Showing posts with label legislation. Show all posts

Monday, 15 August 2016

SumTips: 3 Cybersecurity Bills You Should Protest Now (and How)

Pakistan, Zimbabwe and Russia have been making headlines lately, and the news isn’t good. These three countries have all passed or are in the process of drafting legislation that will only threaten free speech and privacy online. Below are three recent pieces of cyber legislation along with contact information should you choose to express your concerns.

Pakistan – Prevention of Electronic Crimes Bill (PECB)
Pakistan’s National Assembly recently approved a Prevention of Electronic Crimes Bill (PECB), which has been criticized for poorly protecting sensitive data, using vague language that ultimately infringes upon free speech and imposing harsh penalties. Although passed, the legislation has yet to be implemented.
Contact the National Assembly of Pakistan - assembly@na.gov.pk

Zimbabwe – Computer Crime and Cyber Crime Bill
Zimbabwe is in the process of drafting a Computer Crime and Cyber Crime Bill aimed at limiting unwanted social media use, including that used “to instigate violence, banditry, sabotage and general instability”. Furthermore, the legislation would allow police to intercept private communications and search and seize devices. The government is also at work on an Electronic Transaction and Electronic Commerce Bill and a Data Protection Bill.
Contact Zimbabwe's Ministry of Information Communication Technology - info@ictministry.gov.zw

Russia – “Yarovaya” Surveillance Law
Russia’s “Yarovaya” surveillance law mandates data retention, enables government backdoors into encrypted communications and even requires citizens to report their suspicions regarding terrorist acts or face a penalty of jail time.
Contact Russian President Vladimir Putin (http://en.letters.kremlin.ru/), but be aware: “Personal data of those sending letters by email is stored and processed in accordance with the provisions of Russia’s law on personal data.”

Make your voice heard, surf secure and stay Rando!



SumRando Cybersecurity is a Mauritius-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

Wednesday, 30 March 2016

Ghana Looks to Pass a Spy Bill by Another Name

Ghana, now is the time to let your parliament know how you really feel about the Interception of Postal Packets and Telecommunications Messages Bill.

Public outcry has already renamed the bill everything from an ‘Interception of Communications Bill’ to a ‘Spy Bill’, both widely seen as more to-the-point titles. At issue is the fact that the bill would allow the Ghanaian government to listen to, record and intercept the communications of individuals viewed as a threat to national security (without defining who these individuals might be).

According to Ghana’s Ministry of Interior, “the object of the bill is to enact legislation for the lawful interception of postal packets and telecommunication messages for the purpose of fighting crime, suppressing organized crime including money laundering, terrorism, narcotic trafficking, identity theft and generally for the protection of national security.” As it is currently written, the bill establishes safeguards such as requiring a court order or warrant in order to intercept communications, but is also riddled with troubling loopholes.

Of main concern is provision 4(3) of the bill: “The national security coordinator may where there is the need for urgency, orally authorise the interception without a warrant of a postal-packet or telecommunication message but the oral authorization shall be confirmed by obtaining a warrant from the high court within 48 hours after the oral authorization has been issued.”

The clause has been criticized for deregulating the interception of communications and placing unchecked power—albeit briefly—in the hands of a single individual, as opposed to a court.

In the words of Ace Anan Ankomah and Susan-Barbara Adjorkor Kumapley: “What this means is that the National Security Coordinator, a person appointed by the President and who reports to the President, can intercept your correspondence/communications, listen to your phone calls, and read your letters and text messages, for 48 hours without any independent checks and balances, or guarantees against abuse; and he can simply avoid going to court by terminating the interception before the 48 hours is over. Then he can, arguably, resume the interception for another 48-hour cycle. There is no one to check to see what he is going to use that for because the Bill removes the legislative check captured in the EI [Executive Instrument] requirement, and defers (potentially indefinitely) the judicial check in seeking a court order/warrant.”

The lack of protections during this two-day window is in direct violation of Ghana’s 1992 constitution, a document which, as the Ghana Bar Association (GBA) acknowledged, “seeks to blunt the capricious effect of such circumstances by demanding safeguards that are rooted in the rule of law, best exemplified, for now, by making the judiciary (an independent institution) the first point of call for purposes of determining whether such interference qualifies within the exceptions justifying interference with a person’s privacy.” The GBA argued that the bill did not allow for the supervision necessary to regulate whether information was in fact obtained during or outside of the assigned 48-hour period and also asked that any information obtained during this questionable timeframe not be treated as “lawful” or admitted in court proceedings.

Of further concern is the fact that this bill would override the protections granted by several laws already in place. Currently, interception without a warrant is prohibited by the Security and Intelligence Agencies Act, EOCO Act, Narcotics Control Act, Electronic Communications Act (ECA), the Mutual Legal Assistance Act and the Electronic Transactions Act. Although the Interception of Postal Packets and Telecommunications Messages Bill would consolidate interception legislation into one place, its convenience would come at the expense of lost oversight, as its 48-hour clause eliminates not only warranted interception but also the process established for the President to intercept communications via an Executive Instrument (EI).

