although the United Kingdom is a member of the EU since 1973, she is not part of the Eurozone and Schengen area arrangements under the EU. The currency issue being one of the most important aspects of economic sovereignty, the British seemed to be reluctant to surrender their economic sovereignty to the EU. These examples evidence the ongoing debate and tension among Europeans on the sovereignty issue. The debate on power distribution between the EU and its Member States has reached a stage whereby some scholars ask whether the EU is an intergovernmental organization or a federation.415 Perhaps the British exit to the EU should be construed as a message to the EU to rethink about the future of the Union which is in line with the expectation of its citizens. To some countries within the European continent like Norway, the EU has never been an institution of admiration. When asked why Norway is not a member of the EU, Rune Bjåstad, the Minister Counsellor for Culture and Communication at the Royal Norwegian Embassy in Paris opined that Norway does not see any relevancy and necessity of being a member of the EU, in the following words: The reason is quite simple, the Norwegian people said, ‘no’ twice in referendums, each time by a narrow majority. The arguments for saying ‘no’ were that membership was a threat to the sovereignty of Norway, the fishing industries and agriculture would suffer, that membership would result in increased centralization, and there would be less favourable conditions for equality and the welfare state. Fishing is extremely important to the Norwegian economy, especially for coastal areas.

414  Kaczorowska

(2011), pp. 28–29. further discussion see: Cairns, pp. 8–10. Also see: Kaczorowska (2011), pp. 103–106. 415  For

88

Chap. 3: Systemic and Institutional Synergies

It is the second largest industry in our country, after oil. But we must immediately say that economically, Norway is already part of the EU Internal Market. The question may be a bit misleading: in fact, we are strongly integrated in the European Union, even if we are not members. Economically, we are equal with other member states, through the Agreement on the European Economic Area, the so-called EEA. Since 1994, Norway has participated fully in the Internal Market. We take part in several EU programs, such as the research program. Norwegian students are also involved in the Erasmus programme. We contribute financially to the programme. The Norwegian economy is strong, unemployment is low. Norwegians therefore see no economic argument in favour of EU membership.416

D. The Council of Europe As consistently demonstrated above, this chapter is an attempt to analyze the legal, political and institutional foundations of the three intergovernmental organizations, the EAC, the EU, and the CoE, which are the main subjects of this scrutiny. Having perused much on the EAC and the EU, this last part of the chapter concentrates on the CoE, an organization which deserves the same degree of devotion in order to appreciate the parameters, principles, and values upon which it is founded. Below is a detailed account of the CoE in terms of its history and establishment, principles, organs and institutions, and functions and competencies. I. History and Establishment of the Council of Europe The CoE is the first and oldest post-war intergovernmental organization established a few years after the Second World War. It was established based on the idea arose at the Congress of Europe held at the Hague on 10 May 1948, which was organized by the International Committee of the Movements for European Unity.417 Subsequent to the Congress, on 5 May 1949 in London, the CoE was established by the Statute of the Council of Europe, which was on that date officially signed by the ten founding Member States. These States were Belgium, Denmark, France, Ireland, Italy, Luxembourg, Netherlands, Norway, Sweden, and the United Kingdom.418 The driving force behind the establishment of the CoE is more or less the same as that of the EU. This is because of the reason that after the experi416  See Euronews at: http: /  / www.euronews.com / 2013 / 03 / 29 / norway-and-the-eu, accessed on 31 August 2016. 417  See: The Centre Virtuel de la Connaissance sur l’Europe (CVCE), The Origins of the Council of Europe. Also see: Sithole, pp. 67–68. 418  See the first paragraph of the preamble to the Statute of the Council of Europe which lists the founding Member States.



D. The Council of Europe89

ences of atrocities of the Second World War and other previous battles, Europe was adamantly looking for the permanent solutions to prevent future wars through combined political efforts.419 Due to these pressing circumstances, the formation of intergovernmental political organizations like the CoE was inevitable in Europe. The CoE is considered as the parent organization upon which the European Coal and Steel Community and the European Economic Community (which later formed the EU) were founded.420 At least all twenty eight EU Member States (now basically twenty seven after British exited the EU) joined the CoE first prior to joining the EU. Membership to the CoE is open to any European State which accepts principles of rule of law, enjoyment of human rights within its jurisdiction, freedoms, and sincere collaboration with a view to achieving the objectives of the Council.421 As of today, the CoE has a total number of forty seven Members States representing almost all parts and sections of Europe, from West to East Europe, and six States with observer State status.422 Belarus and Holy See (Vatican City) are the only countries in Europe that are not members of the CoE, but Holy See has the status of an Observer State in the CoE. Also, the CoE has four non-European countries, namely USA, Canada, Japan and Mexico which have been granted the observer status.423 The list of the Member States of the CoE is presented in Table 3 below. Table 3 The Current Member States of the Council of Europe S / N

Member State

Admission

S / N

Member State

Admission

1

Belgium

5 May 1949

25

Poland

26 Nov 1991

2

Denmark

5 May 1949

26

Bulgaria

7 May 1992

3

France

5 May 1949

27

Estonia

14 May 1993

4

Ireland

5 May 1949

28

Lithuania

14 May 1993

5

Italy

5 May 1949

29

Slovenia

14 May 1993

6

Luxembourg

5 May 1949

30

Czech Republic

30 Jun 1993

(Continue next page) 419  Dowrick,

pp. 610–611. Also see: Cook, pp. 391–392. The Council of Europe, Our History. Also see: Cook, p. 392. 421  See article 4 of the Statute of the Council of Europe, 1949. 422  Council of Europe, Our Member States. 423  Fafinski, p. 203. 420  See:

90

Chap. 3: Systemic and Institutional Synergies

(Table 3: Continued) S / N

Member State

Admission

S / N

Member State

Admission

7

Netherlands

5 May 1949

31

Slovakia

30 Jun 1993

8

Norway

5 May 1949

32

Romania

7 Oct 1993

9

Sweden

5 May 1949

33

Andorra

10 Nov 1994

10

United Kingdom

5 May 1949

34

Latvia

10 Feb 1995

11

Greece

9 Aug 1949

35

Albania

13 Jul 1995

12

Turkey

9 Aug 1949

36

Moldova

13 Jul 1995

13

Iceland

7 Mar 1950

37

Macedonia

9 Nov 1995

14

Germany

13 Jul 1950

38

Ukraine

9 Nov 1995

15

Austria

16 Apr 1956

39

Russia

28 Feb 1996

16

Cyprus

24 May 1961

40

Croatia

6 Nov 1996

17

Switzerland

6 May 1963

41

Georgia

27 Apr 1999

18

Malta

29 Apr 1965

42

Armenia

25 Jan 2001

19

Portugal

22 Sep 1976

43

Azerbaijan

25 Jan 2001

20

Spain

24 Nov 1977

44

Bosnia and Herzegovina

24 Apr 2002

21

Liechtenstein

23 Nov 1978

45

Serbia

3 Apr 2003

22

San Marino

16 Nov 1988

46

Monaco

5 Oct 2004

23

Finland

5 May 1989

47

Montenegro

11 May 2007

24

Hungary

6 Nov 1990

Source: Council of Europe, Our Member States, available at: http: /  / www.coe.int / en / web / about-us / ourmember-states, accessed on 13 June 2016.

According to the Statute of the Council of Europe, the aim of the CoE is stated as follows: The aim of the Council of Europe is to achieve a greater unity between its members for the purpose of safeguarding and realizing the ideals and principles which are their common heritage and facilitating their economic and social progress.424

424  See

article 1(a) of the Statute of the Council of Europe, 1949.



D. The Council of Europe91

Comparatively, while the EU’s objectives and programmes are more focused on economic integration, the CoE has human rights protection and advocacy, fundamental freedoms, the rule of law and democracy at the forefront of its objectives. In furtherance of its aim, the CoE has recorded remarkable achievements in the area of human rights protection and advocacy. It is an organization whose accomplishments in human right are celebrated all over the world and its framework is being endorsed as an exemplary human rights model at regional and international arenas. Furthermore, the CoE has again demonstrated leadership in terms of timely and effectively responding to global issues through its promulgation of the Council of Europe Convention on Cybercrime of 2001, famously known as the Budapest Convention. This Convention is one of the CoE’s most commendable efforts towards the creation of the secure cyberspace for the secure Europe and the globe as a whole. A detailed discussion and analysis of this Convention are covered in chapter 4 part. C. of this book. II. Principles Governing the Council of Europe Reading and analyzing the Statute of the Council of Europe from its preamble to the end, one will notice that much emphasis has been repeatedly put on five important aspects which can be considered to be the founding principles of the CoE. These principles are the rule of law, human rights, democracy, fundamental freedoms, and sincere and effective collaboration in realizing the objectives of the CoE. Human rights, democracy and the rule of law are also stated as core values of the CoE.425 In principle, whatever the CoE has been doing for the past sixty seven years has a direct bearing with the above-identified principles and values. III. Council of Europe’s Organs and Institutions The Statute of the Council of Europe provides for three basic organs as bodies entrusted with the duty of realizing the objectives of the CoE. These organs are the Committee of Ministers, the Parliamentary Assembly, and the Secretariat.426 To start with the Committee of Ministers, it is composed of one representative from each Member State, who is principally supposed to be a Minister responsible for Foreign Affairs.427 It is an organ with a mandate to act on behalf of the CoE subject to some restrictions contained in the 425  Council

of Europe, Values. article 10 of the Statute of the Council of Europe, 1949. 427  See article 14 of the Statute of the Council of Europe, 1949. 426  See

92

Chap. 3: Systemic and Institutional Synergies

Statute.428 Furthermore, the Committee is mandated to consider relevant actions needed for the furtherance of the objectives of the Council, to give recommendations to the governments of its members, and adoption of conventions and agreements on behalf of the CoE.429 It is also lawful for the Committee of Ministers to adopt administrative and financial arrangements, and to form consultative committees and commissions as necessary from time to time.430 It is, therefore, correct to say that the main function of the Committee of Ministers is to provide leadership on policy and political directions, and setting agenda priorities of the CoE. The Parliamentary Assembly is another organ of the CoE, which before the change of name introduced by the Committee of Ministers in February 1994, was known as the Consultative Assembly.431 In fact, the Assembly is a deliberative organ of the Council with powers to discuss any matters within the competencies of the CoE and present their decision to the Committee of Ministers in the form of recommendations.432 It has also power to establish committees and commissions, as it deems appropriate, to address specific issues and report back to it. In terms of composition, the Parliamentary Assembly of the CoE consists of 636 representatives appointed by the Parliament of each Member State, whose number depends on the allocation for each State as agreed under the Statute.433 According to the Statute, as of 16 June 2015 when the Statute was amended for the last time, the Member States with the highest number of representation in the Assembly had eighteen representatives (Germany, France, Italy, Russia, Turkey and United Kingdom), while the lowest number of representation was two representatives (Andorra, Monaco, San Marino and Liechtenstein). The Secretariat of the CoE is yet another important organ whose principal obligation is to provide secretarial services to the Committee of Ministers and the Parliamentary Assembly.434 This organ supervises the implementation of the day to day activities of the Council. It comprises the Secretary General, Deputy Secretary General, who are appointed by the Parliamentary Assembly based on the recommendations of the Committee of Ministers, and such other supporting staff.435

428  See 429  See 430  See 431  See 432  See 433  See 434  See 435  See

article 13 of the Statute of the Council of Europe, 1949. article 15 of the Statute of the Council of Europe, 1949. articles 16 and 17 of the Statute of the Council of Europe, 1949. article 10(ii) of the Statute of the Council of Europe, 1949. articles 22 and 23 of the Statute of the Council of Europe, 1949. articles 25 and 26 of the Statute of the Council of Europe, 1949. articles 10 and 37 of the Statute of the Council of Europe, 1949. article 36 of the Statute of the Council of Europe, 1949.



D. The Council of Europe93

Apart from the above organs, also the CoE has other many institutions not directly established under the Statute of the Council of Europe, but under other CoE conventions and legal instruments. In furtherance of its aims, the CoE has been adopting a number of legal instruments, the act which goes hand in hand with setting up of some of these institutions. For example, immediately after its establishment, the first Parliamentary Assembly of the CoE in Rome in 1950 adopted a landmark legal instrument in human rights, the European Convention on Human Rights.436 This convention establishes, among others, human rights watchdog institutions like the European Court of Human Rights. More relevant to this discussion is the CoE institution known as the European Committee on Crime Problems (CDPC) which was established in 1958 and mandated with, among others, overseeing and coordinating crime prevention and control.437 The CoE has numerous institutions established in a similar fashion. Something worth noting in the CoE is the absence of provisions on dispute settlement in the Statute of the Council of Europe. The Statute is silent on how disputes between the Member States of the Council, or organs of the Council, or the organs and the Member States will be dealt with. It establishes neither the court nor any other body with powers to interpret the Statute in the case of a misunderstanding or differences in interpretation. For example, article 8 of the Statute of the Council of Europe empowers the Committee of Ministers to suspend or even dismiss any Member State who seriously violate article 3 of the Statute. The critical question here is who determines fairly and justly the existence of such serious violation in the absence of the court? Since disputes are common among players in the integration process, the absence of clear and express provisions on the same in the Statute, be it by default or design, amounts to a serious omission. IV. Competences and Functions of the Council of Europe In a bid to achieve its aims, the CoE through its Statute lays down the tactical means to be employed in its endeavors, which are basically three. These are discussing issues of common concern; adopting agreements and common action in economic, social, cultural, scientific, legal and administrative matters; and upholding and further realizing human rights and fundamental freedoms.438 The stated tactical means can also be construed to define the competencies and functions of the CoE for they mention specifically the areas in which integration is expected. That said, the CoE, therefore, is ex436  Cook,

p. 392. Council of Europe, About the European Committee on Crime Problems. 438  See articles 1(b) and 23 of the Statute of the Council of Europe, 1949. 437  The

94

Chap. 3: Systemic and Institutional Synergies

pected to exercise its mandate only within the areas and limits specified in its Statute. This position is further solidified by article 1(d) of the Statute of the Council of Europe which unambiguously excludes matters relating to national defence from the competence of the CoE. In exercising its mandate under the Statute, the CoE has been very vibrant in pioneering and implementing diverse programs within its areas of competencies. As observed above, immediately after its establishment, the CoE engaged itself in the war against human rights violations in the region through the European Convention on Human Rights of 1950. This was followed by a series of programs on democratization, the formation of an independent judiciary, prevention of torture, minority rights, social security issues, cultural issues and so forth. Also, in 2001, the CoE adopted the Convention on Cybercrime which entered into force in 2004. In total, the CoE has so far successfully facilitated the adoption of more than two hundred different international legal instruments addressing dozens of common concerns among Europeans, in the forms of statutes, agreements, conventions, treaties and protocols. It should be clearly understood that while the EU is a supranational intergovernmental organization whereas Member States have surrendered some of their sovereignty on matters of common interest, the CoE is an institution with limited mandate which was established to mainly promote democracy and protect human rights and the rule of law in Europe. The role played by the CoE vis-à-vis the EU can be better explained and appreciated by borrowing some words from Emmanuel Paraschos, a distinguished academic and journalist, who says: Although the Council of Europe has been eclipsed recently by the notoriety and clout of European Union and its institutions, it remains the continent’s voice of conscience and carries immense moral authority on matters of its jurisdiction, primarily the monitoring and protection of human rights in Member States and even beyond them.439

E. Synergies Among the East African Community, the European Union, and the Council of Europe as Intergovernmental Organizations In an attempt to explain the theories behind integration and the formation of international organizations among States, there are three common approaches. These approaches are resource dependency approach (exchange theory), which suggests that international organizations are formed to accumulate resources with one another; organizational ecology and contingency 439  Paraschos,

p. 31.



E. Synergies Among the EAC, the EU, and the CoE95

theory, which considers integration as a means of adaptation among States to manipulate the environment and make survival possible; and the transaction cost theory, which implies that international organizations are meant to lower transaction costs.440 Approaching the three intergovernmental organizations above from theoretical perspectives, one will note that they were established and indeed operating similarly within the doctrinal benchmarks. The abovediscussed assumptions fit well within the history and politics behind the establishment of these organizations. The establishment of the EAC, the EU, and the CoE is therefore founded on similar philosophical assumptions. Legally, the EAC, the EU, and the CoE are creatures of treaties. Their establishment, objectives, organization structure, and mandate are governed by the legal instruments establishing them. For example, although there might be minor disparities in terms of their objectives and competencies, but the bottom line is that they are all intended at joining efforts in terms of extending and intensifying cooperation with a view to fostering social, economic, cultural and political welfare of their subjects. This can further be evidenced through various commitments made and even the principles governing these organizations. For example, the principle of subsidiarity and many other issues as enshrined in the Treaty on the European Union feature more or less in a similar manner in the Treaty for the Establishment of the East African Community.441 In terms of operations, the relationship between the CoE and the EU is like that of twin sisters or a parent and a child. They have been closely overlapping in their operations to the extent that some authors consider them to be complementary partners.442 With the recently increased concentration of the EU in human rights issues, one may feel that the EU and CoE occupy the same policy agenda, hence, no need to have two organizations dealing with the same concerns. However, the reality seems to be that the CoE and the EU have been operating parallel for the most of the time they have been in existence with each having a different field of activity, and different means of accomplishing its objectives. The overlapping between the CoE and the EU can also be explained as, while the CoE focuses more on human rights, democracy and the rule of law, the EU focuses on economic integration among the European States at the same time bringing in the notion of human rights in economic transactions. However, it is important to note that while the CoE is an intergovernmental organization whose mandate is very limited, the EU 440  Kolb,

pp. 19–20. details on the principle of subsidiarity see article 5(3) of the Treaty on European Union vis-à-vis article 7 of the Treaty for the Establishment of the East African Community, 1999. 442  Kolb, p. 5. 441  For

96

Chap. 3: Systemic and Institutional Synergies

has gone beyond this as it is a supranational institution with very extensive powers. Looking at the relationship between the EU and the EAC, one will note that the organization model upon which the EAC is founded is somewhat based on the EU style. The model has been slightly customized to accommodate the peculiarity and the specific needs of the East African region. In terms of cooperation between the EU and the EAC, it is noted that the EAC has continued to receive financial and technical supports from the EU in the implementation of its various programs and objectives.443 This fact catalyzes the need and decision of the author of this book to use Europe as an exemplary regime that the EAC can learn from. The commonality expounded above explains and justifies why this comparative study in the field of the law, particularly Cyber laws, is important for it is being carried out with the aim of assisting the EAC to systematically align its efforts against cybercrime while informed of the developments in the CoE and the EU. It is worth noting that Europe through the CoE has adopted two important legal instruments, the Convention on Cybercrime and the Additional Protocol to the Convention on Cybercrime, 2003, which are increasingly becoming the envy of the world in so far as the war against cybercrime is concerned. The adoption of the Cybercrime Convention by the CoE highly influenced the EU to adopt and model its cybercrime frameworks within the CoE parameters. The EU cybercrime frameworks that were adopted to reflect the CoE Convention on Cybercrime include the Council Framework Decision 2004 / 68 / JHA on Combating the Sexual Exploitation of Children and Child Pornography of 22 December 2003; the Council Framework Decision 2005 / 222 / JHA on Attacks against Information Systems of 24 February 2005; and Directive 2013 / 40 /  EU of the European Parliament and of the Council of 12 August 2013 on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA. These frameworks are further discussed and analysed in chapter 4 below.

F. Concluding Remarks Based on the foregoing, one will note that the EAC, the EU, and the CoE are all intergovernmental political organizations aimed at unifying their peo443  For more details on the EU support to the EAC, see: East African Community Resource Mobilization Office, Regional Integration Support Programme (RISP). Also see: Delegation of European Union to the United Republic of Tanzania, EU-EAC, available at: http: /  / eeas.europa.eu / delegations / tanzania / africa_eu / eu_eac / index_en. htm, accessed on 17 June 2016.



F. Concluding Remarks97

ple towards forging integration for their political, social, cultural and economic wellbeing. They commonly share some objectives and principles governing their day to day operations. Furthermore, they are all creatures of the law as they are established under their respective legal instruments. In terms of integration maturity and intensification, it is evident that the EU and the CoE have gone far deeper than the EAC as they have been successful in establishing cooperation in diverse fields. While the CoE and the EU are intergovernmental organizations whose most members are developed countries (save for Greece which is currently implementing the toughest austerity measures following the economic crisis it is facing), the EAC is an intergovernmental organization whose all members are developing countries, as a result, even its operations are confined to a few earmarked areas. The EAC is still facing some challenges in its operations such as problems of financing the budget of the community, limited institutional development, regional peace and security issues, and so forth.444 It has also been noted that the establishment of the EAC and the way it operates has resulted in questions on its legitimacy, transparency and adherence to democracy. Some people opine that the establishment of the EAC lacks legitimacy as the process did not involve the East Africans themselves from the grassroots, rather it is perceived as an organization of a few political elites.445 Also, it appears that its organizational setup and operations are not founded on participatory democracy and transparency. In short, the EAC appears not to have a direct touch with its subjects. In comparison with its counterparts, the EU, and the CoE, these organizations seem to somehow involve people at all levels from the grassroots. Their organs mirror certain level of representation of the Europeans in the organizations. For example, the members of the EU Parliament are appointed directly by the Europeans through direct voting. In addition to that, the EU has a Committee of Regions which represents the interests of the Europeans at the regional and local government levels, and the European Economic and Social Committee represents the voice of the civil society. Comparatively, these instances convey the sense that the organizations are more representative, people-centered, democratic, and having direct touch and impact to its people, the fact which is missing with the EAC. However, there has been also serious concerns on the EU integration vis-à-vis certain constitutional limitations contained in the constitutions of the Member States. Mwapachu, pp. 61–66. footnote 289 above and further see: Gastorn / Sippel / Wanitzek, Introduction: Regional Cooperation and Legal Integration in East Africa, p. 2. Further see: Mchome, pp. 100–101. Also see: Kamanga / Possi, p. 207. 444  See: 445  See

98

Chap. 3: Systemic and Institutional Synergies

Looking at the EU from the German constitutional perspective, one will note that the judgment of the German Federal Constitutional Court (FCC) of 30 June 2009 regarding the constitutionality of the Lisbon Treaty does not only repudiate the claim that EU law is superior to Member States law, but also it tends to limit the mandate of the EU to extend the areas of integration in future.446 The FCC noted that the Lisbon Treaty went too far to the extent of interfering with the inalienable State sovereignty, national identity of Germany as a State, and the principle of democracy which demands that certain decisions making powers should remain only with the Parliament which is elected by the Germans.447 Furthermore, the FCC identified areas of fundamental criminal law, State’s monopoly to the use of force internally and externally, State’s financial system, social security system, and fundamental cultural issues like family law, education and religion as inalienable patterns of State’s sovereignty.448 It suffices to say that the observation by the FCC raises a number of doubts in relation to EU’s mandate and its political and legal legitimacy vis-à-vis Member States’ sovereignty. On the supremacy of international law over domestic law, the Treaty for the Establishment of the East African Community clearly provides that “community organs, institutions, and laws shall take precedence over similar national ones on matters pertaining to the implementation of this Treaty”.449 However, laws of the EAC have no direct effect on national laws as such, for constitutions of some EAC Member States require further domestication by way of enacting a corresponding legislation in line with the EAC laws, to be more precise a dualist approach to international law.450 This process, therefore, means that EAC laws cannot be directly enforced in national courts of Member States without first being domesticated. As opposed to the EAC law, generally one may argue that the EU law does not require further domestication as it enjoys supremacy and has a direct effect on the domestic laws of Member States, hence, it can be directly enforced in local courts of Member States without further processes which is a monist approach to international law.451 For example, the courts in France consider that the EU law is superior to national laws.452 This is what is famously known as the doctrine of direct effect and supremacy of the EU law. However, the supremacy of EU 446  Bothe,

p. 2. Also see: Kiiver, p. 1288. pp. 1280–1281. 448  Wohlfahrt, p. 1284. 449  See Article 8(4) of the Treaty for the Establishment of the East African Community, 1999. 450  See: Mchome, p. 85. 451  This principle was established by the then European Court of Justice in the case of Flaminio vs. ENEL [1964] ECR 585. 452  Grosser, p. 1264. 447  Wohlfahrt,



F. Concluding Remarks99

law has two exceptions, namely the res judicata principle and it also does not apply to international agreements concluded by a Member State prior to the accession of the EU law.453 However, together with this being the position of the Court of Justice of the European Union, some courts of the Member States have openly challenged this position and claim precedence over the EU Law.454 The FCC in its judgment on the Lisbon Treaty although it confirmed that the Lisbon Treaty and the German Basic Law are compatible, but it openly stated that the German Basic Law is superior to the EU especially on issues related to criminal law, State’s decision on the use of force, decisions on State’s financial system, social security system issues, and fundamental cultural issues.455 This is the clear manifestation of power struggle between the EU and its Member States. Together with the above-identified variations, still, Europe’s setup plays a very useful role of being an exemplary lesson to the EAC.

Kaczorowska (2011), 2011, pp. 341–364. Further see: Turner, pp. 19–33. pp. 1241–1242. Also see: Niedobitek, pp. 1272–1274. 455  Wohlfahrt, pp. 1283–1285. Also see: Schönberger, pp. 1201–1202. 453  See:

454  Halberstam,

Chapter 4

The War Against Cybercrime: Europe’s Legal and Institutional Frameworks A. Introductory Remarks As indicated in chapter 3, despite the challenges the EU and the CoE are facing, they have been steadily growing and the integration between European countries is being more intensified over time. In this growth and intensified cooperation the field of criminal law is not left behind. Although theoretically the field of criminal law was supposed to be reserved for individual countries to exercise their sovereignty, however, the pressure of globalization, economic, social, cultural and political changes, technological developments, and specifically new criminal trends have necessitated the extension of the mandate by intergovernmental organizations to include penal matters.456 This chapter is an in-depth discussion of the efforts, in terms of legal and institutional mechanisms, put in place by the CoE and the EU in preventing and combating cybercrime. It covers the historical, legal and institutional basis upon which the EU and the CoE harmonization and approximation of criminal law, particularly cyber laws are founded. The chapter basically focuses on the scope of the laws and mandate conferred upon the institutions in place against their capabilities in preventing and fighting cybercrime. However, the chapter does not primarily intend to examine the efforts by individual States composing the EU and the CoE, rather it focuses on collective arrangements under the auspices of these intergovernmental organizations. But in the course of the discussion, a few specific examples might be cited from individual countries in an attempt to further clarify issues. Bearing in mind that Europe has been lively at all times in policy and law making, and institutions building, this discussion is expected to be exceptionally beneficial for the East African bloc in its attempts to forge a serious integration in the fields of law and justice, and precisely criminal law.

456  O’Flynn,

p. 61.



B. General Background to the Cooperation in Criminal Matters101

B. General Background to the Cooperation in Criminal Matters Among the Council of Europe Member States Cooperation in criminal matters at the level of the CoE has a very long history almost as old as the CoE itself. There has been more than thirty different legal instruments in the form of Conventions, Agreements and Protocols from the period of the CoE’s establishment to-date, with a direct bearing on criminal justice.457 The very first undertaking was in 1957 when the CoE adopted the European Convention on Extradition which basically provided for the extradition obligation and procedures between Parties to the Convention of persons wanted for criminal proceedings or for the carrying out of a sentence or detention order in relation to certain specified offences.458 The Convention entered into force on 18 April 1960 and it was further steadied by four Additional Protocols of 1975, 1978, 2010 and 2012. Another important and landmark legal instrument adopted by the CoE worth mentioning in this discussion is the European Convention on Mutual Assistance in Criminal Matters of 1959 which entered into force in 1962. This Convention enabled the Parties to offer each other the most extensive but legally coordinated degree of reciprocal support in criminal matters with a view to gathering evidence, hearing witnesses, experts, prosecuted persons and so forth.459 In order to sail through the everyday challenges taking place around the globe, the CoE stabilized the European Convention on Mutual Assistance in Criminal Matters by the adoption of the two Additional Protocols of 1978 and 2001. The first and second Additional Protocols were basically intended at tightening the environment for the Parties to refuse offering assistance and improving the Parties’ mandate to respond to cross-border crime respectively.460 In fact, the adoption of the Protocols was necessary to reflect political, social and technological developments in Europe and throughout the world. Apart from the above legal instruments, the CoE has been adopting other several Conventions, Protocols, and Agreements with diverse repercussions 457  The list of all CoE legal instruments can be found at: http: /  / www.coe.int / en /  web / conventions / full-list, as accessed on 18 August 2016. 458  See articles 1 and 2 of the European Convention on Extradition, 1957. 459  See articles 1–13 of the European Convention on Mutual Assistance in Criminal Matters, 1959. 460  See articles 1 and 2 of the Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, 1978, and articles 1 and 2 of the Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters, 2001.

102

Chap. 4: The War Against Cybercrime

in criminal justice administration. Some of these instruments include the European Convention on the International Validity of Criminal Judgments, 1970; the European Convention on the Transfer of Proceedings in Criminal Matters, 1972; the European Convention on the Suppression of Terrorism, 1977; and the Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, 1990. Other adopted legal instruments include the Council of Europe Convention on the Prevention of Terrorism, 2005; Additional Protocol to the Council of Europe Convention on the Prevention of Terrorism, 2015; the Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, 2007 and many more. The Council of Europe Convention on Cybercrime of 2001 and its Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems of 2003 deserve a special devotion in this book, hence, a detailed account of the same is covered in subsequent discussions below.

C. The Council of Europe Convention on Cybercrime The Council of Europe Convention on Cybercrime (famously known as the Budapest Convention) is said to be the first international legal instrument to comprehensively address criminality on cyberspace.461 The adoption of the Council of Europe Convention on Cybercrime in 2001 in Budapest, Hungary was not an overnight course but a result of the efforts and processes that began some decades ago. Although Susan Brenner and Ian Walden claim that international efforts in dealing with cybercrime in Europe were initiated by the OECD in 1983 (see part. G.II. of chapter 2 of this book), Judge Stein Schjolberg considers the efforts which eventually resulted in the adoption of the Budapest Convention to have started in 1976 when the CoE organized a Conference on Criminological Aspects of Economic Crime in Strasbourg, France.462 In this conference, among others, an attempt to define and categorize computer crime was made as explained in chapter 2 part. B.II. of this book. In 1985, the CoE engaged a panel of experts to study legal issues and challenges posed by cybercrime.463 After four years, this team of expert came up with a report containing some guidelines on the minimum uniform offences that countries of the world should consider criminalizing in their statute books.464 Parallel to the CoE process, the OECD was also undertak461  Oddis,

p. 512. (2014), p. 32. 463  Brenner (2010), p. 173. Also see: Walden, pp. 314–317. 464  Brenner (2010), p. 173. 462  Schjolberg



C. The Council of Europe Convention on Cybercrime103

ing some initiatives towards fighting cybercrime, whose experts came up with a more or less similar approach as that of the CoE.465 In November 1996, the European Committee on Crime Problems (CDPC) decided to form a committee of experts to address the problem of criminality in cyberspace.466 The CDPC reached at this decision by taking into consideration the very fast technological developments and the need to have the law keeping pace with the developments.467 The formed committee was given specific terms of reference which can be summed up as to examine the computer related crime and some criminal procedure issues; to examine other related substantive criminal law issues of common interest; to look at the possibility of having trans-border coercive measures in a technological environment; to examine the issue of jurisdiction in relation to cybercrime; and to look at the possibility of having cooperation among States in investigation of cybercrime.468 On 4 February 1997, the Committee of Ministers formed a new committee, called the Committee of Experts on Crime in Cyberspace (PC-CY).469 In April 1997, the PC-CY officially started its work which included the negotiations on the international draft convention on cybercrime and the work was completed in December 2000.470 Finally, in November 2001, the CoE’s Council of Minister adopted the Council of Europe Convention on Cybercrime which became operational in 2004 after attaining a minimum number of ratifications required which was five.471 As of 30 June 2016, the Budapest Convention had 49 State Parties, 20 Observer States, 9 Observer Organizations and 60 signatories in total.472 Something interesting is that although the Convention was adopted under the auspices of the CoE, but its membership is open even to non-European States and that is why Canada, Japan, South Africa and the USA are signatories to the Convention. The main objective of the Budapest Convention, which can be gathered from its preamble is to have a common criminal law approach in view of 465  Brenner

(2010), p. 173. Also see: Simion, p. 302. Council of Europe, Explanatory Report to the Convention on Cybercrime, p. 2. Also see: Velasco, p. 334. 467  The Council of Europe, Explanatory Report to the Convention on Cybercrime, p. 2. Also see: Velasco, p. 334. 468  The Council of Europe, Explanatory Report to the Convention on Cybercrime, p. 3. 469  Tropina / Callanan, p. 88. Also see: The Council of Europe, Explanatory Report to the Convention on Cybercrime, p. 3. 470  Tropina / Callanan, p. 88. 471  Walden, p. 315. Also see: Watney, p. 141. Further see: Keyser, p. 296. 472  Cybercrime Convention Committee, Cybercrime@CoE Update, April–June 2016, p. 2. 466  The

104

Chap. 4: The War Against Cybercrime

enhancing the protection of the society against cybercrime through adopting appropriate legislation and promotion of international cooperation. Commendably, the Convention seeks to achieve the above objective without compromising the fundamental freedoms and human rights through its express recognition of the need to balance between law enforcement and respect for fundamental freedoms and human rights. It specifically recognizes the right to hold opinion without interference, right to freedom of expression, right to respect for privacy, and the right to information. The question of balancing law enforcement vis-à-vis human rights and fundamental freedoms is intentionally stated in this part of the discussion so as to set the footing upon which the discussions on the EAC cybercrime framework in chapter 5 and the comparative analysis between Europe and the EAC in chapter 6 will be founded. Now, looking at the provisions of the Convention, one will note that they have been organized to achieve three specific objectives, namely approximation of substantive rules of criminal law, establishing rules of criminal procedure in dealing with cybercrime, and enhancing cooperation in cybercrime matters.473 The provisions of the Budapest Convention are hereunder analyzed in details. I. Harmonization of Rules and Criminalization of Some Acts As noted above, the Budapest Convention is the first international legally binding instrument in the area of cybercrime. It provides for minimum standards upon which cyber laws of the State Parties to it should be aligned. Although it does not define what amounts to cybercrime, but it provides for definitions of some key terms relevant to cybercrime. The key terms that have been defined includes “computer system”, “computer data”, “service provider”, and “traffic data”.474 It is plausible and important that some key terms have been defined by the Convention to avoid unnecessary litigation on their meanings and applicability. For example, since cybercrime is committed in the computer environment or simply computer system, absence of the definition of “computer system” in the Convention would have serious repercussions in terms of ascertaining whether a certain setting amounts to computer system, hence within the range of cybercrime. Considering the technological advancements taking place on daily basis, the Convention has defined the term “computer system” widely enough to encompass reasonably foreseeable technological trends. 473  Oddis, 474  See

pp. 502–503. article 1 of the Council of Europe Convention on Cybercrime, 2001.



C. The Council of Europe Convention on Cybercrime105

In terms of substantive cybercrime law, the Convention categorizes the offences into four major groups. These groups are offences against the confidentiality, integrity and availability of computer data and systems; computerrelated offences; content-related offences; and offences related to infringements of copyright and related rights. The group of offences against the confidentiality, integrity and availability of computer data and systems carries with it specific offences such as illegal access to the computer system,475 illegal interception with the computer data or computer system,476 data interference,477 computer system interference,478 and misuse of the computer system and related devices.479 As noted above, it is worth commenting that the definitions provided in article one help to create a very clear understanding of the subsequent types of offences created by the Convention as it is the case with the first group of offences as analysed here. The computer-related offences according to the Convention are basically two. These are those offences involving dishonesty which can be manifested through forgery or / and fraud with the use of the computer as a primary tool for commission of the offence. Specifically, the Budapest Convention requires the Parties to make provisions in their domestic laws that will outlaw computer-related forgery480 and computer-related fraud.481 However, it is important to note that in this category the Convention is being criticized for non-inclusion of the offence of identity theft which is becoming one of the serious issues in cyberspace.482 The third group as mentioned above concerns content-related offences. Generally, this is probably one of the most contentious aspects when it comes to weighing between the legality of the content vis-à-vis individuals’ rights to information, freedom of expression, right to hold opinion without interference and right to privacy. It is contentious because of the fact that there is no single universally accepted standard as to what contents are legal and acceptable and what are not, save for child pornographic materials. Legislating on the legality of content is one of the toughest tasks. In the USA, the wisdom of the Supreme Court was tested in the case of Reno vs. American Civil Liberties Union483 which basically had something to do with the regulation of 475  See

article 2 of the Council of Europe Convention on Cybercrime, article 3 of the Council of Europe Convention on Cybercrime, 477  See article 4 of the Council of Europe Convention on Cybercrime, 478  See article 5 of the Council of Europe Convention on Cybercrime, 479  See article 6 of the Council of Europe Convention on Cybercrime, 480  See article 7 of the Council of Europe Convention on Cybercrime, 481  See article 8 of the Council of Europe Convention on Cybercrime, 482  Clough (2012), pp. 379–381. Also see: Clough (2014), p. 702. 483  Reno vs. American Civil Liberties Union, 521 U.S. 844 (1997). 476  See

2001. 2001. 2001. 2001. 2001. 2001. 2001.

106

Chap. 4: The War Against Cybercrime

online contents against the freedom of speech. The USA Supreme Court ended up declaring as unconstitutional the anti-indecency provisions of the Communications Decency Act that was meant to protect minors online. In the same spirit and wavelength, the Budapest Convention cautiously does not engage itself in regulation of any other types of content or materials except for child pornographic materials. This deliberate move to criminalize dealing in child pornographic materials might have been catalyzed by the rampancy of these materials in the late 1990s and early 2000s.484 The Convention obliges the Parties to make provisions that will criminalize dealing with child pornographic materials in terms of producing, offering or making available, distributing or transmitting, procuring, and possessing.485 Although it is important to be mindful of human rights limits, but still there is a need to regulate contents other than child pornographic materials scattered everywhere online and offline which sound offensive to the public. For example, currently grooming and spamming are among the common offences which ought to have been included in the Convention.486 The lacuna left by the Budapest Convention is wanting and it requires serious thinking and relook into this state of affairs, and probably effect the necessary adjustments. The fourth group is about offences related to infringements of copyright and related rights. In response to the simplicity and easiness brought by computing in tempering with copyrighted works, the Budapest Convention requires the Parties to enact provisions that will make it an offence to use a computer system to infringe copyrights and neighbouring rights.487 Finally, in the aspect of harmonizing rules on criminal law, the Budapest Convention provides for guidance on ancillary liability and sanctions. The Convention obliges the Parties to criminalize the acts of abetting or aiding by any party in the commission of any of the offences established under the Convention, the extension which covers even legal persons (bodies corporate).488 In terms of sanctions, the Convention requires Parties to have in place pieces of legislation that will ensure effective, proportionate and dissuasive punishments are imposed on convicted offenders, which may include denial of liberty.489

484  For statistics on rampancy of child pornographic materials online see: Oddis, pp. 478 and 486. 485  See article 9 of the Council of Europe Convention on Cybercrime, 2001. 486  Clough (2009), pp. 381–384. Also see: Clough (2014), p. 702. 487  See article 10 of the Council of Europe Convention on Cybercrime, 2001. 488  See articles 11 and 12 of the Council of Europe Convention on Cybercrime, 2001. 489  See article 13 of the Council of Europe Convention on Cybercrime, 2001.



