Comments on the Barbados Cybercrime Bill (2023)

PART II – PROHIBITED CONDUCT

Illegal access

Part II (4) (1-2) is far too broad in scope and can implicate innocent or well-meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It is even more problematic where judicial officers are not trained to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Guidance should accompany the legislation to distinguish acceptable from criminal behaviour.

For example, the European Union (EU) General Data Protection Regulation (GDPR) includes 173 recitals (its preamble) that provide context and explain the reasons for the regulation. The proposal was also accompanied by an explanatory memorandum that provided further detail on the proposed legislation.

Misuse of devices

Part II (9) (a-b) There are a number of dual-use programmes and applications which can be, and are, used both for the legitimate testing and protection of computer systems and, conversely, with malicious intent. The provision should acknowledge this and exclude from criminal liability possession or use of such tools for ethical hacking, for instance authorised penetration testing. The Budapest Convention itself (Article 6(2)) contains such a carve-out for tools used for the authorised testing or protection of a computer system.

Disclosure of access codes

Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be an offence. The qualifier for criminality should be that the individual knows, or has reason to believe, that the disclosure is likely to cause loss, damage or injury to any person or property.

Critical information infrastructure system

Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the Act is proclaimed (e.g., financial services, water utilities, transportation, healthcare, hospitality). This should not be vague or left to interpretation.

Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:

  • There is a legal framework or a mechanism to identify operators of critical information infrastructure.
  • Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

Malicious communications

Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to suppress criticism of politicians and public personalities, or for political persecution. The same vague language exists in the Computer Misuse Act 2005 and has been misused in exactly these ways. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**

Cyber bullying

Part II (20) (1) – Same as the previous comment.

Cyber terrorism

Part II (21) (1-2) This is too limited in scope and should cover any use of computer systems for terrorism or organized crime. It should also cover preparatory acts for terrorism or organized crime (these are not the offences themselves but the precipitating actions).

PART III – INVESTIGATION AND ENFORCEMENT

Search and seizure

Part III (23) (1-2) gives law enforcement excessively broad powers of confiscation of, and access to, computer systems (including smaller form factors such as tablets and mobile phones). Powers of this kind require independent and effective oversight (as does this entire Act).

Assisting a police officer

Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, even where the grounds for disclosure have not been met. Again, this requires independent and effective oversight, and a police officer's sworn statement alone should not suffice to obtain a warrant granting such far-reaching powers.

Production of data for criminal proceedings

Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers: intercepting Internet communications, compelling service providers to hand over subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. Powers of this kind require independent and effective oversight. Again, a police officer's sworn statement alone should not suffice to obtain a warrant permitting such intrusive acts.

Preservation of data for criminal proceedings

Part III (28) (1-3) There is no discussion of the conditions and safeguards needed to adequately protect human rights and liberties when collecting and storing (preserving) data for criminal proceedings. These include maintaining the chain of custody, protecting personal data in line with the Data Protection Act, handling sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third parties, and records of how data is accessed and used. The provisions should also provide for judicial or other independent supervision, the grounds justifying an application, and limits on the scope and duration of such a power or procedure.

General observations – Part III

Part III (Investigation and enforcement) is missing key provisions related to:

  • Joint investigations or joint investigation teams
  • Expert witness testimony by video conferencing
  • Emergency mutual assistance (which is different to expedited disclosure)

ALIGNMENT WITH THE BUDAPEST CONVENTION

2nd Protocol of the Budapest Convention

It is clear that the Cybercrime Bill was patterned after the Council of Europe's (CoE) Budapest Convention, which has been criticised as outdated or deficient on several grounds. The Additional Protocol and the Second Additional Protocol to the Budapest Convention address further issues: racism and xenophobia, enhanced cooperation, and access to electronic evidence (e-evidence). The drafters of this Bill do not appear to have integrated the substantive updates from the additional protocols, or to have considered the protections and safeguards the Budapest Convention requires to protect human rights. The government therefore appears set to enact legislation that is already outdated and out of step with current technological developments and evolving jurisprudence.

* Training of judicial officers, especially in technology law and privacy law, is a major problem in the country. Because these specialist areas of law are still emerging, magistrates, judges, prosecutors, etc. have a poor understanding of the issues and limited case law to refer to, locally or in other regional jurisdictions. Consequently, many rulings rest on flawed reasoning, and individuals are often under- or over-penalised.

** The Budapest Convention, on which the Cybercrime Bill is based, has an accompanying 60-page explanatory report that specifies the additional checks and balances and the rule-of-law environment that countries like Barbados should have underpinning their cybercrime legislation. The explanatory report also covers the background, scope, objectives and main provisions of the Convention, as well as the challenges posed by cybercrime.

The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC

UPDATE: On 6 May 2024, I presented a more detailed critique of the Cybercrime Bill to the Parliamentary Joint Select Committee. The presentation can be found HERE.

Too Many Unanswered Questions: The Barbados National Digital Identification (DID)

In September 2020, it was widely publicised that the Government of Barbados would be introducing a national digital identification (DID) card. As expected, the announcement and subsequent reports have included the usual public service rhetoric about shifting to a digital economy, delivering social benefits, increasing the efficiency of doing business, and transforming the country into an innovation hub. Putting this flowery political language aside, a number of questions remain unanswered regarding the delivery of the DID project. These include questions around clear policy objectives, economic value capture, social impact, technology standards and legal requirements that must be addressed if Barbadians at large are to truly profit from this initiative.

