Are Caribbean Cybercrime Bills based on flawed model law?

Reading Time: 5 minutes
Illustration by Weerapat, DepositPhotos.
Illustration by Weerapat, DepositPhotos.

By Shiva Bissessar

I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.

A subsequent December 2014, Council of Europe discussion paper, entitled “Cybercrime Model Laws“, has come to light which examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention.  This Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. 

In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at law. The paper goes further to explain problems of developing legislation based on poor model law by describing the possible situation which states may find themselves in, when seeking international cooperation:

Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.

The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:

The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.

Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlight significant problems with not only the methodology but also the eventual outcome of these exercises.   For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.    

The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’.  Among these is one item in particular concerning illegally remaining on a system:

It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.

Subsequent analysis of Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6 which speaks to an offence of illegally remaining on a system as described above.  Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice?   There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seems to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.

Is this kind of deviation from international norms a legitimate concern?  There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises?  The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.

In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention.  Is this the solution which other Caribbean states should be exploring?

At this juncture when we debate the future of own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.

Additional food for thought…  

What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?  

Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well? 

How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?

Mr Bissessar discusses responses to this column on his blog here,

Shiva Bissessar B.Sc. (Hons.) MBA M.Sc.

Shiva Bissessar
Shiva Bissessar

With almost 20 years of industry experience, Shiva Bissessar founded Pinaka Technology Solutions in 2013 as an Information and Communication Technology consultancy with specialization in Information Security at the strategic level. He recently joined the University of the West Indies, Arthur Lok Jack Graduate School of Business, as an adjunct lecturer within their Master Information Systems & Technology Management programme.

He has written several articles in various regional publications on issues such as cyber security, digital currency and technology innovation.   He recently completed a study and report as commissioned by the UN Economic Commission for Latin America and the Caribbean entitled “Opportunities and risks associated with the advent of digital currency in the Caribbean” which should be published by the end of March 2015.

In February and March 2015 he presented on this topic at public forums hosted by the Sim Kee Boon Institute of Financial Economics, Singapore Management University, Singapore and the Bitcoin Centre New York City, New York, respectively.

Twitter • Slideshare • LinkedIn • Blog •Website

  • Kwesi Prescod

    This analysis is based on a single source document…the OPINION of a Barrister-at-law that was SUBMITTED to the CoE. The opinion was NOT RATIFIED by the CoE.

    The OPINION makes some broad based statements based on the author’s own biases. Then it attempts to rate a number of other documents without clearly identifying its scoring criteria, though providing a rating scale. On further analysis, after reading the Convention which it defends and the documents it critiques, a number of thing are evident about the OPINION:

    1) The author apparently did little research into the drafting requirements and styles of the nations the model laws seem to serve. If he did, then many of the criticism of “needless innovations” or “definitions not known in law” would not have issued from his typewriter.

    2) The author apparently did little research into the wider statutory frameworks within which the Model Laws are to function. If he did, he may realise that some of the things he laments are missing from the Cybercrime statute/ model laws, are evident in other common statute in the regions that are to be served. As such, repetition in the cybercrime law may not be relevant.

    3) the author was ignorant of the process that resulted in the Model laws developed. He tried to protect himself from claims of carelessness with the caveat “The Models largely appear to have been” before making his spurious critique of the methodology. This hubris underscores a contempt for the work of others, where his own work seems to suffer from greater missteps in process and methodological thoroughness.

    4) the author did not reference any of the developments in the area of Cybercrime since the 2001 Convention. This presumes cybercrime has stayed unchanged in the past 15 years. I leave the reader to consider the rationality of such a position. Member of the CoE have gone far beyond the bounds of the original convention in the statute passed to treat with evolving forms of cyber-malfeasance…this is not at all reflected in the OPINION.

    Given these above concerns about the OPINION upon which this article is based, I fear this analysis cannot be given much credence beyond a brief snapshot into the less than stellar work that sometimes reaches the hallowed halls of CoE submission tables.

    Indeed, this piece reads more on an attack on the HIPCAR initiative, without any analysis of the initiative itself, its approach, methodology and outputs. Has the author of this piece even read any of the HIPCAR project’s outputs..?

    • Kwesi, again, its unfortunate that at you commenting without stating your personal involvement in the HIPCAR project. Regardless of what you think of my article; the referenced CoE discussion paper spells out quite clearly the deficiencies of the HIPCAR and EGRIP cyber crime model law exercises both in terms of methodology and eventual outcome. So rather than criticize me for bringing this matter to the attention of local and Caribbean readers, please let me hear how you intend to defend “…inserting (of) unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities”.

      • Kwesi Prescod

        I have no problem declaring my involvement in the HIPCAR project. I was a regional subject matter expert on a variety of the issues treated with during the project, which was sponsored by the ITU and the EU. I worked with a phalanx of multinational consultants (from Germany, Brazil, Russia, USA among others) working with ICT professionals, Civil Society Gov’t policy makers and Legislative Drafters from across the region. I’m sorry you missed it! It was a significant piece of work that has resulted in significant development of the legislative frameworks across the region!. It should not be taken lightly.

        I was not the lead on the cybercrime component…that was led by an internationally recognised german consultant from the Cybercrime Research Institute. So the impression that is given that the project was not peopled with people of calibre is just plain false! In fact, the HIPCAR project seemed to have more expertise in their various fields than the critic has provided in putting together his opinion.

        secondly…I did not criticise you. I criticised the OPINION. I have no problem with you raising this document to the attention of “local and Caribbean readers.” I’m sure you also appreciate open discourse which will provide context to those readers’ consumption of the document.

        thirdly…that quoted statement is EXACTLY why I find the OPINION less than ideal. Did the discussion paper identify the “new offences” which “border on technical and legal absurdities”? It did not! Can you?

        Further, in principle:
        (i) what is intrinsically wrong about identifying new offences when the Budapest Convention is over 15 years old? Do you think it reasonable to assume that over the last 15 years, with ALL the development in ICT that there have been no new ills identified which would require codification into law? Well most people think that there have been new ills…which is why many jurisdictions (including those in the EU) have passed other laws which treat with matters related to, and expanding upon, some of the initial ills identified in the Convention. Do the research, it’s all there on the Internet.

        (ii) having worked with the HIPCAR Cybercime consultant, a PhD in Law specialising in Cybercrime from a creditable firm in the EU, I will defer to his guidance on the “technical and legal” language, over the unqualified, unspecified OPINION of a barrister-at-law who I have not had the pleasure of meeting.

        Basically, I am kind of disappointed that you seem so hung up on this one opinion, and you have not seemed to even consider the probity of the document on which you so blindly depend. I await your individual professional critique of the actual HIPCAR documents, rather than your depending on third party criticisms. As you are a graduate of a masters programme, and an adjunct lecture in a graduate school, I expected more academic rigour from you.

  • response to critics, discussion of Commonwealth cybercrime model law review, inclusion of provisions for cloud computing (which I identified as a deficiency a year ago), update from Jamaica debate on their cybercrime bill all at via blog post at http://beascycle.tumblr.com/post/121569368153/the-tt-cybercrime-bill-debate-continues-critics

  • Pingback: The TT Cybercrime Bill debate continues:  Critics, Opinions and Facts | Pinaka Technology Solutions()