Ghana’s parliament went into Easter recess last week with the promise that the feedback of stakeholders and the public alike would be welcome components of the bill’s consideration. Don't let this opportunity go to waste...and regardless of the outcome, keep surfing secure and staying Rando!


Wednesday, 17 February 2016

Cybersecurity in Ghana: A Promising Work in Progress

In a world of cybersecurity problems, Ghana is one country actively seeking solutions.

In 2015, the West African nation embraced a National Cyber Security Policy and Strategy, in which it first laid out a long list of concerns:
  • Cyber cafes, a primary source of Internet access for many Ghanaians, have become “fertile” for cyberattacks.
  • The growth of smart phone usage as well as M-commerce has led to increased mobile phone cybercrime.
  • Multiple government websites have also fallen victim to cyberattacks.
  • “Sakawa,” Internet fraud that takes advantage of traditional and religious rituals to gain money, continues to be popular and to be under-prosecuted due to an under-resourced and untrained police cybercrime unit and a lack of laws against such acts.
  • A coordinated structure for reporting cyber incidents does not exist.

With a vision of creating, “A secure and stable connected Ghana with Internet users working and creating wealth in a safe cyber space, with a well-researched and trained academic and professional community protecting Ghana’s cyber space equipped with global standards and responding swiftly to cyber incidents, and with up-to-date laws and systems in place to efficiently prosecute cyber criminals,” it is clear that the Ghana National Cyber Security Policy and Strategy aims to remedy the aforementioned issues.

Such change, however, won’t happen overnight.

To achieve this vision, Ghana is focused on nine policy pillars, set to be achieved in a 5-year strategic plan between now and 2020. The pillars are: effective governance, a legislative and regulatory framework, a cyber security technology framework, a culture of security and capacity building, research and development towards self-reliance, ensured compliance and enforcement, child online protection, cyber security emergency readiness and international cooperation.

Although Ghana’s nine pillars remain a work in progress, last month’s inaugural Data Protection Conference in Accra demonstrated Ghana’s commitment to work in the present towards a more secure cyber space. The conference, themed, “Creating the Right Balance between the Need for Information and Data Protection,” strived to raise awareness about data protection issues and statutory obligations for data controllers and processors.

The event reminded the hundreds in attendance to adhere to the provisions set out in 2012’s Data Protection Act (Act 843), legislation that has been widely applauded for directly addressing the need for data privacy. Of note, the act establishes data protection principles and guarantees user rights regarding personal information, including the right to access and amend your personal information, to prevent processing of your personal information and to complain to the Data Protection Commission. Unfortunately, Act 843 is not without flaws. The Data Protection Act includes a vague exemption to all provisions of personal data processing when for the good of “public order, public safety, public morality, national security or public interest.” Such loosely defined terms can be—and frequently are—used to infringe upon individuals’ rights.

In the words of Ghanaian Chief Justice Georgina Theodora Wood at the conference, “Privacy fortifies our human dignity and guarantees other key values such as freedom of association and freedom of speech in our society. Our fundamental right to privacy as enshrined under Article 18(2) of the 1992 Constitution cannot and should not be compromised, especially today.”

We agree. The National Cyber Security Policy and Strategy and the Data Protection Act collectively establish Ghana as a leader in cybersecurity and protection of free speech. As we wait to see what that brings, remember your privacy and security remain in your own hands.


SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

Thursday, 28 January 2016

Happy Data Privacy Day, Randos!

Today we celebrate Data Privacy Day in honor of the January 28, 1981 signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. 35 years later, legislation such as this has never been more important.

Convention 108, as the treaty is more commonly known, was the first legally binding international agreement dedicated to the protection of individuals’ personal data. As the National Cyber Security Alliance reminded us in its Data Privacy Day video:

“What you may not realize is that there is probably more of your personal information floating around in cyberspace than you think. Everything from what you post on social media and your browsing habits to the information organizations collect about you online leaves a digital footprint...Information about you such as the games you like to play, what you search online and where you shop and live has value, just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites.”

A year ago, we celebrated Data Privacy Day by offering our readers tips to enhance their online safety. Take a look. Although we wish we could report otherwise, these seven recommendations are as necessary today as they were in January 2015.

What we suspect has changed in the last year is the willingness of individuals to actively engage in data protection. In comparing 2014’s celebration with 2015’s, StaySafeOnline.org witnessed a nearly 125% increase in web traffic and the number of registered Champions of Data Privacy Day increased approximately 45%. Given that terms such as cybercrime law, data breach, encryption, government backdoor and VPN (and the concern for personal safety that they bring) are far more common than they were in January 2015, we expect this year’s celebration to be bigger than ever before.

January 28 is a day to envision a world that ‘Respects Privacy, Safeguards Data and Enables Trust.’ Join us in striving to make this goal a reality.