C. The Council of Europe Convention on Cybercrime107

II. Criminal Procedural Issues The Budapest Convention contains also some provisions on criminal procedures and processes. The Convention provides for guidance in terms of procedures for offences established under the Convention and other offences committed using a computer system, and also rules of collection of electronic evidence.490 Considering the sensitivity of human rights and individual liberties, the Convention insists on the need to protect human rights in the implementation of criminal processes and procedures by imposing safeguards such as involvement of judicial or other independent supervision, application of the powers based on reasonably justifiable grounds, and other limitations in terms of scope and the duration of such procedures.491 Furthermore, the Convention provides for other powers which allow the authorities of State Parties to have in place and implement procedures such as computer data production order, search and seizure of computer data, real-time collection of computer data, and interception of content data.492 It is important to also note that these powers can be exercised by the authorities against individuals, and information and communications service providers. The most important aspect in so far as legal procedures and application of laws are concerned is the question of jurisdiction. It is important because jurisdiction determines who has what powers in implementing or applying the law, and it becomes critically important when an international aspect of the law is involved. For that matter, cybercrime being borderless and transnational in nature, the discussion on jurisdiction matters a lot. According to the Budapest Convention jurisdiction shall lie with a Party if the alleged offence is committed “in its territory, or on board a ship flying the flag of that Party, or on board an aircraft registered under the laws of that Party; or by one of its nationals”.493 In addition to this, the Convention clearly states that it does not exclude any criminal jurisdiction enjoyed by a Party in accordance with its domestic law, and it allows Parties to consult each other in case more than one Party claims jurisdiction over an alleged offence.494 These jurisdictional rules established by the Convention are based on the already appreciated and tested international principles of determination of jurisdiction, namely the territoriality, extra-territoriality, and nationality prin490  See

article 14 of the Council of Europe Convention on Cybercrime, 2001. article 15 of the Council of Europe Convention on Cybercrime, 2001. 492  See articles 18–21 of the Council of Europe Convention on Cybercrime, 2001. 493  See article 22 of the Council of Europe Convention on Cybercrime, 2001. 494  See article 22 of the Council of Europe Convention on Cybercrime, 2001. 491  See

108

Chap. 4: The War Against Cybercrime

ciples.495 Also, these rules help to clear some jurisdictional issues that existed before in cyberspace. However, on the issue of States to consult each other in case of conflict of interest to prosecute, there are possibilities that they may fail to agree on a common position. The Convention requires that if there is a dispute relating to interpretation or application of the Convention, the same should be referred either to the CDPC, or an arbitral tribunal, or the International Court of Justice (ICJ).496 The concern here is that one case may result in a multiplicity of cases and the original criminal case will remain stayed until the jurisdiction ascertainment issue is settled. This delay may have serious issues with achieving the objective of timely dispensation of justice and even maintaining the evidentiary value (credibility and reliability) of the exhibits collected in support of the cases, for evidence tends to deteriorate over time. Probably, the issue of jurisdiction is not a challenge with cybercrime alone, but with the transnational criminal justice as a whole. There are many instances where States have failed to agree on issues because of their policies or political standpoints they believe in. For example, if the conflict of interest to prosecute is between USA and Russia, it is very unlikely that they will agree. The Edward Snowden saga can explain better the above prediction. The situation is even more complicated if more than two States are involved in a single criminal transaction and each State claims the right to prosecute, something which is possible nowadays with the support of the technology. III. International Cooperation in Cybercrime and Related Matters In order to have an effective transnational criminal justice system, international cooperation is among the most critical areas.497 The Budapest Convention contains very extensive provisions in the area of cooperation among States in the fight against cybercrime. The extent of cooperation stated in the Convention involves cybercrime investigations, criminal proceedings, and collection of evidence relating to criminal offences.498 These obligations go in tandem with other related obligations under other international legal instruments.499 The international cooperation depicted by the Convention can 495  The Council of Europe, Explanatory Report to the Convention on Cybercrime, pp. 40–41. Also see: Velasco, p. 335. 496  See article 45 of the Council of Europe Convention on Cybercrime, 2001. 497  Walden, p. 325. 498  See article 23 of the Council of Europe Convention on Cybercrime, 2001. 499  See article 23 of the Council of Europe Convention on Cybercrime, 2001. Also see: Weber, p. 433.



C. The Council of Europe Convention on Cybercrime109

be categorized into two main forms, namely extradition, and mutual assistance. Regarding extradition, the Budapest Convention sets two basic conditions to be satisfied for extradition to be effected. The first condition is that extradition must involve an offence which is punishable under the laws of both Parties, and secondly the punishment must be either custodial sentence exceeding one year, or a more severe penalty.500 However, the Convention does not define what amounts to a more severe penalty, hence it is left for the reasonable man’s test to determine. On mutual assistance, the Convention again obliges Parties to afford one another reciprocal assistance in carrying out investigations, criminal proceedings, and collection of evidence.501 The principle of dual criminality which is considered as the underlying condition in mutual assistance in criminal matters is somehow vitiated by the Convention as it does not strictly apply. The Convention imposes the duty to the Parties to afford one another reciprocal assistance irrespective of variations in the wording, categorization, or denomination of the offence in question in their statute books.502 Furthermore, the Budapest Convention lays down the procedures relating to mutual assistance applications in the absence of appropriate international agreements.503 It also places an obligation on Parties to establish points of contact that will be accessible on a twenty four hour, seven-daya-week basis for the provision of assistance in core areas of mutual assistance as identified above.504 IV. The Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed Through Computer Systems It has been noted in chapter 4 part. C.I. of this book above that the approach taken by the Budapest Convention in regulation of online content was not adequate. This could not withstand the challenges posed by the technology as there was more than child pornographic materials that required to be legislated upon. The PC-CY when drafting the Convention realized the need to have provisions criminalizing the distribution of racist propaganda through

500  See

article article 502  See article 503  See article 504  See article 501  See

24 of 25(1) 25(5) 27 of 35 of

the Council of of the Council of the Council the Council of the Council of

Europe Convention on Cybercrime, 2001. of Europe Convention on Cybercrime, 2001. of Europe Convention on Cybercrime, 2001. Europe Convention on Cybercrime, 2001. Europe Convention on Cybercrime, 2001.

110

Chap. 4: The War Against Cybercrime

computer systems, however, the idea did not sail through for consensus among the members was not reached.505 Also, the CoE Parliamentary Assembly, in its opinion, recommended that a Protocol should be prepared immediately to broaden the scope of the Convention so that other offences such as spreading of racist materials online are criminalized.506 As a result of these recommendations, the Committee of Ministers instructed the CDPC which eventually formed the Committee of Experts on the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (PC-RX).507 The PC-RX therefore drafted and facilitated the adoption of the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems (the Additional Protocol to the Convention on Cybercrime), on 28 January 2003, which entered into force in March 2006.508 Basically, the Additional Protocol to the Convention on Cybercrime, 2003 serves two purposes. It establishes a new range of content offences in cyberspace on top of what are already established by the Budapest Convention; and it synchronizes the criminal procedure and international cooperation provisions in the Convention to the extent of making the same applicable to the newly created offences. Generally, the Additional Protocol to the Convention on Cybercrime, 2003 is not the first international legal instrument to address discrimination, racism, xenophobia and related issues. There are other numerous international legal instruments in this area including the International Convention on the Elimination of All Forms of Racial Discrimination of 1966, the Convention for the Protection of Human Rights and Fundamental Freedoms of 1950,509 the International Covenant on Civil and Political Rights of 1966510 and so forth. However, considering the specificity of racist and xenophobic acts committed through computer systems, the CoE realized the need to have a specific legal instrument to supplement the Budapest Convention and cater for this unique environment. Below is a brief discussion of the 505  The Council of Europe, Explanatory Report to the Additional Protocol to the Convention on Cybercrime, p. 2. 506  The Council of Europe, Explanatory Report to the Additional Protocol to the Convention on Cybercrime, p. 2. 507  The Council of Europe, Explanatory Report to the Additional Protocol to the Convention on Cybercrime, p. 2. 508  Simion, p. 303. 509  See article 14 of the Convention for the Protection of Human Rights and Fundamental Freedoms, 1950 wherein all forms of discrimination are expressly prohibited. 510  See articles 4, 20, 24 and 26 of the International Covenant on Civil and Political Rights, 1966.



D. Institutions Under the CoE Cybercrime Framework111

provisions of the Additional Protocol to the Convention on Cybercrime, 2003. The Additional Protocol to the Convention on Cybercrime, 2003 establishes four substantive offences and one secondary offence (aiding or abetting). The four primary offences are the distribution of racist and xenophobic materials in a computer system;511 threatening with racist and xenophobic motivation;512 insulting with racist and xenophobic motivation,513 and distributing or making available materials which approve or justify acts amounting to genocide or crimes against humanity.514 The Protocol further criminalizes any acts of aiding or abetting committed in relation the offences established under it.515 In terms of the relationship between the Budapest Convention and the Protocol, the Protocol clearly states that the provisions of the Convention shall apply concurrently with that of the Protocol.516

D. Institutions Under the Council of Europe Cybercrime Framework Having legal instruments alone however best worded and crafted, that does not by itself guarantee anyhow to achieve the intended purposes of such instruments. There must be organs, bodies, and institutions that will turn the letters of the law into reality. So, likewise in enforcing criminal law instruments, particularly cyber laws, the CoE discharges this obligation through a number of institutions which are the subjects of the discussion below. I. European Committee on Crime Problems (CDPC) The CDPC was established in 1958 by the decision of the Committee of Ministers of the CoE and it was entrusted with the duties to examine crime problems in Europe; to draft criminal matters Conventions, and to conduct 511  See

article 3 of the Additional Protocol to the Convention on Cybercrime,

512  See

article 4 of the Additional Protocol to the Convention on Cybercrime,

513  See

article 5 of the Additional Protocol to the Convention on Cybercrime,

514  See

article 6 of the Additional Protocol to the Convention on Cybercrime,

515  See

article 7 of the Additional Protocol to the Convention on Cybercrime,

516  See

article 8 of the Additional Protocol to the Convention on Cybercrime,

2003. 2003. 2003. 2003. 2003. 2003.

112

Chap. 4: The War Against Cybercrime

researches in the area of crimes and issue recommendations to be adopted by the CoE members.517 In other words, the CDPC was established to perform the duty of supervising the CoE activities in the area of preventing and combating crime. In the course of performing its duties, the CDPC earmarks main concerns for legal cooperation, recommends to the Committee of Ministers the activities be undertaken in the areas of criminal law and procedure, criminology and penology, and carry out these activities.518 So, the CDPC basically acts like the “right-hand man” of the CoE in so far as the preventing and combating crime is concerned. Furthermore, it is the duty of the CDPC to clarify and facilitate the adoption of Conventions, recommendations, and reports which are related to criminal justice in the CoE. In fact, even in the processes of adoption of the Council of Europe Convention on Cybercrime and its Additional Protocol, the CDPC played an immeasurable role from the beginning to the end with the assistance of the committees of cybercrime experts.519 From 1958 todate, the CDPC has successfully facilitated the CoE in the adoption of over 46 different international legal instruments (Conventions, Protocols, and Agreements) with a direct bearing on criminal matters.520 The CDPC also prepares the Council of Europe Conferences of Ministers of Justice and Conferences of Directors of Prison Administration, and it oversees the functioning of its subordinate organs, namely the Committee of Experts on the Operation of European Conventions on Cooperation in Criminal Matters (PCOC); and the Council for Penological Cooperation (PC-CP).521 Every year the CDPC organizes two plenary sessions which puts together representatives and experts in criminal justice administration, representatives of legislators, and observers from different segments including the CoE Member States, the EU, the CoE Observer States, and intergovernmental and non-governmental organizations.522 For example, in the 70th Plenary Session held from 27 to 30 June 2016 in Strasbourg, among the many agendas that were discussed, the issue of access to electronic evidence in the dispensation 517  Klare,

p. 377. European Committee on Crime Problems, About the European Committee on Crime Problems. 519  See: The Council of Europe, Explanatory Report to the Convention on Cybercrime, p. 2. Also see: The Council of Europe, Explanatory Report to the Additional Protocol to the Convention on Cybercrime, p. 2. 520  See: European Committee on Crime Problems, Conventions Elaborated under the Authority of the CDPC. 521  See: European Committee on Crime Problems, About the European Committee on Crime Problems. 522  See: European Committee on Crime Problems, 2016. 518  See:



D. Institutions Under the CoE Cybercrime Framework113

of criminal justice was discussed, which is a typical cybercrime issue.523 The second plenary session for the year 2016 (the 71st Plenary Session) was held from 29 November to 1 December 2016 in Strasbourg, France. In addition to the obligation of the CDPC stated above, the Budapest Convention expressly provides that the CDPC shall at all times be kept abreast regarding the interpretation and application of the Convention, and in case of a dispute between the Parties to the Convention, the Parties are at liberty to refer the dispute to the CDPC for settlement.524 Basically, reading through different provisions of the Budapest Convention one will note that the principal duty to enforce the Convention lies with the CDPC.525 II. Cybercrime Convention Committee (T-CY) As opposed to the CDPC which is the overall committee on crime problems in the CoE, the T-CY as the name itself suggests, is a specialized committee specifically taking care of cyber part of criminal law in the CoE. The mandate and functioning of the T-CY emanate from the Budapest Convention itself whereas it provides for the Parties to have periodic consultations regarding the effective implementation of the Convention, identification of hitches, exchange of information on important matters and concerns for possible amendments to the Convention.526 The T-CY was therefore formed to coordinate these functions effectively. For effective carrying out of the above duties, the T-CY was obliged to adopt its own rules of procedure during its 10th Plenary Session on 3 December 2013 and revised the same during the 12th Plenary Session on 3 December 2014 both held in Strasbourg. Now, according to the T-CY rules of procedure, the functions and activities of the T-CY are hereunder in verbatim listed: a) Undertake assessments of the implementation of the Convention by the Parties to enhance the practical application of the Convention on Cybercrime by identifying good practices, by helping address problems encountered and by sharing experience between current and potential future Parties to this treaty; b) Adopt opinions and recommendations on the interpretation and implementation of the Convention. If adopted unanimously, these opinions may 523  See: European Committee on Crime Problems, Agenda of the 70th Plenary Session, Strasbourg, 27–30 June 2016, item 13(d). 524  See article 45 of the Council of Europe Convention on Cybercrime, 2001. 525  See articles 44–46 of the Council of Europe Convention on Cybercrime, 2001. 526  See article 46 of the Council of Europe Convention on Cybercrime, 2001.

114

Chap. 4: The War Against Cybercrime

take the form of Guidance Notes representing the common understanding of the parties as to the use of the Convention; c) Consider preparing draft legal instruments (namely conventions, protocols, agreements or recommendations) with a view to their adoption by the Committee of Ministers; d) Adopt opinions requested by Council of Europe bodies; e) Review the functioning of 24 / 7 points of contact established under Article 35 of the Convention; f) Encourage the accession of States which are not members of the Council of Europe to the Convention on Cybercrime under Article 37 of the Convention; g) Promote common positions of the Parties in relevant international fora; h) Engage in dialogue with relevant international organizations in view of enhanced international cooperation on cybercrime; i) Promote capacity building on cybercrime and electronic evidence; j) Establish working groups to research or otherwise address specific questions.527 In the performance of the above tasks, the T-CY organizes two plenaries every year to discuss and analyse various issues related to cyberspace criminality. The agenda, documents and reports of these plenaries are published regularly to allow the public utilize the results of the plenaries. For example, in the 15th Plenary held from 24 to 25 May 2016, issues like the status of signatures, ratifications, accessions to the Budapest Convention and its Protocol; assessments on article 13 of the Convention on sanctions and measures; mutual legal assistance, and many more others were deliberated upon.528 Regarding the assessment obligation as listed in the functions above, the T-CY has recently conducted an assessment of the implementation of the preservation of data (evidence) provisions of the Budapest Convention on Cybercrime, and the report was published on 21 June 2015.529 Furthermore, as we have seen on the functions and activities, the T-CY has the mandate to adopt Guidance Notes which is the common understanding of the Parties on 527  See article 1 of the Cybercrime Convention Committee Rules of Procedure of 3 December 2014. 528  See: Cybercrime Convention Committee, 15th Plenary Meeting Report, Strasbourg, 25 May 2016, pp. 2–4. 529  See: Cybercrime Convention Committee, Assessment Report of Implementation of the Preservation Provisions of the Budapest Convention on Cybercrime, Strasbourg, 21 June 2015.



D. Institutions Under the CoE Cybercrime Framework115

the interpretation and use of the Convention.530 The T-CY has so far adopted Guidance Notes in the areas of a computer system, botnets, trans-border access, identity theft, Distributed Denial of Service attacks (DDoS), critical infrastructure attacks, malware, and spam.531 III. Directorate of Information Society and Action Against Crime The Directorate of Information Society and Action against Crime is an umbrella institution which is constituted by some departments, offices, sections, and units. The directorate comprises, among others, the Information Society Department, the European Audiovisual Observatory, the Action against Crime Department, Group of States against Corruption, and so forth.532 Generally, the Directorate of Information Society and Action against Crime oversees the CoE’s work on the media, information society and action against crime. It deals specifically with standards setting, overseeing freedom of expression, data protection, internet governance, cybercrime, criminal law, fighting economic crime, corruption and money laundering, and preventing and combating drug trafficking and drug abuse.533 Something interesting is the fact that the CDPC which has been analysed above (see chapter 4 part. D.I.), is an institution within the bigger Directorate of Information Society and Action against Crime. So, whatever is undertaken by the CDPC has a direct connection with the directorate through its Action against Crime Department. IV. Cybercrime Programme Office of the Council of Europe (C-PROC) The C-PROC is an institution under the CoE established on 9 October 2013 by a resolution of the Committee of Ministers of the CoE at its 1180th meeting.534 The Office is based in Bucharest, Romania. Although the CPROC was established in October 2013, but it became operational on 7 April 2014 after the Memorandum of Understanding between the CoE and the 530  See article 1(b) of the Cybercrime Convention Committee Rules of Procedure of 3 December 2014. 531  See: Cybercrime Convention Committee, Guidance Notes. 532  See the Directorate of Information Society and Action against Crime Publication, available at: https: /  / rm.coe.int / CoERMPublicCommonSearchServices / Display DCTMContent?documentId=090000168007ff69, accessed on 7 September 2016. 533  See the Directorate of Information Society and Action against Crime Publication, 2016. 534  Cybercrime Programme Office of the Council of Europe, C-PROC Activity Report, p. 4.

116

Chap. 4: The War Against Cybercrime

Government of Romania entered into force.535 The Memorandum in question was signed on 15 October 2013.536 The core function of the C-PROC is to partner with countries worldwide and provide them with the necessary support which will enhance their criminal justice capacity to effectively react to cybercrime and electronic evidence issues in line with the principles and standards set out by the Budapest Convention.537 So, basically, the C-PROC is a capacity building office of the CoE in cybercrime related matters which supplements the efforts of the Cybercrime Convention Committee. All cybercrime related capacity building functions and activities of the CoE are carried out by the C-PROC on its behalf worldwide. Apart from the general functions discussed above, the C-PROC has a quite extensive mandate to perform specific tasks which include clarifying legislation, including human rights and rule of law safeguards and data protection; conducting training of judges, prosecutors and law enforcement officers; establishment of specialized cybercrime and computer forensic entities and improvement of cooperation among agencies; promoting public / private cooperation; protecting children against online sexual violence; and enhancing international cooperation.538 Between April 2014 and September 2015, the C-PROC has supported the implementation of 110 activities under four different projects worldwide.539 The projects are primarily on capacity building activities which are well within the core business of the C-PROC. However, out of the four projects three were implemented exclusively in Europe and only one project included a few countries from Africa, Asia, and America.540 In a form of a critique, it is noted that although the C-PROC claims to be an office for capacity building worldwide, but the already 110 activities implemented give an impression that it operates mainly in Europe and / or developed countries. There are so many developing countries that critically 535  See: Cybercrime Programme Office of the Council of Europe, C-PROC Office. Also see: Cybercrime Programme Office of the Council of Europe, About C-PROC, pp. 1–2. 536  Cybercrime Programme Office of the Council of Europe, About C-PROC, pp. 1–2. 537  Cybercrime Programme Office of the Council of Europe, About C-PROC, pp. 1–2. 538  See: Cybercrime Programme Office of the Council of Europe, C-PROC Office. Also see: Cybercrime Programme Office of the Council of Europe, C-PROC Activity Report, p. 8. 539  Cybercrime Programme Office of the Council of Europe, C-PROC Activity Report, pp. 8–12. 540  Cybercrime Programme Office of the Council of Europe, C-PROC Activity Report, pp. 8–12.



E. Historical and Legal Basis of Cooperation in Penal Matters117

need this kind of support as their cybercrimes regime are so poor and weak to withstand the current technological developments, but they have not been reached by the C-PROC. Considering the borderlessness nature of cybercrime, the efforts by the C-PROC may not yield the expected results in the CoE if the approach is not reassessed. The challenge of project implementation approach as explained above seems to be rooted on the funding arrangements of the office. The funding of the C-PROC activities is primarily by extra-budgetary resources, mainly from donors who are likely to influence the scope and approach of the office’s operations. The C-PROC might be the victim of the famous English saying, “he who pays the piper calls the tune”.

E. Historical and Legal Basis of Cooperation in Penal Matters Among the EU Member States As noted in the introduction above, internal peace and security, and home affairs generally are matters which were considered to be in exclusive jurisdiction of individual States to freely exercise their sovereignty. Considering the modern social contract theory as advocated by Thomas Hobbes, John Locke, and Jean-Jacques Rousseau, this sovereignty is what actually explains the relationship between the subjects and the State. The modern social contract theory places the obligation to the State to provide protection to its all subjects, the obligation which extends to include protection of private property and individuals’ protection against crime.541 However, this myth could not withstand the demands of the new globalized world, and the EU in particular. In 1970s, the arrangements for formalizing cooperation in criminal matters outside the EU structure started to evolve.542 It started outside the EU as there was disagreement among the members because of the fears that cooperation in criminal matters would endanger State sovereignty.543 For example, in December 1975, during the European Council Summit in Rome, TREVI (Terrorisme, Radicalisme, Extrémisme et Violence Internationale) which was an intergovernmental forum outside the EU framework for senior officials of the home affairs / interior ministries, was formed to counter terrorism and oversee policing in the EU, which became operational in June 1976.544

541  For further discussion on the primary obligation of the State and how sovereignty is an issue in criminal law and security see: Tropina and Callanan, p. 27. 542  Mitsilegas, p. 5. 543  Mitsilegas, p. 5. 544  Holzhacker, p. 3. Also see: Bunyan, p. 1.

118

Chap. 4: The War Against Cybercrime

As life on earth has never been static, evolution of new criminal drifts in 1980s became one of the major factors necessitating a relook at the possibility of the EU Member States to have unified efforts in areas of common concern such as illicit drug trafficking and organized crime.545 These early cooperation arrangements in criminal matters among the EU Member States resulted in the EU having one common position and voice in negotiating the United Nations Vienna Convention against Illicit Trafficking in Narcotic Drugs and Psychotropic Substances in 1988.546 This is one of the notable common efforts among the EU Member States in waging the war against criminality. Furthermore, the need to cooperate in penal matters was furthered by two more programmes, namely the Schengen Agreement between France, Germany, and the Benelux, and the abolition of internal frontiers in a single market. Both the Schengen and single market arrangements went hand in hand with commitments and undertakings to cooperate in criminal matters such as border controls, police cooperation, law enforcement and judicial cooperation.547 Also, the collapse of the Soviet bloc resulted in increased fears in West Europe that the then political instability in the East would bring criminal trends of the East to the West.548 A combination of these factors is what triggered the EU to quickly start rethinking about enhanced cooperation in the field of penal laws as a mechanism of fighting against criminal threats. This situation, therefore, called for formal arrangements among the EU Member States in terms of creating an official joint forum where collective efforts and resources could be effectively utilized. The enhanced and more legalized cooperation in criminal matters in the EU bloc started officially with the Treaty on European Union (TEU), famously known as the Maastricht Treaty in 1992. The Maastricht Treaty formed the EU in a three pillar structure, namely the European Communities pillar, the Common Foreign and Security Policy pillar, and Justice and Home Affairs pillar.549 In so far as this discussion is concerned, the relevant pillar is the third one which basically deals with cooperation in the fields of criminal justice and home affairs.

545  Mitsilegas,

pp. 5–6. p. 6. 547  Mitsilegas, pp. 7–8. Also see: Holzhacker, p. 4. 548  Mitsilegas, p. 8. 549  See Titles II–VI of the Treaty on European Union, 1992. Also see: Calderoni, p. 4. Further see: Fletcher / Loof / Gilmore, p. 1. Also see: O’Flynn, p. 64. 546  Mitsilegas,



E. Historical and Legal Basis of Cooperation in Penal Matters119

In the area of Justice and Home Affairs, specifically, the Treaty mentions the fields of cooperation which are meant to be matters of common concerns among the EU members. These areas include combating illegal immigration, asylum issues, combating fraud at international level, judicial cooperation in civil and criminal matters, preventing and combating terrorism, unlawful drug trafficking and other serious international crimes, police cooperation, and exchange of information on criminal matters through the subsequently established European Police Office (Europol).550 It is through the Maastricht Treaty that cooperation in penal matters became formal in the EU criminal framework, although not articulate and strong enough to guarantee smooth operations and integration as the matters were placed in the third pillar where the supranational approach would not apply.551 The treaty did not go deep enough in terms of providing guidance on the need to have common policies among the members that would stimulate cooperation in so far as criminal matters are concerned for fear of encroaching State’s sovereignty. As already covered in the EU historical part of this book (see chapter 3 above), the shortcomings of the Maastricht Treaty cultivated a fertile ground for the adoption of the Amsterdam Treaty of 1997 which became operational in 1999. The Amsterdam Treaty introduced noteworthy changes in the area of cooperation in criminal matters in the EU framework. Basically, it moved cooperation issues in areas of migration, asylum, and judicial cooperation in civil matters from pillar III to pillar I, and pillar III was renamed as “Police and Judicial Cooperation in Criminal Matters”.552 Furthermore, the Treaty of Amsterdam declared the EU region as “an Area of Freedom, Security and Justice (AFSJ)”, the declaration which aimed at facilitating free movement of persons, security, and justice through cooperation in external border controls, asylum, immigration, and preventing and combating crime.553 These changes are appreciated for creating a stronger basis for cooperation in criminal matters with a more focused and effective coordination towards preventing and combating crime than the former setup. However, a point worth noting here is that together with cooperation in the police and judicial issues in criminal matters being clearly spelt out and strengthened in the Amsterdam Treaty, still they were left under pillar III of the EU integration 550  See article K.1 of the Treaty on European Union, 1992. Also see: Mitsilegas, pp. 9–11. 551  Fletcher / Loof /  Gilmore, p. 1. 552  See article 1(11) of the Treaty of Amsterdam which amends, among others, article K.1–K.14 of the Maastricht Treaty. Also see: Davies, pp. 15–16. Also see: Blair, pp. 74, 84, 207 and 219. Further see: Kaczorowska (2011), pp. 25–26. 553  See the preamble and article 1(5) of the Treaty of Amsterdam which amends article B of the Maastricht Treaty.

120

Chap. 4: The War Against Cybercrime

structure whose implementation is by way of framework decisions. In the EU law context, framework decisions imply that the decisions reached by the EU organs are binding to the Member States as to the expected results but the Member States determine their own styles and means to achieve the expected results.554 Simply put, the framework decisions had no direct effect as opposed to directives. The adoption of the Treaty of Lisbon in 2007 and its subsequent entering into force in 2009 opened a new chapter of integration in criminal matters in the EU bloc. Notably, the Lisbon Treaty abolished the pillar structure of the EU which existed in the past.555 The changes introduced by the Lisbon Treaty included the shifting from the principle of mutual recognition to a more formal and legally based structure of cooperation in penal matters among the EU Member States.556 As of now, the Area of Freedom, Security, and Justice has been put under the category of shared competence of the EU.557 These changes were on a more practical operational cooperation such as exchange of relevant information in law enforcement through the police and so forth. Essentially, with the abolition of the pillar structure, the Treaty of Lisbon had the communitarisation effect to the EU criminal law. As a result, peace, security, and public order of the EU citizenry are best protected when the EU institutions play their full role in the decision-making process, particularly in so far as cooperation in criminal matters is concerned. Currently, with the communitarisation of the cooperation in criminal matters through shared competence in the Area of Freedom, Security, and Justice, the EU can take more binding deliberate legal acts in furtherance of its objectives. And legal acts of the EU are clearly defined under its legal framework to mean Regulations, Directives, Decisions, Recommendations, and Opinions.558 That said, any valid legal acts of the Union must be in the form prescribed by the law as listed above. However, it is worth noting that for the fundamentalists and conservatives, putting criminal matters and public order in the category of shared competencies of the EU, to a large extent, neutralizes the State’s mandate to exercise its sacred sovereignty freely. Furthermore, it is important to note at this point that the above coverage on historical and legal foundations of the EU in criminal matters, definitely informs and enables one to consistently appreciate the rapport between the 554  Mitsilegas,

p. 16. pp. 121–122. 556  Fletcher, pp. 13–14. 557  See article 4(2) of the Treaty on the Functioning of the European Union. Also, see chapter 3 part C.IV. of this book, particularly Table 2. 558  See article 288 of the Treaty on the Functioning of the European Union. 555  Elsuwege,



F. An Overview of the European Union’s Cybercrime Framework121

historical and legal landscapes of the EU against the current setup and functioning of the EU organs in criminal matters.

F. An Overview of the European Union’s Cybercrime Framework Cybercrime is among the forms of criminality whose patterns change rapidly over time, and so are the efforts to prevent and combat the same ought to be. In a bid to continue the already waged war against cybercrime, the EU, on 7 February 2013, adopted the Cybersecurity Strategy of the European Union. According to this strategy, five priorities are earmarked, namely achieving cyber resilience, reducing cybercrime considerably, developing cyber defence policy and capabilities, developing the industrial and technological resources for cybersecurity, and establishing a clear international cyberspace policy for the EU and promote core EU values.559 However, when assessing the timing of the intervention by the EU in preventing and combating cybercrime, Erik Wennerström is of the opinion that the legislative actions against cybercrime were adopted very late and at a time when serious pecuniary and other forms of losses were suffered already by individuals.560 Furthermore, he is of the opinion that given the transnational character of cybercrime and in so far as the war against cybercrime is concerned, an effective and well-functioning system of international cooperation is necessary if one wants to succeed.561 Below is a detailed account of the EU framework in preventing and combating cybercrime, which is assessed at two levels, namely the legal framework and the institutional framework levels. I. The European Union’s Cybercrime Legal Framework The adoption of the EU cybercrime framework is said to be so much influenced by the activities and achievements recorded by the CoE in its fight against cybercrime.562 While the CoE started the campaigns against cybercrime in the 1970s, the EU launched its indirect initiatives against cybercrime in 1998 through the legislative proposal on measures against fraud in non-cash payment systems.563 Below is an account of legislative measures 559  European

Union, the Cybersecurity Strategy of the European Union, pp. 4–5. p. 452. 561  Wennerström, p. 452. 562  Wennerström, pp. 457, 459 and 462. 563  Wennerström, p. 457. 560  Wennerström,

122

Chap. 4: The War Against Cybercrime

against cybercrime adopted by the EU from its inception in the 1990s to present. 1. Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment It has been indicated above that the proposal to adopt legislative measures against criminality involving non-cash methods of payment came from the European Commission as early as 1998. However, nothing serious was done by the Council until 28 May 2001 when the Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment (Framework Decision 2001 / 413 / JHA) was adopted. According to the Framework Decision 2001 / 413 / JHA, it suggests that was adopted based on Title VI of the Treaty on European Union. One may reasonably ask himself why a framework decision on non-cash payment means has found its way in the discussion about cybercrime. The answer to this question is simple, that is, at the EU level this framework decision was the first initiative taken, though against fraud in payment means, but with a bearing on criminality with the use of computers. So, in short, the framework decision had the effect of criminalizing some fraudulent acts in the payment systems committed through the use of computers. Basically, reading from the preamble and other provisions of the Framework Decision 2001 / 413 / JHA, one will realize that the primary aim of the Council to adopt this legal instrument is not to fight cybercrime. The instrument is meant to contend fraud and counterfeiting of non-cash means of payment which had taken international scales by then. Having been adopted, the Framework Decision 2001 / 413 / JHA outlaws some fraudulent acts relating to payment instruments like credit cards, Eurocheque cards, travelers’ cheques, Eurocheques, and bills of exchange.564 Specifically, the established offences include theft or other unlawful appropriation of a payment instrument; counterfeiting or falsification of a payment instrument; fraudulent use of a stolen or otherwise unlawfully appropriated payment instrument; and other related offences.565 Regarding offences which are computer related, the legal instrument in question provides as hereunder quoted: Each Member State shall take the necessary measures to ensure that the following conduct is a criminal offence when committed intentionally: 564  See article 2 of the Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment of 28 May 2001. 565  See article 2 of the Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment of 28 May 2001.



F. An Overview of the European Union’s Cybercrime Framework123 Performing or causing a transfer of money or monetary value and thereby causing an unauthorized loss of property for another person, with the intention of procuring an unauthorized economic benefit for the person committing the offence or for a third party, by: Without right introducing, altering, deleting or suppressing computer data, in particular, identification data, or Without right interfering with the functioning of a computer programme or system.566

Furthermore, the framework decision obliges the Member States to criminalize making, receiving, obtaining, or possession of devices, articles, including computers and computer programmes which are adapted for the commission of fraud related to non-cash payment means.567 So, as demonstrated above, although this framework decision is very particular to payment methods, but it is a reflection of the then misuse of computers and the approach taken by the EU with a view to preventing and combating the same, which marks the first legislative reaction of the EU against cybercrime and / or computer related criminality. 2. Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography It has been noted in part. C.III. of chapter 3 of this book that among the functions of the European Commission is to initiate policy and legislative proposals by way of recommendations to the Council -and the European Parliament. While fascinated by the good progress recorded by the CoE in negotiating the Budapest Convention and G8 initiatives against cybercrime, on 26 January 2001, the European Commission issued a Communication to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime (COM(2000) 890), which is also famously known as the Cybercrime Communication.568 The Cybercrime Communication is a comprehensive document that contains the Commission’s response to a number of aspects pertaining to the regulation of ICT. Specifically, the Cybercrime Communication addresses is566  See article 3 of the Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment of 28 May 2001. 567  See article 4 of the Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment of 28 May 2001. 568  Wennerström, p. 459. Also see: The Commission of the European Communities (2001), p. 2.

124

Chap. 4: The War Against Cybercrime

sues related to security of information infrastructures, computer-related crime, and other substantive law issues.569 Furthermore, the Communication covers procedural law issues such as interception of communications, retention of traffic data, anonymous access and use, practical cooperation at international level, procedural law powers and jurisdiction, and evidential validity of computer data.570 At the end of the Cybercrime Communication, the Commission draws two sets of conclusions and proposals, namely the legislative and non-legislative recommendations. The legislative set of recommendations demonstrated the need of the EU to have legal instruments to cater for approximation of Member States’ laws in the area of child pornography offences; approximation of substantive criminal law in other cyber offences like hacking, denial of service attacks, racism and xenophobia, and online dealing in illicit drugs.571 Furthermore, the Commission proposed the application of the principle of mutual recognition of pre-trial orders as a way of facilitating smooth investigation of cybercrime involving more than one States.572 On non-legislative measures, the Commission proposed to continue supporting other anti-cybercrime initiatives and programmes; and establishment of the EU Forum that will bring together different stakeholders such as law enforcement agencies, service providers, consumer groups and so forth, with a view of enhancing cooperation and raising public awareness at the EU level.573 It is on the basis of the above recommendations and background that the Council of the European Union, on 22 December 2003, adopted the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography (Framework Decision 2004 / 68 / JHA). This Framework Decision, as it suggests, is aimed at harmonizing laws of Member States on the area of sexual exploitation of children and child pornography by adopting a common and comprehensive approach in terms of constituent elements of the offences, dissuasive sanctions, and possible judicial cooperation.574 Now, the Framework Decision 2004 / 68 / JHA obliges the Member States to enact in their national laws provisions that will criminalize and punish specified acts when committed intentionally, namely coercing a child into prostitution or into participating in pornographic performances; or profiting from or otherwise exploiting a child for such purposes; recruiting a child 569  The

Commission of the European Communities (2001), p. 5. Commission of the European Communities (2001), p. 5. 571  The Commission of the European Communities (2001), p. 31. 572  The Commission of the European Communities (2001), p. 31. 573  The Commission of the European Communities (2001), pp. 31–32. 574  See the preamble to the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography of 22 December 2003. 570  The



F. An Overview of the European Union’s Cybercrime Framework125

into prostitution or into participating in pornographic performances; engaging in sexual activities with a child by coercion, force or threats, or other means of inducement.575 In addition to the above, the Framework Decision imposes a duty on Member States to have provisions in their statute books that will outlaw production, distribution, dissemination or transmission, supplying or making available, and acquisition or possession of child pornography.576 In terms of rules governing jurisdiction, the Framework Decision 2004 / 68 / JHA requires Member States to be governed by the principles of territoriality, nationality and where the beneficiary of the offence is a legal person established in the territory of that Member State.577 As opposed to the Framework Decision 2001 / 413 / JHA whereas computer-related offences established have no direct connection with the initiatives for preventing and combating cybercrime, the Framework Decision 2004 / 68 / JHA represents the EU’s direct and concerted efforts towards addressing the cybercrime problem. 3. Framework Decision on Attacks Against Information Systems As already hinted in chapter 4 part. F.I., the European Commission made legislative proposals on different areas pertaining to cybercrime including an approximation of substantive criminal law in offences like hacking, denial of service attacks and much more. The Framework Decision on Attacks against Information Systems (Framework Decision 2005 / 222 / JHA) adopted by the Council of the European Union on 24 February 2005 was again a response in line with the Commission’s recommendations. Basically, the objective of the Framework Decision 2005 / 222 / JHA, among others, was to enhance teamwork between judicial and other law enforcement authorities of the Member States by establishing common rules on criminal law and procedure including jurisdictional issues and exchange of information in the area of attacks against information systems.578 In terms of common rules on criminal law, the Framework Decision 2005 / 222 / JHA obliged the Member States to enact laws that will create offences like illegal 575  See article 2 of the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography of 22 December 2003. 576  See article 3 of the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography of 22 December 2003. 577  See article 8 of the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography of 22 December 2003. 578  See the preamble to the Framework Decision on Attacks against Information Systems of 24 February 2005.

