The third day of #IGF2017 was unique since two of the five sessions attended were on the cybersecurity theme. The first session kicked off at 9:00am on: ‘Legal challenges in cloud forensics and cross-border criminal and counterterrorism investigations’. In an era of pervasive commercial encryption and the critical state of law enforcement inability access to data at rest, cloud information has become more vital for successful prosecution in criminal investigations. Companies such as Google, Apple, Facebook and Microsoft, are experiencing increasing requests from law enforcement globally for access to user information and content. How these requests are received, interpreted, approved or denied, vary depending on laws from the originating nation and the specific format and nature of the request.

There are two major cases before the Supreme Court in the United States, that could have a profound effect on the cyberlaw enforcement in the U.S., but also globally with the way they play out. The first is Carpenter v. U.S. heard before the Supreme Court that deals with law enforcement surveillance of a suspect in a bank robbery case there was a court order issued for a cellular provider over the course of three or four months, they determined exactly all the different movements for the particular suspect, ultimately tied him to a series of bank robberies that he was tried and convicted and ultimately sentenced. The challenge in this case is weather U.S. based law enforcement should use search warrants for the purpose of tracking a person for that period of time, based on constitutional needs and dealing specifically with the Stored Communications Act. This Act is a federal statute that all must adhere to for the purposes of demanding that third party providers cellular providers, Internet service providers, social network providers, provide that information to law enforcement in the course of an investigation. The second case is salient and it is known as the Microsoft Dublin case. It deals with U.S. based access to data that is stored on a foreign soil in Ireland. The way the case came to be is federal law enforcement applied for a search warrant for data held by Microsoft. They were granted that search warrant. When they went to execute the search warrant, they received certain information back from Microsoft. The response was that other data was stored overseas and this was content data and could not provide that to law enforcement. There are a series of challenges that went all the way up to the US Supreme Court. The question now before the Court that we deal with is whether the federal U.S. Stored Communications Act allows for essentially the claim of extra-territorial jurisdiction, extra-territorial application of our search warrant capability? The case turns on the issue of whether the Stored Communications Act does or does not allow for this type of application of the search warrant.

Currently some of the legal challenges in cloud forensics, are storage access and the existing national cyberlaws are not fit for purpose. There is also the problem of hackers using stolen servers from another jurisdiction. In the age of cryptocurrency. the ability to connect a virtual wallet with a real person is a challenge. This challenge means criminals are basically getting away with criminality. Generally, getting around the dark net and encryption is not quick, easy and involved a significant financial cost. In the context of cybercrime and cloud forensics, every case is an international case – there is no such thing as local or country-based criminal investigations. One of the biggest challenges facing law enforcement is speed. Cloud data that is delivered to law enforcement agencies with a delay leads to nonexistent discovery of further investigations that means if the data is not received in time, they cannot seize the servers, cannot arrest the data abroad, and in fact, the investigation might stop if the access is not presented in a timely manner. Finally, some cyberlaw enforcement officials called for something like an international team to handle cloud investigations and prosecutions on an international scale. There is need to find new ways of cooperation, and find legal grounds in order to organize such a form of distributed prosecution among a global law enforcement community.

The session on: Biometrics and Identity in the Global South was of particular interest since biometric technology has grown steadily in use for the most different purposes, by governments and private actors, without a proper discussion about its impacts, without sufficient transparency of its providers and the conditions of security of the information, and without discussion about the impacts the individuals whose data goes in the machine (beyond the enthusiasm for larger amounts of data). Here at CIPIT, there is on-going research on how the privacy of Kenyan citizens was affected by the use of biometric data during the just concluded 2017 General Elections and repeat elections. This work is supported by Privacy International who were present during the session and later organised an informal meeting with CIPIT on the sidelines of the day’s sessions.

The next session titled: ‘The Dark Side of Internet Policy: How flawed policy can lead to censorship,surveillance and shutdowns’ started with the observation that the internet’s promise as an open civic space for democratic participation has increasingly come under assault, whether by government laws targeting political dissent online, censorship, and network disruptions, to the sophisticated use of troll farms, gender-based hate speech, and propaganda to poison public discourse. The situation in Zimbabwe which was discussed during the session has previously been discussed on this blog. Meanwhile in Ukraine, there are more than 1,000 Internet service providers and newly introduced legislation drafts that require for them to install black boxes for inspection and as a surveillance technique. In Sri Lanka, 6 million out of its 20 million citizens use Facebook and the conversations are currently vibrant, irreverent, and very diverse. As a result, the Sri Lankan government has taken steps that have narrowed spaces for online expression as well as looking for ways to regulate and control content online. Like in most countries, there’s a rise in hate speech online in Sri Lanka targeting ethnic, religious and sexual minorities, human rights defenders, and others. In response, the Sri Lankan government recently issued a public notice which reads in part, ‘making personal, defamatory or hate statements using a telecommunications system or social media should not be done. Instead, citizens are urged to use their freedom of speech and live wholesome communications”. This is a clear example of a national government attempting to crack-down on dissent or what the authorities consider to be irreverent or inconvenient or unacceptable speech or expression under the guise of creating a safe and open Internet for everyone to use.

In the afternoon, the first session was on ‘Crime and Jurisdiction in Cyberspace: Towards Solutions’. As a precursor for the session, it is noted that evidence not only in relation to cybercrime, but in relation to any type of crime is nowadays available – often only available – in the form of electronic evidence on a computer system, that is, increasingly on servers stored remotely in the cloud. This raises complex question regarding applicable law and jurisdiction and has major implications on the rule of law and security but also human rights in cyberspace. One part of the solution lies in cooperation, as highlighted in the morning session on legal challenges in cloud forensics. Similarly, efforts continue to address the need to access data overseas in a timely manner with appropriate protections. In this regard, some have come up with an idea of framework under which U.S. providers can disclose directly to a foreign government for investigations of a particular sort for non-U.S. persons outside of the United States under the legal framework of the foreign country. In this regard, it is clear that work should also focus on acceptable criteria to be built into any mechanism to deal with cross border requests that addresses human rights.

During the session on: ‘African IGF Open Forum’, a recap was presented on the 6th African Internet Governance Forum which took place recently in Egypt. It was not just one event, but a cluster of events which was enriching to participants. Among the events that took place was the African School on Internet Governance which hosted 30 young ICT leaders from across Africa. After ASIG, the African IGF was launched with three days of discussions among African colleagues on the African IGF. In terms of participation, the African IGF had 314 participants from 37 countries. In 2018, the African IGF will be held in Sudan.