Wednesday, 20 January 2016

Free Speech in Kuwait Was Bad Before, And Now There’s a Cybercrime Law

If you believe everything the Kuwait Times tells you, you may think the country’s new cybercrime law was designed to benefit its people.

A January 14 article titled, “New cybercrime law protects on-line users” described the legislation as “aimed at protecting society from misuse of the internet and e-media by some users,” but offered little additional information in its 118-word blurb.

Sources outside of Kuwait seem to have a different interpretation and a bit more to say:

“This law does not belong to the 21st century. In spirit and indeed, in letter, it is a retrograde piece of legislation that merely draws upon earlier, repressive laws. Kuwaitis deserve better,” argued Amnesty International’s Said Boumedouha.

“This new law comes at a time when Kuwait is prosecuting many opposition politicians and activists, journalists, and other government critics using expansive interpretations of moral imperatives and national security requirements. It appears designed to allow the authorities even wider legal latitude to curtail Kuwaitis’ right to free speech,” opined Sarah Leah Whitson of Human Rights Watch.

In fact, punishable offenses under the cybercrime law, in effect as of January 12, include using the internet to insult religion, the emir (Kuwaiti leader) or the judicial system, to damage Kuwait’s international reputation and to publicize classified information even when in the public’s best interest. It furthermore allows the government to confiscate devices used to carry out such acts and to ban “outlets and locations” responsible for these actions.

A better understanding of the cybercrime law certainly helps to explain the Kuwait Times’ vague-yet-optimistic approach to it, which ultimately only demonstrated the danger of such legislation: a newspaper unable to critique its government is also unable to openly discuss basic facts. Surf secure and stay Rando, Kuwait!





Tuesday, 12 January 2016

A Democratic Malaysia Requires “Creative Activism”

When technology and repressive regimes collide, “creative activism” can be a reform movement’s best hope. Just ask Malaysia’s Bersih 2.0.

Malaysia’s Coalition for Clean and Fair Elections, Bersih 2.0, is an electoral reform movement that has held a series of rallies since its inception in 2006. The latest, Yellow Mania, was held January 6 through 10 and took an approach that differed from the usual protests in the street.

Bersih Secretariat Manager Mandeep Singh described Yellow Mania as “relaxing and fun-filled”: “This event is to appreciate the Bersih 4 rally goers and all other supporters, who may have not attended for their own reasons. It is meant to be an educational eye-opener and a leisurely experience at the same time. It is also to appeal to those with interest in creative activism.”

The five-day event had something for everyone: photography, panel discussions, stand-up comedy, films, coloring for children and an activist-in-training bootcamp for young adults. What it almost didn’t have, however, was guest speaker and Indonesian human rights activist Mugiyanto Sipin.

Sipin, an activist with the International NGO Forum on Indonesian Development (INFID), was detained at Kuala Lumpur International Airport and deported back to Indonesia, on grounds of “political interference by a foreigner.” Regardless, modern technology allowed the show to go on: Sipin returned to Indonesia and participated in Yellow Mania via Skype, a Microsoft video calling service.

Such is the wonder that is today’s technology. Governments are able to control the physical presence of individuals, but digital presences have become a bit harder to contain. It would be naïve, however, to think that our unsecured digital presences do not follow us into the tangible world. In fact, a tweet posted about Sipin attending Yellow Mania is what led the Malaysian authorities to intercept him at the airport. Furthermore, Skype, the platform that ultimately brought Sipin to Yellow Mania, is well-known for its security vulnerabilities and tendency to share users’ conversations with governments’ prying eyes. (Communications are encrypted in transit, but they are not protected from Skype itself.)

In a country like Malaysia, exposed communications and security vulnerabilities of all sorts become all the more worrisome. Malaysia’s 1948 Sedition Act was largely a forgotten holdover from colonial days until recent years. Since 2013, the legislation has been used repeatedly to punish dissent, a trend that has only strengthened since reports of embezzlement associated with Prime Minister Najib Razak surfaced in mid-2015. In October 2015, an attempt to challenge the constitutionality of the legislation was rejected by a federal court, meaning that to this day, to speak out against the government, its policies, royalty or Islam is to risk fines, imprisonment or even banishment from “any electronic device” altogether.

Amnesty International has argued that Mugiyanto’s deportation is part of a growing trend in Malaysia to violate the internationally guaranteed rights of freedom of expression, freedom to receive information and freedom to impart information. In response, the human rights organization has called on Malaysia to “respect and protect the right to freedom of expression.” In the meantime, SumRando Cybersecurity urges Malaysians to enact some “creative activism” and secure what they say and do online.





Tuesday, 5 January 2016

Arrests in Ethiopia Remind Citizens to Protect Their Digital Footprints

In the final two weeks of 2015, two journalists were arrested, five freed bloggers threatened with renewed terrorism charges and at least 50 protesters killed. In other words, it was just another fortnight in Ethiopia under Anti-Terrorism Proclamation No.652/2009.

