As Afghanistan Comes Online, It Grapples With Its First Cyber Security Laws

As one of Afghanistan’s contemporary female pop stars Aryana Sayeed, is used to getting misogynist comments for her work, her music, and even her appearance. After all, her songs, her performances, and her very existence are intentionally designed to make the many thousands of Afghan men who hold on dearly to patriarchal values uncomfortable.

She often ignores the many unbecoming remarks threats issued by extremists and insurgent groups, most of which are delivered from behind the anonymity provided by social media. But then there are those that are more difficult to ignore, such as a bounty announced by an Afghan social media user on Facebook offering 50,000 AFN (about $750) for the death of Aryana.

“What’s appalling is that not only is his post and profile both public, he makes no effort to hide his identity and there is no fear of the law,” said Hasib Sayed, Aryana’s manager.

While Aryana has approached the National Directorate of Security (NDS), Afghanistan’s primary intelligence agency, to help her track the threat, there are no mechanisms in place in Afghanistan for the millions of other users to report cybercrimes. However, that is about to change soon with a new cybersecurity bill currently under consideration by the Afghan government.

“What’s appalling is that not only is his post and profile both public, he makes no effort to hide his identity and there is no fear of the law.”
As a country reeling from decades of war, Afghanistan witnessed an exponential growth in the technology sector, primarily driven by user demand. Since the fall of the Taliban government in 2001, following the US invasion, the number of Afghan users connected to the internet has risen significantly, and continues to rise despite renewed conflict in the region. According to USAID, the latest data available indicates that there are around 20 million mobile users and about 3 million internet users in Afghanistan.

As empowering as the internet has been, especially for the average Afghan woman, it has come with its share of drawbacks—online harassment and privacy violations among many others, some more unique to the region than others.

“We have more knowledge and understanding of IT now along with institutions that support online activity for Afghans,” said Aimal Marjan, deputy minister for communication and IT, explaining why the bill took this long to be drafted. “Had we pursued this seven years ago, it would have had little real world application.”

Indeed, the telecom sector has substantially grown over the last decade to become one of the largest revenue generating sectors in Afghanistan with annual average revenue of $139.6 million— accounting for more than 12 percent—of total government revenues. Consequently, internet users have grown from a mere 300,000 in 2006 to over 4 million in 2016.

The Afghan Cyber Security Bill, prepared by the Afghan Ministry of Communication, Information and Technology (MCIT), lays down definitions of cybercrime and procedures to tackle them within the purview of the existing criminal law. The law also proposes that there needs to be a separate court to deliberate on cybercrimes, asks for an office under the Attorney General for matters of cyber offences, and someone trained specifically to handle these cases.

At face value, the law is rather impressive, borrowing from and adopting best practices from around the world. But a detailed peek into the document reveals an overtly ambitious plan, the implementation of which would require logistical and procedural systems that do not yet exist in Afghanistan.

“They [the government] are counting on too many non-existent state actors to bring it to reality,” said, Javid Hamdard, an Afghan IT expert and Consultant. Hamdard, who has in the past worked extensively with the MCIT and the IT private sector in Afghanistan, is skeptical of the practicality of the bill. “It is assumed that once approved, the required entities will act accordingly and have the capacity to do what is needed,” he said, pointing to the failure of the electronic ID-Card program that was entrusted to the Ministry of Interior (MoI) but never saw the light of day owing to a number of issues, ranging from lack of technical expertise and social and political hurdles.

In fact, just in the last three months, several Afghan government websites and social media pages have come under cyber-attack, some even believed to be conducted by increasingly tech-savvy insurgent groups. It also means that Afghan web is relatively free, owing to the lack of technical capacity needed to regulate it, which also means that insurgent groups and elements frequently exploit it as a tool of propaganda.

In its defense, the MCIT is working on setting up a Cyber Emergency Response Team (CERT) with a substantial budget and in consultation with several international counterparts, including US government security agencies. It will aim to build a forensics laboratory within the MCIT and train officials to conduct investigation into alleged crimes. “We will also provide support to the MoI, NDS and other defense agencies when needed,” Marjan said.

Hamdard is not convinced that either of the agencies tasked with this responsibility are capable of dealing with investigations into cybercrime.

