In 2016, the government of Vanuatu was rushing to address what was seen by politicians and senior bureaucrats as a rising tide of increasingly intemperate talk, bullying and unwanted information on the internet.
This coincided with a global effort by the executive of the International Telecommunications Union, or ITU. Without a mandate from its members, it set out to create a new reference framework for cybercrime law. The campaign reached smaller countries from the Caribbean to sub-Saharan Africa to the Pacific islands. It was a flawed model.
A report commissioned by the Council of Europe excoriated the effort. As I reported in the Vanuatu Daily Post in 2016, the model law was ‘technically and legally incorrect, confusing, ambiguous’, ‘poorly drafted’, ‘unsafe’, and of ‘dubious’ credibility.
Vanuatu’s draft cybercrime bill cleaved closely to the model in almost every respect. It proposed to create crimes previously unheard of in cybercrime circles. Among the new offences: ‘illegal remaining in a computer system’, which is difficult to distinguish from what satirist Terry Pratchett called ‘loitering with intent’.
The crimes themselves might have been laughable, but the punishments weren’t. Spammers could have been imprisoned for up to five years. Mere possession of a nude or risqué photo taken without permission could result in two years imprisonment. So-called ‘red team’ security audits (which involve hacking into your own systems) would have been illegal, subject to up to seven years in jail.
Happily, the bill died on the order table in late 2016. The Public Prosecutor and other stakeholders took advantage of the opportunity to press reset and try again, this time with the assistance of the Council of Europe, which spearheaded the creation of the Budapest Convention, the current international standard for cybercrime.
The result is a vastly improved bill. It replaces ambiguity with globally recognised terms and definitions. It makes action against new threats such as cyberbullying, stalking and digital hate crimes easier, but carves out important protections for free speech, the public good, and identity protection.
The old bill would have required people who store, cache or even link to other people’s data to dob in any infringing clients to the Attorney General in order to avoid criminal liability. The new bill merely requires them to cooperate promptly and fully with investigators.
And investigations have to clear an appropriately high bar in order to proceed. An expert Commissioner must vet all applications for a warrant before they can be submitted to a judge.
The scope and duration of the warrant must be clearly justified, and the ability to conduct fishing expeditions in private data is curtailed. Surveillance of doctors, priests, lawyers and others as ‘specified by the Court’ may be further restricted by a judge.
Disappointingly, there’s no explicit media carve-out. But judges are required to consider “if the public interest from the production of data… outweighs the right to privacy of a person, whose privacy may be affected as a result….”
None of this rigour was present in the first cybercrime bill.
In a recent interview at Australia’s National Security College, Deputy Secretary for National Security Caroline Millar harked back to the simpler times of mutually assured nuclear destruction with a rueful chuckle. Things aren’t that simple anymore, she told Professor Rory Medcalf. “Everything is grey.”
Vanuatu’s new cybercrime legislation takes away a bit of the grey. It encapsulates and clearly addresses important concerns relating to cybercrime, and empowers law enforcement officers to act decisively. But not at any price.
It also provides something missing entirely from the 2016 cybercrime bill: clear terms for sharing data between jurisdictions.
After the recent announcement that Vanuatu would host the Pacific Fusion Centre, the much-touted regional hub for security cooperation in the region, regional security expert Jose L Sousa-Santos posted a series of questions on Twitter, asking among other things “who decides how the intelligence is disseminated, which intelligence, and to whom?”
If this bill is adopted next month, it will go a long way to answering those questions. If other countries follow Vanuatu (and the Council of Europe) in enacting similar laws, regional cooperation on cybercrime could become an important tool for securing our societies while preserving Pacific values. The importance—and potential impact—of cybercrime on Pacific societies and economies is highlighted in the Boe Declaration.
Sousa-Santos goes on to ask: “How will the issue of security clearances for Pacific analysts posted to the PFC be handled? Especially in regards to information or intelligence which is sensitive to Australia? Will this create a tiered system within the PFC? What is the role of partners such as NZ & US?”
With a well-aligned legal regime in place, Pacific countries would at last be entitled to stand as peers, not clients, of the powers operating in the region’s security environment.
That would be a welcome change.
Written by Dan McGarry
Originally posted on the Griffith University Pacific hub