126

Chap. 4: The War Against Cybercrime

access to information systems; illegal system interference; illegal data interference; and instigation, aiding and abetting and attempt in the commission of the above-listed offences.579 On sanctions accompanying the offences, the Framework Decision 2005 / 222 / JHA required the Member States to impose relatively a maximum punishment of at least between one and three years of imprisonment.580 In substance, this enactment was more or less a reflection of the CoE’s Budapest Convention. However, the Framework Decision 2005 / 222 / JHA could not survive for a longer period as the technological developments necessitated for the adoption of a more stringent legislation. As a result, on 12 August 2013, the Framework Decision 2005 / 222 / JHA was repealed and replaced by the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA. 4. Directive of the European Parliament and the Council on Attacks Against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA As stated in chapter 4 part. F. above, with the adoption of the Lisbon Treaty in 2007and its entering into force on 1 December 2009, the pillar system upon which the EU was founded was abolished. These changes had many effects on the setup and functioning of the EU. The effects, among others, included changing the decision-making process. For example, initiatives of the EU in penal matters could now be adopted in the normal legislative process and a decision reached in the form of the EU Directives instead of the Framework Decisions used in the past.581 It is also important to state that, as hinted in chapter 3 part. C.IV. of this book, cooperation in criminal matters in the EU (Area of Freedom, Security and Justice) is now under the shared competencies category.582 Now, since the Framework Decision 2005 / 222 / JHA could not withstand the technological challenges in cyberspace over time, the need to have a more vibrant and effectively functioning legal framework was realized. As a result, on 12 August 2013, the Directive of the European Parliament and the 579  See articles 2–5 of the Framework Decision on Attacks against Information Systems of 24 February 2005. 580  See article 6 of the Framework Decision on Attacks against Information Systems of 24 February 2005. 581  Holzhacker, p. 4. 582  For further understanding refer to article 4 of the Treaty on Functioning of European Union.



F. An Overview of the European Union’s Cybercrime Framework127

Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA (Directive 2013 / 40 / EU) was adopted. The new piece of legislation, the Directive 2013 / 40 / EU, retains a bigger portion of the provisions of the repealed and replaced enactment by upholding similar offences like illegal access to information systems; illegal system interference; Illegal data interference and so forth.583 In addition to the above, the Directive 2013 / 40 / EU introduces new rules of criminal law including, among others, criminalization of the use of botnets;584 intentional production and distribution of malicious software; and using illicitly-obtained password.585 In an attempt to show the seriousness of use of botnets to commit crimes, the Directive specifically recognizes the use of botnets in its preamble as one of challenges that needs to be addressed. Furthermore, the Directive 2013 / 40 / EU requires the Member States to impose severe punishments for the offences established ranging from a maximum of 2 years imprisonment for minor offences and 5 years imprisonment for serious offences with significant effects.586 On preventive measures, the Directive further requires the members to enhance exchange of information through the 24 hours points of contact established under the CoE regime; and having in place a system for collection of statistical data on cybercrime and transmitting the same to the Commission for review.587 Basically, through this Directive, the EU continues to align itself, in so far as the war against cybercrime is concerned, in almost the same state of affairs as the CoE. However, the Directive 2013 / 40 / EU has a few new aspects like specifically recognizing the challenge of botnets; and also specifically providing for the punishment in terms of range in years something which is 583  See articles 3–6 of the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA12 of 12 August 2013. 584  According to USA Kasperky Labs, the word Botnet is formed from the words ‘robot’ and ‘network’. A botnet is an interconnected network of computers infected with malware without the user’s knowledge and controlled by cybercriminals. They’re typically used to send spam emails, transmit viruses and engage in other acts of cybercrime. Sometimes known as a zombie army, botnets are often considered one of the biggest online threats today. 585  See article 7 of the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA12 of 12 August 2013. 586  See article 9 of the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA12 of 12 August 2013. 587  See article 14 of the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA12 of 12 August 2013.

128

Chap. 4: The War Against Cybercrime

missing in the Budapest Convention as it provides for proportionate and dissuasive sanctions. In so far as harmonization of criminal law rules is concerned, specification and uniformity of sanctions is important so as to avoid possible variances in punishments which can be utilized to the advantage of criminals in terms of providing an opportunity for forum shopping. 5. Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law The Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law (Framework Decision 2008 / 913 / JHA) was adopted on 28 November 2008. This legislation was adopted in response to the Commission’s proposal, which basically aimed at having common criminal law rules that will ensure that racist and xenophobic offences are punishable in all Member States.588 It was said that the Member States in their individual capacity could not achieve more compared to what would be achieved at the level of the EU.589 Also, the Framework Decision 2008 / 913 / JHA was adopted based on the understanding that racism and xenophobia violate the principles upon which the EU is founded. In terms of criminal rules provisions, the Framework Decision 2008 /  913 / JHA requires the Member States to put in place national enactments that will outlaw acts of publicly inciting to violence or hatred directed against a group of persons; dissemination or distribution of racist or xenophobic materials; publicly condoning, denying or grossly trivializing crimes of genocide, crimes against humanity and war crimes; and so forth.590 The relevance of this piece of legislation in the discussion on preventing and combating cybercrime is that it specifically states that the prohibited acts above will amount to an offence and therefore punishable if committed in both settings, physical and through information systems.591 Again, the decision by the EU to adopt a legislation on racism and xenophobia was very much influenced by the 588  See the preamble to the Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law of 28 November 2008. 589  See the preamble to the Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law of 28 November 2008. 590  See articles 1–2 of the Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law of 28 November 2008. 591  See article 9 of the Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law of 28 November 2008.



G. Cyberlaw Enforcement Mechanisms and Institutions Under the EU129

developments in the CoE through its Additional Protocol to the Budapest Convention of 2003. This fact is even evidenced by a statement to that effect in the preamble to the Framework Decision 2008 / 913 / JHA.

G. Cyberlaw Enforcement Mechanisms and Institutions Under the European Union Apart from the pieces of legislation discussed above, the EU has got mechanisms and institutions to enforce these laws. Generally, considering the extensiveness of the EU mandate to act, there are a number of mechanisms and institutions dedicated to enforcing criminal law in the bloc. However, considering the scope of this book, only a few mechanisms and institutions with a direct connection with preventing and combating cybercrime will be analysed. I. The European Arrest Warrant (EAW) The European Arrest Warrant (EAW) is among the mechanisms of enforcing criminal law rules in the EU bloc, whose prompt adoption is associated with the terrorist attacks of 11th September 2001.592 It is an enhanced form of international judicial cooperation in criminal matters with simplified procedures as opposed to the oldest and the well-known process of extradition. The reasons associated with the move from extradition to the EAW are many, but the main one is that with the establishment of the EU and the subsequently intensified integration such as the creation of the Schengen Area allowing free movements of citizens, new criminal opportunities increased which required more stringent and tougher enforcement mechanisms.593 Upon realization of the above demand, the Council of the European Union considered appropriate to legally establish the EAW through the Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States (Framework Decision 2002 / 584 / JHA) of 13 June 2002. The EAW is said to be a solid undertaking in the field of criminal law rendering effective the principle of mutual recognition which is one of the cornerstones of judicial cooperation.594 The relevancy of the EAW as hinted above is that it replaces the unpredictable, tedious, long and politi592  Fletcher / Loof / Gilmore,

p. 112. Commission of the European Communities (2000), p. 2. Also see: BălanRusu, p. 29. Further see: Haggenmüller, p. 98. 594  See paragraph 6 of the preamble to the Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States of 13 June 2002. 593  The

130

Chap. 4: The War Against Cybercrime

cally-influenced process of extradition, which has the effect of enabling the Member States to cooperate smoothly and respond quickly to transnational criminal transactions.595 The EAW involves almost like an automatic recognition and execution of judicial decisions among the Member States, in the same manner as if the executing judicial authority was implementing an order of a national court.596 In terms of scope, the EAW applies to a number of offences listed under the provisions of the Framework Decision 2002 / 584 / JHA and more importantly, computer related crimes are among the included offences.597 This is a commendable decision in so far as the war against transnational crimes is concerned. In the enforcement of rules of criminal law involving several jurisdictions, time is of the essence, therefore, having predictable legal procedures which serve time is important for they allow timely dispensation of justice and dedication of time into other serious issues. However, the imposition and implementation of the EAW has not been something that was celebrated by all Europeans. This is because it has caused some conflicts with local laws in some jurisdictions like Germany and Poland as it is alleged to encroach some constitutionally-reserved mandates.598 II. The European Police College (CEPOL) As opposed to the most of the EU institutions which are rooted from the EU Treaties, the establishment of the European Police College (CEPOL) was based on a different arrangement altogether. It was established based on the idea of the Council in the Tampere European Council Summit held on 15 and 16 October 1999.599 In the Tampere Summit, the Council observed as follows: A European Police College for the training of senior law enforcement officials should be established. It should start as a network of existing national training institutes. It should also be open to the authorities of candidate countries.600

595  See article 31 of to the Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States of 13 June 2002. Also see: Cătălin, pp. 445–446. 596  Neagu, p. 100. 597  See article 2 of to the Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States of 13 June 2002. 598  For a detailed discussion see: Fletcher / Loof / Gilmore, pp. 119–122. 599  Fletcher / Loof / Gilmore, pp. 80–81. 600  See: European Parliament, Tampere European Council 15 and 16 October 1999 Presidency Conclusions.



G. Cyberlaw Enforcement Mechanisms and Institutions Under the EU131

Based on the above idea, CEPOL was established by the Council Decision 2000 / 820 / JHA which was later repealed and replaced by Council Decision 2005 / 681 / JHA of 20 September 2005. The main objective of creating CEPOL is to enhance cooperation among the EU members in the area of policing, research and common policing training programmes with a view of having a common approach towards fighting criminality in the bloc. Policing being an important aspect of criminal justice, it is obvious that the role of CEPOL in the war against cybercrime is immeasurable. Cybercrime being one of the global concerns today, CEPOL has always been in the forefront in helping the EU to overcome this challenge. For example, in the CEPOL Annual Report of 2015, it is reported that cybercrime was among the eleven strategic priority areas of activities for the year in question.601 Furthermore, CEPOL reports to have successfully delivered some courses in certain areas within the EU Policy Cycle topics, whereas cybercrime was among the topics.602 Basically, looking at the list of activities undertaken by CEPOL in 2015, one will note that cybercrime-related activities feature more in the list than any other offence.603 Also, with the entering into force of the CEPOL’s new Regulation on 1 July 2016, CEPOL has been crowned as the European Union Agency for Law Enforcement Training. This decision means more powers and obligations to CEPOL with a bigger number of law enforcement officials being involved in its activities. III. The European Police Office (Europol) Initiatives that resulted in the formation of Europol can be traced back to 1970’s when an informal cooperation in policing and prevention of terrorism (TREVI), as discussed in chapter 4 part. F. was established. Later in 1991, at the European Summit, the then German chancellor, Helmut Kohl, proposed for the first time the idea of having a formal European Police Agency.604 Based on the above idea, when the Maastricht Treaty was adopted in 1992, in its provisions on the cooperation in the fields of justice and home affairs, it contained aspects of police cooperation with a view of fighting certain crimes such as terrorism, unlawful drug trafficking, et cetera, which made specific reference to Europol.605 Subsequently, the European Council decided to establish the Europol Drugs Unit (EDU) which started to operate in January 1994 but with limited powers of assisting the Member States in criminal European Police College, p. 15. European Police College, p. 22. 603  See: European Police College, pp. 27–31. 604  Mitsilegas, p. 162. 605  See article K.1(9) of the Treaty on European Union, 1992. 601  See: 602  See:

132

Chap. 4: The War Against Cybercrime

investigations, mainly those which related to illicit drugs.606 In 1995, the Europol Convention was signed, it entered into force in 1999, and Europol started to operate in 1999.607 The Europol Convention has undergone a number of amendments through different Protocols in a bid to confer it with more powers to act. The lengthy ratification and coming into force of the said Protocols made the Council of the European Union consider that introducing further amendments to the Convention would equally take long time to achieve their full legal force.608 Also, there was a need to improve the legal framework of the Europol and make its budgets get funded from the EU. These demands, among others, necessitated the Council of the European Union to adopt the Council Decision Establishing the European Police Office (Europol) (Council Decision 2009 / 371 / JHA) of 6 April 2009 which repeals and replaces the Europol Convention.609 The relevance of Europol in the war against cybercrime is in many ways. Firstly, Europol is legally conferred with a mandate to support and strengthen action by Member States in prevention and combating crime in the EU bloc, as its main objective.610 Secondly, Europol has the specific competence to deal with, among others, computer crime as provided for by the Council Decision 2009 / 371 / JHA.611 Thirdly and more importantly, Europol has taken concerted action in preventing and combating cybercrime by facilitating the establishment of, in its Operations Department, a specialized unit to deal with cybercrime only, namely the European Cybercrime Centre (EC3) which was established in March 2013 and started to operate on 1 January 2013.612 Now, in so far as the war against cybercrime is concerned, Europol through its EC3 has been offering forensic expertise, training and capacity building, cybercrime strategic analysis, public awareness and prevention programmes, and outreach and cooperation activities.613 The role played by Europol is, therefore, very important in ensuring that the EU bloc becomes a crime free zone. Europol, History. p. 163–164. 608  See paras 2 and 3 of the preamble to the Council Decision Establishing the European Police Office (Europol) of 6 April 2009. 609  See articles 1, 62 and 63 of the Council Decision Establishing the European Police Office (Europol) of 6 April 2009. 610  See article 3 of the Council Decision Establishing the European Police Office (Europol) of 6 April 2009. 611  See article 4 and Annex to the Council Decision Establishing the European Police Office (Europol) of 6 April 2009. 612  See: Europol, Europol Priorities. Also see: O’Flynn, p. 65. 613  See: Europol, Cyber Strategy. Also see: Popa, p. 121. 606  See:

607  Mitsilegas,



G. Cyberlaw Enforcement Mechanisms and Institutions Under the EU133

IV. Eurojust Having established police cooperation in the EU, the need to have further judicial cooperation in criminal matters was eminent. Realizing this need and importance, the Council of the European Union, on 28 February 2002, passed the Council Decision Setting up Eurojust with a View to Reinforcing the Fight against Serious Crime (Council Decision 2002 / 187 / JHA). This Council Decision has the effect of establishing Eurojust, a body of the EU aimed at improving judicial cooperation among the Member States in combating serious crimes committed by transnational organizations.614 Eurojust is a body composed of one member from each Member State who must be a prosecutor, judge or police officer of equivalent competence.615 In terms of functions, Eurojust is mandated to encourage and develop coordination among authorities responsible for investigation and prosecution in the Member States; improve cooperation among the Member States in implementing mutual legal assistance, and coordinate rendering of support among the Member States to achieve effective investigations and prosecutions.616 Furthermore, in performing the above functions Eurojust has the competence to deal with all crimes within the mandate of Europol plus computer crime which is specifically mentioned.617 It is also important to note that the Council Decision 2002 / 187 / JHA has been amended by two other Council Decisions, namely the Council Decision 2003 / 659 / JHA of 18 June 2003 and Council Decision 2009 / 426 / JHA of 16 December 2008. The Council Decision 2003 / 659 / JHA had the effect of providing for budgetary provisions for smooth funding and operations of Eurojust. The second amendment by way of Council Decision 2009 / 426 / JHA was aimed at enhancing Eurojust’s operational efficiency considering the experience already gained in the coordination of judicial cooperation in criminal matters. Judicial cooperation in a criminal matter is an important aspect of criminal justice especially cybercrime which has a transnational character. This is because of the fact that in addition to the cooperation in policing, judicial cooperation facilitates the exchange of information and experience among prosecutors and judicial officers an aspect which adds value to the effective and 614  See para 1 of the preamble and article 1 of the Council Decision Setting up Eurojust with a View to Reinforcing the Fight against Serious Crime of 28 February 2002. 615  See article 2 of the Council Decision Setting up Eurojust with a View to Re­ inforcing the Fight against Serious Crime of 28 February 2002. 616  See article 3 of the Council Decision Setting up Eurojust with a View to Re­ inforcing the Fight against Serious Crime of 28 February 2002. 617  See article 4 of the Council Decision Setting up Eurojust with a View to Re­ inforcing the Fight against Serious Crime of 28 February 2002.

134

Chap. 4: The War Against Cybercrime

timely dispensation of criminal justice. Also, with the changing forms of cybercrime over time, judicial cooperation provides for an appropriate avenue to get new experience as soon as it happens. V. European Union Agency for Network and Information Security (ENISA) The European Union Agency for Network and Information Security (­ENISA) is an agency whose mission is securing Europe’s information society.618 It was established under the Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency (Regulation EC No. 460 / 2004) of 10 March 2004.619 ENISA works to implement its mission through creating awareness on network and information security, and inculcating a culture of network and information security for the benefit of European citizens, and both private and public institutions.620 The objectives under which ENISA was established are: a) To strengthen the capability of the EU and its Member States to prevent, address and respond to network and information security problems; b) To assist and advise the EU and its Member States on policy issues related to network and information security; c) To encourage cooperation between public and private sectors on issues related to network and information security; and d) To provide technical guidance for updating and developing laws relating to network and information security.621 The Regulation EC No. 460 / 2004 established ENISA to last for the period of five years only with effect from 14 March 2004.622 In order to prolong the existence of ENISA, on 24 September 2008, the European Parliament and 618  See: European Union Agency for Network and Information Security, Mission and Objectives. 619  See article 1(1) of the Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency of 10 March 2004. 620  See article 1(1) of the Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency of 10 March 2004. 621  See article 2 of the Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency of 10 March 2004. 622  See article 14 of the Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency of 10 March 2004.



G. Cyberlaw Enforcement Mechanisms and Institutions Under the EU135

the Council adopted Regulation EC No. 1007 / 2008 which extended the mandate of ENISA for a period of eight years running from March 2004, that is, until March 2012.623 Furthermore, Regulation EC No. 580 / 2011 was adopted again to extend the life of ENISA until 13 September 2013.624 On 21 May 2013, the European Parliament and the Council passed the Regulation EU No. 526 / 2013 on the European Union Agency for Network and Information Security which has the effect of repealing and replacing the Regulation EC No. 460 / 2004. The Regulation EU No. 526 / 2013 retains almost the same mission and objectives of ENISA as discussed above. Also, the functions of the Agency remain more or less the same but with them now being more articulate and clearly defined. The bottom line is that ENISA acts as the EU’s body which oversees the policy and legal issues pertaining to network and information security. In the performance of this duty the Agency advises the EU and its Member States on policy and legal issues, supports capacity building and encouraging cooperation in preventing and combating network and information security problems and incidents.625 Furthermore, ENISA plays the role of a coordinator of EU and Member State’s Computer Security Incident Response Teams (CSIRTs) and Computer Emergency Response Teams ­ (CERTs).626 ENISA is a manifestation of the EU’s multi-level approach against cyber and other related crimes. Apart from legal approaches and institutions discussed above, this is an Agency of purely network and information security experts who analyze cybercrime issues from an IT technical point of view mixed with policy and legal flavours. This is a commendable approach towards successful preventing and combating cybercrime. VI. European Crime Prevention Network (EUCPN) The idea of forming the European Crime Prevention Network (EUCPN) traces its roots from the conference in crime prevention held in Stockholm in 1996, and subsequent conferences and seminars which were held in Noordwijk in 1997, in London in 1998 and in the Algarve in 2000.627 In all these 623  See

article 1 of the Regulation EC No. 1007 / 2008 of 24 September 2008. para 6 of the preamble read together with article 1 of the Regulation EC No. 580 / 2011 of 8 June 2011. 625  See article 3 of the Regulation EU No. 526 / 2013 of 21 May 2013. Also see: Wennerström, pp. 461–462. 626  See paras 31 and 32 of the Preamble to the Regulation EU No. 526 / 2013 of 21 May 2013. Also see: Popa, p. 120. 627  See para 6 of the Preamble to the Council Decision Setting up a European Crime Prevention Network of 28 May 2001. 624  See

136

Chap. 4: The War Against Cybercrime

conferences a need to have a network within the EU to develop cooperation on crime prevention was realized.628 As a result, the Council of the European Union adopted the Council Decision Setting up a European Crime Prevention Network (Council Decision 2001 / 427 / JHA) of 28 May 2001, which formally established the EUCPN. The Network so established is unique and it neither falls within the police cooperation nor judicial cooperation.629 It is composed of not more than three contact points from each Member State, whose members are supposed to be representatives from the national authorities competent for crime prevention, researchers or academics specializing in crime prevention, and a contact point designated by the Commission.630 On 30 November 2009, the Council Decision 2001 / 427 / JHA of 28 May 2001 was repealed and replaced by the Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA (Council Decision 2009 / 902 / JHA). This new Council Decision was intended at strengthening the Network and engaging more the national representatives in the activities of the Network.631 According to the Council Decision 2009 / 902 / JHA, the EUCPN has mandate to carry out a number of tasks including facilitating cooperation and exchange of information, good practice and experience in crime prevention; organizing seminars and conferences on crime prevention and particularly the Annual European Crime Prevention Award; providing expertise on crime prevention to the Council and the Commission and so forth.632 Looking at the role of the EUCPN in preventing cybercrime, one will note that, in the first place, the Network has the mandate to deal with all forms of crime, cybercrime being inclusive.633 Furthermore, EUCPN implements specific projects that are aimed at raising awareness in preventing cybercrime. For example, in the EUCPN Work Programme 2016, the Network implemented Project 18 entitled, “Cyber Jungle”, whose main theme was cyber628  See para 6 of the Preamble to the Council Decision Setting up a European Crime Prevention Network of 28 May 2001. 629  Fletcher / Loof / Gilmore, p. 81. 630  See article 2 of the Council Decision Setting up a European Crime Prevention Network of 28 May 2001. 631  See paras 4 and 5 of the Preamble to the Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA of 30 November 2009. 632  See article 4 the Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA of 30 November 2009. 633  See the objectives of EUCPN as provided for under article 2 of the Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA of 30 November 2009.



H. Concluding Remarks137

crime and it is aimed at shaping the young Internet users through the provision of education.634 There is also Project 21 which is called “Cost and Impact of Cybercrime in Belgium” aimed at assessing the rate of cybercrime in Belgium and its progress over time.635 The EUCPN also issues publications in the area of cybercrime with a view of equipping the general public with the necessary knowledge on how to prevent the same. For example, in February 2016, the Network published a theoretical paper entitled, “Cybercrime: A Theoretical Overview of the Growing Digital Threat”. All this evidences that the preventive measures taken by EUCPN are extensive enough to cover cyber criminality, hence making the inclusion of the Network in the discussion on preventing and combating cybercrime inevitably important. On a different note, on 17 July 2013, a proposal was tabled by the Commission for adoption of a Council Regulation on the Establishment of a European Public Prosecutor’s Office (EPPO). The Commission made this proposal based on article 86 of the Treaty on the Functioning of the European Union which entrusts the Council with powers to establish such an Office in order to combat crimes affecting the financial interests of the Union. If successfully established, the EPPO will take charge of investigation and prosecution of perpetrators of fraud against the EU budget and related financial interests.636 However, it is important to note that, although the general understanding of the functions of the prosecutor’s office would suggest that the office will have mandate to investigate and prosecute all offences, but the EPPO is specifically intended to deal with fraud and offences against the EU budget and nothing more. This, therefore, means that the EPPO will have no mandate to deal with cybercrime at all.

H. Concluding Remarks The above discussion on legal and institutional frameworks on preventing and combating cybercrime in Europe shows that fairly there has been a number of achievements recorded so far. Laws have been put in place to carefully regulate most of the criminal dealings happening in cyberspace. There are also specialized enforcement mechanisms and institutions to enforce the law and ensure security in cyberspace as demonstrated above. This step is a commendable one at both levels, the CoE and the EU. It has also been noted that the Budapest Convention although is an instrument under the CoE has, to a large extent, influenced not only the EU but many other non-EU States to align their regime in line with the Convention. 634  European

Crime Prevention Network, Work Programme 2016, pp. 62–63. Crime Prevention Network, 2016, pp. 74–75. 636  European Commission (2013), pp. 2, 5 and 17. 635  European

138

Chap. 4: The War Against Cybercrime

However, together with the exemplary achievement reached by Europe in containing cybercrime in the continent, still, Europe cannot claim to be safe from cybercrime as long as there are cybercrime havens in other jurisdictions outside Europe. Considering the transnational and borderlessness nature of cybercrime, Europe can still continue to experience cyber-attacks launched from other jurisdictions whose legal and institutional frameworks are so weak to face the challenge. The war against cybercrime should be perceived as a global crisis requiring a global approach and solutions to it. Short of that, Europe’s dream to become an environment which is free of cyber threats may remain to be a nightmare not capable of being realized at all. The challenge of focus in the war against cybercrime identified could be linked with the fact that notwithstanding the efforts taken against criminality in cyberspace, the number cybersecurity incidents has been increasing every day. The Norton Cybersecurity Insights Report of 2015 indicates that 594 million people were affected by cybercrime globally.637 Also, according to the recently published survey, at least 80 % of the European companies have fallen victim of cybercrime in the last one year, and globally criminality in cyberspace increased by 38 % in 2015.638

637  See:

Norton Cybersecurity Insights Report, 2015, p. 4. Commission (2016). Also see: PricewaterhouseCoopers (2016).

638  European

Chapter 5

Preventing and Combating Cybercrime in East Africa: Legal and Institutional Frameworks A. Introductory Remarks The EAC was re-established in 2000 while aware from the beginning of the fact that developments and application of ICTs is crucial in achieving economic development in the region.639 Generally, the rate of penetration, access, and use of ICTs in East Africa has been increasing very fast over time. According to the International Telecommunications Union official statistics for the year 2016, seven billion people (95 % of the global population) live in an area that is covered by a mobile-cellular network.640 Furthermore, 84 % of the global population accesses mobile-broadband networks, while the penetration of cellular networks in rural areas is 67 % of the rural population.641 Also, the number of users of the fastest Internet (4G / LTE) is more than four billion people (53 % of the global population).642 This statistics connotes that the EAC region being part of the globe, is not isolated from what is going on in terms of developments and application of ICTs. In particular, the EAC region is continuously witnessing quite substantial progress in the ICT sector. For example, in March 2009 Tanzania had 13.9 million mobile subscriptions;643 in June 2009 Kenya had 17.4 million mobile subscriptions;644 and in March 2009 Uganda had ten million mobile subscriptions.645 Seven years later, it is reported that by September 2016, there were 22.3 million (61 % of the population) mobile subscriptions and 16.7 mil639  See article 103(1)(g) of the Treaty for the Establishment of the East African Community,1999. 640  International Telecommunications Union (2016). 641  International Telecommunications Union (2016). 642  International Telecommunications Union (2016). 643  Tanzania Communications Regulatory Authority, Status of Telecom Market; March 2009 Report. 644  Communications Commission of Kenya, Sector Statistics Report April–June 2008 / 09, August 2009, p. 7. 645  International Telecommunications Union, Communications in Uganda.

140

Chap. 5: Preventing and Combating Cybercrime in East Africa

lion (45 % of the population) Internet users in Uganda.646 In Tanzania by December 2016, the country had approximately 40.2 million mobile subscriptions (80 % of the population) and 19.9 million (40 % of the population) Internet users.647 By December 2016, Kenya had 38.9 million mobile subscriptions (88.2 % of the population) and 26.6 million Internet users.648 The records further show that by December 2016, Rwanda had mobile subscription rate of 78 % of the entire population and 3.6 million Internet users.649 Burundi by June 2016 was said to have mobile subscription rate of 48 %, and Internet users constituted 8.2 % of the entire population.650 Mobile subscriptions in Burundi are not very high compared to other countries in the region and this situation is likely caused by poverty and political instability which seem not to favour investments in mobile network infrastructures. Besides the above, subscription to mobile money services has been increasing every day, which eventually makes the amounts transacted on mobile money services to be so huge.651 Mobile money subscriptions in East Africa has increased from 29 million in 2009 to 82.3 million customers in December 2015.652 Furthermore, the increase in subscription has boosted the amount transacted per day from USD 13.3 Million to USD 125 Million.653 For example, in Tanzania alone, the amount of money transacted on mobile money services in the year 2015 was more than 24 trillion Tanzanian Shillings (approximately USD eleven billion).654 Furthermore, in a recent Africa Cyber Security Report 2016 prepared by an IT security firm, Serianu, it is said that the estimated cost of cybercrime in Africa is USD 895 million, with Nigeria leading by USD 550 million, followed by Kenya USD 175 million, 646  Uganda Communications Commission, Post, Broadcasting and Telecommunications Market and Industry Report, pp. 6 and 9. 647  Tanzania Telecommunications Regulatory Authority, Quarterly Communications Statistics Report (October–December Quarter), 2016. 648  Kenya Communications Authority, Second Quarter Sector Statistics Report for the Financial Year 2016 / 2017 (October-December), 2016, pp. 8 and 21. 649  Small Media, p. 17. 650  Small Media, p. 11. 651  On 15 August 2015, the East African Newspaper reported that in the year 2014 consumers in Kenya, Uganda, Rwanda, and Tanzania transacted USD 45.75 billion through their mobile phones. The amount transacted translates into 32 % of the countries’ combined gross domestic product. For further details, see: http: /  / www.the eastafrican.co.ke / business / Mobile-money-subscribers-on-the-rise-across-the-region- /  2560-2834470-v0d7cv / index.html. 652  Refer to the above footnote. 653  Refer to the above footnote. 654  This is according to the then President of Tanzania (fourth President), His Excellency Jakaya Mrisho Kikwete, when he made his closing speech to the 10th Parliament of Tanzania at Dodoma on 9 July 2015.



B. Rationale for Approximation and Harmonization of Criminal Laws141

Tanzania USD 85 million, Ghana USD 50 million and Uganda USD 35 million.655 In fact, out of the top five mentioned countries with the highest estimated costs of cybercrime in Africa, three are from East Africa. The above statistics implies that when one speaks of cyberspace and cybercrime control in East Africa it means that a good percentage of residents of the region is being considered. This fact justifies the undertaking in this chapter to critically evaluate the anti-cybercrime regime in the East African region as a whole and in some individual chosen Partner States. As repeatedly stated in this book, the examination of the regime will be done with a view of borrowing a leaf from the achievements recorded on the same in Europe. This chapter, therefore, is dedicated to examining legal and institutional mechanisms put in place to prevent and combat cybercrime in the region. The chapter assesses both collective measures at the EAC level, and efforts undertaken by the three selected EAC Member States in their individual capacity, namely Kenya, Tanzania, and Uganda. The three countries are selected based on the statistics analysed above, which shows that they are leading in cybercrime incidents in the region.

B. Rationale for Approximation and Harmonization of Criminal Laws in the EAC Part G.II. of chapter 2 of this book covers in general terms the need to harmonize cybercrime laws as one of the ways of addressing criminality in cyberspace. This part focuses on approximation and harmonization of laws in a specific context as one of the important anti-cybercrime initiatives required in the EAC region. Generally speaking, approximation and harmonization of criminal laws is the process of establishing common standards and definitions of crimes which are considered serious in nature, with a view of achieving a legal harmony which will translate to better cooperation in criminal matters and effective criminal law enforcement.656 So, simply speaking, approximation and harmonization will lead to elimination and / or reduction of criminal safe havens and will also guarantee effective cooperation among law enforcement organs.657 Much as harmonization is an important aspect of integration, but when it comes to criminal law, it has to be done with extra care. The reasons for this caution are obvious. Firstly, from the fact that criminal law is among the areas of law where States for so long have claimed traditional and uninter655  Serianu,

pp. 11–12. pp. 1–4. Further see: Toure, pp. 120–121. 657  Clough (2014), p. 701. 656  Calderoni,

142

Chap. 5: Preventing and Combating Cybercrime in East Africa

rupted right to exercise their sovereignty.658 And secondly, from the fact that enforcement of criminal law may result in serious violations of human rights. It is on this same footing that the EU’s approach on harmonization and approximation of criminal laws was criticized for lack of democratic legitimacy of institutions that spearheaded the harmonization, the selection of the areas that required harmonization and the overall quality of the harmonized instruments.659 Now, the EAC as a regional bloc will not be able to fully realize any of its objectives, if approximation and harmonization of laws, including criminal laws, is not prioritized. Approximation and harmonization is a cornerstone of any successful integration. Furthermore, it is evident that the EAC has been able to record remarkable success in the areas of the customs union and common market because of the harmonization of the relevant sectoral laws. However, for the customs union and common market to be utilized fully, peace and security are of utmost importance. Peace and security could be achieved by approximation and harmonization of laws relating to public order, the area of criminal law being a major component of them. For example, the successful implementation of the EAC Common Market Protocol which literally translates to free movement of goods; free movement of persons; free Movement of labour / workers; right of establishment; right of residence; free movement of services; and free movement of capital presupposes that the risks of offenses and insecurity are seriously mitigated, and the best conditions of public safety and security are in place all over the EAC region.660 Besides the above, when dealing with cybercrime, approximation and harmonization become critically important because of the transboundary nature of cybercrime.661 It has been stated a number of times in this book that cybercrimes are borderless and inherently transnational in nature. A crime can be committed within one jurisdiction but evidence that will enable successful prosecution needs to be obtained from other jurisdictions.662 Furthermore, in a study conducted by the United Nations Office on Drugs and Crime from February to July 2012, it was said that between 50 % and 100 % of cybercrime incidences reported to police had a cross-border element.663 A recent cyberattack named as “ransomware” which used a malware known as “WannaCry” is a good example of cross-borderness of cybercrime 658  For

further discussion on sovereignty and criminal law see chapter 4 part. E. p. 1. 660  Parcalabu, p. 172. 661  For importance of harmonization and approximation of laws on transboundary issues see: Tharani, p. 487. 662  Clough (2014), p. 700. 663  United Nations Office on Drugs and Crime (2013), p. 55. 659  Calderoni,



C. Legal Basis for Harmonization and Approximation of Laws143

and also an indicator that various systems of the world can just be shut down by a single click. The attack which happened on Friday 12 May 2017 was said by Europol to be an unprecedented attack which requires a complex international investigation to identify the perpetrators.664 The said attack is reported to have affected more than 75,000 computers in more than 99 countries in the world, while European countries and Russia were among the most affected.665 In the United Kingdom, for example, important sectors like the National Health Service and Nissan car plant in Sunderland were hit by the cyberattack.666 The above justifies the fact that cooperation among countries in fighting cybercrime is crucial, hence the need to approximate and harmonize criminal laws is inevitable, and it is of critical importance when it comes to cybercrime.

C. Legal Basis for Harmonization and Approximation of Laws in the EAC Framework In the East African Community, approximation and harmonization framework is principally founded on the EAC Treaty itself. It can be traced from the objectives of the EAC whereas, among others, the Community was established to broaden and intensify integration among members in political, economic, social and cultural matters, research and technology, defence, security, and legal and judicial affairs.667 For the stated objectives to be realized, the Treaty expressly allows for harmonization of all Partner States’ laws with relevance to the objectives of the Community.668 Specifically, the EAC Treaty allows its members to cooperate in criminal matters, including but not limited to, combating and prevention of crossborder crimes, arrests and repatriation of fugitives, and exchange of information in criminal matters.669 Again, in order to enhance cooperation and integration in various areas as enshrined by the Treaty, the Partner States are allowed to conclude such Protocols as may be necessary.670 All these are 664  The

BBC, Cyber-attack: Europol Says it was Unprecedented in Scale. BBC, Cyber-attack: Europol Says it was Unprecedented in Scale. 666  The BBC, NHS ‘Robust’ after Cyber-attack. 667  See article 5(1) of the Treaty for the Establishment of the East African Community, 1999. 668  See article 126(2) (b) of the Treaty for the Establishment of the East African Community, 1999. 669  See article 124(5) of the Treaty for the Establishment of the East African Community, 1999. 670  See article 151(1) of the Treaty for the Establishment of the East African Community, 1999. 665  The

144

Chap. 5: Preventing and Combating Cybercrime in East Africa

based on the belief of the EAC as a Community that peace and security are vital and fundamentals through which social and economic development and objectives of the Community can be realized.671 In furtherance of the above-stated objectives, the EAC is chiefly designed to gradually achieve what are called as the integration pillars, namely a Customs Union, a Common Market, a Monetary Union and eventually a Political Federation.672 In terms of success, the EAC has been able to achieve the fully-fledged Customs Union since January 2010, and the Common Market has been effective since 2010. The Monetary Union and a Political Federation are not yet operational. They are still at different stages as works in progress. However, it is important that before the Monetary Union and Political Federation are achieved, they should be preceded by harmonization and approximation of criminal laws, specifically cybercrime. The reasons for this argument are that Monetary Union and Political Federation will imply, among others, use of a single currency in bigger geographical boundaries, and surrender of individual State’s sovereignty and formation of one bigger political entity, hence there must be a uniform approach to issues of security and public order.

D. An Overview of the EAC’s Anti-Cybercrime Framework It is correct to say that generally the desire and mandate to deaI with crimes in the region with a view of maintaining peace, safety, security, and order emanates from the EAC Treaty itself. This is from the fact that cooperation in peace and security, legal and judicial matters is among the areas clearly addressed by the Treaty as already pointed out above. It is further said that a few years after the revival of the EAC in 2000, the desire and efforts to have common regional cyberspace framework were also conceived. There is evidence showing that since 2004 the EAC Partner States realized the need to have cyberlaws, e-justice, and information security as one of the important components for successful implementation of e-government programs and development of e-commerce in the region.673 These efforts were further complemented by the adoption of the Regional e-Government Framework by the EAC Council of Ministers.674 Since then, there have been a 671  See article 124(1) of the Treaty for the Establishment of the East African Community, 1999. 672  See article 5(2) of the Treaty for the Establishment of the East African Community, 1999. 673  The East African Community Task Force on Cyberlaws, p. 3. 674  The East African Community Task Force on Cyberlaws, p. 3.



D. An Overview of the EAC’s Anti-Cybercrime Framework145

couple of undertakings implemented by the EAC, in the area of cyberlaws and ICT development generally, which are further analysed below. I. Policy and Legislative Measures Adopted in the EAC Region 1. The EAC Customs Management Act, 2004 The enactment of the EAC Customs Management Act by the East African Legislative Assembly in 2004 was among the early efforts of the Community to implement the objectives of the EAC Treaty.675 These objectives are further reflected in the provisions of the Protocol for the Establishment of the East African Community Customs Union, 2004.676 So, the provisions of the EAC Customs Protocol were further translated and reflected through a detailed enactment of the Community, the EAC Customs Management Act of 2004 which came into force on 1 January 2005. As the name suggests, the EAC Customs Management Act is not primarily meant to deal with cybercrime in the region. The Act basically provides for a uniform manner for treatment of imports and exports (customs administration) in the EAC. However, in catering for customs administration and related roles the legislation has coincidentally become somewhat relevant in preventing computer crime. For example, the EAC Customs Management Act categorizes pornographic, indecent or obscene materials in all kinds of media as prohibited imports in the EAC region.677 And it is an offence punishable by an imprisonment not exceeding five years or a fine equal to 50 % of the customs value of the goods involved, for any person to import any goods categorized as prohibited goods.678 The above implies that, although the Act does not contain a specific provision on computer crime or cybercrime, but generally it prohibits the importation of pornographic, indecent or obscene material even those in electronic or computer usable form stored in CDs, flash discs and other storage devices which qualify as goods (in physical from) for purposes of customs administration. However, it should be understood that the prohibition under the law above does not extend to downloading of the prohibited materials online. Looking at the above prohibition in the form of materials stored electroni675  See articles 5 and 75 of the Treaty for the Establishment of the East African Community, 1999. 676  See articles 2–4 of the Protocol for the Establishment of the East African Community Customs Union. 677  See section 18 read together with item 3 of part. A of the second schedule to the East African Community Customs Management Act. 678  See section 200 of the East African Community Customs Management Act.