“The technical gap and imbalance among various Afghan government entities is massive,” he said. “There is a limited understanding of the problems, so much that in the past they have criminalised ‘white hat’ ethical hackers who tried to help them secure their networks, forcing them to either go underground or flee the country.”

This is evident in conversations with local police officials, who use the internet in their personal lives, but have little understanding of a user’s rights and protection on the internet. For instance, one of the men who commented on the post calling for Aryana’s execution was a law official.

“This NDS commander advised the man who issued the threat to be careful about posts online for the sake of his own security. He did not seem to think that there was anything wrong in the threat itself,” Hasib said.

Poor implementation could actually create newer hurdles and possible misuse of the law. Hamdard expressed concern over a particular Article 11 that allows MCIT’s technical officials the policing authority to seize equipment, peripherals, and material in cases of cybercrime.

“This isn’t constitutional to bestow ministry officials the authority to make legal and criminal judgments and take relevant actions, a role that is assigned for law enforcement agencies,” he said. “Additionally, the MCIT also does not have jurisdiction over content; that’s the job of the Ministry of Culture and Information (MoIC). And yet a lot of the cyber law drafted by them regulates content online.”

The law, in fact, attempts to be very culturally relevant and religiously compliant to Islamic values. “Activities that harm social fabric and are not allowed by religion are prohibited in the law including gambling, pornography, and dating,” Marjan informs. “For instance, there is a clause against all forms of pornography not just child pornography—unlike other countries where pornography is allowed,” he elaborates.

Also, there isn’t any special clause addressing issues related to vulnerable communities, including women, who remain disproportionately vulnerable online to harassment, privacy threats and even identity thefts that could result in dire consequences for them. “Those are matters of policy and will be addressed separately,” Marjan said. “The law is general and will equally protect everyone, regardless of who they are.”

Afghan users are concerned about the bureaucratic behemoth that could potentially be unleashed could cause more damage, rather than empower, especially for vulnerable groups in Afghanistan. “The law is supposed to create an environment of safety by creating systems that demand accountability for every action. I don’t see that happening with the way things are currently run,” said Elham, a young Afghan entrepreneur, who did not want to use his real name.

“The thing to understand here is that for my sister, the use of the internet wasn’t given to her as a right”
The internet came to the rescue for Elham’s 18-year-old sister, Freshta (name changed to protect her identity) when their conservative parents were reluctant to allow her to continue her education. It is fairly uncommon for most women in the region to pursue higher education, where gender roles dictate a life of early marriage and motherhood. In fact, none of Elham’s four sisters had studied beyond high school, and that Freshta aspired to was previously unheard of. Despite much cajoling, Elham couldn’t convince his family to let Freshta go to university, so he did the next best thing—enrolled her for an online degree.

He bought her a laptop and smartphone with an internet connection and helped set up social media accounts that she would need to connect with her classmates who participate from all over the world. Now for four days a week, Freshta logs on to the internet for three hours a day to attend her online classes in Persian literature. The rest of the week she works on her assignments and reading course materials and exchanging notes with her classmates. There is little left for anyone to object, and after the initial few days, their family has come to see that an online degree wouldn’t be too bad after all.

“The thing to understand here is that for my sister, the use of the internet wasn’t given to her as a right, but a privilege granted to her,” Elham said. “It could just as well be taken away from her if she faces any threats while she is online. And this could also discourage her from complaining about it,” he said, adding that law needs to be such that it becomes a deterrent to offenders.

Hamdard agreed. “For any law to work, there first needs to be a general acceptance of the rule of law, which is scarce in Afghanistan,” he said. “If there are still elements that can exert influence and threaten the public security in the real world, a law to protect someone online can only offer a semblance of safety.”

For now, the bill is still under consideration of the Supreme Court and is expected to go to the parliament in February.

With that timeline, the bill aspires to train technical officials, the attorney general’s office, and law enforcement agencies to recognize cases that fall under this law.

While there is a general agreement—even among critics like Hamdard—that the new law could be relatively sufficient in its current form, concerns over its implementation remain firmly rooted among stakeholders in Afghanistan, who, by experience, have learned to be cautious of the contemporary legal systems in the country.

Source:http://motherboard.vice.com/read/afghanistan-first-cyber-security-law