GOVERNMENT has come up with a new bill to widen its spying capability and monitoring of civilians at a time it is struggling to fully implement the new constitution that has an expanded bill of rights.
Faith Zaba/Hazel Ndebele
If passed, the draft Computer Crime and Cybercrime Bill in the Zimbabwe Independent’s possession, soon to be presented to cabinet, would allow government to remotely install spying tools onto citizens’ communication devices.
Zimbabwe already has a law, the Interception of Communication Act (ICA) 2007, which gives government significant powers of surveillance over the communications of its citizens.
A local human rights lawyer based in London, Arthur Gwagwa, says the only difference between ICA and the proposed cyber-security law is that rather than installing the monitoring device with the assistance of service providers, this law would allow authorities to remotely install spying tools onto a person’s device.
Under ICA, internet service providers are required to install at their own expense the hardware and software required for the state to carry out surveillance.
According to the draft bill, the proposed law, among other stipulations, provides for a police officer to apply to a magistrate for authorisation to utilise a remote forensic tool which would be installed on the suspect’s computer system in order to collect relevant evidence.
A remote forensic tool is defined in the draft bill as an “investigative tool, including software or hardware installed on or in relation to a computer system or part of a computer system and used to perform tasks that include but are not limited to keystroke logging or transmission of an IP-address”.
A magistrate can authorise such action if s/he is satisfied on the basis of an application by a police officer.
The application will need to state that there are reasonable grounds to believe that applying non-invasive instruments listed in the bill cannot collect essential evidence, which is reasonably required for the criminal investigation.
The bill limits the duration of authorisation to three months but does not specify if that can be renewed.
The proposed law states this method can be used only for essential evidence in relation to a list of grave crimes including murder, treason, kidnapping, money laundering, drug offences, illegal firearm dealings, arson, terrorism and hijacking.
An ICT consultant, Chris Musodza, told the Independent this week that although the bill contains limitations on the power to hack, it still introduces an “incredible” intrusive power and provides for its use in a wide array of circumstances.
“There is no requirement that the court oversees closely the implementation of the authorisation, nor is there any restriction on the repeated renewal of the authorisation,” he said.
“Hacking or the use of remote forensic tools is lawful in a very few countries, and there are a few examples of legislation which appropriately regulate the use of this power in a way that is compliant with human rights.”
Musodza added that: “The power instills in the police incredibly broad authority and responsibility that is highly prone to misuse and abuse, and which makes oversight and accountability very difficult. Equally, there is no requirement that the magistrate considers the identity of the person(s) targeted.”
The bill states that if a magistrate is satisfied on the basis of an application by a police officer, supported by an affidavit, that there are reasonable grounds to suspect or believe that the content of electronic communications is reasonably required for the purpose of a criminal investigation, he/she may order an internet service provider whose service is available in Zimbabwe to collect or record or to permit or assist authorities with the collection or recording of content associated with specified communications transmitted by means of a computer system, or authorise a police officer to collect or record that data through application of technical means.
“This (remote forensic hacking) is the most concerning provision in the bill. Remote forensic tool is defined as an investigative tool including software or hardware installed on or in relation to a computer system or part of a computer system and used to perform tasks that include but are not limited to keystroke logging — as you type on your keyboard it will be recording your keystrokes or transmission of an IP-address,” Musodza said.
“Moreover, the standard of ‘reasonably required for the purpose of a criminal investigation’ is too vague: there is no reference to what the police application should contain in order to enable the magistrate to decide on the measures of intrusion.”
In a paper titled Legal, Ethical and Technical Implications of Zimbabwe’s proposed Cyber Crime Law, Gwagwa says it was not clear whether the term “computer” will cover mobile devices.
“It is not very clear what the new proposed law will achieve that is not being achieved by the current Interception of Communication Act (ICA) 2007. This law gives the Zimbabwean government significant powers of surveillance over the communications of its citizens,” he says.
Former Information and Communications Technology (ICT) minister Nelson Chamisa said the government should engage ordinary people so that they have an input before enacting the law.
“There should be a clear law on data protection and clarity on when government can or cannot use remote forensic tools so that users are confident when they use their ICTs as every citizen has a right to privacy,” said Chamisa.
He said Zimbabweans have a right to freedom of expression, access to information and the right to privacy without undue intrusions.