Ethiopia gained international attention in April 2014 when the six Zone 9 bloggers, along with three journalists, were arrested for “terrorism”. Their crimes were publishing information about Ethiopia’s human rights violations, working to prevent censorship and actively promoting constitutional rights, including the right to protest. In July 2015, Zelalem Kiberet, Tesfalem Waldyes, Asmamaw Hailegiorgis, Mahlet Fantahun and Edom Kassaye were released, conveniently preceding a visit to Ethiopia by United States President Barack Obama. In October, those still detained—Atnaf Berhane, Natnael Feleke, Befeqadu Hailu and Abel Wabela—were also released, but the current situation in Ethiopia leaves the country with little to celebrate.

On December 30, five of the freed Zone 9 bloggers were summoned to court in response to an appeal against the dismissed charges. The result of the summons remains to be seen, but the appeal has already made clear the fragility of anyone’s innocence in Ethiopia today.

Meanwhile, on December 19, news anchor Fikadu Mirkana of the state-run Oromia Radio and TV was arrested and on December 25, editor-in-chief Getachew Shiferaw of online newspaper Negere Ethiopia was arrested. Setting the scene are weeks of protests against a government plan to expand capital city Addis Ababa by displacing local farmers, protests which have left dozens dead and hundreds arrested. In short, it is neither safe to express opinions nor to report facts in Ethiopia today.

At the heart of the issue is a piece of legislation known as Anti-Terrorism Proclamation No.652/2009, which has already contributed to the self-imposed exile of 57 Ethiopian journalists and to the country’s ranking as the third highest jailer of journalists in Africa. Several clauses of the Proclamation should cause concern for ordinary citizens as much as for journalists:

To prevent and control a terrorist act, the National Intelligence and Security Service may, upon getting court warrant: a) intercept or conduct surveillance on the telephone, fax, radio, internet, electronic, postal and similar communications of a person suspected of terrorism; b) enter into any premise in secret to enforce the interception; or c) install or remove instruments enabling the interception. Information obtained through interception shall be kept in secret. Any communication service provider shall cooperate when requested by the National Intelligence and Security Service to conduct the interception. The National Intelligence and Security Services or the Police may gather information by surveillance in order to prevent and control acts of terrorism.

The police may arrest without court warrant any person whom he reasonably suspects to have committed or is committing a terrorist act as provided under this Proclamation.

The police may request from any government institution, official, bank or a private organization or an individual to be given information or evidence which he reasonably believes could assist to prevent or investigate terrorism cases. Anyone so requested shall have the duty to give the information or evidence.

The following shall be admissible in court for terrorism cases: intelligence report prepared in relation to terrorism, even if the report does not disclose the source or the method it was gathered; hearsay or indirect evidences; digital or electronic evidences; evidences gathered through interception or surveillance or information obtained through interception conducted by foreign law enforcement bodies; and confession of a suspect of terrorism in writing, voice recording, video cassette or recorded in any mechanical or electronic device.

The House of Peoples' Representatives shall have the power, upon submission by the government, to proscribe and de-proscribe an organization as terrorist organization.

Where any organization is proscribed as terrorist in accordance with sub (1) and (2) of this Article, its legal personality shall cease.

There is much that could be said about the Ethiopian government’s treatment of its journalists and citizens, but to do so would be to risk one’s life. SumRando acknowledges the courage of those who have chosen to make their voices heard in the face of such oppression, as well as of those who operate under the radar, silently and surreptitiously doing what they know is right.




Friday, 25 December 2015

CISA: Not the Christmas Surprise We Had Hoped For

It came without ribbons. It came without tags. It came without packages, boxes or bags.

That’s right—the United States' Cybersecurity Information Sharing Act (CISA) that we thought we had avoided has snuck into our lives, all but unannounced.

After months of much-publicized debate, a late-night, mid-December session of the United States Congress quietly tacked CISA onto a must-pass funding bill. On Friday, December 18, President Obama signed the bill into law, and so, CISA is here to stay.

Widely seen to align more closely with surveillance than cybersecurity, the legislation encourages companies to share cyber-threat data with the United States federal government by strengthening protections against privacy lawsuits for businesses.

In response, longtime opponent Senator Ron Wyden explained that CISA has only become more of a threat to individuals since its inception: “The latest version of CISA is the worst one yet – it contains substantially fewer oversight and reporting provisions than the Senate version did. That means that violations of Americans’ privacy will be more likely to go unnoticed. And the Intelligence Authorization bill strips authority from an important, independent watchdog on government surveillance, the Privacy and Civil Liberties Oversight Board. This will make it easier for intelligence agencies – particularly the CIA – to refuse to cooperate with the Board’s investigations. Reducing the amount of independent oversight and constricting the scope of the PCLOB’s authority sends the wrong message and will make our intelligence agencies less accountable.”