To be fair, a DID system offers considerable benefits to the nation. It will serve as a key foundational element in transitioning to more accurate and efficient online delivery of government services (e-government), enhancing poverty alleviation and welfare services, reducing fraud, increasing financial inclusion, and serving national security interests.

However, without proper implementation, oversight and control, DID can inflict great harm on society, including the government or corporations profiting from the collection and storage of personal data, political manipulation of the electorate, social control of particular groups through surveillance, and restriction of access to services such as payments, travel, and social media. Additionally, in the absence of a qualified and experienced project management team, it will almost certainly become a 'white elephant': a massive waste of public funds that does precious little to improve the lives of citizens. In the ensuing sections, I provide a detailed analysis of the critical risk areas that pertain to digital ID systems and what must be done to alleviate them.

To read the full article, please click on this link.

Cybersecurity: Risks, Progress and the Way Forward in Latin America & the Caribbean

I will be chairing this Global Cyber Forum on 21 October 2020, where we will be discussing the state of cybersecurity capacities and capabilities across the Caribbean region.

Our speaker will be Kerry-Ann Barrett, Cybersecurity Policy Specialist at the Organization of American States (OAS), where she offers technical assistance to Member States in the development and implementation of their national cyber security strategies as well as assists in the implementation of various technical projects with the OAS Cybersecurity Program.

The overall basis for the session will be the 2020 Cybersecurity Report prepared by the Inter-American Development Bank (IDB), Organization of American States (OAS), and the Global Cyber Security Capacity Centre, University of Oxford. Our discussions will focus on the progress made thus far across the Caribbean, and what steps are necessary to move to the next level, including key areas such as national cybersecurity strategies, related action plans, or other cybersecurity capacity-building programs.

Tune in for what will be an engaging and informative session!

Towards the Single Telecoms Market: Analyzing the Performance of the Body of European Regulators for Electronic Communications (BEREC)


There is no doubt that BEREC's performance to date has been generally satisfactory. It has so far fulfilled its functions in a commendable manner, most notably with regard to Article 7/7a procedures, in addition to its contributions to the dialogue on international roaming and net neutrality. It has federated the national regulatory authorities (NRAs) in a way its predecessor failed to: it has compelled them to be more accountable to themselves and to consumers. It has enabled further harmonization and strengthened interaction between the Member States and the EU institutions. BEREC's uniqueness rests on two elements. On the one hand, it is a body uniting highly skilled professionals who perform their tasks independently of any public or private entity. On the other hand, BEREC comprises representatives of the different Member States and allows for regular exchange and deliberation between them, cascading the results of these processes up to the European level.

BEREC's independence, while imperfect, has proven to be a laudable feature of the organization. Its legal foundation (the Framework Directive) provides measures to ensure separation of powers and prevent undue political or private-sector capture. The mixed funding model in place serves to curtail any attempt by those financing the body to obstruct the effectiveness of its activities in delivering trans-national or pan-European services. This is not to say, however, that BEREC's independence from the individual NRAs does not require improvement, especially towards the goal of fashioning an overarching European outlook that overrides the national interests of the constituent NRAs.

The current organizational structure, from the technical to the decision-making level, balances stability and flexibility. It also leaves room for negotiations to take place at different levels, taking all views into account efficiently. The Expert Working Groups (EWGs) have improved their performance and work in a more professional manner. In recent years the quality of their reports has improved, while deadlines are met in practically all cases. Nonetheless, rules or guidelines for EWG work would be useful for the better functioning of BEREC.

BEREC's lack of decision-making and enforcement powers is a double-edged sword. On the one hand, it is a weakness where NRAs choose to reject BEREC's opinions and pursue undertakings that run counter to the strengthening of the single market. On the other hand, it can act as a balancing influence on the regulatory powers of the Commission and the national regulators. Fortunately, BEREC's record has been fairly balanced: it has issued several opinions supporting the draft decisions of NRAs, and both the Commission and the national regulators have largely agreed with BEREC's opinions in the instances where there was divergence.

Clarity around its accountability continues to be a challenge for BEREC. The body was formed to provide expert opinions on relevant topics, define priorities and advise the EU institutions on the harmonization of the single market. It is critically important that BEREC demonstrate greater accountability for its own objectives. This can be achieved by documenting its commitments or tactical goals for each coming year, and then reporting on its achievements to the EU institutions at the close of that year.

Models of regulatory governance vary in the level of discretion granted to regulators, and this determines the level of transparency required to reassure stakeholders and build legitimacy around regulatory decisions. European citizens and residents hold very strong beliefs about the right to access information related to their political and legal institutions. Additionally, the Commission has been vigorously promoting open data and the generation of value through the re-use of one specific type of data, public sector information. Simply put, BEREC needs to demonstrate its commitment to openness and transparency in order to build greater trust and legitimacy among its stakeholders. There isn't much more to it.

The ultimate success of the EU single market depends on the existence of a body that can effectively influence outcomes in national markets and begin to erode the pervasive 'national' market approach of Member States. The failure of the ERG is one of the main reasons the European e-communications market remained a patchwork quilt of national markets for so long. BEREC has many of the elements needed to become a successful force in coordinating national approaches and bringing consistency through decentralized regulation. However, it could also become a major obstacle to the Commission's harmonization policy by becoming a centre of European regulation that protects and lobbies for national interests. The jury is still out on which way the pendulum will swing.

The full academic paper can be found here: http://bit.ly/3mzDGLU