Are Caribbean Cybercrime Bills based on flawed model law?

Illustration by Weerapat, DepositPhotos.
Illustration by Weerapat, DepositPhotos.

By Shiva Bissessar

I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.

A subsequent December 2014, Council of Europe discussion paper, entitled “Cybercrime Model Laws“, has come to light which examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention.  This Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. 

In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at law. The paper goes further to explain problems of developing legislation based on poor model law by describing the possible situation which states may find themselves in, when seeking international cooperation:

Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.

The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:

The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.

Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlight significant problems with not only the methodology but also the eventual outcome of these exercises.   For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.    

The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’.  Among these is one item in particular concerning illegally remaining on a system:

It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.

Subsequent analysis of Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6 which speaks to an offence of illegally remaining on a system as described above.  Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice?   There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seems to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.

Is this kind of deviation from international norms a legitimate concern?  There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises?  The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.

In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention.  Is this the solution which other Caribbean states should be exploring?

At this juncture when we debate the future of own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.

Additional food for thought…  

What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?  

Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well? 

How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?

Mr Bissessar discusses responses to this column on his blog here,

Shiva Bissessar B.Sc. (Hons.) MBA M.Sc.

Shiva Bissessar
Shiva Bissessar

With almost 20 years of industry experience, Shiva Bissessar founded Pinaka Technology Solutions in 2013 as an Information and Communication Technology consultancy with specialization in Information Security at the strategic level. He recently joined the University of the West Indies, Arthur Lok Jack Graduate School of Business, as an adjunct lecturer within their Master Information Systems & Technology Management programme.

He has written several articles in various regional publications on issues such as cyber security, digital currency and technology innovation.   He recently completed a study and report as commissioned by the UN Economic Commission for Latin America and the Caribbean entitled “Opportunities and risks associated with the advent of digital currency in the Caribbean” which should be published by the end of March 2015.

In February and March 2015 he presented on this topic at public forums hosted by the Sim Kee Boon Institute of Financial Economics, Singapore Management University, Singapore and the Bitcoin Centre New York City, New York, respectively.

Twitter • Slideshare • LinkedIn • Blog •Website

About Shiva Bissessar

With almost 20 years of industry experience, Shiva Bissessar founded Pinaka Technology Solutions in 2013 as an Information and Communication Technology consultancy with specialization in Information Security at the strategic level. He recently joined the University of the West Indies, Arthur Lok Jack Graduate School of Business, as an adjunct lecturer within their Master Information Systems & Technology Management programme. He has written several articles in various regional publications on issues such as cyber security, digital currency and technology innovation.

Related posts