Thursday 26 February 2015

Recent African Legislation Shows Why the AU Convention Should Not Be Ratified

A TrendMicro report positioned Africa as a “safe harbor for cybercriminals” in 2013. Today, much of the continent is living up to this label.

The African Union Convention on Cyber Security and Personal Data Protection was adopted by the AU in June 2014. To date not a single African nation has ratified the Convention. Regardless, African nations have begun to adhere to the principles of the Convention, an agreement that is incapable of providing the privacy protection that Africa needs. 

The preamble of the Convention makes clear the AU’s understanding of Africa’s precarious position: "Bearing in mind that the major obstacles to the development of electronic commerce in Africa are linked to security issues, particularly…The absence of specific legal rules that protect consumers, intellectual property rights, personal data and information systems...”

Despite these promising opening lines, the ensuing document is a lengthy list of vague suggestions and exceptions to rules that leave African states with the power to abuse freedom of expression and privacy rights.

In addressing Personal Data Protection, Article 13 of the Convention states that an individual’s personal data can be processed without consent if it is required in “compliance with a legal obligation” or if doing so is “in the public interest." Furthermore, “the collection, recording, processing, storage and transmission of personal data shall be undertaken lawfully, fairly and non-fraudulently." 

Article 14 prohibits states from collecting “sensitive data”—that which reveals information such as race, ethnicity, trade union membership, and political and religious beliefs—but also offers ten examples of how this protection can be removed, including when “a judicial procedure or criminal investigation has been instituted,” “processing is necessary in the public interest,” and “processing is necessary for compliance with a legal or regulatory obligation.”

The Convention repeatedly protects individuals only so far as is convenient to government, and leaves governments to define what is and is not legal; in effect, the individual’s rights are nonexistent. Worse, the Convention's emphasis on human rights has been interpreted by many countries as an invitation to combine greater censorship with increased surveillance, a stifling pairing.

International human rights organization Access recently compiled a list of a few of the many African nations that are doing just what the Convention allows them to do: initiating and passing legislation that simultaneously compromises individuals’ freedom of expression and their right to privacy. For example, Tunisia’s proposed cybercrime law would create penalties for “content showing obscene acts and assaulting good morals” and also allow the government access to user IDs and traffic data. Ratified or not, the Convention has already set the tone for cybersecurity across the continent.

Rather than ratify the Convention as is, the countries of the African Union should look to Mauritius, an island nation east of Madagascar, for cybersecurity guidance. Mauritius is one of 44 nations worldwide to ratify the Council of Europe’s 2001 Convention on Cybercrime (the “Budapest Convention”). As Eric Tamarkin, Institute for Security Studies consultant, pointed out in a recent interview, the elements of the Budapest Convention that could infringe upon free speech exist as an addendum, thus allowing states to support a collaborative international effort to combat cybercrime without requiring them to compromise rights to freedom of expression and privacy.

The African Union knows internet security is necessary for economic advancement. However, if it proceeds with the current iteration of the Convention on Cyber Security and Personal Data Protection, it will provide the safe harbor government cybercriminals need to flourish across the continent.

Port Louis, Mauritius

Thursday 19 February 2015

White House Summit Highlights Disconnect Between Washington and Silicon Valley

If the logical place to hold a White House summit is the nation’s capital, it’s worth noting that Stanford University played host to last Friday’s WhiteHouse Cybersecurity and Consumer Protection Summit.

In the heart of Silicon Valley, United States President Barack Obama called for greater collaboration between government and the private sector in strengthening the nation’s cybersecurity. His keynote address asked for support of well-intentioned but misguided legislation currently in Congress and concluded with the signing of an executive order to promote information sharing among the private sector and between the private sector and government.

The underlying message of the summit was clear: cybersecurity has become a top concern for the White House, but it cannot be addressed unilaterally; Obama needs the tech industry on his side. However, the CEOs of West Coast powerhouses Facebook, Google, and Yahoo were noticeably absent on Friday. Tim Cook, CEO of Apple, whose iMessage offers customers the protection of end-to-end encryption, did speak, but his words may not have been what Obama wanted to hear:

“We can imagine a day in the not so distant future when your wallet becomes a remnant of the past, your passport, your driver’s license and other important documents can be digitally stored in a way that’s safe, secure, and easy to access, but only by you.  After all, we shouldn’t have to trade our security for the convenience of having all of this information at our fingertips. When a system is designed properly, security and convenience can actually work in harmony. This is a world of greater privacy and a world where criminals find it much more difficult to carry out their crimes.

“By harnessing the technology at our disposal, and working together as businesses, government, and citizens, we believe we can bring about a future that fully embraces both privacy and security. We must get this right. History has shown us that sacrificing our right to privacy can have dire consequences.”

The White House continues to push for information sharing as its solution to cybercrime, and the Silicon Valley tech industry it came west to woo is standing strong in defiance. If Obama wants to move this conversation forward, he needs to do more than move closer—he needs to start listening.

Thursday 12 February 2015

First Comes Sony, Then Comes Anthem…

Last week Anthem Inc. became the latest in a seemingly endless string of corporations to succumb to a major security breach. The attack on Anthem, the second largest health insurer in the United States, is thought to have compromised the private data of up to 80 million people. Although Anthem has yet to determine who is behind the security breach, it has reported that the information accessed includes names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information. 

Rarely has the news mentioned Anthem without also referencing Sony, the victim of another recent security breach. Rather than take the spotlight off its predecessor, the Anthem attack seems to have fed the media’s desire to continue to point to the Sony hack as a turning and tipping point in cybersecurity. Although the Sony attack currently threatens to overshadow that against Anthem, the latter is significant in its own right and must not be ignored.

Why does Anthem matter?

1. No industry is safe from hackers. The U.S. healthcare industry—a $3 trillion industry—is particularly vulnerable in part because it continues to use insecure, out-of-date computers.  Furthermore, the underground market price for health insurance credentials ($20) currently outweighs that of the average U.S. credit card ($1-$2). As an evolving threat, cybercrime has learned to go where access is easy and rewards are high.

      2. A cyberattack is no longer an isolated event; it is part of an accepted growing trend. The response to the Anthem hack has been that of expected acceptance, the inevitable next step in a post-Sony society. Rather than direct outrage at the attackers, the onus has been placed on the private and public sectors’ inabilities to protect their consumers’ data. U.S. Senator Angus King clearly stated the public’s frustration in a February 5 speech to Congress: “This week it is Anthem. A few weeks ago it was Sony. What is going to happen when it is the gas pipeline system, when it is the financial system, when it is the New York Stock Exchange, when people’s bank accounts disappear overnight? It is time for us to act, and it is time for us to act promptly.”  

      The Sony attack may have exposed global system vulnerabilities, but Anthem's recent breach provides proof that hackers are smart, everywhere, and here to stay.