146

Chap. 5: Preventing and Combating Cybercrime in East Africa

cally, one will appreciate that it amounts to computer crime prevention efforts in the category of content related offences. This is the reason why the EAC Customs Management Act is considered to have anti-computer crime provisions, though, on the other hand, one may challenge that there is no clear and deliberate intention to that effect. 2. The Regional e-Government Framework, 2006 In recognizing the contribution of ICTs in fostering development and in a view of establishing e-Government Program to facilitate the effective provision of services, the EAC Council of Ministers in November 2006 adopted the Regional e-Government Framework. The Framework considers the creation of a legal and regulatory framework as a critical step towards materializing e-Government programs at both national and regional levels.679 The Framework further appreciates the fact that in order to achieve an effective and efficient e-Government Strategy a firm regime on data security, network security, cybercrime, information systems and electronic transactions is inevitable.680 The relevancy of this Framework is that it recognizes the need to prevent and combat cybercrime and ensure security on cyberspace for the e-Government Program to be successful. Looking critically at the Regional e-Government Framework, one will note that it is not a framework specifically meant for cybercrime, rather it is for effective implementation of the e-Government strategy which does not put much emphasis on cybercrime per se. Another challenge relating to the Framework is that it is not clear whether it is a policy, directive, regulations, recommendations, opinion, or decision within the meaning of the EAC Treaty and the legal framework in general.681 The common practice and experience show that the EAC has been implementing its commitments in various areas of cooperation through the adoption of specific protocols which are legally binding, to cater for the needs of those specific areas as required by the EAC Treaty.682 The legal status of the Framework within the meaning of EAC’s legally recognized and binding instruments, is not very clear.

679  The

East African Community Task Force on Cyberlaws, p. 3. East African Community Task Force on Cyberlaws, p. 3. 681  See articles 14 and 16 of the Treaty for the Establishment of the East African Community, 1999. 682  See article 151 of the Treaty for the Establishment of the East African Community, 1999. 680  The



D. An Overview of the EAC’s Anti-Cybercrime Framework147

3. The EAC Legal Framework for Cyberlaws, 2008 The adoption of the Regional e-Government Framework in 2006 paved the way for promulgation of the EAC Legal Framework for Cyberlaws in 2008. The Cyberlaws Framework was prepared by the EAC Task Force on Cyberlaws with the support of the EAC Secretariat and the United Nations Conference on Trade and Development (UNCTAD).683 The Framework was prepared under the auspices of a special project called the EAC Cyberlaw Reform Programme which was jointly supported by the EAC and UNCTAD.684 Although the Cyberlaws Framework was completed in 2008, it received the approval of the EAC Council of Ministers in 2010.685 It is further said that the Cyberlaws Framework has been prepared while informed of developments of cyberlaws in other regimes such as the Commonwealth Model Law on Electronic Transactions, the UNCITRAL Model Laws on Electronic Commerce and Electronic Signatures, the SADC Model Cyberlaw, international best practice, and other public international law instruments.686 The methodology adopted in the preparation of the Framework is reported as participatory and consultative among the Partner States constituting the EAC.687 Basically, the Cyberlaws Framework covers five cyberspace areas, namely electronic transactions, electronic signatures and authentication, computer crime, consumer protection, and data protection and privacy. Since this book focuses on computer crime only, detailed analysis of the Framework will be confined to the provisions addressing cybercrime only. On cybercrime, the Cyberlaws Framework is founded on two objectives. Firstly, the need to amend current laws to reflect the use of ICTs in the commission of new crimes, and secondly, the need to reform criminal procedural laws to facilitate the efficient and effective investigation and prosecution of cybercrimes.688 In terms of unacceptable acts and omissions in cyberspace, the Framework recommends that the Partner States should embark on amending their criminal laws to explicitly provide for cybercrimes.689 The Framework further recommends that offences related to fraud, forgery, copyright and other neighboring rights infringements, and child pornography be outlawed and designated as substantive offences in a similar manner as provided 683  The

East African Community Task Force African Legislative Assembly, p. 9. 685  Achieng. 686  The East African Community Task Force 687  The East African Community Task Force 688  The East African Community Task Force 689  The East African Community Task Force 684  East

on Cyberlaws, p. 3. on on on on

Cyberlaws, Cyberlaws, Cyberlaws, Cyberlaws,

pp. 4 and 5. pp. 4 and 6. p. 14. p. 14.

148

Chap. 5: Preventing and Combating Cybercrime in East Africa

by the Council of Europe Cybercrime Convention.690 In addition to the above, the Cyberlaws Framework proposes creating another category of ancillary offences in relation to confidentiality, integrity, and availability of computer data. This category includes the proposed offences like unauthorized access to a computer system; unauthorized interference or modification of a computer system or the data processed on a computer system; unauthorized interception of communications between or within systems; and misuse of devices, including the supply or possession of such tools.691 Furthermore, the Cyberlaws Framework covers aspects of jurisdiction and criminal procedural rules. On jurisdictional issues, the Framework proposes the extension of mandate to prosecute to cover offences committed in the territory even if the perpetrator resides in another jurisdiction and those involving both the victim and perpetrator residing within the same territory.692 On procedural issues, the Framework recommends taking necessary and concerted measures to ensure that the law enforcement agencies are equipped with the required powers, abilities and capabilities to investigate crimes, including but not limited to, powers to search and seize, obtain and access forensic data, interception of communications, and so forth.693 Based on the above analysis, it is evident that the Cyberlaws Framework has attempted to copy some features of the Council of Europe Cybercrime Convention, which is a commendable step. However, there are serious issues to note in the Framework. Firstly, the Framework is too general and it lacks clarity and the details which are necessary, if the recommendations contained therein are to be relied upon to achieve uniformity in cyberlaws in the EAC region. The positions stated in the Framework are too general as they do not go to the nitty-gritty of cybercrime. The vagueness contained in the Framework allows for the room for each country to legislate on its own ways something which may lead to different legal positions among the EAC member States, hence the essence of combining efforts and resources in fighting cybercrime uniformly as a bloc can hardly be achieved. Secondly, the Framework itself states that it is not a model law, rather it is a series of recommendations to the governments.694 This assertion by the Framework implies that the document lacks the legal force and it is not binding. Much as the document was approved by the EAC Council of Ministers, but that fact per se does not make it legally binding as it is the case with Council’s regulations, protocols, directives or decisions under the 690  The

East East 692  The East 693  The East 694  The East 691  The

African African African African African

Community Community Community Community Community

Task Task Task Task Task

Force Force Force Force Force

on on on on on

Cyberlaws, Cyberlaws, Cyberlaws, Cyberlaws, Cyberlaws,

p. 15. p. 15. p. 15. pp. 15–16. pp. 3 and 7.



D. An Overview of the EAC’s Anti-Cybercrime Framework149

Treaty.695 The above challenges render the Framework to amount to a less serious and legally non-binding commitment to fight cybercrime at the EAC level. 4. The EAC Protocol on Peace and Security, 2013 The EAC as a region unanimously admits that peace and security are crucial to attaining social and economic development. This position can be evidenced from the provisions of the EAC Treaty itself, and in particular article 124. In the same spirit, the EAC Council of Ministers in its 13th Meeting held in November 2006, adopted the EAC Peace and Security Strategy in order to provide a more coordinated guidance on peace and security interventions in the region.696 Basically, the cooperation in peace and security is intended to cover, among others, collaboration in preventing and combating cross-border crimes such as motor vehicle theft, drug trafficking, terrorism, money laundering and other crimes.697 The adoption of the Peace and Security Strategy culminated into the adoption of the EAC Protocol on Peace and Security on 15 February 2013. As it was for the strategy, the adoption of the EAC Protocol on Peace and Security was aimed at addressing peace and security in the region in a more legally committed and regulated manner. Assessing the Protocol against the war on cybercrime, one will note that it makes reference to cybercrime in two instances. The first one is on the scope of the Protocol where it states that the Partner States commit themselves to cooperate in, among others, combating transnational and cross-border crimes; including drug and human trafficking, illegal migration, money laundering, cybercrime and motor vehicle theft.698 The second instance where cybercrime is indirectly mentioned in the Protocol is in relation to the EAC Partner States’ undertaking to cooperate in carrying out operations to deal with transnational and cross-border crimes including intellectual property piracy.699 Notwithstanding the specialty of cybercrime, the Protocol does not provide for any specific provisions on substantive nor procedural measures against offenders in cyberspace. Worse enough, the Protocol does not put in place 695  See articles 16 and 151 of the Treaty for the Establishment of the East African Community, 1999. 696  East African Community, Peace and Security Overview. 697  East African Community, Peace and Security Overview. 698  See article 2(3)(i) of the East African Community Protocol on Peace and Security, 2013. 699  See article 12(1)(g) of the East African Community Protocol on Peace and Security, 2013.

150

Chap. 5: Preventing and Combating Cybercrime in East Africa

any institutional arrangements for the implementation of the provisions of the Protocol, rather it leaves for the EAC Council of Ministers to determine.700 In fact, considering the nature of criminality in cyberspace, the EAC Protocol on Peace and Security, 2013 is too general to qualify to be termed as one of the anti-cybercrime instruments in the EAC. Although a Protocol is a serious and binding commitment within the EAC legal framework, the generality of the EAC Protocol on Peace and Security renders the same to be not a very useful and effective instrument in so far as the war against cybercrime is concerned. Also, another challenge with the Protocal is that although the Protocol was signed in February 2013, it has not entered into force to-date as Burundi and Tanzania have not yet completed the ratification process. II. Anti-Cybercrime Institutions in the EAC Beside the feeble EAC legal framework on cybercrime as analysed above, there are also institutions worth the author’s examination in terms of their roles and responsibility in preventing and combating cybercrime. The institutions which seem to be relevant are basically two, namely the East African Communications Organization and the EAC Cyberlaws Task Force. The detailed accounts of each institution are hereunder provided. 1. The East African Communications Organisation (EACO) The East African Communications Organization (EACO) which was established in 2010, is a successor of the East Africa Regulators, Postal and Telecommunication Operators Organisation (EARPTO) which was formed in the 1990s.701 The EARPTO was a consortium of the then national regulators, telecommunication and postal operators of the three founding Partner States of the EAC, namely Tanzania, Kenya, and Uganda.702 Subsequent to their admission to the EAC in 2007, regulators and operators from Rwanda and Burundi joined EARPTO in 2009.703 The name change from EARPTO to EACO in 2010 was triggered by, among others, the technological advancement which necessitated expansion of regulator’s jurisdiction to include broadcasting services.704 In 2013, the EACO adopted its Constitution which

700  See

2013.

701  The

article 15 of the East African Community Protocol on Peace and Security,

East East 703  The East 704  The East 702  The

African African African African

Communications Communications Communications Communications

Organization, Organization, Organization, Organization,

EACO EACO EACO EACO

Strategic Strategic Strategic Strategic

Plan, Plan, Plan, Plan,

p. 8. p. 8. p. 8. p. 8.



D. An Overview of the EAC’s Anti-Cybercrime Framework151

replaced the Memorandum of Understanding under which it was previously established.705 Now, looking at the EACO Constitution the objectives that EACO pursues are harmonizing ICT policy and regulatory regimes in the region; promoting the development of broadcasting, postal and telecommunications / ICT services and related matters; and formulating ways and means to achieve fast, reliable, secure, affordable and efficient communications services within the EAC.706 In pursuit of the above objectives, the EACO particularly focuses on, inter alia, security issues in telecommunications and ICT related services, whereas cybercrime is one of them. Furthermore, the EACO’s Constitution allows committees and working groups to be established in order to facilitate implementation of its objectives.707 In so far as cybersecurity issues are concerned, EACO established the Working Group 5 which is called IP Networks, Standards and Cybersecurity (WG 5). The Working Group is entrusted with the responsibility as lead Working Group on all cybersecurity related matters. This mandate further includes, inter alia, examining and developing guidelines and standards for IP networks and cybersecurity; detecting and recommending solutions to issues relating to IP networks, standards and cybersecurity; recommending means of enforcing cybersecurity national regimes such as establishing and maintaining National Computer Emergency Response Teams (CERTs) in every single EACO Member States; recommending the EAC cybersecurity collaboration strategy; and conducting studies and researches on cybersecurity and related issues.708 Much as the EACO efforts in ensuring cybersecurity in the region are appreciated, however, there are challenges that need to be addressed. These challenges stem from the reality that EACO is established as an organization separate and independent from the EAC structure and institutions. This means that although the EACO’s efforts seem to carry the EAC regional label / agenda on cybersecurity, its functioning does not mingle with the EAC institutions, hence a vacuum is created between the two systems. This quagmire is further evidenced by the recent observer status given to EACO by the

705  See the preamble to the Constitution of the East African Communications Organisation. 706  See article 3 of the Constitution of the East African Communications Organisation. 707  See article 13 of the Constitution of the East African Communications Organisation. 708  The East African Communications Organization, Working Groups, and Committees.

152

Chap. 5: Preventing and Combating Cybercrime in East Africa

EAC.709 This status implies that although EACO is allowed to participate in all EAC’s meetings, its role is that of “an observer” and not “an actor”. There is no legally established and coordinated functional relationship between EACO and EAC, for the EACO lacks the mandate to take serious and deliberate actions and undertakings on its own. It simply means that the EACO is not an institution within the EAC institutional framework but it exists as an independent one with observer status in the business of the EAC. Also, EACO is reported to have budgetary constraints as it lacks diversified sources of revenue other than contributions from its members, which are so meager.710 The above challenges, consequently, handicap the ability and capability of EACO to sensibly and effectively contribute towards fighting cybercrime in the region. 2. The EAC Cyberlaws Task Force It has been stated in chapter 5 part. D.I. of this book that UNCTAD through the EAC Cyberlaw Reform Programme played a lead role in helping the EAC to mold its cyberspace framework. Following UNCTAD organizing capacity building workshops for training policy and legal experts from the Partner States and officers from the EAC, the Regional Task Force on Cyberlaws was established in December 2007.711 Four members of the Task Force from each Partner State were appointed from Ministries of Member States and Government Departments; associations of legal professionals (East African Law Society, East African Magistrates & Judges, East African Business Council); and the EAC Secretariat (EAC Secretariat Legal Department, East African Court of Justice, East African Legislative Assembly).712 The Task Force has been a pivotal body in spearheading the development of cyberspace laws in the region, particularly championing the efforts to approximate and harmonize policies and laws on ICTs regulation. One of the noteworthy undertakings of the Task Force is its active involvement in the preparation of the Cyberlaws Framework of 2008 (see chapter 5 part. D.I. above). It is further reported that even the idea that cyberlaws reform process be organized and monitored at the EAC level plus benchmarking the same against the international best practice was one of the recommendations from the Task force.713 709  The

East African Communications Organization, EACO Strategic Plan, p. 13. East African Communications Organization, EACO Strategic Plan, p. 36. 711  The East African Community Task Force on Cyberlaws, p. 4. 712  The East African Community Task Force on Cyberlaws, p. 4. 713  Ubena, p. 96. Also, see: The East African Community Task Force on Cyberlaws, p. 5. 710  The



E. Individual Countries’ Cyberspace Frameworks153

If one assesses the establishment and the working of the Task Force, will realize that its mandate ends with making recommendations to respective organs and Member States of the EAC. However, it appears that the recommendations are not legally sanctioned to the extent that the receiver of the same can be held legally accountable if fails to implement. For this relationship is not very well legally coordinated, the recommendations by the Task Force, however, best might be, are watered-down by the fact that are implementable at one’s will and not as a binding legal obligation as such. Also, with the example of the EAC Legal Framework for Cyberlaws, one will note that the recommendations were too general to provide guidance among members to achieve uniformity and commonality in their anti-cybercrime national frameworks.

E. Individual Countries’ Cyberspace Frameworks This part of the book is intended to critically analyze the anti-cybercrime regimes of the three EAC Partner States which are the founders of the Community, namely Tanzania, Kenya, and Uganda. These countries have been chosen because are notoriously leading in cybercrime incidents as indicated in chapter 5 part A. of this book above, hence the choice represents a true situational analysis of the EAC region. Also, most of the laws and official documents targeted for review in Rwanda and Burundi are written in French, the language which the author is not conversant with. In that regard, the analysis, where applicable and necessary, will be done at three levels, namely the policy level, law level, and finally the institutional level. The analysis is aimed at examining individual countries’ efforts, the correlation between the EAC cybercrime regime and individual countries’ regimes, and the envisaged uniformity and commonality, if any, in the region. I. Cybercrime Policy, Laws and Institutions in Tanzania The history of Tanzania in relation to computing and use of ICTs is somewhat checkered. There was a time in the 1970s when importation and use of computers in the country was banned for allegedly causing loss to the Government, but the pressure of globalization and developments in ICTs necessitated for the lifting of the ban in 1980s.714 From the 1990s onwards, Tanzania has witnessed a booming period in the ICTs sector. This cannot be claimed to be attributable to the internal forces alone, rather mostly to the global achievements recorded in the area of ICTs. It is for these reasons that the adoption of the National Information and Communication Technologies 714  Mwiburi,

p. 3. Also, see: Mgaya.

154

Chap. 5: Preventing and Combating Cybercrime in East Africa

Policy in 2003 was inescapable, and as a result, it subsequently triggered the promulgation of the corresponding pieces of legislation and institutions to enforce the same. Below is a survey of these policies, laws, and institutions with a view to establishing their relevancy and efficacy in preventing and combating cybercrime in Tanzania. 1. The National Information and Communications Technologies Policy, 2003 As already pointed out above, the timing of the ICT Policy was very critical in so far as regulation of ICTs is concerned. This is the time when technological environment made it possible for multiple convergences of content, computing, telecommunications and broadcasting to happen.715 The implication of this convergence was to allow a range of services to be provided under the ICT platforms, the fact which could attract service providers and consumers of these services to meet and transact in these platforms / cyberspace. Eventually, since human beings are criminal in nature (see a detailed discussion on this aspect in part. A. of chapter 1 of this book), cyber security issues, among others, were obvious to arise simultaneously with these developments. Moreover, the ICT Policy envisions making Tanzania a hub of ICT infrastructures and solutions with a view of achieving socio-economic development and poverty reduction both at national and global levels.716 On legal and regulatory framework, the Policy notes that the widespread of the Internet has resulted in new types of needs, rights, and vulnerabilities which need to be legally fixed.717 The Policy further points out that the then legal environment was not very supportive of the ICTs developments and there was a need to align laws and institutions with the pace of technological developments to avoid making the country a cybercrime haven.718 Finally, through the Policy, the Government commits to review the legal and regulatory environment with a view of amending the existed laws and enacting new ones to cater for privacy, security, cybercrimes, ethical and moral conduct, encryption, digital signatures, copyrights, intellectual property rights and fair trade practices.719

715  Ministry

of of 717  Ministry of 718  Ministry of 719  Ministry of 716  Ministry

Communications Communications Communications Communications Communications

and and and and and

Transport Transport Transport Transport Transport

(Tanzania), (Tanzania), (Tanzania), (Tanzania), (Tanzania),

p. 1. p. 2. p. 15. p. 15. pp. 15–16.



E. Individual Countries’ Cyberspace Frameworks155

Although the Policy was adopted in 2003, it took many years for Tanzania to have in place a sound legal and institutional framework that reflects the realities of electronic transactions and life generally in cyberspace. The commitment of the Government as articulated in the ICT Policy remained in papers for some years on the ground that internal processes and procedures were being undertaken. However, this leisureliness of the Government was very cumbersome, and it obviously caused hardship among the actors in eenvironment and cyberspace in particular. Even before the ICT Policy was adopted, the court could not close its eyes to the developments and let it go. For example, in the Trust Bank’s case, the court was confronted with a scenario where admission of the electronic evidence was crucial in determining the case, however, the same was not admissible under the then Tanzania Evidence Act, 1967.720 In appreciation of the developments in science and technology vis-à-vis the development of the law, the court allowed and actually admitted electronic evidence and made the following observations: The Court should not be ignorant of modern business methods and shut its eyes to the mysteries of computers. The court has to take due cognizance of the technological revolution that has engulfed the world. Generally speaking as of now, record keeping in our banks is to a large extent “old fashioned” but changes are taking place. The law can ill afford to shut its eyes to what is happening around the world in the banking fraternity.721

Although the above court’s decision was on a civil case, but it is still relevant in the discussion on cybercrime for it marks early and remarkable efforts of some legal institutions in appreciating the need of the law to be updated in line with technological developments. The above decision of the court provoked the Law Reform Commission of Tanzania to engineer amendments to the Evidence Act which ultimately resulted in the recognition and admissibility of electronic evidence in courts in civil matters. The amendments were effected through the provisions of the Written Laws (Miscellaneous Amendments) Act which was passed by the Parliament passed in 2007.722 So, the amendment to the Evidence Act is considered as one of the early legal steps deliberately taken in favour and recognition of transactions in the

720  Trust Bank Tanzania Ltd. vs. Le-marsh Enterprises Ltd. & Two Others, Commercial Case No. 4 of 2000, High Court of Tanzania (Commercial Division) at Dar es Salaam (Unreported). 721  Trust Bank Tanzania Ltd. vs. Le-marsh Enterprises Ltd. & Two Others, Commercial Case No. 4 of 2000, High Court of Tanzania (Commercial Division) at Dar es Salaam (Unreported). 722  See sections 32–35 of the Written Laws (Miscellaneous Amendments) Act, Act No. 15 of 2007.

156

Chap. 5: Preventing and Combating Cybercrime in East Africa

e-environment, however, the amendments have no direct bearing to cybercrime. 2. The Electronic and Postal Communications Act, 2010 The Electronic and Postal Communications Act, famously known as ­ POCA was passed by the Parliament on 29 January 2010. The Act puts E together the legal framework for regulation of electronic and postal communications in Tanzania. Briefly, EPOCA provides for matters related to, among others, licensing, interconnection and access, competition practices, spectrum management, content regulation, and enforcement mechanisms. More importantly for this book, EPOCA contains some provisions providing for communications related offences which have elements of cybercrime. Together with the fact that EPOCA establishes quite a good number of communications related offences, only a few of them are relevant for this discussion as it focuses mainly on cybercrime. The relevant offences under EPOCA include transmission of the obscene communication,723 interception of communication,724 fraudulent use of the network,725 interference of transmission of the electronic communication,726 and unauthorized access or use of computer system.727 Commendably, the acts and / or ommissions outlawed by EPOCA are very critical in making sure that electronic communication is secure and reliable. Another critical milestone achieved by the enactment of EPOCA, in so far as cybersecurity is concerned, is the establishment of the National Computer Emergency Response Team (CERT).728 The National CERT is a very important organ which has been entrusted with the obligations to coordinate responses to cybersecurity incidents internally, and also to cooperate with regional and international organs mandated to deal with cybersecurity incidents.729 The presence of CERT enables quick and effective steps to be taken against any cyber related attacks at the national level, and also it facilitate to team up with other countries in taking collective measures against cyber attacks. A good example of how CERTs are effectively used to protect people 723  See

section 118 of the Electronic and Postal Communications Act, 2010. section 120 of the Electronic and Postal Communications Act, 2010. 725  See section 122 of the Electronic and Postal Communications Act, 2010. 726  See section 123 of the Electronic and Postal Communications Act, 2010. 727  See section 124(3) of the Electronic and Postal Communications Act, 2010. 728  See section 124(1) of the Electronic and Postal Communications Act, 2010. 729  See section 124(1) of the Electronic and Postal Communications Act, 2010 read together with regulation 6 of the Electronic and Postal Communications (Computer Emergency Response Team) Regulations, GN. No. 419 of 2011. 724  See



E. Individual Countries’ Cyberspace Frameworks157

from attacks is the recent unprecedented cyber attack which hit the world on 12 May 2017, famously known as Ransomware. In this incidence, the Tanzania Communications Regulatory Authority together with the National CERT issued a warning about the attack, and further guided the users of cyberspace on how to protect themselves from the attack. It is also important to point out that the EPOCA regime does provide for obligations to service providers in relation to cybersecurity. Looking at the set of obligations entrusted with service providers, one will note that they are really meant to protect consumers of electronic communication services against any attacks. These obligations include providing secure environment for subscribers, responding effectively to threats, notifying and collaborating with the National CERT in the case of security threats, abiding by security guidelines as issued by the relevant authorities and so forth.730 So, in terms of communications related cybersecurity threats, the laws in Tanzania are very clear and elaborate to the extent that there are prescribed legal and institutional mechanisms as pointed out in the above discussion. Sincerely speaking, EPOCA is the first piece of legislation to introduce cybercrime in Tanzania. 3. The Cybercrime Act, 2015 On 1 April 2015, the Parliament of Tanzania passed the Cybercrime Act. The same was assented to by the President on 25 April 2015. The Act became operational on 1 September 2015 after its gazettement by the responsible Minister through the Government Notice No. 328 of 2015. It is after enactment and coming into force of the Cybercrime Act, that one can confidently say that the war against cybercrime was officially waged in Tanzania. In terms of the objectives of the Cybercrime Act, the Government Notice No. 8 of 20 February 2015 which gazetted the Cybercrime Bill, states that the Bill is proposed to be enacted into law to cater for offences related to computer systems and ICT; and to cater for matters related to investigation, collection, and use of electronic evidence.731 The general picture of the Cybercrime Act is that it contains seven parts, namely preliminary provisions (Part I); offences and penalties (Part II); jurisdiction (Part II); enforcement provisions (Part IV); liability of service providers (Part V); general provisions (Part VI); and consequential amendments (Part VII). To begin with, part II which basically creates offences, one will 730  See regulation 8 of the Electronic and Postal Communications (Computer Emergency Response Team) Regulations, GN. No. 419 of 2011. 731  See page 27 of the Government Notice No. 8 of 20 February 2015.

158

Chap. 5: Preventing and Combating Cybercrime in East Africa

note that the Act establishes a total number of twenty four different offences. Some of the offences so established match the categories of cybercrime as contained in the Budapest Convention which includes computer data and systems offences, computer related offences, content related offences, intellectual property infringement offences, and so forth. In the category of computer data and systems offences, the Cybercrime Act criminalizes illegal access, illegal interception, illegal data interference, illegal system interference and misuse of devices in a similar manner as the Budapest Convention.732 On the same category, the Cybercrime Act provides for two more offences as opposed to the Budapest Convention, namely illegal remaining and data espionage. The offence of illegal remaining refers to the situation where a person was lawfully allowed access to a computer system, but intentionally and unlawfully, remains in a computer system after the expiration of time one was allowed access to the computer system.733 Furthermore, data espionage according to the Cybercrime Act happens when a person obtains computer data protected against unauthorized access without permission.734 Another category of offences in the Act which is similar to the Budapest Convention is that of computer related offences. This category covers only two offences, namely computer-related forgery and computer-related fraud.735 In addition to the above, there is another category of content related offences whereas there is a big divergence between the Act and the Budapest Convention. While the Convention provides for child pornography as the only content-related offence, the Act provides for eleven different offences in this group.736 The additional offences found in the Act are publication of pornographic or obscene materials as opposed to only child pornography under the Convention, identity-related crimes, publication of false information, racist and xenophobic material, racist and xenophobic motivated insult, genocide and crimes against humanity, unsolicited messages, disclosure of details of investigation, obstruction of investigation, and cyber bullying.737 However, the Act does not provide for a definition as to what amounts to pornography or obscene information. It is further important to point out that the offences 732  See sections 4, 6, 7, 9, and 10 of the Cybercrime Act, 2015; and compare with articles 2–6 of the Budapest Convention on Cybercrime, 2001. 733  See section 5 of the Cybercrime Act, 2015. 734  See section 8 of the Cybercrime Act, 2015. 735  See sections 11 and 12 of the Cybercrime Act, 2015; and compare with articles 7 and 8 of the Budapest Convention on Cybercrime, 2001. 736  See sections 13–23 of the Cybercrime Act, 2015; and compare with article 9 of the Budapest Convention on Cybercrime, 2001. 737  See sections 13–23 of the Cybercrime Act, 2015.



E. Individual Countries’ Cyberspace Frameworks159

such as racist and xenophobic material, racist and xenophobic motivated insult, and genocide and crimes against humanity have been similarly captured in the Act as in the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003.738 Furthermore, intellectual property offences are covered in the Cybercrime Act in a similar manner as the Cybercrime Convention.739 Apart from intellectual property offences, the Act treats as principal offenders, persons who counsel, aid or abet in the commission of any offence under the Act, and it contains provisions on attempts. Here again, the Act does not differ with the Budapest Convention.740 However, the Act further provides for conspiracy to commit any offence as a separate offence, while the Convention does not cover conspiracies.741 In addition to the above, the Act introduces a new array of offences relating to critical information infrastructure. First of all, the Act allows the Minister Responsible for Information and Communication Technology to designate a certain computer system as critical information infrastructure.742 And now once such a computer system is so designated, any person who commits an offence in relation to such a computer system is said to commit an offence relating to critical information infrastructure.743 Since the offences so created by the Cybercrime Act are many and it is not possible to discuss them all in details, two critical ones are further considered here for an in depth analysis. The reasons for selection of these two offences are mainly two. One is the inconsistency in the conception of offences that exists between the Cybercrime Act and other regional and international cybercrime instruments. Two is the perception of the members of the public, and human rights and democracy advocates on the same. To begin with, the offence of publication of pornographic or obscene materials,744 the Cybercrime Act seems to have gone too far on this offence compared to other regional and international cybercrime instruments. While 738  See sections 17–19 of the Cybercrime Act, 2015; and compare with articles 4–6 of the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003. 739  See section 24 of the Cybercrime Act, 2015; and compare with article 10 of the Budapest Convention on Cybercrime, 2001. 740  See sections 25 and 26 of the Cybercrime Act, 2015; and compare with article 11 of the Budapest Convention on Cybercrime, 2001. 741  See section 27 of the Cybercrime Act, 2015. 742  See section 28 of the Cybercrime Act, 2015. 743  See section 28 of the Cybercrime Act, 2015. 744  See section 14 of the Cybercrime Act, 2015.

160

Chap. 5: Preventing and Combating Cybercrime in East Africa

other international legal instruments prohibit only child pornographic materials, the Act goes beyond those limits by making publication of any such materials to amount to an offence on top of child pornography. For example, the EAC Legal Framework for Cyberlaws proposes dealing in child pornographic materials to be criminalized, but the Act criminalizes even adult pornographic materials. This is perceived by the public to be unnecessarily very harsh and it denies the adults the right to choose the type of information and contents they want or are interested in. While protection of children against such contents is critically important because children are defenseless and incapable of making appropriate decisions, but adults have the conscience to choose what type of information or material are fit for them.745 Much as the Cybercrime Act was seriously needed to deal with criminality on cyberspace, provisions like these are bringing the sense of the Parliament to have over-criminalized some acts and omissions, and a deliberate denial of freedom to choose. Furthermore, the way the word “publish” has been defined under the Act seems to cover any type of sharing of information from one person to another. So, one may correctly say that even exchanging pornographic or obscene materials between two adult individuals at their own consent would amount to the prohibited publishing, hence liable for the offence.746 Another offence that has attracted public scrutiny is that of publication of false information under the Cybercrime Act.747 This type of offence does not feature anywhere in the Budapest Convention nor in the regional framework. Tanzania has been strongly criticized on this type of offence and the Cybercrime Act generally as it seems to have been purposely enacted to undermine freedom of expression in the country.748 The critics against the Act did not end up with media and among academics and analysts, but even a constitu745  A similar situation on what contents should be allowed to the public was a question of controversy in the case of Reno vs. American Civil Liberties Union, 521 U.S. 844 (1997) whereas the American Communications Decency Act, 1996 was challenged successfully in the Supreme Court for being unconstitutional as the blanket restriction on contents was unjustifiable. 746  For the broad definition of the word “publish” see section 3 of the Cybercrime Act, 2015. 747  See section 14 of the Cybercrime Act, 2015. 748  On 28 March 2016, the Board of Directors of the Millennium Challenge Corporation (MCC) issued a statement to suspend partnership with Tanzania for allegedly, among others, the Cybercrime Act’s enforcement undermines freedom of expression which is contrary to the ideology and commitment of MCC. As a result of this suspension, Tanzania lost sponsorship from MCC of multi-million dollars project. For another critic see: Marari, Tanzania’s Cybercrimes Law and the Threat to Freedom of Expression and Information. Further see: Marere, The Cybercrimes Act, 2015: A Weed in the Garden of Freedom of Expression in Tanzania.



E. Individual Countries’ Cyberspace Frameworks161

tional petition was preferred to challenge the constitutionality of some provisions of this Act. The Petitioner, Jebra Kambole, filed his petition to the High Court of Tanzania challenging sections 4, 5, 6, 7, 8, 9, 10, 11, 14, 19, 21, 22, 31, 32, 33, 34, 35, 37, 38 and 50 of the Act for being unconstitutional.749 However, the court in its decision, agreed with the Petitioner that only section 50 of the Cybercrime Act which gives power to the Director of Public Prosecution (DPP) to compound offences, was unconstitutional for infringing the right to be heard and to appeal. Furthermore, the presence of the offence of publication of false information in the Act has been related to the timing and the way the Cybercrime Act was passed in the Parliament. It is said that the Act was forcefully passed at night and at the alarming speed in 2015 (the year when the general election was held) so as to shut-up the public from criticizing the Government using online forums for fear of being prosecuted.750 In fact, of all the provisions of the Cybercrime Act, section 16 which establishes the offence of publication of false information seems to be the most notorious and stringent provision. Even in the Field Assessment Report of Policing in the 2015 General Elections which is published on the website of the Tanzania Police Force, it shows that there are a number of complaints from the public on section 16 of the Act together with its enforcement.751 It is further reported that within two months of coming into force of the Act, ten individuals (social networks users) were arraigned in court for allegedly contravening the piece of legislation.752 These cases are ongoing at different stages and courts in the country, and for the convictions to be obtained, the prosecution is required under the law to prove their cases beyond reasonable doubt.753 Another area of the Cybercrime Act which deserves scrutinizing is the issue of punishments for the offences so established. The Act provides for excessively heavy punishments even for offences which would otherwise attract moderate punishments. For example, publication of pornographic materials (not child pornography) is punishable by either fine of between twenty to thirty million Tanzanian Shilling (approximately USD 8,950 to 13,400), or imprisonment of not less than seven and the maximum of ten years, or both 749  Jebra Kambole vs. Attorney General, Miscellaneous Civil Cause No. 32 of 2015, High Court of Tanzania (Main Registry) at Dar es Salaam (Unreported). 750  Sperber, Tanzania’s New Information Laws Draw Fire from Critics. Further see: The Collaboration on International ICT Policy for East and Southern Africa (CIPESA), p. 14. 751  The Hanns Seidel Foundation, Assessment of the Policing of the 2015 Tanzanian Elections Field Assessment Report. 752  Small Media, p. 32. 753  See section 114(1) of the Evidence Act, Chap. 6 R.E. 2002.

162

Chap. 5: Preventing and Combating Cybercrime in East Africa

fine and imprisonment.754 On the offence of publication of false information, the punishment is a fine of not less than five million shillings (approximately USD 2,250) or to imprisonment for a term of not less than three years or to both.755 Based on the above examples, it suffices to say that the penalties under the Act are excessively and disproportionately punitive and they fail the test of proportionality as enshrined in the Budapest Convention.756 However, a commendable approach regarding punishments in the Act is that it allows the court to order compensation to be paid to the victim of the offence for the loss occasioned by the commission of an offence.757 Jurisdiction is an important aspect in cyberspace. The Cybercrime Act caters too for jurisdiction and related matters. The provisions of the Act on jurisdiction are jealously expansive. The Act claims jurisdiction over offences committed within Tanzania, on a ship or aircraft registered in Tanzania, by a national of Tanzania, by any person regardless of his nationality or location if committed using a computer, device or data located in Tanzania or the intended victim is in Tanzania.758 Furthermore, on enforcement measures the Act allows searches, seizures disclosure of data, use of forensic tools and so forth to be applied which is more or less the same as the provisions of the Cybercrime Convention.759 Finally, the Act conferred the DPP with the power to compound offences at any time before the verdict of the court is pronounced, but with the consent of the accused person and the penalty so imposed was not appealable.760 However, through the Jebra’s constitutional petition cited above, the court struck out the provision for being unconstitutional and directed the Government to make necessary amendments within twelve months from the date of the judgment (2 December 2016). Having looked at the policies and laws, below is a discussion on institutions. 4. Tanzania Communications Regulatory Authority The Tanzania Communications Regulatory Authority (TCRA) is a semiautonomous Government Authority charged with overseeing the Communi754  See section 14(2) of the Cybercrime Act, 2015. For further discussion on the severity of punishments see: The Collaboration on International ICT Policy for East and Southern Africa (CIPESA), p. 14. 755  See section 16 of the Cybercrime Act, 2015. 756  See article 13 of the Budapest Convention on Cybercrime, 2001. 757  See sections 13(3), 24(2)(b) and 48(2) of the Cybercrime Act, 2015. 758  See section 30 of the Cybercrime Act, 2015. 759  See sections 31–38 of the Cybercrime Act, 2015; and compare with articles 19–21 of the Budapest Convention on Cybercrime, 2001. 760  See section 50 of the Cybercrime Act, 2015.