Nathan White, of digital rights defender Access Now, similarly had little patience for Congress' Grinch-like trick: “We’re all feeling a collective sense of deja vu. This is like a bad sequel where we all know the ending, but shouting at the characters doesn’t change anything. Just like the USA PATRIOT Act, CISA was a collection of old ideas that Congress had repeatedly rejected. And just like the PATRIOT Act, they re-wrote the final bill in secret and snuck it through Congress before most people could even read it. And just like the PATRIOT Act, CISA will be used for far more than members of Congress think that they are authorizing. Ultimately this will be embarrassing for Congress.”

Much as individuals did in response to the Patriot Act, now is again a time for users to take privacy into their own hands. The United States government is well-positioned to enter 2016 with greater powers of surveillance for Americans and non-Americans alike, but users must remember that privacy and anonymity remain universally recognized human rights. In 2016, it is every user’s responsibility to be just as stealthy as Congress was when it passed CISA and provide no business with any more information than necessary.




Wednesday, 23 December 2015

Shortened WhatsApp Ban Signifies a New Norm in Favor of User Choice

Two noteworthy events took place last week: the banning of an American app affected the ability of an estimated 93 million Brazilians (nearly the entire online population) to communicate and, shortly thereafter, the suspension was reduced from 48 hours to far less than a day.

A Brazilian court had attempted to impose a two-day ban of messaging app WhatsApp as punishment for parent company Facebook not complying with a court-ordered police request for information. Facebook countered that the use of encryption made the data requested inaccessible, a choice that CEO Mark Zuckerberg defended in a post: “I am stunned that our efforts to protect people’s data would result in such an extreme decision by a single judge to punish every person in Brazil who uses WhatsApp.”

Zuckerberg was far from alone in his sentiments. Just as #Nessas48HorasEuVou (#Inthese48hoursIwill) and its accompanying suggestions for finding ways to pass the time became Twitter’s latest trend, a second judge stepped in. Judge Xavier de Souza reinstated the service only hours after the ban began, suggesting a fine as a more appropriate way to address the situation, as it was “not reasonable that millions of users be affected by the inertia of the company.”

This is one story that summarizes the current state of the Internet quite well:

  • Even the strongest Internet law is penetrable: Marco Civil, Brazil’s Internet law, was passed in 2014 amidst praise for its capacity to protect online rights. An unannounced, nearly unexplained interruption of a communication service utilized by half of Brazil’s total population that disrupted everyday users more than WhatsApp itself is certainly a violation of the very rights Marco Civil purports to protect.
  • There is strength in numbers: Judge de Souza’s argument for bringing WhatsApp back boiled down to one simple argument: everyone is on it. 
  • Communication knows no country lines: The unusually high cost of services provided by Brazil’s telecom companies initially prompted millions of Brazilians to turn to WhatsApp, a foreign, low-cost alternative. If last week's brief outage was an attempt to get Brazilians to communicate the old-fashioned way, the takeaway is this: during the outage, Brazilians were at a loss for what to do with themselves—until they remembered that alternatives exist. Foreign-based services such as Telegram and SumRando Messenger were able to affordably fill a void that national services simply could not. 

Last week's abbreviated WhatsApp ban signifies the coming of an era in which concerned citizens will dictate country policies. SumRando looks forward to a 2016 in which user choice brings the world closer to a free and open Internet for all.




Thursday, 17 December 2015

Draft Cybercrimes Bill Would Be a ‘Sin’ For South Africa

South Africa has spoken: the draft Cybercrimes and Cybersecurity Bill made public in September is not what she wants. The criticism poured in as the comment submission deadline approached:

Right2Know, a movement focused on freedom of expression and access to information, submitted a significant rebuttal to the Bill, and also condensed its complaints to “Seven Deadly Sins”, as the Bill would:
  1. Hand over control of the internet to the Ministry of State Security
  2. Give the state security structures the power to effectively declare ‘national key points’ of the internet—and potentially grant backdoor access to any network
  3. Criminalise journalists and whistleblowers by sneaking in the worst parts of the “Secrecy Bill”
  4. Increase the state’s surveillance powers and be even more invasive than RICA
  5. Undermine South Africans’ civil liberties and particularly the constitutional right to privacy.
  6. Contain 59 new criminal offences involving computer usage—many of which are so broad that they could ensnare ordinary computer users. The Bill considers suspects guilty until proven innocent.
  7. Contain anti-copyright provisions so harsh you could be criminalized for even posting a meme.

In a more concise statement, PEN South Africa expressed “extreme concern” over the Bill’s potential for harm: “We have submitted feedback to the Department of Justice and Constitutional Development, requesting that the Bill be withdrawn and redrafted with input from civil society. We have asked that the Bill be reformulated in such a way that it achieves the protections sought in the safest way and which takes into consideration the freedom of expression clauses in the Constitution and protection of the public interest.” PEN South Africa, an affiliate of PEN International, defends free expression and encourages literature.
Similarly, the concluding remarks of the Freedom of Expression Institute’s submission argued, “The Cybercrimes and Cybersecurity bill is a ‘necessary evil’ addition to South Africa’s legislations; however, there are aspects of the Bill that unreasonably infringe on the rights of access to information and freedom of speech. These infringements must be expeditiously remedied in the revised versions of the proposed legislation.”
The Open Web Application Security Project (OWASP) of Cape Town, which focuses on improving the security of software, provided a detailed analysis that noted a close-to-home concern for SumRando Cybersecurity: “[The Bill] offers no protection to whistleblowers or personal privacy, and adds significant risk to any person or business who wish to operate in the information security field…The result will be that the very people that we need to develop to enhance cybersecurity will find other alternatives rather than run the risk of bad legislation possibly criminalizing their actions. Those that are interested in cybersecurity will in all likelihood leave the country to pursue their profession elsewhere.”