E. Individual Countries’ Cyberspace Frameworks163

cations and Broadcasting sectors in Tanzania.761 The TCRA is a creature of a statute, the Tanzania Communications Regulatory Act No.12 of 2003.762 Basically, the core functions of TCRA are to regulate electronic communications and postal services, and manage the national frequency spectrum in Tanzania.763 The Authority officially started to operate on 1 November 2003 as a successor of the then Tanzania Communications Commission (TTC) and Tanzania Broadcasting Commission (TBC).764 Furthermore, the Authority envisions, among others, a secure cyberspace by promoting environmentally friendly services to consumers. In terms of relevant functions of TCRA in preventing and combating cybercrime in Tanzania, one will note that the Authority is firstly charged with licensing, regulating and monitoring the provision of communications services in the country.765 In so doing, TCRA enforces, among others, the Electronic and Postal Communications Act which provides for different mechanisms of ensuring security in cyberspace.766 It is evident that TCRA as a communication watchdog is the number one player in preventing and combating cybercrime, both in terms of its legal mandate as described above, and also in practice. For example, in part. E.I. of chapter 5 above, it has been shown that the law establishes CERT to coordinate response to cyber security incidents,767 and it has actually been established under the auspices of TCRA. This is just one typical example of anti-cybercrime efforts employed by TCRA. Also, following the recent “WannaCry” malware attack which had global effects, on 13 May 2017, TCRA and the National CERT issued an alert on what steps the public should take to avoid falling victims of the attack. Furthermore, TCRA cooperates with other public and private institutions (Police, communications service providers) in the investigation of cybercrime incidents and so forth. 5. Tanzania Cybercrime Unit The Cybercrime Unit is a section in the Tanzania Police Force composed of police officers specialized in cybercrime investigations. The Tanzania Po761  Tanzania

Communications Regulatory Authority, TCRA Profile. section 4 of the Tanzania Communications Regulatory Act No.12 of 2003. 763  Tanzania Communications Regulatory Authority, TCRA Profile. 764  Tanzania Communications Regulatory Authority, TCRA Profile. 765  See sections 5 and 6 of the Tanzania Communications Regulatory Act No.12 of 2003. 766  For the mandate of TCRA to enforce EPOCA, see sections 114 and 115 of the Electronic and Postal Communications Act, 2010. 767  See section 124(3) of the Electronic and Postal Communications Act, 2010. 762  See

164

Chap. 5: Preventing and Combating Cybercrime in East Africa

lice Force is established in accordance with the law to deal with the preservation of peace, maintenance of law and order, prevention and detection of crime, apprehension and guarding of offenders and protection of property, and performance of other similar duties.768 Simply stated, the Police Force is there to enforce criminal law. So, cybercrime being part of criminal law, it falls well within the mandate of the Police Force. Now, the Cybercrime Unit being one of the sections of the Police Force, deals with the investigation of cybercrime incidences under the coordination of the office of the Director of Public Prosecution (DPP).769 So, the role played by the Cybercrime Unit in the fight against cybercrime in Tanzania is that of conducting investigations of cybercrimes and gather evidence which will facilitate prosecution of the perpetrators by the DPP. Basically, the contribution of the Unit in the dispensation of criminal justice is critically important. In terms of history, the Cybercrime Unit was established in 2007 at the headquarters of the Police Force in Dar es Salaam.770 Subsequently, operations were launched in other five pilot regions, and as of now, the Unit is operating almost in all regions countrywide. After having analysed cybercrime polices, laws and institutions in Tanzania, it the time now to look at similar developments in Kenya. Below is the detailed discussion on anti-cybercrime efforts in Kenya. II. Cybercrime Policies, Laws and Institutions in Kenya Kenya is said to be the strongest economy in the East African region. It is further said that as of 2013, ICTs contributed to 12.1 % of Kenya’s GDP.771 As pointed out in chapter 5 part. A. above, the records show that Kenya is the country with the most cybercrime incidences in the East African region. Online bank frauds, mobile money frauds, and denial of service attacks are among the common cyber offences committed in Kenya.772 However, there have been efforts at different levels to address cyberspace criminality in Kenya. For example, for quite some time now, Kenya has been closely working with Interpol on different anti-cybercrime campaigns.773 Below is an in depth examination of policies, laws, and institutions on cybercrime in Kenya. 768  See sections 3 and 5 of the Police Force and Auxiliary Services Act, Chap. 322, RE 2002. 769  Section 16 of the National Prosecutions Service Act, 2008 designates the DPP as the coordinator of all criminal investigations in Tanzania. 770  Mwiburi, pp. 80–81. 771  Gagliardone / Sambuli, p. 3. 772  Murungi, p. 210. 773  Murungi, p. 211.



E. Individual Countries’ Cyberspace Frameworks165

1. National Information and Communications Technology Policy, 2006 In February 2003, a formal process of making the National Information and Communications Technology Policy, 2006 started in Kenya with the then newly elected Government of President Mwai Kibaki.774 The said National ICT Policy of Kenya envisions a prosperous ICT-driven Kenyan society. The Government through the Policy clearly utters its commitment to improving the livelihoods of people by creating the environment that will guarantee the availability of accessible, resourceful, reliable and reasonably priced ICT services.775 Furthermore, the Policy states that through developments in ICT, among others, economic development, poverty alleviation, and promotion of social justice and equity can be achieved.776 Also, the Policy is said to be founded on four guiding principles, namely infrastructure development, human resource development, stakeholder participation, and appropriate policy and regulatory framework.777 Among the four guiding principles as stated above, this work concentrates mainly on the appropriate policy and regulatory framework, specifically cyberspace regulatory framework. On ICT regulation framework, the Policy clearly states that despite the presence of some pieces of legislation on science and technology, broadcasting and communications, there is a gap to be addressed in terms of dealing with issues pertaining to convergence, e-commerce, and e-Government.778 Furthermore, the Policy categorically states that a wide-ranging policy, legal and regulatory framework is required to cater for, inter alia, privacy, e-security, ICT legislation, cybercrimes, ethical and moral conduct, copyrights, intellectual property rights and piracy.779 The issues and gaps identified by the Policy on e-security and cybercrime, in particular, were subsequently addressed by amending the then Kenya Communications Act, 1998 through the Kenya Communications (Amendment) Act, 2009. It is alleged that the delay in implementing the Kenya ICT Policy was caused by the political crisis in 2007 which led to the post-elections violence.780

774  Bowman,

p. 98. of Information 776  Ministry of Information 777  Ministry of Information 778  Ministry of Information 779  Ministry of Information 780  Bowman, pp. 89–90. 775  Ministry

and and and and and

Communications Communications Communications Communications Communications

(Kenya), (Kenya), (Kenya), (Kenya), (Kenya),

p. 1. p. 2. p. 2. p. 4. pp. 4, 7 and 9.

166

Chap. 5: Preventing and Combating Cybercrime in East Africa

2. The Kenya Information and Communications Act, 1998 Before the year 2009, Kenya had no law with express provisions on cybercrime. The then Kenya Communications Act, 1998 had created some offences which could be seen as cyber offences, however, their scope was solely limited to improper and / or fraudulent use of telecommunications infrastructures.781 The Kenya Communications (Amendment) Act, 2009 which was operationalized effectively from 2 January 2009 made major changes to the 1998 Act by, inter alia, introducing a number of cyber offences. Apart from the new array of offences so introduced by the amendment, the name of the Act was also changed from the Kenya Communications Act to the Kenya Information and Communications Act.782 This change was necessary to reflect the element of information which is an important component of modern communications technologies. Basically, the Kenya Communications (Amendment) Act, 2009 introduced Part VIA to the Kenya Communications Act, 1998, which deals with electronic transactions. In fact, this new part recognizes electronic transaction and records, and it also provides for cybercrime. Now, looking at the cyber offences in the Act by categorizing them as per the Cybercrime Convention, one will note that in the offences against confidentiality, integrity, and availability of computer data and systems, the Kenya Communications (Amendment) Act, 2009 establishes ten different offences. These offences are unauthorized access to computer data; access with intent to commit offences; unauthorized access to and interception of computer service; unauthorized modification of computer material; damaging or denying access to computer system; unauthorized disclosure of password; unlawful possession of devices and data; unauthorized access to protected systems; re-programming of mobile telephone; and possession or supply of anything for reprogramming mobile telephone.783 On computer related offences, the Kenya Communications (Amendment) Act, 2009 criminalizes electronic fraud and tampering with computer source documents.784 Furthermore, the Act introduces publishing of obscene information in electronic form and publication for fraudulent purpose as the only content related offences. Publication for fraudulent purpose is defined under the Act to mean knowingly creating, publishing or making available an elec781  See

sections 28–34 of the then Kenya Communications Act, 1998. section 3 of the Kenya Communications (Amendment) Act, 2009. 783  See sections 83U–84A, and 84F-84H of the Kenya Communications (Amendment) Act, 2009. 784  See sections 84B and 84C of the Kenya Communications (Amendment) Act, 2009. 782  See



E. Individual Countries’ Cyberspace Frameworks167

tronic signature certificate for any fraudulent or unlawful purpose.785 The Act on content related offences does not cover child pornography specifically, but it just prohibits publication of obscene information. The Act does not provide for copyright-related offences as provided in the Cybercrime Convention. In December 2013, further amendments to the Kenya Information and Communications Act, 1998 were made through the Kenya Information and Communications (Amendment) Act, 2013. The 2013 amendments became effective on 2 January 2014. These amendments have little to do with cybercrimes because there are quite a few improvements on the anti-cybercrime regime. Among the new things brought by the 2013 amendments include the compulsory registration of SIM cards and contravention of the same amounts to an offence; and the offence of alteration, deletion, suppression, etc. of the telecommunication system.786 Sincerely speaking, the current cybercrime regime in Kenya is not robust enough to address the challenge of criminality in cyberspace. It becomes challenging to prevent and fight cybercrimes in Kenya because, among other reasons, the scope of offences created under the Kenya Information and Communications Act, 1998 together with its amendments of 2009 and 2013 do not clearly and aggressively capture the problem of criminality in cyberspace. The offences are narrowly created to the extent that are based on ICT and their related infrastructures rather than cybercrimes in their wider sense. Kenya lacks a proper cybercrime regime and it is in the process of enacting a cybercrime statute. The current regime provides for what are known as communications offences which are just a small portion of a wider cybercrime phenomenon. Actually, what is provided in the Kenya Information and Communications Act is relatively similar to the provisions of the Electronic and Postal Communications Act of Tanzania which is not a core piece of legislation on cybercrime, rather on communications generally. The provisions of the Kenya Information and Communications Act cater more suitably for communications regulatory functions than of a solid anti-cybercrime regime. The weakness of Kenya’s anti-cybercrime regime can also be demonstrated by a recent incident whereas 76 Chinese and one Thai national were arrested for alleged possession of illegal ICT equipment aimed to be used to fraudulently obtain money from bank systems and mobile money networks.787 It is said that following this incidence, the Chinese Government requested for the extradition of the suspects because China has a more aggressive re785  See

section 84E of the Kenya Communications (Amendment) Act, 2009. sections 12 and 26 of the Kenya Information and Communications (Amendment) Act, 2013. 787  Gagliardone and Sambuli, p. 3. 786  See

168

Chap. 5: Preventing and Combating Cybercrime in East Africa

gime in investigation and prosecution of cybercrime while the Kenyan was seemingly thought to be very weak.788 Also, the Kenya Information and Communications Act, 1998 as amended does not provide for other matters relevant to preventing and combating cybercrime such as the big questions of jurisdiction, investigation and international cooperation. These three law enforcement aspects are very important and critical to be spelt out clearly in a cybercrime statute. Because of the increased cyberattacks and loopholes in the law as identified above, the Government of Kenya adopted the Cybersecurity Strategy of 2014 which is analysed hereunder. Also, in 2016 the Computer and Cybercrimes Bill was approved by the Cabinet, and it is currently going through the legislative processes and procedures before it becomes effective.789 3. The National Cybersecurity Strategy, 2014 The National Cybersecurity Strategy, 2014 is yet another effort by the Government of Kenya to demonstrate its direction and commitment towards combating and fighting cybercrime. The Strategy is aligned with the Kenya’s 2030 vision which is to create a globally competitive and prosperous nation with a high quality of life.790 The Strategy is meant to define the Government of Kenya’s cybersecurity vision, objectives, and commitment to ICT developments and protection of critical information infrastructures.791 In terms of the goals, the Strategy points out four goals, namely enhancing the national cybersecurity; building national capability through awareness raising among the people; encouraging information sharing and collaboration among stakeholders; and providing cybersecurity leadership through setting out common vision, goals, and objectives.792 In furtherance of the third goal, as stated above, the Strategy further states that the Government of Kenya intends to enact the necessary laws, regulations, and policies to secure cyberspace in Kenya.793 It is based on these commitments in the Strategy that the 788  Gagliardone / Sambuli, p. 3. On the strength of the Kenyan anti-cybercrime regime see: Council of Europe / Project Cybercrime@Octopus, pp. 5–8. 789  Rwakenya, Kenya Set to Pass Cyber-crime Bill as East Africa Seeks Legal Harmony. 790  Ministry of Information, Communications and Technology, National Cybersecurity Strategy, p. 5. 791  Ministry of Information, Communications and Technology, National Cybersecurity Strategy, p. 1. 792  Ministry of Information, Communications and Technology, National Cybersecurity Strategy, p. 5. 793  Ministry of Information, Communications and Technology, National Cybersecurity Strategy, p. 8.



E. Individual Countries’ Cyberspace Frameworks169

Government of Kenya approved the Computer and Cybercrimes Bill, 2016 which is still in the enactment processes. After having explored different policy and legislative measures on cybercrime in Kenya, it is now the right time to look at different institutions and their contributions in anti-cybercrime campaigns. 4. The Communications Authority of Kenya The Communications Authority of Kenya is a successor of the Communications Commission of Kenya (CCK) which was established in 1999 under the Kenya Communications Act, 1998.794 When firstly established, the CCK was mainly mandated to licence and regulate telecommunications, radio communication, and postal services.795 Following the 2009 amendments to the Kenya Communications Act, 1998, the object and purpose of CKK were also slightly extended to include licensing and regulating information and communication services.796 In these amendments, the word “information” was added to the CKK’s mandate. Furthermore, in the 2013 amendments, CCK was renamed to Communications Authority of Kenya (CAK).797 Today the Communications Authority of Kenya works as an independent communications regulator in Kenya and is directly overseeing, among others, licensing of communications services providers, championing the development of e-commerce, managing competition among licencees, and protection of consumers and their rights.798 It is important to note that the obligation to protect consumers and their rights extends to making sure that they are safe from cyber-attacks. Moreover, in so far as combating and fighting cybercrime is concerned, the Communications Authority of Kenya is a very important player as it manages the Kenya National Computer Incident Response Team Coordination Centre (KE-CIRT / CC).799 As the name suggests, the centre basically deals with offering cybersecurity advice and coordination of responses against cyber-attacks. These are very important roles in so far as dealing with the challenge of cybersecurity is concerned.

794  Bowman,

p. 95. section 5 of the then Kenya Communications Act, 1998. 796  See section 5 of the Kenya Communications (Amendment) Act, 2009. 797  See sections 2 and 3 of the Kenya Information and Communications (Amendment) Act, 2013. 798  Communications Authority of Kenya, What We Do. 799  Gagliardone / Sambuli, p. 3. 795  See

170

Chap. 5: Preventing and Combating Cybercrime in East Africa

5. Kenya Cybercrime Unit This is a Unit established in 2016 in the Criminal Investigation Department (CID) of the Kenya Police Service. The Unit was established following a special training attended by police officers from all 47 counties and at least six prosecutors.800 The roles played by the Unit are investigative in nature which include forensic examination of electronic devices; maintenance of lab processes of acquisition, archival and analysis; maintenance of digital evidence; analysis of deleted and active files; location and analysis of data; recovery of deleted or encrypted data, internet sites; and adducing expert forensic evidence in court.801 Based on the above, it is evident that the Unit provides important support in dispensation of criminal justice in the country. III. Cybercrime Policies, Laws and Institutions in Uganda As it is the case with Tanzania and Kenya, Uganda has also fallen victim of cybercrime incidences in a number of times. It has been indicated above that in 2016 alone the cost of cybercrime in Uganda was USD 35 million. This is a clear message that cybersecurity in Uganda is also an issue. Against the above, there have been efforts at different levels in Uganda to contain criminality in cyberspace. This part of the book is an attempt to analyse and examine the current legal and institutional framework in terms of policies, laws, and institutions pertaining to prevention and combating cybercrime in Uganda. 1. The National Information and Communications Technology Policy for Uganda, 2014 The National ICT Policy for Uganda, 2014 is an upgrade of the National Information and Communication Technology Policy, 2003.802 The Government of Uganda adopted for the first time an ICT related policy in 2003. The Policy was adopted not only as a way of coping with the technological advancements that were taking place globally, but also inspiring Ugandans to actively take part in the socio-economic, political developmental activities, with an ultimate view of improving living standards of the people of Ugan800  Kimani, O., Kenya to Set up Anti-Cybercrime Police Unit. Also, see: Kenya Broadcasting Corporation, Kenya to Set up an Anti-Cyber Crime Police Unit. 801  Directorate of Criminal Investigation, Cybercrime. 802  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, p. 4.



E. Individual Countries’ Cyberspace Frameworks171

da.803 It appears that by the time when the ICT Policy (2003) was passed, cybersecurity was not an issue in Uganda, for the Policy just partially addresses matters pertaining to security. As pointed out above, the National ICT Policy (2014) overhauled the 2003 Policy by equipping it with the necessary updates that have taken cognizance of the new developments and challenges in the ICT sector.804 The Policy (2014) envisions Uganda as a knowledge society where ICT is central in all spheres of life.805 In terms of the role of ICT in development, the Policy (2014) openly acknowledges the link between ICT and human development. Furthermore, the Government of Uganda, through the Policy, believes that ICT has a vital role to play in realizing its vision 2040 which is “a transformed Ugandan society from a peasant to a modern and prosperous country within 30 years”.806 Specifically on cybersecurity, the Policy (2014) contains a chapter termed as cross-cutting policy areas. The chapter, among others, emphasizes and mirrors cybersecurity issues in two ways: one as a component in the legal and regulatory framework sub-topic; and two as a sub-topic on information security.807 On the legal and regulatory framework, the Policy (2014), inter alia, spots the need to revisit the current legal framework so as to address the complexities of cybercrime and other information security related matters.808 Furthermore, in relation to the information security, the Policy (2014) envisages a number of strategies which are clearly anti-cybercrime ones. These strategies, among others, include ensuring security of the nation’s critical information infrastructure; preventing, detecting and responding to cybercrime and misuse of ICT; contributing in fighting crimes with international character such as pornography, fraud, money laundering, drug trafficking and terrorism; ensuring inter-sectoral coordination in cybersecurity matters; developing security policies, standards and procedures; implementing ICT Se803  Ministry of Works, Housing and Communications (Uganda), National Information and Communication Technology Policy, pp. 1–2. 804  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, pp. 4–5. 805  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, p. 15. 806  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, pp. 11–12. 807  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, pp. 28–31. 808  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, p. 28.

172

Chap. 5: Preventing and Combating Cybercrime in East Africa

curity awareness programmes; and using ICTs to improve the management, operation and administration of security matters.809 Based on the above strategies envisaged by the Policy (2014) on cybersecurity, one may correctly say that the policy articulations, if fully implemented will constitute a sound anti-cybercrime policy framework in Uganda. However, according to the Cybersecurity Capacity Review of the Republic of Uganda done by the Global Cyber Security Capacity Centre in 2016, it appears that there are challenges in implementing the ICT Policy (2014) in Uganda and the main one is the lack of coordination among the responsible institutions.810 The challenge is said to impede the full realization of the policy objectives. 2. National Information Security Strategy, 2011 Apart from the general ICT Policy, Uganda also has the National Information Security Strategy, 2011 (the NISS or the Strategy). The Strategy contains more precise articulations on how the Government of Uganda intends to deal with security issues on cyberspace and security of information generally. The Strategy generally defines information security and set out the objectives and the guiding principles in the implementation of the articulations stated therein.811 It further analyzes the then information security situation, provides for the strategy framework, and finally covers the operationalization of the strategy itself.812 Based on its vision, mission, objectives and the guiding principles, the NISS, therefore, presents itself as a strategic guideline for the synchronization of all efforts, at national and international levels, and the provider of direction in dealing with information security issues for the benefit of the people of Uganda.813 It is also worth mentioning that the NISS was prepared while fully cognizant of the efforts and measures taken in other jurisdictions to enhance information security. The Ugandan NISS cites examples, in terms of legal and administrative frameworks on information security, adopted by other countries such as Mauritius, Malaysia, India, and the United Arab Emirates 809  Ministry of Information and Communications Technology (Uganda), National Information and Communications Technology Policy for Uganda, pp. 30–31. 810  The Global Cyber Security Capacity Centre, pp. 8–11. 811  Ministry of Information and Communications Technology (Uganda), National Information Security Strategy, pp. 6–10. 812  Ministry of Information and Communications Technology (Uganda), National Information Security Strategy, pp. 11–54. 813  See: Ministry of Information and Communications Technology (Uganda), National Information Security Strategy, pp. 8–10.



E. Individual Countries’ Cyberspace Frameworks173

(UAE).814 Further to the foregoing, among others, the NISS recognizes the presence of specific laws on cybersecurity, but records the need to toughen the said laws by providing the necessary supporting standards. The said standards envisage presence of specifically designated institutions that will mandatorily carry out cybersecurity due diligence; creation of a framework for the nation’s critical internet resources; and spearheading more legislation in information protection, copyright laws, privacy laws and so forth.815 Together with the good pronouncements contained in the NISS as elucidated above, the implementation of the Strategy has revealed a number of challenges that render the realization of the intended goals to be problematic. For example, it has been reported that the NISS does not provide specific cybersecurity actionable directives that reflect the national goals on the same, as a result, every institution has found itself having different list of incidents and priorities that do not meet in the end.816 Also, budgetary constraints that hinder effective implementation of the Strategy have been noted.817 3. The Computer Misuse Act, 2011 The Computer Misuse Act, 2011 is the core legislation in Uganda in so far as anti-cybercrime legal regime is concerned. It was passed by the Ugandan Parliament in 2010, assented to by the President on 1 November 2010, and published in the Uganda Gazette No. 10 Volume CIV on 14 February 2011. The Act is meant to cater for the safety and security on electronic platforms, and provides for provisions which prohibit unwarranted and illegal conduct and / or omissions in the electronic environment, with an ultimate goal of increasing confidence and reliability of electronic transactions among the users. The Computer Misuse Act is divided into five major parts, namely preliminary provisions, general provisions, investigations and procedures, computer misuse offences, and miscellaneous provisions. The preliminary provisions part (part I), basically covers two items: the commencement date of the Act, which is said to be the date that the Minister will determine, and interpretation of different terms used in the Act.818 Part II which relates to general provisions, describes extensively some terminologies which form the 814  See: Ministry of Information and Communications Technology (Uganda), National Information Security Strategy, pp. 11–15. 815  See: Ministry of Information and Communications Technology (Uganda), National Information Security Strategy, p. 32. 816  The Global Cyber Security Capacity Centre, pp. 8–9. 817  The Global Cyber Security Capacity Centre, pp. 8–11. 818  See sections 1 and 2 of the Computer Misuse Act, 2011.

174

Chap. 5: Preventing and Combating Cybercrime in East Africa

basis of the subsequent provisions that create offences. These terminologies are: securing access, using a program, authorised access, references, modification of contents, and unauthorized modification.819 Having an extensive description of the terminologies in the Act is a commendable approach because, although the said terminologies are very common in many cybercrime statutes, assigning them a specific scope of application is a praiseworthy step as it reduces the possibility of interpreting them vaguely in the enforcement of the law. Part III of the Computer Misuse Act provides for investigations and procedures. The provisions in this part generally govern three matters, namely empowering the court to issue a preservation order where data is vulnerable or susceptible to loss or modification; allowing the court to issue a disclosure of preservation order in respect of preserved data; and authorizing the court to issue a production order in the event the disclosure of data is necessary for criminal justice dispensation purposes.820 Given the fragility of electronic data and information, the powers entrusted with the courts and investigation officers in this part of the Act are necessary for effective investigation and prosecution of cybercrimes. However, if not carefully exercised, the powers can be adversely used to discourage innovativeness, and encroach upon people’s rights. For example, under the alleged auspices of the above powers, State organs can justify interference with privacy of data and individuals, internet freedoms, and freedom of speech. It is, therefore, important that the above powers are used cautiously and in consideration of what are known as conditions of safeguards as provided for in the Cybercrime Convention.821 Part IV is the most important one because it establishes different cyber offences which are under the scrutiny of this book. In so far as offences against the confidentiality, integrity and availability of computer data and systems are concerned, the Ugandan Computer Misuse Act outlaws unauthorized access, denial of service to legitimate users, data interference, system interference, illegal interception, misuse of devices, and unauthorized modification of computer material.822 Other offences in this same category include unauthorized use or interception of computer service, unauthorized obstruction of use of computer, unauthorized disclosure of access code, and unauthorized disclosure of information.823

819  See

sections 3–8 of the Computer Misuse Act, 2011. sections 9–11 of the Computer Misuse Act, 2011. 821  See article 15 of the Convention on Cybercrime, 2001. 822  See sections 12–14 of the Computer Misuse Act, 2011. 823  See sections 15–18 of the Computer Misuse Act, 2011. 820  See



E. Individual Countries’ Cyberspace Frameworks175

A general outlook of the Computer Misuse Act in this category of cyber offences suggests that the Act criminalizes some conduct and / or omissions in a more or less similar fashion as the Budapest Convention does. However, a critical examination of the same implies that there are unnecessary duplications of offences and it seems that the Parliament of Uganda has done more than what was required. For example, the Act makes it an offence for any person to interfere with data in a manner that causes the program or data to be modified, damaged, destroyed or rendered ineffective.824 At the same time, the Act under a different provision prohibits unauthorized modification of computer materials or contents.825 From the above example, one will note that the modification of data, materials or computer contents which is prohibited under section 14 of the Act is already an offence under section 12(2) of the same Act. Further to the above, the denial of service to legitimate users has been criminalized under section 12(5) of the Act, but again in a more or less similar manner duplicated under section 16 in the name of unauthorized obstruction of use of computer. In fact, for all intents and purposes, the two offences imply that the intended actus reus to be prohibited is interference with the computer or computer system to the extent of denying the legitimate user service or access of the said computer. This zeal could be achieved by the provisions of section 12(5) of the Act with just slight modifications instead of creating another duplicate offence using just a different wording. While the Budapest Convention contains two sets of offences (computer related forgery and computer related fraud) in the category of computer related offences, the Computer Misuse Act of Uganda has only one offence, namely electronic fraud. According to the Act, electronic fraud covers all forms of deception deliberately performed wholly or partly through a computer, which is calculated to give the perpetrator an unfair or unlawful gain.826 The above definition of electronic fraud is commendable for being comprehensive enough to accommodate most of the fraudulent transactions, both online and offline. The third category of cybercrimes according to the Budapest Convention is the content related offences. The Convention read together with its Additional Protocol on cybercrime, concerning the criminalization of acts of a racist and xenophobic nature committed through computer systems prohibit child pornography and related offences; dissemination of racist and xenophobic material through computer systems; racist and xenophobic motivated 824  See

section 12(2) of the Computer Misuse Act, 2011. section 14 of the Computer Misuse Act, 2011. 826  See section 19 of the Computer Misuse Act, 2011. 825  See

176

Chap. 5: Preventing and Combating Cybercrime in East Africa

threat; racist and xenophobic motivated insult; and denial, gross minimization, approval or justification of genocide or crimes against humanity. On the other hand, the Computer Misuse Act of Uganda prohibits child pornography in its widest context as per the Convention, plus making pornographic materials available to a child.827 It also worth mentioning that dealing in pornographic materials (including online and offline electronic publication) is an offence under the Anti-Pornography Act, 2014.828 The Computer Misuse Act further prohibits cyber harassment, offensive communication, and cyber stalking.829 The Budapest Convention does not contain the last three offenses mentioned above. However, by and large, the elements constituting cyber harassment and cyber stalking as depicted in the Act look more or less similar for in both offences harassment and threats are required. In reality, cyber harassment is committed when one uses ICT to harass, control, or manipulate another person without a credible or implied threat of harm, while cyberstalking is the use of ICT to stalk, control, manipulate, threaten or make unwanted advances towards another person.830 In cyberstalking credible threat is an important element of the crime. Before venturing further on sanctions corresponding to the offences established under the Computer Misuse Act, it is imperative to note that, whether by design or default, the Act is silent on copyright infringement offences and related rights. Copyright offences which are designated as category four in the Budapest Convention are completely not covered by the Computer Misuse Act. Considering the rapid developments in ICT which have increased capability of tempering with intellectual property rights, the Act is wanting in this area. Further to the foregoing, it is worth noting that like the Tanzania Cybercrime Act, the Computer Misuse Act allows the trial court to order compensation to be paid to the victim of an offence if there will be any loss suffered as a result of the offence.831 This is a commendable approach as the Act states that the order of the court for compensation is executable in a manner similar to the way civil case judgments are executed.832 The Budapest Convention is silent on compensation to victims of cybercrimes.

827  See

section 23 of the Computer Misuse Act, 2011. sections 13 and 14 of the Anti-Pornography Act, 2014. 829  See sections 23–26 of the Computer Misuse Act, 2011. 830  Brenner (2004), pp. 127, 130–131. Also, for further details and understanding of cyberstalking see: United States vs. Rose, 315 F.3d 965 (8th Cir. 2003). 831  See section 27 of the Computer Misuse Act, 2011. 832  See section 27 of the Computer Misuse Act, 2011. 828  See



E. Individual Countries’ Cyberspace Frameworks177

In regard to sanctions, it is noted that the sanctions prescribed under the Act for the offences established are very punitive compared to the gravity of the offences. Because the punishments under the Ugandan Computer Misuse Act seem to be exceptionally excessive compared to Kenya and Tanzania on similar offences, a further analysis of those punishments under the Ugandan regime is preferred hereunder. Detailed analysis for Kenya and Tanzania will be done in chapter 6 in a comparative manner. Table 4 (see p. 178) captures some of the offences under the Computer Misuse Act in order to vividly demonstrate their harshness. Although the Budapest Convention requires that the punishments for cybercrimes should be effective and dissuasive, it equally requires proportionality in the imposition of those sanctions.833 It is unbelievable under the Computer Misuse Act as analysed above to note that, a person who illegally access, modify, intercept, or obstruct a computer system or data used in connection with security, defence, or banking, etc., regardless of the gain obtained or loss occasioned, is liable on conviction to life imprisonment and there is no alternative punishment. Sincerely speaking, these types of punishments are excessively and disproportionately severe for they appear to be more revengeful than reformatory. Furthermore, Part V of the Computer Misuse Act covers miscellaneous matters such as search and seizure, admissibility of electronic evidence, territorial jurisdiction matters, courts with jurisdiction to try the offences established, and power of the Minister to amend currency points as provided in the schedule to the Act. In regard to search and seizure, the Act is more or less on the same footing with the Cybercrime Convention for the same are capable of being done with the order of the court.834 On territorial jurisdiction, the Computer Misuse Act widely claims jurisdiction in all offences committed by citizens and non-citizens of Uganda wherever they are at the time of commission of the offence, provided that the computer, program or data was in Uganda at that material time.835 However, in regard to jurisdiction, the Cybercrime Convention confers jurisdiction to a State if the offence is committed in its territory, or on board a ship or aircraft registered under the laws of that State, or by a national of that State wherever one is.836 Further to the above, below is a detailed discussion on the institutions in Uganda that are responsible to enforce cyberlaws.

833  See

article 13 of the Convention on Cybercrime, 2001. section 28 of the Computer Misuse Act, 2011, and compare with article 19 read together with article 15 of the Convention on Cybercrime, 2001. 835  See section 30 of the Computer Misuse Act, 2011. 836  See article 22 of the Convention on Cybercrime, 2001. 834  See

Description of the Offence

Unauthorized access

Access with intent to commit or facilitate the commission of a further offence

Unauthorized modification of computer material

Unauthorized use or interception of computer service

Unauthorized use or interception of computer service

Unauthorized use or interception of computer service

Unauthorized obstruction of use of computer

Unauthorized obstruction of use of computer

Provision of the Act

Section 12

Section 13

Section 14

Section 15

Section 15

Section 15

Section 16

Section 16

360

240

168

360

240

360

240

240

Currency Points837

7.2 million

4.8 million

3.4 million

7.2 million

4.8 million

7.2 million

4.8 million

4.8 million

Fine in UGX 838

2,000

1,333

 933

2,000

1,333

2,000

1,333

1,333

Fine in USD

15

10

 7

15

10

15

10

10

Imprisonment in Years

Applicable on a subsequent conviction

Applicable if damage is caused as a result of an offence

Applicable on a subsequent conviction

Remarks

Table 4 Sanctions Under the Computer Misuse Act, 2011 178 Chap. 5: Preventing and Combating Cybercrime in East Africa

Unauthorized disclosure of access code

Unauthorized disclosure of information

Electronic fraud

Enhanced punishment for offences involving protected computers under sections 12, 14, 15 or 16

Child pornography

Cyber harassment

Offensive communication

Cyber stalking

Section 17

Section 18

Section 19

Section 20

Section 23

Section 24

Section 25

Section 26

120

 24

 72

360

Not Applicable

360

240

360

240

0.7 million

0.5 million

1.4 million

7.2 million

Not Applicable

7.2 million

4.8 million

7.2 million

4.8 million

 667

 133

 400

2,000

Not Applicable

2,000

1,333

2,000

1,333

 5

 1

 3

15

Life imprisonment

15

10

15

10

Offensive communication is defined as willfully and repeatedly using electronic communication to disturb or attempts to disturb the peace, quiet or right of privacy of any person with no purpose of legitimate communication.

Protected computer is defined under the Act to mean a computer or program or data used in connection with security, defence, banking, public utilities, etc.

Applicable on a subsequent conviction

837  According to section 2 read together with the schedule to the Computer Misuse Act, 2011, one currency point is equivalent to twenty thousand Ugandan Shillings. 838  UGX is the symbol for Ugandan Shillings which is the official currency of Uganda.

Note: The above punishments can be imposed in alternative (i. e. fine or imprisonment, or both) and ar maximum sentences.

Unauthorized disclosure of access code

Section 17

E. Individual Countries’ Cyberspace Frameworks179

180

Chap. 5: Preventing and Combating Cybercrime in East Africa

4. The Uganda Communications Commission The Uganda Communications Commission (UCC) is established under the provisions of the Uganda Communications Act, 2013.839 The UCC was established as an independent regulatory body to, among others, license and oversee provision of services in the communications sector, specifically in the areas of telecommunications, broadcasting, radio communications, postal communications, and data communications.840 In terms of history, the Uganda Communications Act, 2013 fuses and harmonizes the then Uganda Communications Act, Chap. 106 and the then Electronic Media Act, Chap. 104 into one piece of legislation.841 As a result of the fusion, the then Uganda Communications Commission and the Broadcasting Council were dissolved and reconstituted as the UCC which is now the successor of then two bodies.842 The relevancy and significance of the UCC in preventing and combating cybercrimes in Uganda lies first on its general mandate as a licenser and overseer of communications services in the country. Secondly, one of the specific statutory functions of the UCC is to safeguard consumers of communication services.843 The above implies that in furtherance of its statutory objectives and obligations, the UCC is directly concerned with cybersecurity issues. For example, it is reported that one of the achievements of the UCC recorded in respect of its 2013 / 14–2017 / 18 Strategic Plan is the establishment of the CERT which will be providing cybersecurity advisory and technical services to consumers and other stakeholders in the telecommunications sector.844 The Uganda CERT, among others, provides security highlights, updates and alerts on technological developments taking place in the communications sector.845 Together with the presence of institutions such as the UCC in the EAC region, inadequate investment in modern technologies and budgetary constraints have always been obstacles towards full realization of the intended objectives, and Uganda is not an exception.

839  See 840  See

2013.

841  See

section 4 of the Uganda Communications Act, 2013. section 3 read together with section 8 of the Uganda Communications Act,

section 96 of the Uganda Communications Act, 2013. sections 87–91 of the Uganda Communications Act, 2013. 843  See section 5(1)(k) of the Uganda Communications Act, 2013. 844  Uganda Communications Commission, Strategic Plan, p. 17. 845  For example, see: Uganda Computer Emergency Response Team, Highlights and Updates. 842  See



E. Individual Countries’ Cyberspace Frameworks181

5. The National Information Technology Authority, Uganda The National Information Technology Authority, Uganda (NITA-U) is an Authority established under the provisions of the National Information Technology Authority Act, 2009.846 The Act designates the NITA-U as an autonomous Authority in-charge of Information Technology (IT) in Uganda. The mandate that the NITA-U is entrusted with, among others, include provision of IT services to the Government, regulating and enforcing IT standards, providing support to IT users and service providers, advising the Government on IT matters, coordinating and supervising utilizing of IT, creating and managing national databank, researching on IT, and protecting users and consumes of IT services.847 While the UCC deals with matters related to communications (telecommunications, postal, broadcasting, radio, and data), the NITAU deals specifically with matters related to information technology, IT security being one of them. To be specific, the Act defines information technology to mean the technical knowhow of collecting and using information or data with the aid of computer systems and their peripherals in the acquisition, storage, processing, management, transmission or reception of the same.848 In so fat as cybersecurity is concerned, and according to the provisions of the National Information Technology Authority Act, 2009, the National Information Policy, 2014, and the National Information Security Strategy, 2011, the NITA-U is mandated to define standards, conduct risk management, and enforce strategies for information security in Uganda. Among the specific tasks that the NITA-U is in-charge of is creating and managing a National Computer Emergency Response Team (IT-CERT) as opposed to Communications CERT which is under the UCC. The NITA-U, therefore, coordinates IT security strategies together with other institutions such as the Ministry of ICT, the UCC, the Directorate of Information Security (DIS), and other public and private entities. One of the notable efforts of NITA-U is preventing and combating cybercrime is the recent launching of the online portal for reporting child sexual abuse images and videos.849 However, smooth coordination of these different institutions has been reported as among the challenges hindering effective implementation of cybersecurity strategies in Uganda.850 846  See

section 3 of the National Information Technology Authority Act, 2009. sections 4–6 of the National Information Technology Authority Act, 2009. 848  See section 2 of the National Information Technology Authority Act, 2009. 849  PC Tech Magazine, NITA, IWF Launch Online Child Sexual Abuse Reporting Portal. 850  The Global Cyber Security Capacity Centre, p. 16. 847  See

182

Chap. 5: Preventing and Combating Cybercrime in East Africa

6. Uganda Cybercrime Unit As it is the case with Kenya and Tanzania, Uganda also established a Cybercrime Unit within the Police Force. The Unit is part and parcel of the Police Force. The Uganda Police Force exists in accordance with the provisions of the Constitution of the Republic of Uganda.851 The Force is entrusted, under the Constitution of Uganda, with the duties to protect life and property, keep law and order, prevent and detect crime, and cooperate with the public and other authorities and bodies.852 Again as it is in Kenya and Tanzania, the Cybercrime Unit provides investigative support to prosecution machinery through its trained personnel.853 On the other hand, there is a lot of criticism on the establishment of the Cybercrime Unit in Uganda. There are complaints that the mandate of the Unit is not very clear to the public and it is believed that the Unit was established to curtail people’s freedom of speech especially in relation to the 2016 general elections.854 Activists are questioning on the timing of the establishment of the Unit as it appears the hidden agenda behind its establishment is to abrogate Internet freedoms, freedom of speech, privacy of data, and threatening people from criticizing the Government in the year of elections.855 In short, the Unit is perceived to be more of a threat than a relief to individuals’ rights and freedoms.

F. Concluding Remarks Based on the analysis done in this book above, it is clearly evident that there are remarkable developments in the EAC region, in terms of penetration and application of ICTs. These developments have come with unacceptable tendencies which culminated into increased cybercrime incidents. This fact has resulted to the EAC region becoming one of the places where the cost of cybercrime is overwhelmingly high as indicated above. All these justify the necessity of conducting the study to evaluate the effectiveness and efficiency of the legal and institutional frameworks pertaining to prevention 851  See article 211 of the Constitution of the Republic of Uganda, 1995 (as amended from time to time). 852  See article 212 of the Constitution of the Republic of Uganda1995 (as amended from time to time). 853  The Global Cyber Security Capacity Centre, p. 15. 854  Bagala, Activists Cry Foul as Police Setup Cyber Crime Unit. Also, see: the Unwanted Witness – Uganda, Police Establishes Cybercrimes Unit to Curtail Online Freedoms. Further see: Slubambula, Powers of Uganda’s Cybercrime Unit Questioned. 855  Refer to the above footnote.