In short, a cybercrimes bill is very much needed, but concerned citizens and organizations are not about to bite the apple that has been offered. Now that the public comment period has closed, expect the real discussion to begin.




Thursday, 10 December 2015

BlackBerry Exits Pakistan Amidst Overwhelming Privacy Concerns

In a reminder that user security will be 2016’s bottom line, on November 30, BlackBerry decided the best way to do business with Pakistan would be to not do business at all.

At stake is BlackBerry Enterprise Service (BES), which provides secure email and messaging communications. Pakistan wanted backdoor access to all BES traffic; BlackBerry responded by exiting the country altogether.

“BlackBerry provides the world’s most secure communications platform to government, military and enterprise customers. Protecting that security is paramount to our mission. While we recognize the need to cooperate with lawful government investigative requests of criminal activity, we have never permitted wholesale access to our BES servers,” explained BlackBerry Chief Operating Officer Marty Beard in a blog post.

BlackBerry’s exit is a fitting end to a year that has made Pakistan synonymous with “surveillance state.” Currently under review is a proposed Prevention of Electronic Crimes Bill (PECB), a document that has accurately been described as “a clear and present danger to human rights.” A joint statement from concerned parties including ARTICLE 19, Human Rights Watch, Privacy International and Pakistan’s Bolo Bhi and Bytes for All highlighted several flaws of the Bill:

  • It would enable government to order service providers to remove or block access to any speech, sound, data, writing, image, or video, without any approval from a court.
  • It would allow the Federal Government to share intelligence gathered from investigations with foreign spy agencies like the United States National Security Agency, without any independent oversight.
  • It would mandate service providers to retain data about Pakistanis’ telephone and email communications for a minimum of one year.
  • It would enable the government to “seize” programs or data, defining seizing as to “make and retain a copy of the data”, without specifying the procedures by which the seized data is retained, stored, deleted or further copied.
 “Tipping the scales: Security & surveillance in Pakistan,” a July 2015 report from Privacy International, further exposed Pakistan’s less-than-impressive record. According to the report, mass surveillance has been in place since at least 2005 and has been used to target journalists, lawyers, activists and opposition politicians, amongst others. Since 2011, all Internet service providers and phone companies have been ordered to ban encryption and virtual private networks. The report concludes on a grim note: “The practical capacity of the Pakistani government for communications surveillance now outstrips the current capacity of domestic and international law for effective regulation of that surveillance.”

Farieha Aziz of Bolo Bhi, a Pakistani pro-digital security and privacy not-for-profit that has drafted a letter in protest of PECB, was quick to predict that BlackBerry wouldn’t be the only company to resist the draconian Pakistani state. November 29th tweets from Aziz include: “Data demands by govt forcing Blackberry to exit Pak. Yet govt claims Amazon, eBay & PayPal are coming” and “Companies to whom privacy of data and protection of speech matters will be weary of presence in Pakistan. Getting worse, not better.”

Aziz may be right that BlackBerry will be the first of several businesses to refuse to do business in Pakistan, but this also may be one situation that has to get worse before it can get better. In 2016, a surveillance state without business will soon be no state at all.




Tuesday, 10 November 2015

UK's Investigatory Powers Bill: A "Breath-taking Attack" on Internet Security

In keeping with global trends, the UK released its own draft Investigatory Powers Bill last week. The legislation sets out to clarify and simplify previous law, but also to negatively impact privacy and security for all.

Key measures include:
  • Internet connection records (ICRs) retained for one year, to be accessed in order to identify the sender of a communication or the communications services a person is using or to determine whether a person has been accessing or making available illegal material online. ICRs include main web addresses visited, but not the content or profiles viewed or the searches performed on each page.
  • Targeted equipment interference, allowing for data to be obtained from computers, tablets, smart phones, cables, wires and static storage devices, through a warrant process similar to the aforementioned.

Until 2016, the Bill remains a draft, leaving time for the very “scrutiny and debate” Home Secretary Theresa May requested in the Bill’s foreword.

One British human rights organization, Liberty, is promoting just that by encouraging concerned citizens to sign their names in support of an eight-point Safe and Sound plan, which seeks:
  1. Prior judicial authorisation of all surveillance requests.
  2. No blanket powers forcing communications companies to store more personal data.
  3. Surveillance conducted for tightly defined reasons such as the investigation of serious crime and preventing loss of life, with requests and warrants targeting individuals on the basis of suspicion in criminal activity.
  4. Improved redress and increased transparency for those who have been under unlawful surveillance or are no longer under suspicion.
  5. Use of intercept evidence in court to bring perpetrators to justice.
  6. Data-sharing arrangements between UK and other countries made public and set out in law.
  7. Legislative protection against the breaking of our country’s encryption standards.
  8. Recognition of the unique threat posed by hacking to British people’s security.
In the words of Liberty's Director, Shami Chakrabarti, "After all the talk of climbdowns and safeguards, this long-awaited Bill constitutes a breath-taking attack on the Internet security of every man, woman and child in our country. We must now look to Parliament to step in where Ministers have failed and strike a better balance between privacy and surveillance."

The Investigatory Powers Bill is neither perfect nor complete; let Parliament know where you stand before this Bill becomes law.




Wednesday, 4 November 2015

CISA: Thankfully, Not Yet a Law

What do United States Senators Wyden, Heller, Leahy and Franken have in common?

They all tried to mitigate the potential damage of the Cybersecurity Information Sharing Act (CISA), but to no avail. Their proposed amendments would have protected personally identifiable information and the framework of the Freedom of Information Act, and restricted the definitions of cybersecurity threat and threat indicator.

Instead, last Tuesday, the Senate approved CISA as is by a vote of 74 to 21. The legislation will allow U.S. companies to voluntarily share user data with the U.S. Department of Homeland Security, which in turn could pass that data along to the NSA and FBI. The bill, already widely criticized by the civil liberties and technology communities alike, has repeatedly been associated with two main concerns: first, it will enable companies to share users’ information regardless of protections under other laws and agreements; and second, it will empower the U.S. government to domestically prosecute foreign nationals who have committed cybercrimes against U.S. companies, regardless of their location.

Friday, 16 October 2015

Australia's New Law: A Honey Pot for Hackers

Australia’s new data retention law has been labeled a honey pot for hackers, and it’s not hard to see why.

The Telecom Amendment Bill of 2015, which went into effect this past Tuesday, requires phone and internet service providers to keep a two-year record of Australians’ metadata, including phone numbers called and texted; time, date and location of calls; and emails sent and received. This information can then be turned over to predetermined government agencies, as well as any public or private agency publicly declared by the Attorney General, without a warrant.

Sadly, the law merely codifies what has largely been in place for years, as the Attorney General reminded us: "Data retention does not provide new powers for agencies to access metadata. It simply obliges telecommunications companies to retain and secure a limited set of records for two years."

Journalists have their own concerns to bear. A last-minute clause was added to require a warrant prior to using metadata in identifying journalists’ sources, but it has already come under criticism. All requests submitted to telecommunications companies will look identical and all journalist warrants will be kept secret, leaving companies to simply trust that the behind-the-scenes warrants actually exist.

Fortunately, no one is pretending that Australians are required to simply accept their new status quo, as the law’s passage has already seen the internet littered with tips to avoid such data collection, as well as reminders that doing so is perfectly legal. Senator Scott Ludlam, who has shifted from fighting the legislation to promoting ways around it, made a point of acknowledging that “There is nothing illegal about circumventing data retention” for all those unsure if now is the time to be proactive.

In fact, Malcolm Turnbull, journalist turned Communications Minister turned Prime Minister, could not have agreed more in a March interview: “If you have a device, a phone, a smartphone, and if I call you through the mobile phone network then there will be a record at my carrier. Let’s say my phone’s with Telstra, then there’s a record with Telstra that I’ve called your number. If on the other hand I communicate with you via Skype for a voice call or Viber, or I send you a message on WhatsApp or Wickr or Threema or Signal or Telegrammer — there’s a gazillion of them — or indeed if we have a FaceTime call, then all the telco can see is that my device has had a connection with the Skype server or the WhatsApp server. It doesn’t see anything happening with you…There are always ways for people to get around things, but of course a lot of people don’t.” 

Turnbull’s simultaneous support of data retention legislation and encouragement to work around it raises some significant questions. The Australian government is moving forward with a system that it knows is beatable. Does it hope to undermine the average citizen who does not think to protect himself, saving his data for a rainy day when it might be useful? Or is the next step to crack down on the secure messenger apps and VPNs that are currently keeping communication secure? 

For now, it’s best to take what precautions we can and Senator Ludlam’s tips are a good place to start: create strong passwords, use a secure messenger instead of texting, incorporate a VPN and Tor into regular internet usage and stay educated about ever-evolving laws and resources. Of course, there are certain secure messengers and VPNs we would suggest over others but ultimately, we just want you to surf secure and stay Rando!


Thursday, 15 October 2015

Take a Stance on Encryption at SaveCrypto.org

In the United States, October is National Cyber Security Awareness Month, an event that acknowledges the range of cyber threats in existence and promotes ways to reduce them. The solution, according to the U.S. government, is for all stakeholders to share in the responsibility of making the internet more cybersecure.