F. Concluding Remarks183

and combating cybercrime in the region at bloc and individual Member State’s levels. At the EAC level, it has been observed that there are ongoing efforts to harmonize and approximate cyberlaws in order to catalyze realization of the EAC’s goals and objectives. However, these efforts are not vigorous enough to fight cybercrimes, for there is the EAC Legal Framework for Cyberlaws whose legal status is not clear whether is a binding legal instrument, a policy, or regulations. Likewise, there are no legally established and mandated institutions at the EAC level to deal with cybercrime. This situation justify the conclusion that the EAC has not accorded cybercrime with the attention and seriousness it deserves. Fortunately, there are very clear provisions in the EAC Treaty that warrant harmonization of criminal laws and cooperation in judicial matters. For smooth realization of social, political and economic goals of the Community, peace, security and public order are very important. Therefore, absence of clearly defined legal and institutional mechanisms against cybercrime compromises other efforts aimed at achieving political, social and economic developments. At the individual country level, it has been observed that each EAC Member State has adopted her own ways in dealing with cybercrime. However, it is noted that there is coincidental uniformity and commonality in some aspects. For example, Tanzania has adopted some policies and cyberlaws, and established some institutions to enhance cybersecurity. The laws in Tanzania have established some cyber offences similar to those provided in the Budapest Convention and some are even not in the Convention. Likewise in Kenya, there are policies, laws and institutions adopted to prevent and combat cybercrime. However, most of the offences established under the Kenyan laws focus more on protecting communications infrastructures than addressing cybercrime in its wider sense. The Government of Kenya is now in the processing of enacting the necessary laws to address cybercrime accordingly. For the case of Uganda, the study has established that there are well established policies, laws and institutions in so far as cybersecurity in concerned. However, a problem of unnecessary duplication of offences and the sanctions provided in the laws are too severe and disproportionate to the offences. Also, there is a general perception among the people of all the three countries that some offences are established mainly for curtailing people’s rights especially freedom of expression. The common problems with the three countries under scrutiny (Tanzania, Kenya, and Uganda) are that most of the institutions established suffer from lack of proper coordination; lack of the required human resource capabilities; technological backwardness; and budgetary constraints.

Chapter 6

Comparative Assessment of Anti-Cybercrime Initiatives Between Europe and East Africa A. Introductory Remarks Chapters 4 and 5 of this work separately examine anti-cybercrime measures adopted in Europe and the East African region respectively. Basically, the examination in the chapters is at three levels, namely policy frameworks, legislative measures, and institutional frameworks. In the said chapters, the examination in question focuses on Europe under its two international anticybercrime regimes, namely the EU and the CoE frameworks; and in East Africa, the focus is on the Community (the EAC level) and individual Member States regimes. Having laid that foundation, this chapter builds-up on the above discussions in terms of closely comparing and contrasting those efforts by looking at the strengths and predicaments of each bloc with a view of pinpointing lessons to be learnt from each regime. The analysis in this chapter will, therefore, comparatively focus on the basic organization structures of the EAC, EU, and CoE as intergovernmental entities and their implications on the war against cybercrime; approximation and harmonization of laws; supremacy and direct effect of community laws; and the way these aspects influence the formulation and implementation of anti-cybercrime initiatives. Furthermore, the chapter comparatively assesses the efficiency and efficacy of different anti-cybercrime legislative and institutional mechanisms adopted in each bloc while highlighting the important lessons to be learnt.

B. Basic Integration Frameworks Among the EAC, EU, and CoE It appears that the recent nations’ survival in the world economy and market requires the world to be more interconnected than before.856 This requirement seems to explain why today nations are struggling to remove the formerly existed barriers and boundaries by the formation of interstate entities and / or organizations to propagate their collective agenda. It is further said 856  Masinde / Omolo,

p. 1.



B. Basic Integration Frameworks Among the EAC, EU, and CoE185

that, among others, the inspirations behind the recent interstate cooperation and regionalism is influenced by the EU’s integration success story.857 It is within the same wavelength that it has been noted in the discussions in chapter 3 above that the EAC which was revived in 2000, has, to some extent, copied some features and elements from the EU and CoE setups. Generally speaking, these features include some fundamental principles upon which the organizations are founded, objectives, the basic organization structure, and the mandate entrusted to the organizations.858 It is worth noting that there are areas of variations too among the organizations. These variations are influenced by the history and socio-economic and political conditions of a given region and / or Member States. For example, it is said to be challenging for developing countries to achieve a similar success story as that of the EU for integration success requires strong and diversified economies and robust political commitments to overwhelm the uneven benefits and expenses of integration.859 Comparatively, if one assesses the objectives, principles and the institutional frameworks of the EAC, EU and CoE vis-à-vis their capability to formulate and implement various matters, it becomes clear that the specificity, overlap, and complementarity between the EU and the CoE confer Europe with an added advantage to respond to issues effectively and efficiently as opposed to the EAC’s generality. This means that, as highlighted in chapter 3 part. E. above, while the CoE identifies itself as an organization dedicated to enhancing human rights, democracy and the rule of law, the EU concentrates more on economic integration without compromising the standards set by the CoE. The operation model between the EU and the CoE can be argued to be among the catalysts which made the CoE feel obliged and take early anticybercrime legislative measures which have been subsequently acceded to and implemented by the EU through its various framework decisions as further discussed in chapter 4. To the contrary, the EAC’s agenda and commitments are many. They range from economic to political ones. Under the so-called EAC’s pillars of integration, the EAC envisions a customs union, a common market, a monetary union, and ultimately a political federation.860 With this generality in the 857  Masinde / Omolo,

pp. 1 and 6. similarities on objectives, principles, institutions and mandate see and compare articles 5, 6, 7, and 9 of the Treaty for the Establishment of the East African Community, 1999 with articles 3, 5, 7, and 13 of the Treaty of the European Union, articles 2–6 of the Treaty on the Functioning of the European Union, and articles 1 and 10 of the Statute of the Council of Europe. 859  Masinde / Omolo, p. 6. 860  EAC’s pillars of integration have been further discussed in chapter 3. 858  For

186

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

EAC, it becomes challenging for the Community to respond to specific emerging issues like cybercrime. This implies that the divided and extensive commitment of the EAC seems to be an obstacle towards achieving a sound regime on specific and sensitive issues like cybercrime. For now, the attention of the EAC appears to be directed more on economic integration related matters than public order and security. However, based on the experience learnt from the EU, prioritizing security and public order in the integration process is equally important as economic integration. Of course, economic success cannot be guaranteed if peace and security are at stake.

C. Approximation and Harmonization of Laws in Europe and East Africa It has been stated repeatedly in this book that approximation and harmonization of laws is a key to any successful regional integration.861 This reality can be vividly evidenced in Europe, both at the CoE and EU levels and at the EAC as well. In appreciation of the role of approximation and harmonization, nowadays States all over have put more emphasis on having common legal approaches to problems / issues of common interests. Further to the above, approximation and harmonization is among the factors used to gauge integration maturity and intensity in any given regional integration. Now, measuring comparatively the integration maturity and intensity through approximation and harmonization of laws among the EU, CoE and the EAC, one will note that, there is a lot to be learnt. To start with the CoE, it is clear that efforts to put together common legal mechanisms in dealing with common criminal issues are as old as the CoE itself. There have been legal mechanisms against offences and offenders at the CoE level since in the 1950s. The European Convention on Extradition of 1957 was among the first criminal law related legal instruments adopted by the CoE. As of today, there are 223 treaties adopted by the CoE, out of which, more than 30 treaties have a direct bearing on criminal justice.862 Criminal justice related treaties so adopted cover, among others, extradition, road traffic offences, the validity of criminal judgments, terrorism, mutual assistance in criminal matters, corruption, and more importantly for this book, cybercrime.863 As already stated in this book, the CoE remains to be the world pioneer in the war against cybercrime for its championing the adoption of the Cybercrime Con861  See chapter 5 part. B. above for further discussion on approximation and harmonization of laws. 862  See the Complete list of the Council of Europe’s Treaties available at: https: /  / www.coe.int / en / web / conventions / full-list, accessed on 22 October 2017. 863  See further details on the treaties as discussed in chapter 4 part. B. above.



C. Approximation and Harmonization of Laws in Europe and East Africa 187

vention in 2001. This is an indication that there are remarkable developments at the CoE level in terms of collective concerted efforts in dealing with criminality in its different and complex forms. Much as the EU’s primary integration objectives were focused on economic cooperation, but the realities and demands of the world necessitated a paradigm shift, to include cooperation in criminal matters. The reasons advanced for the shift as indicated in chapter 4 part. E. of this book, among others, are evolution of new cross-border criminal trends; implementation of the Schengen Agreement which required a guarantee for public order, safety and security; abolition of internal frontiers in a single market; and a fear of increased criminality due to political instability in the East. It is, therefore, a combination of the above multiple factors that dictated the harmonization and approximation of criminal laws in the EU. It formally started with the Maastricht Treaty in 1992 whereas criminal matters were put in the area of Justice and Home Affairs, and after the adoption of the Lisbon treaty in 2007, some criminal matters with international elements (such as terrorism and cybercrime, among a few others) fall within the shared competence of the EU. This categorization has the implication of giving more mandate to the EU to decide and take more legally binding actions on penal matters. It is based on the above background and mandate that the EU has been able to adopt a number of anti-cybercrime legislative and enforcement mechanisms. These mechanisms, among others, as further discussed in chapter 4 parts F. and G. of this book, include Council Framework Decision on Combating Fraud and Counterfeiting of Non-Cash Means of Payment, 2001; the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography, 2003; the Framework Decision on Attacks against Information Systems, 2005; the Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA, 2013; and the Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law, 2008. In terms of enforcement mechanisms, the EU established, among others, the European Arrest Warrant (2002); the European Police College (1999); the European Police Office (1999); Eurojust (2002); European Union Agency for Network and Information Security (2004); and European Crime Prevention Network (2001). To the contrary, very little has been done in the East African region in so far as harmonization and approximation of criminal laws is concerned. Out of thirty or so international legal instruments (Treaties, Protocols, and Agreements) adopted at the EAC level, only two have a direct bearing on criminal matters. The Protocol on Combating Drug Trafficking in the East African Region and the Protocol on Peace and Security are the only relevant instru-

188

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

ments representing common efforts in criminal law in the region. It is also important to note that the legal status of the EAC Legal Framework for Cyberlaws, 2008 as discussed in chapter 5 part. D.I. of this book, is not very clear to the extent that it cannot be termed as a robust anti-cybercrime framework worth making reference to. Furthermore, based on the experience from the CoE and the EU above, it appears that harmonization and approximation of criminal laws are incidentally important in regional integration. The lesson to be learnt from Europe, in this case, is that, although the CoE and the EU started with different primary goals and objectives, it became inevitable to achieve the said goals and objectives without setting common approaches to criminal laws. It, therefore, follows that criminal laws form an important part of the integration process in order to achieve other objectives.

D. Comparison of the Efficiency and Efficacy of Anti-Cybercrime Legislative Measures in Europe and East Africa In chapters 4 and 5, attempts have been made to analyze anti-cybercrime legislative measures in Europe and East Africa respectively. The analysis to be done below is intended at vividly comparing those measures with a view to establishing their strengths and weaknesses, and ultimately what lessons can be learnt from them. The analysis below will focus on substantive cybercrime provisions and the proportionality of sanctions and other dissuasive measures. I. Substantive Cybercrime Provisions The Council of Europe Cybercrime Convention is one of the most celebrated international anti-cybercrime legislative mechanisms, both in Europe and globally. It is an instrument of its own kind at the international level to set substantive, procedural and other incidental provisions on cybercrime. And subsequent to its adoption, similar provisions have been widely replicated at both national and international levels. Also, the Convention has acquired the status of a common cross-border criminal policy intended at protecting the society against cybercrime and guaranteeing international cooperation on the same.864 Below is a tabulated comparative analysis of the substantive cybercrime provisions as enshrined in the Cybercrime Convention on one hand, and the way the same are reflected in the provisions of cybercrime related statutes of Kenya, Tanzania, and Uganda, on the other. 864  Keyser,

p. 296.



D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures189

As tabulated in table 5 (p. 190 et seq.), it is noted that there are both areas of commonality and discord among the CoE cybercrime regime and the selected EAC countries’ regimes. Specifically, some elements of commonality can be seen in offences against the confidentiality, integrity and availability of computer data and systems, and computer-related offences, whereas the approach by both sides appears to be more or less similar with just minor differences as indicated in the following table. On content related offences, serious differences between the CoE regime and EAC regimes are observed. The CoE Cybercrime Convention restricts content related crimes to only one offence of child pornography, while Kenya has publishing obscene information in electronic form and publication for fraudulent purpose as the only content offences. It is also worth noting that the Additional Protocol to the Cybercrime Convention provides for other content related offences in the form of racist and xenophobic material, racist and xenophobic motivated threat, racist and xenophobic motivated insult, and genocide and crimes against humanity. Tanzania and Uganda have more content related offences compared to Kenya. Also, child pornography and pornography are treated in Uganda and Tanzania as two distinct offences, with the former attracting a more stringent punishment. It is also important to note that the way the offences of publication for fraudulent purpose (in Kenya), publication of false information (in Tanzania), and offensive communication (in Uganda) are styled seems to abrogate the most cherished freedom, the freedom of expression in cyberspace among the EAC citizens. Because of the restrictions imposed through these offences, the constitutionality of such offences has been a subject of serious discussions in the region. Comparatively, on content related offences, it appears that the cybercrime regimes in Europe and the EAC countries have taken different approaches. The European approach seems to be mindful of the freedom of speech vis-àvis content offences because as stated in chapter 4 part. C.I. of this book above, freedom of speech is among the contentious matters in developed countries. In the US, for example, it is very challenging and probably impossible to pass the law which undermines the freedom of speech because of the constitutional protection available in favour the said freedoms.865 It is for this reason that it appears the Budapest Convention cautiously does not cover much on content related offences except for child pornography. To the contrary, as already stated above, in the laws of the EAC Member States, there are many content related offences which are complained against for undermining the freedom of speech. 865  See

the case of Reno vs. American Civil Liberties Union as cited above.

Offences against the confidentiality, integrity, and availability of computer data and systems

Categories of Offences

– Unauthorized access to computer data.871 – Access with intent to commit offences.872 – Unauthorized access to and interception of computer service.873 – Unauthorized modification of computer material.874 – Damaging or denying access to computer system.875 – Unauthorized disclosure of password.876 – Unlawful possession of devices and data.877 – Illegal access.878 – Illegal remaining.879 – Illegal interception.880 – Illegal data interference.881 – Data espionage.882 – Illegal system interference.883 – Misuse of devices.884

– Unauthorized access.885 – Denial of service to legitimate users.886 – Data and / or system interference.887 – Illegal interception.888 – Misuse of devices.889 – Unauthorized modification of computer material.890 – Unauthorized use or interception of computer service.891 – Unauthorized obstruction of use of computer.892

The Computer Misuse Act, 2011

The Cybercrime Act, 2015

The Kenya Information and Communications Act, 1998

The CoE Cybercrime Regime

– Illegal access.866 – Illegal interception.867 – Data interference.868 – System interference.869 – Misuse of devices.870

(Uganda)

(Tanzania)

(Kenya)

(Europe)

(Continue page 192)

On this category of offences, the CoE, Tanzania, Kenya and Uganda legal regimes have almost similar provisions with relatively common elements of offences. It is also worth noting that Kenya and Uganda have more offences in this category compared to Tanzania. However, the bottom line is that the acts and omissions prohibited under these different legal regimes are almost similar, hence they present no material difference.

Remarks

Table 5 Comparison of Cybercrime Regimes Between the CoE and Selected EAC Countries 190 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

892  See

891  See

890  See

889  See

888  See

887  See

886  See

885  See

884  See

883  See

882  See

881  See

880  See

879  See

878  See

877  See

876  See

875  See

874  See

873  See

872  See

871  See

870  See

869  See

868  See

867  See

866  See

article 2 of the Council of Europe Convention on Cybercrime, 2001. article 3 of the Council of Europe Convention on Cybercrime, 2001. article 4 of the Council of Europe Convention on Cybercrime, 2001. article 5 of the Council of Europe Convention on Cybercrime, 2001. article 6 of the Council of Europe Convention on Cybercrime, 2001. section 83U of the Kenya Communications (Amendment) Act, 2009. section 83V of the Kenya Communications (Amendment) Act, 2009. section 83W of the Kenya Communications (Amendment) Act, 2009. section 83X of the Kenya Communications (Amendment) Act, 2009. section 83Y of the Kenya Communications (Amendment) Act, 2009. section 83Z of the Kenya Communications (Amendment) Act, 2009. section 84A of the Kenya Communications (Amendment) Act, 2009. section 4 of the Cybercrime Act, 2015. section 5 of the Cybercrime Act, 2015. section 6 of the Cybercrime Act, 2015. section 7 of the Cybercrime Act, 2015. section 8 of the Cybercrime Act, 2015. section 9 of the Cybercrime Act, 2015. section 10 of the Cybercrime Act, 2015. section 12(1) of the Computer Misuse Act, 2011. section 12(5) of the Computer Misuse Act, 2011. section 12(2) of the Computer Misuse Act, 2011. section 15 of the Computer Misuse Act, 2011. section 12(3) and (4) of the Computer Misuse Act, 2011. section 14 of the Computer Misuse Act, 2011. section 15 of the Computer Misuse Act, 2011. section 16 of the Computer Misuse Act, 2011.

D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures191

– Offences – Publishing obscene related to information in child electronic form.903 pornogra– Publication for phy899 fraudulent pur– Racist and pose.904 xenophobic material.900

Contentrelated offences

– Tampering with computer source documents.901 – Electronic fraud.902

– Computerrelated forgery.897 – Computerrelated fraud.898

– Child pornography.907 – Pornography908 – Identity related crimes.909 – Publication of false information.910

– Computerrelated forgery.905 – Computerrelated fraud.906

– Child pornography.912 – Cyber harassment.913 – Offensive communication.914 – Cyber stalking.915

– Electronic fraud.911

– Unauthorized disclosure of access code.895 – Unauthorized disclosure of information.896

The Computer Misuse Act, 2011

The Cybercrime Act, 2015

The Kenya Information and Communications Act, 1998

The CoE Cybercrime Regime

– Re-programming of mobile telephone.893 – Possession or supply of anything for reprogramming mobile telephone.894

(Uganda)

(Tanzania)

(Kenya)

(Europe)

Computerrelated offences

Categories of Offences

(Table 5: Continued)

(Continue page 194)

While the CoE Cybercrime Convention criminalizes only child pornography, the Additional Convention on Cybercrime adds more content offences, namely publication of racist and xenophobic materials, racist and xenophobic motivated threat, racist and

While the CoE, Tanzania and Kenya legal regimes provide for two different offences in this category, Ugandan law has only one offence. However, the Ugandan provision is widely drafted to cover almost all the elements captured in the two offences by its counterparts.

Remarks

192 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

section 84G of the Kenya Communications (Amendment) Act, 2009. section 84H of the Kenya Communications (Amendment) Act, 2009. 895  See section 17 of the Computer Misuse Act, 2011. 896  See section 18 of the Computer Misuse Act, 2011. 897  See article 7 of the Council of Europe Convention on Cybercrime, 2001. 898  See article 8 of the Council of Europe Convention on Cybercrime, 2001. 899  See article 9 of the Council of Europe Convention on Cybercrime, 2001. 900  See article 3 of the Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003. 901  See section 84C of the Kenya Communications (Amendment) Act, 2009. 902  See section 84B of the Kenya Communications (Amendment) Act, 2009. 903  See section 84D of the Kenya Communications (Amendment) Act, 2009. 904  See section 84E of the Kenya Communications (Amendment) Act, 2009. 905  See section 11 of the Cybercrime Act, 2015. 906  See section 12 of the Cybercrime Act, 2015. 907  See section 13 of the Cybercrime Act, 2015. 908  See section 14 of the Cybercrime Act, 2015. 909  See section 15 of the Cybercrime Act, 2015. 910  See section 16 of the Cybercrime Act, 2015. 911  See section 19 of the Computer Misuse Act, 2011. 912  See section 23 of the Computer Misuse Act, 2011 read together with sections 13 and 14 of the Anti-Pornography Act, 2014. 913  See section 24 of the Computer Misuse Act, 2011. 914  See section 25 of the Computer Misuse Act, 2011. 915  See section 26 of the Computer Misuse Act, 2011.

894  See

893  See

D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures193

Categories of Offences

– Racist and xenophobic material.919 – Racist and xenophobic motivated insult.920 – Genocide and crimes against humanity.921 – Unsolicited messages.922 – Disclosure of details of investigation.923 – Obstruction of investigation.924 – Cyber bullying.925

The Computer Misuse Act, 2011

The Cybercrime Act, 2015

The Kenya Information and Communications Act, 1998

The CoE Cybercrime Regime

– Racist and xenophobic motivated threat.916 – Racist and xenophobic motivated insult.917 – Genocide and crimes against humanity.918

(Uganda)

(Tanzania)

(Kenya)

(Europe)

(Table 5: Continued)

(Continue page 196)

Furthermore, on content related offences, Tanzania has more offences than Kenya and Uganda. Tanzania is almost in line with the content offences as reflected in the Additional Protocol to the Convention, except that it does not criminalize racist and xenophobic motivated threat.

The laws further impose heavier punishments on child pornography than on adult pornography. Kenyan law criminalizes publishing obscene information with a comparatively lenient punishment.

Tanzania and Uganda have gone beyond child pornography by outlawing pornography generally.

xenophobic motivated insult, and genocide and crimes against humanity.

Remarks

194 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

916  See article 4 of the Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003. 917  See article 5 of the Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003. 918  See article 6 of the Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003. 919  See section 17 of the Cybercrime Act, 2015. 920  See section 18 of the Cybercrime Act, 2015. 921  See section 19 of the Cybercrime Act, 2015. 922  See section 20 of the Cybercrime Act, 2015. 923  See section 21 of the Cybercrime Act, 2015. 924  See section 22 of the Cybercrime Act, 2015. 925  See section 23 of the Cybercrime Act, 2015.

D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures195

– Unauthorized access to protected systems.928

N / A

– Offences against critical information infrastructure.929

– Violation of intellectual property rights.927

– Unauthorized access, modification, interception and obstruction involving protected computers.930

N / A

While the Cybercrime Convention does not differentiate between ordinary computer systems and critical or protected systems, in Kenya, Tanzania, and Uganda, the difference is very material for it determines the seriousness of the offence and so is the punishment.

The CoE Cybercrime Convention and the Tanzania Cybercrime Act provide for copyright related offences in a relatively similar manner. However, the laws in Kenya and Uganda are silent on copyright related offences and the same is left for specific copyright laws.

927  See

article 10 of the Council of Europe Convention on Cybercrime, 2001. section 24 of the Cybercrime Act, 2015. 928  See section 84F of the Kenya Communications (Amendment) Act, 2009 as amended by section 25 of the Kenya Information and Communications (Amendment) Act, 2013. 929  See section 29 of the Cybercrime Act, 2015. 930  See section 20 of the Computer Misuse Act, 2011.

N / A

Other Offences

926  See

– Infringement of copyright and related rights.926

Offences related to infringements of copyright and related rights

(Table 5: Continued)

196 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives



D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures197

On copyright related offences, the Cybercrime Convention and the Cybercrime Act of Tanzania have almost similar provisions. On the other hand, cyberlaws in Kenya and Uganda do not address copyright infringement related offences and the same are left with respective copyright laws. Furthermore, it is important to note that there is one common feature among the cyberlaws of all the EAC countries which are under the scrutiny of this book. This commonality relates to the seriousness taken by the laws on cyber offences targeting to victimize protected / critical information systems. The laws contain enhanced punishments when cybercrimes are committed against such systems. In addition to the above, in Kenya and Tanzania, the discretion to determine what information systems amount to protected / critical information systems is vested with the Ministers responsible for communications,931 while in Uganda protected computers are clearly defined in the Act.932 This aspect is missing in the CoE Cybercrime Convention. However, together with this commonness, the seriousness of the sanctions corresponding to these offences are different in each jurisdiction. Based on the above analysis, it is fair to conclude that there are material differences in terms of approaches employed in Europe in fighting cybercrime compared to those adopted in the EAC region. Furthermore, even within the EAC region itself, there is no harmonized regime on cybercrime. Each country has individually adopted its own ways and mechanisms against cybercrime. The attempted joint efforts have not yet yielded any homogeneity in terms of having a sound and robust uniform anti-cybercrime regime in the EAC region. There are obvious and notable divergences among the EAC countries in the approaches against cybercrime as already discussed in chapter 5. Furthermore, even the perception and conception of offences among the EAC members are very different from one country to another. For example, it is not surprising to find that what is being perceived as a serious offence in one country, is treated as a misdemeanor in the other.933 For that reason, whatever uniformity and commonality in anti-cybercrime mechanisms, both legal and institutional, that have been found among the EAC members cannot be said to be by design, rather it is by coincidence or default. These differences are a hindrance for the cybercrime legal and jurisprudential developments in the region as they create loopholes and havens to be enjoyed by criminals. Taking an example of Kenya, with the Kenya Information and Communications Act, 1998 (as amended from time to time) alone, one may 931  See section 83Q(1) of the Kenya Communications (Amendment) Act, 2009; and section 28 of the Cybercrime Act, 2015. 932  See section 20 of the Computer Misuse Act, 2011. 933  See table 6 below for further details on this point.

198

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

hardly say that there are anti-cybercrime laws in place. This laxity in Kenya can also be evidenced by the ongoing legislative process to have a proper cybercrime statute in Kenya. II. Proportionality of Sanctions and Other Dissuasive Measures Against Offenders It is important to underline the fact that offences are created for the purpose of imposing punishments to the wrongdoers as a mechanism of dissuading the public from engaging in the prohibited conducts and omissions. Otherwise, there would be no reason to have certain conducts and omissions outlawed. Together with the above fact, justice further requires that punishments and other dissuasive measures should not be imposed arbitrarily. There must be a proportionality and correlation between the punishment imposed and the offence committed. The discussion in this part of the chapter is an attempt to compare and assess the proportionality of sanctions and other penal measures adopted against cybercriminals in Europe and East Africa. In the table below, some offences which are common in all the jurisdictions under scrutiny are selected and analysed to demonstrate the similarities and differences in penal approaches among the EAC countries in comparison with Europe.

Fine of not less than three million TZS937 or three times the value of the undue advantage received, or imprisonment of not less than one year or, both.938

Fine not exceeding 4.8 million UGX939 or imprisonment not exceeding ten years, or both.940

Sanctions in Tanzania Sanctions in Uganda

article 13 of the Council of Europe Convention on Cybercrime, 2001. is the symbol for Kenyan Shillings which is the official currency of Kenya. 936  See section 83U(1) of the Kenya Communications (Amendment) Act, 2009. 937  TZS is the symbol for Tanzanian Shillings which is the official currency of Tanzania. 938  See section 4(2) of the Cybercrime Act, 2015. 939  UGX is the symbol for Ugandan Shillings which is the official currency of Uganda. 940  See section 12(7) of the Computer Misuse Act, 2011.

935  KES

934  See

Effective, proportionate and dissuasive sanctions, which include deprivation of liberty and monetary sanctions.934

Illegal access

Fine not exceeding two hundred thousand KES935 or imprisonment not exceeding two years, or both. 936

Sanctions under Sanctions in Kenya the CoE

Types of Offences

(Continue next page)

While the Cybercrime Convention requires sanctions to be generally effective, proportionate and dissuasive, in Kenya and Tanzania, illegal access is treated as a misdemeanor punishable by the custodial sentence of one and two years respectively, but the same is considered as a grave offence in Uganda punishable by up to ten years of custodial sentence.

Remarks

Table 6 Proportionality of Sanctions and Other Dissuasive Measures Against Offenders Between the CoE and Selected EAC Countries D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures199

As above

As above

As above

Illegal interception

Data interference

System interference

Fine not exceeding two hundred thousand KES or imprisonment not exceeding two years, or both.947

Fine not exceeding five hundred thousand KES or imprisonment not exceeding three years, or both.944

Fine not exceeding five hundred thousand KES or imprisonment not exceeding three years, or both.941

Sanctions under Sanctions in Kenya the CoE

Types of Offences

(Table 6: Continued)

Fine of not less than two million TZS or three times of value the undue advantage received, or imprisonment of not less than one year, or both.948

Fine of not less than ten million TZS or three times the value of undue advantage received, or imprisonment of not less than three years, or both.945

Fine of not less than five million TZS or imprisonment of not less than one year or, both.942

Fine not exceeding 4.8 million UGX or imprisonment not exceeding ten years, or both.949

Fine not exceeding 4.8 million UGX or imprisonment not exceeding ten years, or both.946

Fine not exceeding4.8 million UGX or imprisonment not exceeding ten years or both; and in a subsequent conviction, fine not exceeding 7.2 million UGX or imprisonment not exceeding fifteen years, or both.943

Sanctions in Tanzania Sanctions in Uganda

Kenya and Tanzania treat system interference as a misdemeanor punishable by a maximum penalty of two years imprisonment, while Uganda gravely punishes the same by ten years.

Kenya and Tanzania set a punishment of three years imprisonment for data interference, while the same is excessively punishable by ten years in Uganda.

Illegal interception is considered as a serious offence and excessively punishable by up to fifteen years imprisonment in Uganda, while the same is leniently taken in Kenya and Tanzania.

Remarks

200 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

952  See

951  See

950  See

949  See

948  See

947  See

946  See

945  See

944  See

943  See

942  See

941  See

Fine not exceeding two hundred thousand KES or imprisonment not exceeding two years, or both.950

Fine of not less than ten million TZS or three times the value of undue advantage received, or imprisonment of not less than three years, or both.951

Fine not exceeding 4.8 million UGX or imprisonment not exceeding ten years, or both.952

83W(2) of the Kenya Communications (Amendment) Act, 2009. 6(2) of the Cybercrime Act, 2015. 15(1) of the Computer Misuse Act, 2011. 83X(1) of the Kenya Communications (Amendment) Act, 2009. 7(1) of the Cybercrime Act, 2015. 12(7) of the Computer Misuse Act, 2011. 83Y of the Kenya Communications (Amendment) Act, 2009. 9 of the Cybercrime Act, 2015. 12(7) of the Computer Misuse Act, 2011. 84A(5) of the Kenya Communications (Amendment) Act, 2009. 10(2) of the Cybercrime Act, 2015. 12(7) of the Computer Misuse Act, 2011.

As above

section section section section section section section section section section section section

Misuse of devices

(Continue next page)

Misuse of devices attracts a moderate punishment in Kenya and Tanzania, while the same is severely punishable in Uganda (up to years).

D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures201

Publication of obscene / lascivious information is punishable by fine not exceeding two hundred thousand KES or imprisonment not exceeding two years, or both.958

As above Offences related to pornography. Fine of not less than fifty million TZS or three times the value of undue advantage received, or to imprisonment of not less than seven years or to both, and fine of not less than thirty million TZS or

Fine of not less than twenty million TZS or three times the value of undue advantage received, or imprisonment of not less than seven years, or both.956

Fine not exceeding two hundred thousand KES or imprisonment not exceeding three years, or both.955

As above

Computerrelated fraud

Fine not exceeding 7.2 Million UGX or imprisonment not exceeding fifteen years or both, and fine not exceeding ten million UGX or imprisonment not exceeding ten years, for child pornogra-

Fine not exceeding 7.2 Million UGX or imprisonment not exceeding fifteen years, or both.957

N / A

Fine of not less than twenty million TZS or three times the value of undue advantage received, or imprisonment of not less than seven years, or both.954

As above

Computerrelated forgery

Fine not exceeding three hundred thousand KES or imprisonment not exceeding three years, or both.953

Sanctions in Tanzania Sanctions in Uganda

Sanctions under Sanctions in Kenya the CoE

Types of Offences

(Table 6: Continued)

The punishment for a relatively similar offence in Kenya is only two years’ imprisonment, while in Uganda and Tanzania is fifteen and ten years respectively.

In this offence, each country has given its own weight in terms of imposing the punishment, whereas the same is punishable by three years in Kenya, seven years in Tanzania, and fifteen years in Uganda.

While in Uganda computer related forgery is not expressly provided for, the same is punishable moderately low in Kenya compared to Tanzania whereas the punishment is more than two times severe compared to Kenya.

Remarks

202 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

962  See

961  See

960  See

959  See

958  See

957  See

956  See

955  See

954  See

953  See

Publication for fraudulent purpose is punishable by fine not exceeding one million KES or imprisonment not exceeding five years, or both.961 Publication of false information is punishable by fine of not less than five million TZS or imprisonment of not less than three years, or both.

Offensive communication is punishable by fine not exceeding 0.5 million UGX or imprisonment not exceeding one year, or both.962

phy and pornography respectively.960

(Continue next page)

While offences related to the publication of information are treated as serious in Kenya and Tanzania (punishable by five and three years respectively), the same is a misdemeanor in Uganda attracting a punishment of not more than one year.

84C of the Kenya Communications (Amendment) Act, 2009. 11(2) of the Cybercrime Act, 2015. 84B of the Kenya Communications (Amendment) Act, 2009. 29 of the Cybercrime Act, 2015. 19(1) of the Computer Misuse Act, 2011. 84D of the Kenya Communications (Amendment) Act, 2009. 14(2) of the Cybercrime Act, 2015. 23(4) of the Computer Misuse Act, 2011 and sections 13(2) and 14(1) of the Anti-pornography Act, 2014. 84E of the Kenya Communications (Amendment) Act, 2009. 25 of the Computer Misuse Act, 2011.

N / A

section section section section section section section section section section

Offences related to publication of informa­ tion.

to imprisonment of not less than ten years or to both, for child pornography and pornography, and lascivious or obscene pornography respectively.959

D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures203

N / A

Offences against critical / protected information infrastructure. Fine not less than one hundred million TZS or three times the loss occasioned or imprisonment of not less than five years, or both.964

Life imprisonment.965

Sanctions in Tanzania Sanctions in Uganda Offences against protected systems are the gravest cyber offence in Uganda punishable by life imprisonment with no fine option. The same are punishable by five and ten years in Tanzania and Kenya respectively with a fine option.

Remarks

963  See section 84F of the Kenya Communications (Amendment) Act, 2009 as amended by section 25 of the Kenya Information and Communications (Amendment) Act, 2013. 964  See section 29 of the Cybercrime Act, 2015. 965  See section 20(1) of the Computer Misuse Act, 2011.

Fine not exceeding ten million KES or ten years imprisonment, or both.963

Sanctions under Sanctions in Kenya the CoE

Types of Offences

(Table 6: Continued)

204 Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives



D. Efficiency and Efficacy of Anti-Cybercrime Legislative Measures205

As already noted in this chapter, there is a big difference in terms of how cyber offences are perceived and punished among Kenya, Tanzania, and Uganda. While the CoE Cybercrime Convention requires punishments to be effective, proportionate and dissuasive, in Uganda this aspect seems to be missing. All cyber offences are excessively punishable. Most of the cyber offences attract a punishment of between ten and fifteen years’ imprisonment which is very grave and disproportionate to the offences. To the contrary, in the UK who is a Member of the CoE, punishments for cybercrime are moderately lenient. For example, the offence of unauthorized access is punishable by imprisonment term between one and two years;966 unauthorized access with intent to commit an offence is punishable by imprisonment term between one and ten years;967 and unauthorized modification of computer material is punishable by imprisonment term between 6 months and five years.968 On the offences against critical / protected information infrastructure, while Uganda generally imposes life imprisonment, the punishment in the UK is fourteen years imprisonment, or life imprisonment if the offence causes or creates a significant risk of serious damage to human welfare or serious damage to national security.969 On the other hand, Kenya and Tanzania impose moderate sanctions with a few excessive punishment cases. The discrepancies in sanctions among the EAC countries as tabulated above clearly explain the reality that there is a lack of harmonization and approximation of cyberlaws in the region. The penal approach taken by Uganda in cyber offences is too different from those of Kenya and Tanzania. However, it appears that generally many offences are more severely punishable in Uganda than similar offences in Tanzania. Commendably, most of the fines imposed by the Cybercrime Act, 2015 of Tanzania take into consideration the value of the undue advantage enjoyed by the offender, if any, as a result of the crime. This is a very useful aspect in imposing punishments as ultimately the punishments will have a reflection of the unfair gain obtained by the perpetrator. This approach is in line with the principle that, he who benefits more as a result of a crime, suffers a more severe punishment, something which is logical. Consideration of the undue advantage enjoyed by the perpetrator of the crime in imposing the sanctions is an example of lessons that Europe can learn from Tanzania. 966  See section 1 of the Computer Misuse Act, 1990 (UK) as amended by section 35 of the Police and Justice Act, 2006. 967  See section 2 of the Computer Misuse Act, 1990 (UK) as amended by section 36 of the Police and Justice Act, 2006. 968  See section 3(7) of the Computer Misuse Act, 1990 (UK). 969  See section 3ZA of the Computer Misuse Act, 1990 (UK) as amended by section 41 of the Serious Crime Act, 2015.

206

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

E. Efficiency and Efficacy of Anti-Cybercrime Enforcement and Institutional Mechanisms in Europe and East Africa It has been explained above in chapter 2 that there are four approaches to cyberspace regulation, namely norms, law, market forces, and code or architecture.970 In the implementation of the said approaches, there are institutions which are inevitably involved. These institutions range from those which are legally mandated to coercively enforce the laws (designated hereunder as watchdog and coordination institutions), to those which are more friendly and persuasive that are dedicated to raising people’s awareness through anti-cybercrime campaigns and related activities. Below is a comparative analysis of the roles played by these institutions in the East African region and Europe. I. Anti-Cybercrime Watchdog and Coordination Institutions and Mechanisms in Europe and the EAC As intimated above, watchdog institutions in the context of this book refers to organizations entrusted with the responsibility of making sure that individuals and entities observe certain standards prescribed by the law and do not act illegally. In so far as the war against cybercrime is concerned, we have observed from the discussions in previous chapters that there are a number of institutions, both in East Africa and Europe, whose mandate is to enforce cyberlaws. To begin with the CoE level, one will note that the European Committee on Crime Problems (CDPC) was established way back in 1958 primarily aimed at dealing with prevention and combating crime.971 As further discussed in chapter 4 part. E.I. above, CDPC has successfully engineered the adoption of dozens of international conventions, protocols, and agreements in the area of criminal justice including the Convention on Cybercrime in 2001, and the Additional Protocol to the Convention on Cybercrime, concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems in 2003 (the Additional Protocol to the Convention on Cybercrime, 2003). Apart from championing the adoption of the Cybercrime Convention, the CDPC has specific roles to play, which are legally assigned to it through the Convention. The first role CDPC plays is to submit its opinion to the Committee of Ministers on any proposed amendments to the Cybercrime Conven970  See chapter 2 part. F. above and for a detailed discussion on cyberspace regulation and governance see, Lessig (2006), pp. 4–6. 971  Klare, p. 377. Also, see European Committee on Crime Problems, About the European Committee on Crime Problems.



E. Efficiency and Efficacy of Anti-Cybercrime Enforcement207

tion.972 Also, it is the CDPC’s role to monitor the interpretation and application of the Cybercrime Convention.973 Furthermore, the CDPC is designated as a forum for disputes settlement in relation to the Interpretation and application of the Convention.974 It is clear from the above that the CDPC as an institution performs, among others, watchdog and coordination roles in ensuring that provisions of the Cybercrime Convention and the Additional Protocol to the Convention on Cybercrime, 2003 are properly interpreted and enforced. Besides the CDPC, the CoE cybercrime institutional framework has one more coordination institution known as the Cybercrime Convention Committee (T-CY). As opposed to the CDPC which generally oversees crimes in their complexities and entirety, the T-CY is a specific committee on cybercrime which represents the State Parties to the Cybercrime Convention.975 The T-CY was established based on the provisions of article 46 of the Cybercrime Convention which provides for the possibilities of State Parties to make consultations, exchange of information on legal, policy or technological issues relating to cybercrime and the collection of evidence amongst themselves; and deliberations on possible amendments to the Cybercrime Convention. Also, T-CY promotes capacity building in the areas of cybercrime and electronic evidence and encourages States which are not members to the Cybercrime Convention to accede to the Convention.976 Basically, the role of T-CY is that of coordinating and facilitating periodic consultations among the State Parties in order to guarantee effective application and implementation of the Convention. Regarding anti-cybercrime law enforcement mechanisms and institutions in the EU, the European Arrest Warrant (EAW) and the European Police Office (Europol) worth a mention and further discussion. To begin with the EAW, it is said that the EAW is the first legal mechanism adopted to implement the principle of mutual recognition in criminal matters in the EU.977 The relevancy of the EAW in law enforcement is that it is a form of judicial cooperation based on mutual trust and recognition among the Member States, which obliges the executing State to arrest or surrender the requested person (normally an accused or convicted person) to the issuing State without further delays and complications.978 The EAW, therefore, is a simplified and reliable 972  See 973  See

2001.

974  See

article 44(2) of the Council of Europe Convention on Cybercrime, 2001. articles 45(1) and 46 of the Council of Europe Convention on Cybercrime,

articles 45(2) of the Council of Europe Convention on Cybercrime, 2001. Council of Europe, Cybercrime Convention Committee. 976  See article 1 of the Cybercrime Convention Committee Rules of Procedure, 2014. 977  Fletcher / Loof / Gilmore, p. 105. 978  Fletcher / Loof / Gilmore, p. 112. 975  See

208

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

mechanism of effecting arrests and surrenders of accused persons or convicts in the EU, and ultimately subjecting the same to criminal justice. As opposed to extradition process which was not directly enforceable in a foreign country and was subject to political and diplomatic interruptions, the EAW receives an automatic recognition and is enforced like an order of a local court.979 Although there are also challenges in the implementation of the EAW in the EU,980 but considering the nature and characteristics of cybercrime, mechanisms like the EAW are very important in the enforcement of criminal law. Its predictability, reliability and time-saving features render it to be the most appropriate tool in the war against cybercrime. Considering the possible far-reaching effects of cybercrime, the EAW can be a very useful instrument to enable a quick containment of criminal incidences. The moment the whereabouts of a crime perpetrator are known, the EAW enables a speedy arrest and surrender of the said perpetrator to the criminal justice system. Finally, it is important to note that cybercrime is among the offences expressly falling within the scope of the application of the EAW.981 Finally, the Europol like any other traditional police service is the criminal law enforcement institution in the EU. It was established by the Council Decision 2009 / 371 / JHA of 6 April 2009.982 The relevancy of Europol in the discussion on cybercrime prevention is twofold. One, is based on the general mandate of the Europol as an institution vested with the mandate to support crime prevention and combating initiatives in the EU. Two, is the specific mandate that the Europol has on cybercrime.983 In the implementation of its mandate on preventing and combating cybercrime, the Europol through its cybercrime specialized centre, the European Cybercrime Centre (EC3), offers forensic expertise, training and capacity building, cybercrime strategies analysis, public awareness, cybercrime prevention programmes, and outreach and cooperation activities.984 Generally, the approach of the EC3 in the war against cybercrime can be packaged as a threefold namely, forensics, strategy, and operations.985 It is also worth noting that the Europol through the EC3 does more than law enforcement for it also engages in capacity building and public awareness programmes. In terms of operational success, Europol 979  Neagu,

p. 100. chapter 4 part. G.I. for the detailed discussion on the challenges of the EAW in the EU. 981  See article 2 of to the Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States of 13 June 2002. 982  See chapter 4 part. G.III. for the history and establishment of the Europol. 983  See article 4 and Annex to the Council Decision Establishing the European Police Office (Europol) of 6 April 2009. 984  See chapter 4 part. G.III. above. 985  The European Police Office, European Cybercrime Centre – EC3. 980  See



E. Efficiency and Efficacy of Anti-Cybercrime Enforcement209

in 2016 together with other institutions facilitated the arrest of 178 individuals suspected of money muling whose overall loss is estimated to be around 23 million Euro.986 Also, in 2017 Europol played an important role in dealing with cyber security events, including WannaCry ransomware which had almost global effects.987 While there are four different anti-cybercrime enforcement and coordination institutions and mechanisms in Europe, namely the CDPC, the T-CY, the EAW, and the Europol-EC3, there is only one institution at the EAC level (the EAC Cyberlaws Task Force) whose mandate is to coordinate and facilitate harmonization of cyberlaws in the region. Worse enough, the Task Force has not even been able to achieve the harmonization of laws as expected. As analysed in chapter 6 part. D. of this chapter above, it is evident that the EAC region, to a large extent, lacks uniformity and commonality in cyberlaws. For example, while Tanzania and Uganda have anti-cybercrime statutes properly so called, Kenya is still in the process of enacting one. Also, in the cybercrime statutes so enacted, if there is any uniformity and commonality among the EAC Member States, then that might have happened by default but not by design. This situation explains the failure of the Task Force to achieve the aims it was established for. It is even doubtful if at all the Task Force still exists as its establishment appears to be impromptu and ad hoc. At the individual Member State level, it has been observed that there are basically two institutions in each country with the duty of enforcing and coordinating anti-cybercrime laws and campaigns respectively. These institutions are the communications regulatory bodies, namely TCRA for Tanzania, CAK for Kenya, and UCC for Uganda, plus cybercrime units established in each country as units within the Police Forces. The general observation of the functions performed by the communications regulatory bodies are those of licensing and regulatory in nature. However, in the performance of these duties, the said bodies also supervise and enforce cybersecurity measures and standards which impact on the war against cybercrime. Considering the licensing and regulatory duties of these institutions, their influence in anti-cybercrime initiatives is not vigorous enough to match the complexity of cybercrime. In regard to cybercrime units attached to the Police Forces, it has been observed that they are meant to perform more or less similar duties to those of the Europol-EC3. They play key roles in providing investigative support and digital forensic services to the prosecution. However, lack of expertise, technology, and budgetary constraints have always been common challenges among these institutions, hence rendering their contribution in the war against 986  Europol, 987  Europol,

178 Arrests in Successful Hit against Money Muling. 2017, the Year When Cybercrime Hit Close to Home.

210

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

cybercrime to lack the expected impact. It is important to highlight at this juncture that the letters of the law always obtain their breath of life from the institutions mandated to enforce them, therefore, good laws cannot be appreciated if there are no strong institutions to enforce the same. II. Other Anti-Cybercrime Institutions This category of other anti-cybercrime institutions focuses on those bodies established with the aim of providing the necessary support in the fight against cybercrime, but not necessarily enforcement of the laws. As indicated above, these institutions include those dedicated to capacity building and providing cybercrime awareness both to individuals and entities. In this category under the CoE framework, there is a Directorate of Information Society and Action against Crime as an institution responsible with, among others, overseeing and promoting freedom of expression, data protection, action against cybercrime, European audiovisual observatory, and actions against other crimes.988 These activities are carried out through various departments established within the Directorate. Taking a specific example of the Directorate’s role in the promotion of freedom of expression, the Directorate stands to be guided by article 10 of the European Convention on Human Rights.989 It is clear from the unfolding discussion that the CoE is fully aware of the fact that freedom of expression is an important aspect of democracy, therefore, in a bid to regulate cybercrime and ICT generally, States may attempt to compromise or excuse themselves from strict application of the freedom of expression as widely captured in the European Convention on Human Rights. Although this book does not mainly focus on human rights, it is important to appreciate the fact that there are so many human rights violations in the history of the world that are being done through an excuse of enacting and enforcing criminal laws stringently. Further to the above, the Cybercrime Programme Office of the Council of Europe (C-PROC) is yet another institution in the CoE cybercrime framework.990 As opposed to the Directorate of Information Society and Action against Crime which deals with more than cybercrime, the C-PROC is specifically designated to solely deal with cybercrime and related matters. In so doing, the C-PROC provides the necessary support to countries worldwide in the solidification of their legal capabilities in addressing the challenges posed by cybercrime and electronic evidence in line with the benchmarks set by the 988  See Council of Europe, Information Society and Action against Crime Directorate. 989  Refer

to the above footnote. chapter 4 part. E.IV. above for further details on the establishment and functioning of the Cybercrime Programme Office of the Council of Europe. 990  See



E. Efficiency and Efficacy of Anti-Cybercrime Enforcement211

Convention on Cybercrime. Basically, the C-PROC is a capacity building institution.991 In providing the said support, the C-PROC, inter alia, safeguards rule of law, human rights, and data protection; conducts training to judges, prosecutors and law enforcement officers; enhances cooperation between private and public sectors; and promotes international cooperation.992 On the other hand at the EU level, there are similar institutions whose mandate mainly is coordination of cooperation among members, providing the required technical support and guidance, and capacity building on cybersecurity issues. One of those institutions in the EU is Eurojust. Although Eurojust is composed of one member from each EU Member State, who must be a prosecutor, judge or police officer, but its roles are not that of law enforcement.993 It basically coordinates and enhances judicial cooperation among the Member States while focusing on preventing and combating of serious crimes. Eurojust encourages and coordinates cooperation among authorities of Member States in the investigation, prosecution, and mutual legal assistance.994 The relevancy of Eurojust in combating and preventing cybercrime comes from the fact that the Council Decision 2002 / 187 / JHA which establishes Eurojust, expressly confers mandate to Eurojust on cybercrime.995 As repeatedly stated in this work, the borderlessness nature of cybercrime and technological dynamics require not only laws with international cooperation aspects, but also strong institutions with international mandate and experience on the same. European Union Agency for Network and Information Security (ENISA) is another institution whose role is to secure Europe’s information society. It is established under the Regulations adopted by the European Parliament and the European Council.996 In dealing with network and information security, ENISA enhances EU Member States’ capability to respond to security issues; assists and advises Member States on policy and legal issues pertaining to network and information security; catalyzes the engagement between public and private sectors in matters related to network and information security; and more importantly, coordinates EU and Member State’s Computer Security Incident Response Teams (CSIRTs) and Computer Emergency Response Teams (CERTs).997 In the performance of its duties, ENISA approaches net991  Cybercrime Programme Office of the Council of Europe, About C-PROC, pp. 1–2. 992  Cybercrime Programme Office of the Council of Europe, About C-PROC, pp. 1–2. 993  For

a detailed discussion on Eurojust see chapter 4 part. H.IV. above. article 3 of the Council Decision Setting up Eurojust with a View to Re­ inforcing the Fight against Serious Crime of 28 February 2002. 995  See article 4 of the Council Decision Setting up Eurojust with a View to Re­ inforcing the Fight against Serious Crime of 28 February 2002. 996  For a detailed discussion on the establishment and mandate of ENISA see part. H.V. of chapter 4 above. 994  See

212

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

work and information security issues in a multi-disciplinary approach ranging from policy and legal to IT expertise. A multi-disciplinary institutional approach to cybercrime is a commendable way, for legal initiatives alone cannot successfully deal with criminality in cyberspace. The last institution in the EU in this category is the European Crime Prevention Network (EUCPN). Like the above institutions in the EU, it is also a creature of the Council Decision 2001 / 427 / JHA.998 The EUCPN is composed of contact persons from each Member State, who represents national authorities in dealing with crime prevention, researchers and academics and designated contact points.999 In terms of roles and functions, the EUCPN facilitates cooperation and the exchange of information; sets good practices and experience in crime prevention; organizes seminars and conferences on crime prevention and particularly the Annual European Crime Prevention Award; provides expertise on crime prevention to the Council and the Commission; and issues publications on various aspects of crime prevention.1000 For example, among the programs on cybercrime currently undertaken (from June 2014 to February 2018) by the EUCPN, is the Cost and Impact of Cybercrime in Belgium which aims at studying the evolution and realities of cybercrime in Belgium.1001 Again, the role of EUCPN in cybercrime prevention cannot be ignored. Its modern approaches to crime prevention through the exchange of information, researches and education are commendable initiatives. Comparatively, it is unfortunate to note that there are no specifically designated institutions at the EAC and individual State levels specifically dealing with cybercrime in terms of capacity building, providing cybercrime awareness, research and technical support, and enhancement of cooperation at international levels. Most of the institutions are set to enforce the laws, while there are very little initiatives on capacity building, research, and public awareness. It has been further noted that the same law enforcement institutions (mostly communications regulatory authorities) in individual countries somehow do conduct public awareness and capacity building programs, but given their tedious and tiresome enforcement, licensing and generally regulatory functions, they have not been able to create a remarkable impact in the war against cybercrime. Presence of multiple institutions and players addressing the problem of cybercrime from different levels, disciplines, and 997  See paras 31 and 32 of the Preamble to the Regulation EU No. 526 / 2013 of 21 May 2013. 998  For a detailed discussion on EUCPN see part. H.VI. of chapter 4 above. 999  See article 2 of the Council Decision Setting up a European Crime Prevention Network of 28 May 2001. 1000  See article 4 the Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA of 30 November 2009. 1001  European Crime Prevention Network, Work Programme 2017, p. 11.



F. Concluding Remarks213

perspectives is an important element missing in the EAC region’s institutional framework. Further to the above, it is important to note that there are so many lessons that the East African region can learn from the activities of the CoE and EU’s anti-cybercrime institutional frameworks. On top of the conventional law enforcement institutions, there exist other parallel institutions which play an instrumental role through the non-coercive means. For example, the role of the Directorate of Information Society and Action against Crime, especially on the aspect of promotion and protection of human rights vis-à-vis fighting criminality on cyberspace and elsewhere cannot be overlooked as it is a lesson worth learning. This is because as observed in chapter 5 above, anti-cybercrime legislative initiatives in the individual Member States of the EAC know little about human rights and are being criticized for curtailing human rights, especially freedom of expression. Also, it has been observed that there are no robust regional institutions which oversee the protection of human rights against the Governments as such, and worse enough even the mandate of the EACJ, in so far as human rights are concerned, is crippled.1002 For that reason, as the East African region strives to adopt a vigorous cybercrime framework, it should do so while fully informed of the importance and necessity of having similar institutions that will focus beyond dogmatic criminal law enforcement. Furthermore, doing so would reflect what is stated above as bringing the equilibrium between law enforcement and respect for human rights and fundamental freedoms.1003

F. Concluding Remarks Based on the foregoing discussions, it is the considered opinion of the author that there is a lot that the EAC region can learn from Europe. The lessons range from the basic organization structure of the integration regime itself to the specific aspects of cybercrime. While the cybercrime regime in Europe seems to be robust and organized, it seems not to be the case with the EAC. However, together with the robustness of the European cybercrime regimes, it is important to note that there are some areas which have not been properly addressed by the regimes. For example, the category of content related offences has not been covered adequately. The Cybercrime Convention together with the Additional Protocol to the Convention recognize pornography, racist and xenophobic material, racist and xenophobic moti1002  For a detailed discussion on the jurisdiction of the EACJ see part. B.IV. of chapter 3 above. 1003  See the detailed discussion in part. C. of chapter 4 above.

214

Chap. 6: Comparative Assessment of Anti-Cybercrime Initiatives

vated threat, racist and xenophobic motivated insult, and genocide and crimes against humanity as the only content related offences. However, in reality, there are other serious offences such as cyberterrorism, grooming and spamming that have been left out of the scope of the Convention and its Additional Protocol. Also, the Convention and its Additional Protocol do not provide for identity related crimes. Regarding the EAC region, even at individual state levels, a number of issues have been noticed on their cybercrime regimes, both the way the offences have been conceived and established and their punishments as well. There are material differences observed among the EAC countries in terms of the weight and seriousness attached to some conducts which amount to cyber offences. The totality of these discrepancies as discussed above justifies a conclusion that there is lack of uniformity in terms of the way cybercrime is considered in the EAC region. Much more needs to be done to address criminality in cyberspace for the threats posed by cybercrime are likely to hinder developments in other areas of the EAC integration. As once observed by the then Interpol Secretary General, cybercrime is emerging as a very concrete threat and considering its anonymity, it may be one of the most dangerous criminal threats the world will ever face.1004 On anti-cybercrime institutions, it can be fairly concluded that all the institutions involved in anti-cybercrime initiatives at the CoE and the EU levels obtain their mandates from the mainstream organizational frameworks. They are duly and legally established by the specific legal instruments to perform their tasks. However, together with multiple institutions in the fight against cybercrime, it is the author’s observation that the multiplicity of institutions in the CoE and EU is unnecessarily costly and may not necessarily help to achieve the desired level of efficiency and success. There are so many institutions in Europe dealing with cybercrime and there is a kind of overlap and / or duplication of mandate among the institutions the fact which may lead to lack of proper coordination and confusion among the people. On the other hand, at the EAC level, the institutions are not clearly linked to the mainstream organizations of the Community as some of them exist as independent organizations established under different frameworks. For example, the EACO is separately established under its constitution as a Non-governmental Organization (NGO), hence it lacks a direct link with the EAC. It has also been noticed that there are more coercive institutions in the EAC region than educative and coordination institutions that offer public awareness on cybercrime. Also, the number of institutions generally seem to have less impact on cybercrime compared to Europe. 1004  For

more details see chapter 1 part. A. above.

Chapter 7

General Conclusion This book mainly assesses the efficiency and effectiveness of the measures adopted in preventing and combating cybercrime, as a new phenomenon, in East Africa and globally, while considering what lessons can be learnt from Europe’s cybercrime frameworks. In East Africa, the book has concerned itself with the collective anti-cybercrime initiatives and mechanisms at the EAC level, on one hand, and individual countries’ regimes of Kenya, Tanzania, and Uganda, on the other. In Europe, the book focuses and draws examples from the two anti-cybercrime regimes, namely the CoE regime and the EU cybercrime framework. The study has been prompted by the rampancy of cybercrime incidents in the EAC region and globally, together with the costs associated with cybercrime in the world economy. This book, among others, examines the role of the law in preventing and combating cybercrime; investigates the extent to which the current laws address the cybercrime problem; assesses the role of regional integration in fighting cybercrime; evaluates legal and institutional challenges in dealing with cybercrime; and considers best ways through which the East Africa region can prevent and combat cybercrime without inhibiting social, political and economic developments. In realizing the above, the book was based on three premises. The first premise is that Member States of the EAC lack effective legal and institutional framework to prevent and combat cybercrime. The second premise is that cybercrime being cross-territorial in nature, collective efforts to prevent, detect, apprehend, investigate, prosecute the same are required among States. The third premise is that international legal frameworks such as the European cybercrime frameworks offer good lessons and basis upon which the EAC can similarly align its regime in dealing with the challenges posed by cybercrime. Based on the above examination, the author has observed that the problem of cybercrime is real not only to the security and welfare of individual countries, but also the globe as a whole. Since ICTs has, among others, integrated the world into one small village, and borders do not matter much anymore, rampancy of cybercrime poses genuine security threats and / or issues to the whole world. There have been vivid examples of how systems of the world can be disturbed just by a mere single click on a computer. The ransomware, famously known as “Wannacry”, is a recent incident that can better explain

216

Chap. 7: General Conclusion

the risks associated with computing, and cybercrime in particular, at both global and individual countries levels. Apart from the ransomware, it has been indicated above that in 2016 alone, Europol facilitated the arrest of suspects of money muling estimated to cause monetary loss of about 23 million Euro. Similarly, it has been noted in this book that the cost of cybercrime in the EAC region is overwhelmingly colossal. The book further observes that the evolution of cybercrime has impacted, to a certain extent, the field of criminal law. The said impact is not only seen on the possibility of traditional crimes being committed using advanced electronic means, but also cybercrime itself as a new form of criminality. Furthermore, it has been noted that fighting cybercrime seems to be perplexing due to its features and associated challenges such as borderlessness, committed in computer environment, veil of anonymity and lack of statistics, constant technological changes (volatility), easiness to commit, difficulty in harmonization of laws, and the moderation between anti-cybercrime measures and human rights. Due to this complexity, the book finds that cyberspace governance and the war against cybercrime, in particular, requires multi-dimensional approaches in the form of laws, norms, architecture / technology, and market forces. This implies that success cannot be recorded by relying on just a single approach. As noted above, this book compares the anti-cybercrime mechanisms among the EAC, EU, and CoE, therefore, it was imperative to assess and compare the history, legal basis, objectives, mandate, organization structures and institutions upon which these intergovernmental organisations are founded. In so doing, it has been noted that although these intergovernmental institutions are separately established, all are intended at combining their members’ efforts in addressing their common problems through extension and intensification of cooperation with the ultimate view of fostering social, economic, cultural and political welfare of their subjects. Comparatively, the book has also noted that integration is more extensive in Europe than in the EAC, for the European integration involves much more areas / fields. Furthermore, the book observes that while the people in the EAC question its legitimacy, grassroots representation (inclusiveness), transparency and democracy, there are similar debates and struggles in Europe regarding the EU’s gradual increment of its mandate over time vis-à-vis individual States’ sovereignty. Also, in some countries like Germany, the question as to which law between the EU law and domestic laws prevail over the other, is still perplexing. Despite the above challenges, the European integration and its setup have been vital to guide and inform the discussions on the EAC and this book generally.



Chap. 7: General Conclusion217

It is further the observation of the author of this book that Europe realized early that for the economic, social, and political success of the integration to be achieved, prioritizing security matters was inevitably critical. This explains why it was necessary for Europe to take collective legislative and institutional measures against crimes as early as 1950’s. This background and experience from Europe in dealing with crimes at international level, among others, paved a smooth way for the adoption of the Convention on Cybercrime and its Additional Protocol at the CoE level. After the adoption of such legislative and institutional measures at the CoE, it became easier for the EU to formulate its anti-cybercrime framework. On anti-cybercrime legislative, institutional and other enforcement measures, the author concludes that Europe has succeeded in establishing robust frameworks which is a good lesson worth learning. However, the scope of the substantive cybercrime provisions leaves out of the picture some undesired conduct and behaviours which ought to be outlawed. These conduct include identity theft offences, grooming, spamming and so forth. On the institutional setup, it has been noted that there is the multiplicity of institutions that deal with more or less similar issues to the extent that it may cause inefficiency in coordination and unnecessary confusion among the people. On the anti-cybercrime measures adopted in the EAC region, the book concludes that very little has been achieved at the Community level, both in terms of substantive legal and institutional mechanisms. The EAC Legal Framework for Cyberlaws, 2008 which appears to have been aimed at forming the basis and roadmap for the Member States to align their domestic laws, lacks the requisite legal force within the EAC legal framework. Its legal status is unclear because, in terms of the provisions of the EAC Treaty, a binding legal instrument of the Community ought to be in the form of a Treaty, Protocol, Act, Agreement, Regulation, Directive or Decision, and the 2008 Cyberlaws Framework is none of them. Also, the Framework itself expressly states that it is not meant to act as a model law, something which is a big challenge by itself. Furthermore, at the individual country level, Member States of the EAC under the scrutiny of this book (Kenya, Tanzania, and Uganda) have taken their own varying approaches against cybercrime. Tanzania and Uganda have specific cybercrime laws, while Kenya uses the communications regulatory laws and other non-cyberlaws to prevent and combat cybercrime. The book has further noted the currently ongoing anti-cybercrime legislative process in Kenya. The above position justifies the conclusion reached by the author in this book that, the EAC seriously lacks collective legal and enforcement measures in countering cybercrime. Also, there are notable disparities among the EAC Member States in their individual approaches taken against cybercrime,

218

Chap. 7: General Conclusion

which signify lack of uniformity and harmonization on the same. Offences and their corresponding sanctions are conceived differently in every individual country, and where there is any uniformity, it is just accidental and not by design. Lack of serious institutional cooperation and coordination at the EAC level has been observed as well. There is also little cooperation among the EAC Member States in enforcing criminal laws, and that cooperation is not founded on the EAC framework as such, rather on bilateral and other reciprocal international arrangements such as mutual assistance in criminal matters, extradition and so forth. Such discretionary arrangements were proven to be ineffective and inefficient in Europe that is why they were replaced with more functioning enforcement mechanisms like the EAW. Based on the foregoing, it is fair to conclude that the EAC has more lessons to learn from Europe in the adoption of its cybercrime framework. Based on the foregoing, this book, therefore, concludes that there are clear disparities and lack of approximation and harmonization in the EAC region on the war against cybercrime. Also, considering the cross-territorial nature of cybercrime, it becomes imperative for the EAC and the globe generally to ensure that there are adequate and effective joint efforts to prevent, detect, apprehend, investigate and punish cybercrime which is becoming an immeasurable threat to the global peace and security. Furthermore, considering the progress achieved in Europe, it becomes important for the EAC and other regional integration institutions, to learn how best the challenges posed by cybercrime can be addressed. Having observed the above, the author finally notes that cybercrime is a multi-disciplinary phenomenon involving, among others, law, science, and technology, economic, social and political elements, therefore, when dealing with the same, it is important to take a multi-dimensional approach. Also, considering the borderlessness and volatility character of cybercrime, harmonization of laws and procedures at regional and global levels should be prioritized in order to eliminate cybercrime havens. Furthermore, institutional cooperation and robust law enforcement mechanisms are necessary to enable a quick exchange of information, prevention, detection, investigation, and prosecution of cybercrime possible. Further to the above, adequate resources at individual country, regional and global levels need to be committed towards facilitating cybercrime preventive and apprehensive measures. The book further observes that more investment need to be done by both public and private sectors in areas of technology, research and other academic / scientific studies including investigative research, and effective law enforcement. Also, more efforts are required in areas of education and creation of public awareness on cybercrime, so as to enable the public to take



Chap. 7: General Conclusion219

appropriate actions and encourage reporting of cybercrime incidences whenever they occur. Moreover, it is important to note that enjoyment of freedoms requires the creation of the world as an area of justice where crimes and criminals are seriously dealt with, and this is only possible through collective concerted efforts against criminality by all countries in the globe. Therefore, for the EAC to reap the desired results from the regional integration, more focus needs to be directed towards peace and security, and criminality in particular, so as to create a fertile ground for other aspects of integration such as customs union, common market, monetary union, free movement of persons, and ultimately political federation to blossom out.

References Achieng, Robert: East African Community, Cyberlaws and Regulations for Enhancing E-Commerce: including Case Studies and Lessons Learned, Regional Case Study: Cyberlaw Reform in the EAC, A Paper Presented at the Experts Meeting on Cyberlaws, Geneva, Switzerland, 25–27 March 2015. Agaba, Stephen: The Future of International Commercial Law in East Africa, European Journal of Law Reform, Vol. 13, 2011, pp. 505–513. Ajay, Mane et al.: An Examination of Cybercrime and Cybercrime Research, Golden Research Thoughts Journal, Vol. 4, Issue 10, 2015, pp. 1–17. Alkaabi, Ali et al.: Dealing with the Problem of Cybercrime, in: Baggili, I. (Ed.), Digital Forensics and Cyber Crime, London, Springer, 2011, pp. 1–18. Baggili, Ibrahim (Ed.): Digital Forensics and Cyber Crime, London, Springer, 2010. Bainbridge, David: Introduction to Computer Law, 5th edition, London, Pearson Education, 2004. Bălan-Rusu, Minodora-Ioana: The European Arrest Warrant, European Integration – Realities and Perspectives, Vol. 7, 2012, pp. 28–34. Balleste, Roy: Internet Governance Forum and Technology: A Matter of Human Development, Loyola Law and Technology Annual, Vol. 7, 2006–2007, pp. 37–70. Blair, Alasdair: Companion to the European Union, London, Routledge, 2006. Borchardt, Klaus: The ABC of European Union Law, Luxembourg, Publications Office of the European Union, 2010. Bothe, Michael: The Judgment of the German Federal Constitutional Court Regarding the Constitutionality of the Lisbon Treaty, Istituto Affari Internazionali, Documenti IAI0920. Bowman, Warigia: Governance, Technology, and the Search for Modernity in Kenya, William & Mary Policy Review, Vol. 1, No. 87, 2010, pp. 87–120. Brenner, Susan: Cybercrime Criminal Threats from Cyberspace, California, Praeger, 2010. – U.S. Cybercrime Law: Defining Offenses, Information Systems Frontiers, Vol. 6, No. 2, 2004, pp. 115–132. Brown, Steven: Combating International Crime: the Longer Arm of the Law, New York, Routledge-Cavendish, 2008. Buckland, Benjamini / Schreier, Fred / Winkler, Theodor: Democratic Governance Challenges of Cybersecurity, the Geneva Centre for the Democratic Control of Armed Forces (DCAF) Horizon 2015, Working Paper No. 1.

References221 Buckland, John: Combating Computer Crime: Prevention, Detection, Investigation, 1st Edition, New York, McGraw-Hill, 1992. Cairns, Walter: Introduction to European Union Law, 2nd Edition, London, Cavendish Publishing Limited, 2002. Calderoni, Francesco: Organized Crime Legislation in the European Union: Harmonization and Approximation of Criminal Law, National Legislations and the EU Framework Decision on the Fight against Organized Crime, Berlin, Springer, 2010. Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 2nd Edition, London, Academic Press, 2004. Cătălin, Marinescu: Aspects Regarding the Implementation of the European Arrest Warrant, Management Strategies Journal, VII (4), 2014, pp. 445–454. Chawki, Mohamed et al.: Cybercrime, Digital Forensics and Jurisdiction, London, Springer, 2015. Christou, George: Cyber security in the European Union: Resilience and Adaptability in Governance Policy, New York, Palgrave Macmillan, 2016. Clough, Jonathan: A World of Difference: the Budapest Convention on Cybercrime and the Challenges of Harmonization, Monash University Law Review, Vol. 40, No. 3, 2014, pp. 698–736. – Principles of Cybercrime, Cambridge, Cambridge University Press, 2010. – The Council of Europe Convention on Cybercrime: Defining “Crime” in Digital World, Criminal Law Forum, Springer, 2012, pp. 363–391. Collin, Simon: Dictionary of ICT, 4th Edition, London, Bloomsbury Publishing Plc, 2004. Commission of the European Communities: Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, 26 January 2001. – Communication from the Commission to the Council, the European Parliament on Mutual Recognition of Final Decisions in Criminal Matters, 26 July 2000. Communications Commission of Kenya: Sector Statistics Report April–June 2008 / 09, August 2009. Cook, Bernard: Europe Since 1945: An Encyclopedia, Vol. 1, New York, Garland Publishing Inc., 2001. Cornwall, Hugo: Data Theft, Computer Fraud, Industrial Espionage and Information Crime, London, Heinemann Educational Books, 1987. Council of Europe / Project Cybercrime@Octopus: The State of Cybercrime Legislation in Africa – An Overview, 11 May 2015. Craig, Paul / Burca, Grainne: EU Law: Text, Cases and Materials, 4th Edition, Oxford, Oxford University Press, 2007.

222 References Cret, Vasile / Pantea, Mădălina: The European Union (EU), AGORA International Journal of Juridical Sciences, No. vii, 2009, pp. 1–17. Cybercrime Convention Committee: 15th Plenary Meeting Report, Strasbourg, 25 May 2016. – Assessment Report of Implementation of the Preservation Provisions of the Budapest Convention on Cybercrime, Strasbourg, 21 June 2015. – Cybercrime @CoE Update, April-June 2016. Cybercrime Programme Office of the Council of Europe: About C-PROC, 28 January 2016. – C-PROC Activity Report for the Period April 2014–September 2015, Strasbourg, 23 September 2015. Davidson, Alan: The Law of Electronic Commerce, Cambridge, Cambridge University Press, 2009. Davies, Karen: Understanding European Union Law, 5th Edition, New York, Routledge, 2013. Dowrick, Frank: Juristic Activity in the Council of Europe-25th Year, International and Comparative Law Quarterly, Vol. 23, 1974, pp. 610–641. Dudley, Alfreda et al.: Investigating Cyber Law and Cyber Ethics: Issues, Impacts, and Practices, USA, Information Series Reference, 2012. Easttom, Chuck / Taylor, Jeff: Computer Crime, Investigation, and the Law, Boston, Cengage Learning, 2011. Elsuwege, Peter: The Interface between the Area of Freedom, Security and Justice and the Common Foreign and Security Policy of the European Union: Legal Constraints to Political Objectives, In: Holzhacker, R.L., and Luif, P. (Eds.), Freedom, Security and Justice in the European Union: Internal and External Dimensions of Increased Cooperation after the Lisbon Treaty, New York, Springer, 2014. Epstein, Richard: Can Technological Innovation Survive Government Regulation? Harvard Journal of Law & Public Policy, Vol.36, 2013, pp. 87–104. Esbenshade, Philip: Hacking: Juveniles and Undeterred Recreational Cybercrime, Journal of Juvenile Law, Vol. 23, 2003, pp. 52–64. European Commission: Press Release on Commission signing Agreement with Industry on Cybersecurity and Steps up Efforts to Tackle Cyber-Threats, Brussels, 5 July 2016. – Proposal for a Council Regulation on the establishment of the European Public Prosecutor’s Office (COM (2013) 534), 17 July 2013. European Committee on Crime Problems: Agenda of the 70th Plenary Session, Strasbourg, 27–30 June 2016. European Crime Prevention Network: Work Programme, 2016. – Work Programme, 2017. European Police College: European Police College Annual Report, 2015.

References223 European Union: The Cybersecurity Strategy of the European Union, 2013. Fafinski, Stefan: Computer Use and Misuse: the Constellation of Control, Ph.D. Thesis, University of Leeds, 2008. Fairhurst, John: Law of the European Union, 8th Edition, Essex, Pearson Education Limited, 2010. Ferrera, Gerald et al.: Cyber Law: Text and Cases, 2nd Edition, USA, South-Western, 2004. Fletcher, Maria: EU Criminal Justice: Beyond Lisbon, in: Eckes, C., and Konstadinides, T. (Eds.), Crime within the Area of Freedom, Security and Justice: A European Public Order, Cambridge, Cambridge University Press, 2011. Fletcher, Maria / Loof, Robin / Gilmore, Bill: EU Criminal Law and Justice, Massachusetts, Edward Elgar Publishing Inc., 2008. Gagliardone, Iginio / Sambuli, Nanjira: Cyber Security and Cyber Resilience in East Africa, Global Commission on Internet Governance, Paper Series No. 15, May 2015. Gastorn, Kennedy / Sippel, Harald / Wanitzek, Ulrike: Process of Legal Integration in the East African Community, Dar es Salaam, Dar es Salaam University Press, 2011. Giacomello, Giampiero: National Governments and Control of the Internet: A Digital Challenge, New York, Routledge, 2005. Goodman, Marc / Brenner, Susan, W.: The Emerging Consensus on Criminal Conduct in Cyberspace, International Journal of Law and Information Technology, Vol. 10, Issue 2, 2002, pp. 139–223. Grabosky, Peter: Virtual Criminality: Old Wine in New Bottles? Social and Legal Studies, Vol. 10, No. 2, 2001, pp. 243–249. Grosser, Alfred: The Federal Constitutional Court’s Lisbon Case: Germany’s “Sonderweg” – An Outsider’s Perspective, German Law Journal, Vol. 10, No. 08, 2009, p. 1263–1266. Haggenmüller, Sarah: The Principle of Proportionality and the European Arrest Warrant, Oñati Socio-Legal Series, Vol. 3, No. 1, 2013, pp. 95–106. Halberstam, Daniel / Möllers, Christoph: The German Constitutional Court says “Ja zu Deutschland!” German Law Journal, Vol. 10, No. 08, 2009, pp. 1241–1258. Harelimana, Abdulkarim: The East African Political Federation: Addressing Fears, Concerns, and Challenges, A Paper Presented at the Symposium of East African Legislative Assembly on the 10th EALA Anniversary on 2nd June 2011, Arusha Tanzania. Heathcote, Pat: ‘AS’ Level ICT, Ipswich, Payne-Gallaway Publishers, 2000. Holzhacker, Ronald L. / Luif, Paul: Introduction: Freedom, Security and Justice after Lisbon, in: Holzhacker, R.L., and Luif, P. (Eds.), Freedom, Security and Justice in the European Union: Internal and External Dimensions of Increased Cooperation after the Lisbon Treaty, New York, Springer, 2014.

224 References International Telecommunication Union: Understanding Cybercrime: Phenomena, Challenges and Legal Response, 2012. – Understanding Cybercrime: A Guide for Developing Countries, 2009. – ICT Facts and Figures, 2016. Ivan, Ion et al.: Non-Security – Premise of Cybercrime, Theoretical and Applied Economics, Vol. XIX, No. 4(569), 2012, pp. 59–78. Jaishankar, Karuppannan (Ed.): Cyber Criminology: Exploring Internet Crimes and Criminal Behaviour, CRC Press, USA, 2011. Jingchun, Cao: Protecting the Right to Privacy in China, Victoria University of Wellington Law Review, Vol. 36, Issue No. 3, 2005, pp. 645–664. Johnson, David / Post, David: Law and Borders – The Rise of Law in Cyberspace, Stanford Law Review, Vol. 48, No. 5, 1996, pp. 1367–1402. Kaczorowska, Alina: European Union Law, 2nd Edition, New York, Routledge, 2011. – European Union Law, New York, Routledge, 2008. Kamanga, Khoti / Possi, Ally: General Principles Governing EAC Integration, in: Ugirashebuja, E. et al. (Eds.), East African Community Law: Institutional, Substantive and Comparative EU Aspects, Leiden, Brill Nijhoff, 2017. Kenya Communications Authority: Second Quarter Sector Statistics Report for the Financial Year 2016 / 2017 (October-December), 2016. Keyser, Mike: The Council of Europe Convention on Cybercrime, Journal of Transnational Law and Policy on Cybercrime, Vol. 12: 2, 2003, pp. 287–326. Kiiver, Philipp: German Participation in EU Decision-Making after the Lisbon Case: A Comparative View on Domestic Parliamentary Clearance Procedures, German Law Journal, Vol. 10, No. 08, 2009, pp. 1287–1296. Klare, Hugh: The Work of the European Committee on Crime Problems, The British Journal of Criminology, Vol. 1, No. 4, 1961, pp. 377–380. Kolb, Marina: The European Union and the Council of Europe, New York, Palgrave Macmillan, 2013. KPMG International: “Cybercrime – A Growing Challenge for Governments”, Issues Monitor, Volume 8, July 2011. Kshetri, Nir: The Global Cybercrime Industry: Economic, Institutional and Strategic Perspectives, London, Springer, 2010. Larat, Fabrice: Presenting Narratives on European History and the Justification of EU Integration, German Law Journal, Vol. 06, No. 3, 2005, pp. 273–290. Lessig, Lawrence: Code, 2nd Edition, New York, Basic Books, 2006. – Law of the Horse: What Cyber Law Might Teach, Harvard Law Review, Vol. 113, Issue 2, 1999, pp. 501–549. – The Laws of Cyberspace, An Essay Presented at the Taiwan Net 98 Conference in Taipei, March 1998.