The Electronic Frontier Foundation and Access, along with privacy advocates such as the Committee to Protect Journalists, are celebrating October by providing an outlet for citizens and government alike to take responsibility for their security: an online petition asking the Obama administration to stand up for strong security and not allow secret backdoors in technology. 

Since launching on September 29, the petition has garnered more than 60,000 signatures; the White House will provide an official response if the petition reaches 100,000 signatures in 30 days. Its demands include publicly supporting encryption; rejecting laws, policies and mandates that undermine security; and no longer pressuring companies to store data, make data available or implement vulnerabilities.

Early October has already brought news from the White House that Obama won’t push for legislation that would allow access to encrypted communication, but many insist a non-stance is no substitute for a strong stance. 

Cybersecurity expert and Chief Technology Officer of Resilient Systems Inc., Bruce Schneier, had little optimism regarding government intrusions into privacy: “It’s been an issue since the mid-1990s, and it’s not going away because some president somewhere got momentarily sensible. I don’t believe for a minute that the pressure, overt or covert, is going to lessen.”

Techdirt’s Tim Cushing similarly pointed out that a momentarily sensible president is no long-term solution: Obama will leave office in January 2017 and—if the current presidential candidates’ platforms are any indication—with him could go what sensibility the government currently has regarding encryption.

Access’s US Policy Manager, Amie Stepanovich, concurred that conversation in Washington regarding encryption amounts to little more than ‘posturing’: for her, last week’s declaration to not take a strong stance simply means that conversation can continue behind closed doors without public input and law enforcement can continue to petition for whatever access it can get, as seen in a recent attempt to force Apple to unlock a phone. 

It’s undeniable that encryption is slowly gaining greater acceptance in the United States, but it would be unwise to believe there isn’t more to do. This October, consider taking responsibility for your cybersecurity by asking President Obama to do his part as well. It is time the United States took a strong stance in support of encryption, for its own security and the security of the world.


Monday, 5 October 2015

India’s National Encryption Policy: Another Step in the Wrong Direction

India’s recent draft National Encryption Policy was so undesirable it was thrown out, but current politics in India imply the replacement won't be much of an improvement.

The policy was widely criticized for clauses that would have:

  • Required citizens to “store the plaintexts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country.”
  • Required citizens to only use products registered in India and, in turn, required vendors of encryption products (like SumRando) to register with the Indian government by submitting working copies of any hardware or software. (A later addendum clarified the exclusion of mass use products such as Facebook, Twitter and WhatsApp from this clause.)
  • Prescribed the use of certain algorithms, including the known-to-be-vulnerable RC4 encryption.

Flawed as it was, many of the draft’s extreme measures were not without explanation. As Siddharthya Swapan Roy pointed out, “The entire post-Snowden civil liberties furore in the American media is about how their government must go through their courts only when the target of the surveillance is their countryman—an American. India may be their biggest market, but when it comes to digital civil rights, India is just another clump of lesser mortals called the third world and like all non-West nations, her citizens, common and VIP, are all fair game. This imbalance of power is what has lent credence to the efforts of BRICS members like Russia and China to block out and/or seek homegrown alternatives to Google and Twitter.”

No one would cite Russia and China as exemplars in protecting citizens’ privacy rights, but Roy does have a point. Rather than sit back and watch foreign companies profit off of their citizens’ data, these nations have taken action. India’s draft Encryption Policy fits with a history of similarly pushing back on foreign-owned companies that have greater access to citizen data than the government itself, such as its standoff with BlackBerry that led the Canadian company to install accessible servers in India. The outrage that met the initial draft Encryption Policy is not unfounded, but those voicing it should perhaps ask why the fight against government all-access passes to data has not been extended to corporations as well.

In the meantime, Indian Prime Minister Narendra Modi has been actively promoting the Digital India initiative, a purported effort to provide all citizens the digital connections and information necessary to be competitive in today’s world via measures such as linking local governments to each other and providing public Wi-Fi hubs in schools and cities. It may sound good, but recent developments imply that Digital India won’t really be for all Indians and won’t be completed without at least one major corporation: in recent weeks, Modi initiated yet another temporary internet ban in Gujarat province in order to avoid protests against his government and held a meeting with Facebook’s Mark Zuckerberg, a melding of minds that appears to have led to the rebranding of Internet.org—previously seen as incompatible with India’s commitment to net neutrality—as the more marketable Free Basics.

A second draft National Encryption Policy will eventually emerge and, given the current climate in India, there is little reason to believe it will be much kinder than the first. An anonymous senior government official recently told Newslaundry, “Rest assured, the government will not give up its right to intercept all forms of communication. If this is not included in the proposed encryption policy, then it will be included in a new set of rules and regulations that govern over-the-top [OTT] applications.”

Both government and business currently find themselves with a vested interest in India’s expanding internet and, unfortunately, neither has shown signs of making the average internet user’s right to privacy a priority. Unless drastic change materializes in the coming months and years, India’s users should expect to rely on independent action to preserve what online safety they may.  