References225 Lloyd, Ian: Information Technology Law, 3rd Edition, London, Butterworths, 2000. Loader, Brian: The Governance of Cyberspace: Politics, Technology and Global Restructuring, New York, Routledge, 2005. Lu, Chi-Chao / Jen, Wen: A Historical Review of Computer User’s Illegal Behavior Based on Containment Theory, Journal of Software, Vol. 5, No. 6, 2010, pp. 593– 599. Lukumay, Zakayo: An Analysis of the Legal Basis for Electronic Banking in Tanzania, Ph.D. Thesis, University of Dar es Salaam, 2011. Mambi, Adam: ICT Law Book: A Source Book for Information and Communication Technologies and Cyber Law, Dar es Salaam, Mkuki na Nyota, 2010. Marcella, Albert / Menendez, Doug (Eds.): Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, London, Auerbach Publications, 2002. Marshall, Angus: Digital Forensics: Digital Evidence in Criminal Investigation, West Sussex, John Wiley & Sons, Ltd., 2008. Masinde, Wanyama / Omolo, Christopher: the Road to East African Integration, in: Ugirashebuja, E. et al. (Eds.), East African Community Law: Institutional, Substantive and Comparative EU Aspects, Leiden, Brill Nijhoff, 2017. Mbughuni, Azaria: Nyerere vs. Nkrumah: Why Did East African Federation Initiative Collapse in 1963? Business Times (Tanzania), 3 October 2014. Mchome, Sifuni: The Treaty of the East African Community: Is it the Equivalent of National Constitution? in: Gastorn, K., Sippel, H., and Wanitzek, U. (Eds.), Process of Legal Integration in the East African Community, Dar es Salaam, Dar es Salaam University Press, 2011, pp. 85–105. McQuade, Samuel (Ed.): Encyclopedia of Cybercrime, London, Greenwood Press, 2009. Medhurst, David: A Brief and Practical Guide to EU Law, 3rd Edition, Paris, Blackwell Science Limited, 2001. Mgaya, Klodwig: Development of Information Technology in Tanzania, Information Technology in Selected Countries: Reports from Ireland, Ethiopia, Nigeria and Tanzania, Tokyo, United Nations University, 1994. Middleton, Bruce: Cyber Crime Investigator’s Field Guide, 2nd Edition, London, Auerbach Publications, 2005. Ministry of Communications and Transport (Tanzania): National Information and Communications Technologies Policy, 2003. Ministry of Information and Communications (Kenya): National Information and Communications Technology (ICT) Policy, 2006. Ministry of Information and Communications Technology (Uganda): National Information and Communications Technology Policy for Uganda, 2014. – National Information Security Strategy, 2011.

226 References Ministry of Information, Communications and Technology (Kenya): National Cyber security Strategy, 2014. Ministry of Works, Housing and Communications (Uganda): National Information and Communication Technology Policy, 2003. Mitsilegas, Valsamis: EU Criminal Law, Portland, Hart Publishing, 2009. Morris, Henry Francis: Annual Departmental Reports relating to Kenya and the East Africa High Commission, 1903 / 4–1963. Muhika, Tulya: “Revival of the East African Cooperation and its Institutional Framework,” Perspectives on Regional Integration and Cooperation in East Africa, 2000. Mukandala, Rwekaza: “Political Cooperation”, Perspectives on Regional Integration and Cooperation in East Africa, 2000. Munga, Lucy: Financial Focus 2012, PricewaterhouseCoopers – Kenya, 2013. Munk, Tine Højsgaard: Cyber-security in the European Region: Anticipatory Governance and Practices, Ph.D. Thesis, University of Manchester, 2015. Murungi, Michael: Cybercrime in Kenya, Amsterdam, Kluwer Law International, 2011. Mwapachu, Juma: Ten Years of the East African Community-Achievements, Challenges and Prospects, in: Gastorn, K., Sippel, H., and Wanitzek, U. (Eds.), Process of Legal Integration in the East African Community, Dar es Salaam, Dar es Salaam University Press, 2011, pp. 45–65. Mwiburi, Abel: Legal Implications of Developments in Information and Communication Technology: An Appraisal of the Electronic and Postal Communications Act 2010 in Relation to Cybercrimes in E-Commerce in Tanzania, LL.M. Dissertation, University of Dar es Salaam, 2011. National Information Technology Authority: Uganda: National Information Security Policy, 2014. Neagu, Norel: General Principles of EU (Criminal) Law: Legality, Equality, NonDiscrimination, Specialty and Ne Bis in Idem in the Field of the European Arrest Warrant, Challenges of the Knowledge Society (Legal Sciences), 2010, pp. 100– 108. Niedobitek, Matthias: The Lisbon Case of 30 June 2009 – A Comment from the European Law Perspective, German Law Journal, Vol. 10, No. 08, 2009, pp. 1267– 1276. Norton: Cybersecurity Insights Report, 2015. Oddis, Dina: Combating Child Pornography on the Internet: The Council of Europe’s Convention on Cybercrime, Temple International and Comparative Law Journal, Vol. 16:2, 2002, pp. 477–518. O’Flynn, Michael Aaron: Harmonization and Cybercrime Jurisdiction: Uneasy Bedfellows? An Analysis of the Jurisdiction Trajectories of the Council of Europe’s Cybercrime Convention, Ph.D. Thesis, Queen Mary University of London, 2014.

References227 Oluoch, Wauna: Legitimacy of the East African Community, Journal of African Law, Vol. 53, Issue No. 2, 2009, pp. 194–221. O’Neill, Micheal: Old Crimes in New Bottles: Sanctioning Cybercrime, George Mason Law Review, Vol. 9:2, 2000, pp. 237–288. Orloff, Neil: Economic Integration in East Africa: the Treaty for East African Cooperation, Columbia Journal of Transnational Law, Vol. 7, 1968, pp. 302–332. Paranjape, Narayan Vishwanath: Criminology and Penology, Allahabad, Central Law Publishers, 2004. Paraschos, Emmanuel: Media Law and Regulation in the European Union: National, Transnational and U.S. Perspectives, Ames, Iowa State University, 1998. Parcalabu, Domnica Doina et al.: European Integration Realities and Perspectives: Importance and Necessity of International Judicial Cooperation in Criminal Matters, Legal Sciences, the 6th Edition of the International Conference, 2011, pp. 171–178. Podgor, Ellen: Cybercrime: Discretionary Jurisdiction, University of Louisville Law Review, Vol.47, 2009, pp. 727–738. – Cybercrime: National, Transnational, or International? Wayne Law Review, Vol. 50, Issue 1, 2004, pp. 97–108. Popa, Iulian: EU Cyberspace Governance: Which Way Forward, Research and Science Today, Vol. 5, Issue – Supplement, 2013, pp. 115–125. Possi, Ally: The East African Court of Justice: Towards Effective Protection of Human Rights in the East African Community, Ph.D. Thesis, University of Pretoria, 2014. Post, David: In Search of Jefferson’s Moose: Notes on the State of Cyberspace, New York, Oxford University Press, 2009. PricewaterhouseCoopers: “Cybercrime: the Benefits and Risks of a Networked World are Here to Stay; What You Don’t Know Can Hurt You”, Global Economic Crime Survey 2014. – The Global State of Information Security Survey, 2016. Rayport, Jeffrey / Jaworski, Bernard: Introduction to E-Commerce, 2nd Edition, New York, McGraw-Hill, 2004. Reinisch, August: Essential Questions in EU Law, Cambridge, Cambridge University Press, 2009. Reyes, Anthony / Wiles, Jack: The Best Damn Cybercrime and Digital Forensics Book Period, Burlington, Syngress Publishing, Inc., 2007. Reyes, Anthony et al.: Cyber Crime Investigations: Bridging the Gaps between Security Professionals, Law Enforcement, and Prosecutors, Rockland, Syngress Publishing, Inc., 2007. Savin, Andrej: EU Internet Law, Cheltenham, Edward Elgar Publishing Limited, 2013.

228 References Schell, Bernadette / Martin, Clemens: Cybercrime: A Reference Handbook, California, ABC-CLIO, Inc., 2004. Schjolberg, Stein: A Cyberspace Treaty – A United Nations Convention or Protocol on Cybersecurity and Cybercrime, A Paper Presented at the 12th United Nations Congress on Crime Prevention and Criminal Justice, Salvador – Brazil, April 2010. – An International Criminal Tribunal for Cyberspace (ICTC): A Background Paper for East-West Institute (EWI), Worldwide Cybersecurity Summit Special Interest Seminar: Harmonizing of Legal Frameworks for Cyberspace, New Dehli, India, 30–31 October 2012. – The History of Cybercrime 1976–2014, Norderstedt, Cybercrime Research Institute GmbH, 2014. Schönberger, Christoph: Lisbon in Karlsruhe: Maastricht’s Epigones at Sea, German Law Journal, Vol. 10, No. 08, 2009, pp. 1201–1218. Schütze, Robert: European Union Law, Cambridge, Cambridge University Press, 2015. Schwabach, Aaron: Internet and the Law Technology, Society and Compromises, California, ABC-CLIO, Inc., 2006. Sebalu, Paul: The East African Community, Journal of African Law, Vol. 16, Issue No. 3, 1972, pp. 345–363. Serianu: Africa Cyber Security Report, 2016. Shalhoub, Zeinab Karake / Al Qasimi, Sheikha Lubna: Cyber Law and Cyber Security in Developing and Emerging Economies, London, Edward Elgar Publishing Inc., 2010. Simion, Raluca: Cybercrime and its Challenges between Reality and Fiction. Where do We Actually Stand? Rivista di Criminilogia e Sicurezza, Vol. III, No. 3, 2009, pp. 296–312. Singh, Amarjeet: White Collar Crime, Singapore Academy of Law Journal, Vol. 14, Part 2, 2002, pp. 231–247. Singh, Pramod: Laws on Cyber Crime Along with IT Act and Relevant Rules, Delhi, Book Enclave, 2007. Sithole, Kundai: The Council of Europe: Political Legitimation and European Human Rights Protection, Ph.D. Thesis, University of Reading, 2010. Small Media: The Collaboration on International ICT Policy in East and Southern Africa (CIPESA), Defend Defenders, and Strathmore University’s Centre for Intellectual Property and Information Technology Law, Safeguarding Civil Society: Assessing Internet Freedom and Digital Resilience of Civil Society in East Africa, 2017. Soukieh, Kim: Cybercrime – Shifting Doctrine of Jurisdiction, Canberra Law Review, Vol. 10, Issue 1, 2011, pp. 221–238. Stahl, William: The Uncharted Waters of Cyberspace: Applying the Principles of International Maritime Law to the Problem of Cybersecurity, Georgia Journal of International and Comparative Law, Vol. 40, Issue 1, 2011, pp. 247–274.

References229 Svoda, Jerry: Transfer Tax and Development Bank: A New Look for the East African Community, Africa Law Studies, Vol. 2, 1969, pp. 93–102. Tanzania Communications Regulatory Authority: Status of Telecom Market; March 2009 Report. Tanzania Telecommunications Regulatory Authority: Quarterly Communications Statistics Report (October- December Quarter), 2016. Tharani, Aleem: Harmonization in the EAC, in: Ugirashebuja, E. et al. (Eds.), East African Community Law: Institutional, Substantive and Comparative EU Aspects, Leiden, Brill Nijhoff, 2017. The African Centre for Cyberlaw and Cybercrime Prevention (ACCP): Workshop Report on Effective Cybercrime Legislation in Eastern Africa, 2013. The Collaboration on International ICT Policy for East and Southern Africa (CIPESA): State of Internet Freedom in East Africa 2015: Survey on Access, Privacy and Security Online, September 2015. The East African Communications Organization: EACO Strategic Plan 2015–18. The East African Community: EAC Task Force on Cyberlaws: EAC Legal Framework for Cyberlaws, November 2008. – Secretariat, East African Community Facts and Figures, 2013. – 4th EAC Development Strategy (2011 / 12–2015 / 16): Deepening and Accelerating Integration, August 2011. – Report of the Committee on Fast Tracking East African Federation, 26th November 2004. The East African Legislative Assembly: Report of the Committee on Communications, Trade and Investments on the On-Spot Assessment of Regional Cooperation in ICT, November 2013. The European Union: The European Union Explained, How the European Union Works: Your Guide to the EU Institutions, 2014. The Global Cyber Security Capacity Centre: The Cyber security Capacity Review of the Republic of Uganda, 2016. Tillotson, John / Foster, Nigel: Text, Cases and Materials on European Union Law, 4th Edition, London, Cavendish Publishing Limited, 2003. Toure, Hamadoun: A Call for International Cooperation for Cyber Security, in: Bus, Jacques et al. (Eds.), Digital Enlightenment Yearbook, Amsterdam, IOS Press, 2012. Tripathi, Surya et al.: Internet Governance: A Developing Nation’s Call for Administrative Legal Reform, International Journal of Legal Information, Vol. 37, Issue 3, 2009, pp. 368–384. Tropina, Tatiana / Callanan, Cormac: Self and Co-regulation in Cybercrime, Cybersecurity and National Security, Heidelberg, Springer, 2015. Turner, Chris: Key Cases EU Law, 2nd Edition, London, Hodder Education, 2011.

230 References Turrini, Elliot / Ghosh, Sumit: Cybercrimes: A Multidisciplinary Analysis, Berlin, Springer, 2010. Tzu, Sun: The Art of War, Pax Librorum Publishing House, 2009. Ubena, John: E-Documents and E-Signatures in Tanzania: Their Role, Status and Future, in: Bwalya, K. J., and Zulu, S. (Eds.), Handbook of Research on E-Government and Emerging Economies: Adoption, E-Participation and Legal Frameworks, USA, Information Science Reference, 2012. Uganda Communications Commission: Post, Broadcasting and Telecommunications Market and Industry Report, Third Quarter (July–September), 2016. – Strategic Plan 2014 / 15–2019 / 20. United Nations: Recent Developments in the Use of Science and Technology by Offenders and by Competent Authorities in Fighting Crime, Including the Case of Cybercrime, A Working Paper Prepared by the Secretariat for the Twelfth United Nations Congress on Crime Prevention and Criminal Justice, Salvador, Brazil, 12th–19th April 2010. United Nations Office on Drugs and Crime: Comprehensive Study on Cybercrime, 2013. – UNODC Role in Global Response to Cybercrime, September 2011. Velasco, Cristos: Cybercrime Jurisdiction: Past, Present and Future, Academy of European Law Forum, CrossMark, 2015, pp. 331–347. Verstein, Andrew: Violent White-Collar Crime, Wake Forest Law Review, Vol. 49, Issue 3, 2014, pp. 873–888. Walden, Ian: Computer Crime, in: Reed, C. and Angel, J. (Eds.), Computer Law, 5th Edition, Oxford, Oxford University Press, 2003. Wall, David (Ed.): Crime and the Internet: Cybercrimes and Cyber-fears, London, Routledge, 2001. Watney, Murdoch: Determining When Conduct in Cyberspace Constitutes Cyber Warfare in Terms of International Law and Tallin Manual of International Law Applicable to Cyber Warfare: A Synopsis, in: Baggili, I. et al. (Eds.), Digital Forensics and Cyber Crime, Heidelberg, Springer, 2014. Weber, Amalie: The Council of Europe’s Convention on Cybercrime, Berkeley Technology Law Journal, Vol. 18, 2003, pp. 425–446. Wennerström, Erik: EU Legislation and Cybercrime: A Decade of European Legal Developments, Scandinavian Studies in Law, Vol. 47, 2004, pp. 452–470. Wohlfahrt, Christian: The Lisbon Case: A Critical Summary, German Law Journal, Vol. 10, No. 08, 2009, pp. 1277–1286. Yar, Majid: Cybercrime and Society, London, SAGE Publications Ltd, 2006. – The Novelty of “Cybercrime”: An Assessment in Light of Routine Activity Theory, European Journal of Criminology, Vol. 2, No. 4, 2005, pp. 407–427.

List of Cases Commission vs. Council [1971] ECR 263. Democratic Party vs. The Secretary General of the East African Community, Attorney General of the Republic of Uganda, Attorney General of the Republic of Kenya, Attorney General of the Republic of Rwanda, and Attorney General of the Republic of Burundi, EACJ Appeal No. 1 of 2014. East Africa Law Society vs. The Attorney General of the Republic of Burundi and the Secretary General of the East African Community, EACJ Reference No. 1 of 2014. Flaminio vs. ENEL [1964] ECR 585. Gary MacKinnon vs. Government of the USA and Secretary of State for the Home Department [2007] EWHC 762. Germany and Others vs. Commission [1987] ECR 3203. James Alfred Koroso vs. The Attorney General of the Republic of Kenya; EACJ Reference No. 12 of 2014. James Katabazi and 21 Others vs. Secretary General of the East African Community and the Attorney General of the Republic of Uganda, EACJ Reference No. 1 of 2007. Jebra Kambole vs. Attorney General, Miscellaneous Civil Cause No. 32 of 2015, High Court of Tanzania (Main Registry) at Dar es Salaam (Unreported). Patrick Ntege Walusimbi & 2 Others vs. the Attorney General of Uganda & 5 Others, EACJ Reference No. 8 of 2013. Prof. Peter Anyang’ Nyong’o and Others vs. Attorney General of Kenya and Others, EACJ Reference No. 1 of 2006. Reno vs. American Civil Liberties Union, 521 U.S. 844 (1997). Samuel Mukira Mohochi vs. The Attorney General of the Republic of Uganda, EACJ Reference No. 5 of 2011. The Attorney General of the Republic of Kenya vs. Independent Medico Legal Unit, EACJ Appeal No. 1 of 2011. Timothy Alvin Kahoho vs. The Secretary General of the East African Community, EACJ Appeal No. 2 of 2013. Trust Bank Tanzania Ltd. vs. Le-marsh Enterprises Ltd. & Two Others, Commercial Case No. 4 of 2000, High Court of Tanzania (Commercial Division) at Dar es Salaam (Unreported). United States vs. Rose, 315 F.3d 965 (8th Cir. 2003).

List of Legislation International The Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, 2003 The Additional Protocol to the Council of Europe Convention on the Prevention of Terrorism, 2015 The Convention for the Protection of Human Rights and Fundamental Freedoms, 1950 The Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, 1990 The Council Decision Establishing the European Police Office (Europol), 2009 (Council Decision 2009 / 371 / JHA) The Council Decision Setting up a European Crime Prevention Network, 2001 (Council Decision 2001 / 427 / JHA) The Council Decision Setting up a European Crime Prevention Network and Repealing Decision 2001 / 427 / JHA, 2009 (Council Decision 2009 / 902 / JHA) The Council Decision Setting up Eurojust with a View to Reinforcing the Fight against Serious Crime, 2002 (Council Decision 2002 / 187 / JHA) The Council Framework Decision on Combating Certain Forms and Expressions of Racism and Xenophobia by Means of Criminal Law, 2008 (Framework Decision 2008 / 913 / JHA) The Council Framework Decision on Combating Fraud and Counterfeiting of NonCash Means of Payment, 2001 (Framework Decision 2001 / 413 / JHA) The Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography, 2003 (Framework Decision 2004 / 68 / JHA). The Council Framework Decision on the European Arrest Warrant and the Surrender Procedures between Member States, 2002 (Framework Decision 2002 / 584 / JHA) The Council of Europe Convention on Cybercrime, 2001 The Council of Europe Convention on the Prevention of Terrorism, 2005 The Council of Europe Convention on the Protection of Children against Sexual Exploitation and Sexual Abuse, 2007 The Directive of the European Parliament and the Council on Attacks against Information Systems and Replacing Council Framework Decision 2005 / 222 / JHA, 2013 (Directive 2013 / 40 / EU)



List of Legislation233

The East African Community Customs Management Act, 2004 The East African Community Protocol on Peace and Security, 2013 The East African Community Protocol on Peace and Security, 2013 The European Convention on Extradition, 1957 The European Convention on Mutual Assistance in Criminal Matters, 1959 The European Convention on the International Validity of Criminal Judgments, 1970 The European Convention on the Suppression of Terrorism, 1977 The European Convention on the Transfer of Proceedings in Criminal Matters, 1972 The Framework Decision on Attacks against Information Systems, 2005 (Framework Decision 2005 / 222 / JHA) The International Covenant on Civil and Political Rights, 1966 The Merger Treaty, 1965 The Protocol for the Establishment of the East African Community Customs Union, 2004 The Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency, 2004 (Regulation EC No. 460 / 2004) The Single European Act, 1986 The Statute of Council of Europe, 1949 The Treaty for the Establishment of the East African Community, 1999 The Treaty of Amsterdam, 1997 The Treaty of Lisbon, 2007 The Treaty of Nice, 2000 The Treaty of Paris, 1951 The Treaty on European Union, 1992 Tanzania The Cybercrime Act, 2015 The Electronic and Postal Communications Act, 2010 The Evidence Act, Chap. 6, R.E. 2002 The Police Force and Auxiliary Services Act, Chap. 322, R.E. 2002 The Tanzania Communications Regulatory Act, 2003 The Written Laws (Miscellaneous Amendments) Act, Act No. 15 of 2007

234

List of Legislation Kenya

The Kenya Communications (Amendment) Act, 2009 The Kenya Communications (Amendment) Act, 2013 The Kenya Information and Communications Act, 1998 Uganda The Anti-Pornography Act, 2014 The Computer Misuse Act, 2011 The Uganda Communications Act, 2013 United Kingdom The Computer Misuse Act, 1990 The Police and Justice Act, 2006 The Serious Crime Act, 2015

Online Materials Access Now: Emerging Threats in Cybersecurity and Data Protection Legislation in African Union Countries, 13 February 2015, available at: https: /  / www.accessnow. org / emerging-threats-in-cybersecurity-data-legislation-in-africa-union / , accessed on 16th May 2016. Australia Institute of Criminology: Definitions and General Information, available at: http: /  / www.aic.gov.au / crime_types / cybercrime / definitions.html, accessed on 4th  Oc­tober 2015. Bagala, Andrew: Activists Cry Foul as Police Setup Cyber Crime Unit, available at: http: /  / www.monitor.co.ug / News / National / Activists-cry-foul-as-police-set-up-cy ber-crime-unit / 688334-2249294-r8ixtjz / index.html, accessed on 24 July 2017. Bunyan, Tony: Trevi, Europol and the European State, 1993 (unpublished), available at: http: /  / www.statewatch.org / news / handbook-trevi.pdf, accessed on 2  July 2016. Carter, David: Computer Crime Categories: How Techno-Criminals Operate, FBI Law Enforcement Bulletin, Vol. 64, Issue 7, July 1995, available at: https: /  / www. ncjrs.gov / pdffiles1 / Digitization / 156176NCJRS.pdf, accessed on 13th October 2015. Communications Authority of Kenya: What We Do, available at: http: /  / www.ca.go. ke / index.php / what-we-do, accessed on 22 May 2017. Computer Crime Research (India): What is Cybercrime? 2004, available at: http: /  / www.crime-research.org / analytics / 702, accessed on 13th October 2015. Council of Europe: Cybercrime Convention Committee, available at: https: /  / www. coe.int / en / web / cybercrime / tcy?desktop=true, accessed on 19 August 2017. Council of Europe: http: /  / www.coe.int / en / web / conventions / full-list, as accessed on 18 August 2016. Council of Europe: Information Society and Action against Crime Directorate, available at: https: /  / www.coe.int / en / web / human-rights-rule-of-law / information-soci ety-and-action-against-crime-directorate?desktop=true, accessed on 20  August 2017. Council of Europe: Our Member States, available at: http: /  / www.coe.int / en / web /  about-us / our-member-states, accessed on 13 June 2016. Council of Europe: Values, available at: http: /  / www.coe.int / en / web / about-us / values, accessed on 13 June 2016. Cross, Michael: Scene of Cybercrime, 2nd Edition, an online book available at: http: /  / www.bookfi.org / s / ?q=michael+cross+scene+of+cybercrime&t=0, accessed on 20th October 2015.

236

Online Materials

Directorate of Criminal Investigation: Cybercrime, available at: http: /  / www.cid. go.ke / index.php / sections / specilizedunits / cyber-crime.html, accessed on 22 May 2017. Edward, Edward: Mtandao wa TACCEO Walaani Polisi Kuvamia Kituo chao, available at: http: /  / www.mwananchi.co.tz / habari / Kitaifa / Mtandao-wa-TACCEO-wa laani-polisi-kuvamia-kituo-chao / - / 1597296 / 2938334 / - / g9cojc / - / index.html, accessed on 1st November 2015. European Commission: The Commission Communication “Towards a General Policy on the Fight against Cybercrime,” Brussels, 22 May 2007, available at: http: /  / europa.eu / rapid / press-release_MEMO-07-199_en.htm, accessed on 7th October 2015. European Committee on Crime Problems: About the European Committee on Crime Problems, available at: http: /  / www.coe.int / en / web / cdpc / european-committeeon-crime-problems, accessed on 19 August 2017. European Committee on Crime Problems: About the European Committee on Crime Problems, available at: http: /  / www.coe.int / t / dghl / standardsetting / cdpc / CDPC_ en.asp, accessed on 7 September 2016. European Committee on Crime Problems: Conventions Elaborated under the Authority of the CDPC, available at: http: /  / www.coe.int / t / dghl / standardsetting / cdpc / 1 Conventions.asp, accessed on 7 September 2016. European Parliament: Tampere European Council 15 and 16 October 1999 Presidency Conclusions, available at: http: /  / www.europarl.europa.eu / summits / tam_en.htmc, accessed on 13 September 2016. European Union Agency for Network and Information Security: Mission and Objectives, available at: https: /  / www.enisa.europa.eu / about-enisa / mission-and-objec tives, accessed on 14 September 2016. Europol: 178 Arrests in Successful Hit against Money Muling, available at: https: /  /  www.europol.europa.eu / newsroom / news / 178-arrests-in-successful-hit-againstmoney-muling, accessed on 25 January 2018. Europol: 2017, the Year When Cybercrime Hit Close to Home, available at: https: /  /  www.europol.europa.eu / newsroom / news / 2017-year-when-cybercrime-hit-closeto-home, accessed on 25 January 2018. Europol: Cyber Strategy, available at: https: /  / www.europol.europa.eu / ec3 / cyberstrategy, accessed on 14 September 2016. Europol: Europol Priorities, available at: https: /  / www.europol.europa.eu / content / page  / europol %E2 %80 %99s-priorities-145, accessed on 13 September 2016. Europol: History, available at: https: /  / www.europol.europa.eu / content / page / history149, accessed on 13 September 2016. History-Computer, Konrad, Zuse: the First Relay Computer, available at: http: /  /  history-computer.com / ModernComputer / Relays / Zuse.html, accessed on 8th October 2015.



Online Materials237

International Telecommunications Union: Communications in Uganda, available at: http: /  / www.itu.int / net / itunews / issues / 2009 / 06 / 31.aspx, accessed on 23 August 2017. INTERPOL: Cybercrime, available at: http: /  / www.interpol.int / Crime-areas / Cyber crime / Cybercrime, accessed on 15th October 2015. Jackson, Tom: Can Africa Fight Cybercrime and Preserve Human Rights? Available at: http: /  / www.bbc.com / news / business-32079748, accessed on 30th October 2015. Kassim, Malale: Cybercrime ‘Thorn in Flesh’ of African Governments, The Guardian, 20 March 2014, at http: /  / www.ippmedia.com / frontend / ?l=659944, Accessed on 1 June 2014. Kenya Broadcasting Corporation: Kenya to Set up an Anti-Cyber Crime Police Unit, available at: https: /  / www.youtube.com / watch?v=E1EGEAXwSak, accessed on 22 May 2017. Kimani, O’Brien: Kenya to Set up Anti-Cybercrime Police Unit, available at: http: /  / www.kbc.co.ke / kenya-to-set-up-anti-cyber-crime-police-unit / , accessed on 22 May 2017. Lunker, Manish: Cyber Laws: A Global Perspective, United Nations Download, 2011, available at: http: /  / unpan1.un.org / intradoc / groups / public / documents / apcity / unp an005846.pdf, Accessed on 28 May 2014. Marari, Daniel: Tanzania’s Cybercrimes Law and the Threat to Freedom of Expression and Information, available at:https: /  / africlaw.com / 2015 / 05 / 25 / of-tanzaniascybercrimes-law-and-the-threat-to-freedom-of-expression-and-information / , accessed on 17 May 2017. Marere, Michael: The Cybercrimes Act, 2015: A Weed in the Garden of Freedom of Expression in Tanzania, available at: http: /  / www.academia.edu / 13212310 / THE_ CYBERCRIMES_ACT_2015_A_WEED_IN_THE_GARDEN_OF_FREEDOM_ OF_EXPRESSION_IN_TANZANIA, accessed on 17 may 2017. Mtweve, Sturmius: Cybercrime a Threat to Africa’s Development, available at: http: /  / www.thecitizen.co.tz / Business / Cybercrime-a-threat-to-Africa-s-develop ment / - / 1840414 / 1849552 / - / item / 0 / - / xldb5sz / - / index.html, Accessed on 1 June 2014. PC Tech Magazine: NITA, IWF Launch Online Child Sexual Abuse Reporting Portal, available at: http: /  / pctechmag.com / 2015 / 09 / nita-launches-online-child-sexualabuse-reporting-portal / , accessed on 24 July 2017. Polivanyuk, Vasili: Cybercrime Criminological Researches, available at: http: /  / www. crime-research.org / library / Polivan0703eng.html, accessed on 12th October 2015. PricewaterhouseCoopers (PwC): The Global Economic Crime Survey 2014 by available at: http: /  / www.pwc.com / gx / en / services / advisory / consulting / forensics / eco nomic-crime-survey.html, accessed on 10th October 2015. Rwakenya, Edgar: Kenya Set to Pass Cyber-crime Bill as East Africa Seeks Legal Harmony, available at: https: /  / www.scmagazineuk.com / kenya-set-to-pass-cyber-

238

Online Materials

crime-bill-as-east-africa-seeks-legal-harmony / article / 652047 / , accessed on 22 May 2017. Slubambula, Powers of Uganda’s Cybercrime Unit Questioned, available at: https: /  /  slubambula.wordpress.com / 2017 / 04 / 29 / powers-of-ugandas-cyber-crime-unitquestioned / , accessed on 24 July 2017. Sperber, Amanda: Tanzania’s New Information Laws Draw Fire from Critics, 18 June 2015, available at: http: /  / www.aljazeera.com / indepth / features / 2015 / 06 / tanzaniainformation-laws-draw-fire-critics-150617064824518.html, accessed on 17 May 2017. Tanzania Communications Regulatory Authority: TCRA Profile, available at: https: /  /  www.tcra.go.tz / index.php / about-tcra / tcra-profile, accessed on 17 May 2017. Tentena, Paul: Cybercrime on the Increase in Africa, The East African Business Week, available at: http: /  / www.busiweek.com / index1.php?Ctp=2&pI=868&pLv =3&srI=69&spI=221&cI=11, Accessed on 1 June 2014. The Australian Institute of Criminology available at: http: /  / www.aic.gov.au / media_ library / conferences / other / smith_russell / 2012-12-cdpp.pdf, accessed on 11th October 2015. The BBC: Cyber-attack: Europol Says it was Unprecedented in Scale, available at: http: /  / www.bbc.com / news / world-europe-39907965, accessed on 12 May 2017. The BBC: NHS ‘Robust’ after Cyber-attack, available at: http: /  / www.bbc.com / news /  uk-39909441?intlink_from_url=http: /  / www.bbc.com / news / topics / 90a7bae1-8 eda-4f6d-b2fe-41a301a93ebb / nhs&link_location=live-reporting-story, accessed on 12 May 2017. The Centre Virtuel de la Connaissance sur l’Europe (CVCE): The Origins of the Council of Europe, available at: http: /  / www.cvce.eu / en / education / unit-content / - / unit / 026961fe-0d57-4314-a40a-a4ac066a1801 / 13839cdf-3e7e-4985-995f-2b6d9b 534633, accessed on 12 June 2016. The Council of Europe: About the European Committee on Crime Problems, available at: http: /  / www.coe.int / t / DGHL / STANDARDSETTING / CDPC / CDPC_en.asp, accessed on 15 June 2016. The Council of Europe: Our History, available at: http: /  / www.coe.int / en / web / aboutus / founding-fathers, accessed on 12 June 2016. The Delegation of European Union to the United Republic of Tanzania, EU-EAC, available at: http: /  / eeas.europa.eu / delegations / tanzania / africa_eu / eu_eac / index_ en.html, accessed on 17 June 2016. The East African Communications Organization: Working Groups and Committees, available at:http: /  / www.eaco.int / index.php / working-groups-committees / typo-page /  wg-5-ip-networks-standards-and-cyber-security, accessed on 11 May 2017. The East African Community EAC Resource Mobilization Office: Regional Integration Support Programme (RISP), available at: http: /  / www.eac.int / rmo / index. php?option=com_content&id=154 %3Aregional-integration-support-programmerisp&Itemid=1, accessed on 17 June 2016.



Online Materials239

The East African Community: History of the EAC, available at: http: /  / www.eac. int / about / EAC-history, accessed on 18 May 2016. The East African Community: Peace and Security Overview, available at: http: /  / www. eac.int / sectors / peace-and-security, accessed on 10 May 2017. The Economic Times at: http: /  / economictimes.indiatimes.com / definition / invisiblehand, accessed on 3rd November 2015. The European Data Protection Supervisor: Members and Mission, available at: https: /  / secure.edps.europa.eu / EDPSWEB / edps / EDPS / Membersmission, accessed on 8 June 2016. The European Police Office, European Cybercrime Centre – EC3, available at: https: /  / www.europol.europa.eu / about-europol / european-cybercrime-centre-ec3, accessed on 1 September 2017. The European Union: Institutions, bodies and Agencies, available at: http: /  / europa. eu / contact / institutions-bodies / index_en.htmgoto_2, accessed on 4 June 2016. The European Union: The Founding Fathers of the EU, available at: http: /  / europa. eu / about-eu / eu-history / founding-fathers / index_en.htmbox_9, accessed on 28 May 2016. The European Union: The History of the European Union, available at: http: /  / europa. eu / about-eu / eu-history / index_en.htm, accessed on 30 May 2016. The European Union: Topics of the European Union, available at: http: /  / europa.eu /  pol / index_en.htm, accessed on 3 June 2016. The Hanns Seidel Foundation: Assessment of the Policing of the 2015 Tanzanian Elections Field Assessment Report, available at: http: /  / policeforce.go.tz / index. php / en / 11-habari-mpya / 145-assessment-of-the-policing-of-the-2015-tanzanianelections-field-assessment-report, accessed on 18 May 2017. The Unwanted Witness – Uganda: Police Establishes Cybercrimes Unit to Curtail Online Freedoms, available at: https: /  / unwantedwitness.or.ug / police-establishescyber-crimes-unit-to-curtail-online-freedoms / , accessed on 24 July 2017. Tumwebaze, Peterson: East Africa Seeks Joint Approach to Combat Cybercrime, The New Times Rwanda, available at: https: /  / www.newtimes.co.rw / section / read /  55210, Accessed on 21 May 2014. Uganda Computer Emergency Response Team: Highlights and Updates, available at: http: /  / www.ug-cert.ug / , accessed on 23 July 2017. Williams, Rhiannon: Cybercrime Costs Global Economy $445 bn Annually, The Telegraph, available at: http: /  / www.telegraph.co.uk / technology / internet-security / 10 886640 / Cyber-crime-costs-global-economy-445-bn-annually.html, accessed on 10th October 2015.

Subject Index Approximation  141 Borderlessness in cybercrime  20, 49 Communications Authority of Kenya  169 Competencies of the European Union  83, 117 Computer crime  28 Council of Europe (COE)  57, 184, 93, 91, 80, 121, 123, 125, 127 Court of Justice of the European Union  75, 82 Cyber security  47 Cybercrime as a cross-border phenomenon  42 Cybercrime Convention Committee (T-CY)  113 Cybercrime Programme Office of the Council of Europe (C-PROC)  115 Cybercrime  21, 28, 30, 39, 40, 102, 111, 113, 143, 144, 153, 163 Cyberspace  28, 29, 30, 31, 39, 48 Directorate of Information Society and Action against Crime  115 EAC Cyber Laws Task Force  152 East Africa Communication Organisa­ tion (EACO)  150 East African Community (EAC)  184, 61, 57, 63, 65, 69 East African Community’s Organs and Institutions  65 Euro just  113 European Arrest Warrant (EAW)  129 European Atomic Energy Community (EURATOM)  73, 74

European Coal and Steel Community (ECSC)  72, 74 European Committee on Crime Problems (CDPC)  111 European Court of Justice  75 European Cybercrime Centre (EC3)  132, 208 European Police College (CEPOL)  130 European Police Office (EUROPOL)  131 European Union (EU)  184, 117, 121, 71, 78, 80, 83 European Union Agency for Network and Information Security (ENISA)  133 European Union Crime Prevention Network (EUCPN)  135 European Union’s Organs and Institutions  80 Exclusive competence  79, 84, 85 Features of cybercrimes  39 Forms of cyber criminality  34 Harmonization of Laws  49 Individual rights  52 International cooperation in penal matters  101, 117, 141, 143 Internet  19, 20, 27, 30, 32, 33, 44, 49, 51 Jurisdictional issues in cyberspace  49 Kenya Cybercrime Unit  170 Mainframe computers  32 National Cybersecurity Strategy  204



Subject Index241

National Information Technology Authority Uganda  181 Networked computers  32 Novelty of cybercrime  31, 55

Sanctions and other dissuasive measures  198 Scope and Competences of the East African Community  69

Old wine in new bottles  31, 39, 55

Shared competence  84, 120, 187

Personal Computers  33 Pillars of cybersecurity  47 Principles governing the East African Community  63 Principles governing the European Union  78

Tanzania Communications Regulatory Authority  162 Tanzania cybercrime Unity  163

Regulation by code or architecture  47 Regulation by law  46 Regulation by market forces  46 Regulation by norms  45 Revival of the East African Community  61

Supporting competence  84, 86

Uganda Communications Commission  180 Uganda cybercrime unit  152 United Nations Office on Drugs and Crime  38 Veil of anonymity  40, 54