A first-instance Court in the United Kingdom ruled
in October 2016 that the relationship between, ride-sharing app, Uber and its drivers was that of an employer and employee. Uber unsuccessfully contended that its drivers were merely independent contractors. The case – Aslam v Uber BV  IRLR 4 – naturally sent ripples throughout the gig-economy, given the wider implications for similar gig-apps.
One of the larger potential implications of that decision is that the business model of Uber and other gig-apps will have to be adjusted to account for the fact that they now have more employees. With drivers as employees and not independent contractors, it means, for example, that those drivers now enjoy entitlements like minimum wage and leave pay.
Uber, like many hugely successful internet giants, operates a multi-side platform. The basic idea is, distinct groups of users of the platform provide network benefits to each other (think of Google’s ads. Those who buy adwords aren’t the same as those who are searching on Google but both are ‘customers’ of Google). In Uber’s case, one distinct user group would be the drivers and the other, passengers. Broadly, the Aslam case, potentially means that Uber is being asked to merge its role with one of it’s target groups. In the result, Uber would be forced to abandon it’s role as a middle-man providing a two-sided market platform in favour of the less dynamic, traditional seller-to-purchaser sales
Another implication, albeit indirect, is that Courts in other jurisdictions may opt to follow the U.K.’s position. The result: Uber’s business model and bottom-line could be impacted far beyond the shores of England. In this prevailing context, Uber recently announced its debut in Trinidad and Tobago; a first for the Caribbean region. On the face of it, a legal development in the United Kingdom has no direct connection with what happens in the twin-island republic. However, on deeper reflection, one will recall that Trinidad and Tobago’s legal system has its roots in – and shares a common legal heritage with – the U.K. via the Common Law. This, therefore, means that decisions made in U.K. courts, while not binding on any Trinidadian court, are at least, highly persuasive.
Another minor matter to note, Trinidad, like the U.K., has a general provision in its laws allowing for the payment of a minimum wage. See generally, the Minimum Wage Act and the Minimum Wage Order 2015. Accordingly, on the face of the current statutory regime, any future designation of Uber as an employer, at least theoretically, opens the doors to drivers in Trinidad, like their colleagues in the Aslam case, being entitled to a minimum wage.
Before getting too far ahead of ourselves, it is important to note that Aslam v Uber is the subject of a pending appeal by Uber. Accordingly, there is no certainty that the decision of the ERT will, ultimately, stand.
Future developments in Aslam may, ultimately, force a reworking of Uber’s business-model in a number of its markets including Trinidad and, depending on the outcome, may well see it pull out of some of those markets. Therefore, how it navigates this and dozens of related legal battles targeted at its model will likely determine the continued meteoric rise of the gig-economy juggernaut or… the beginning of its demise.
In September 2017, I gave a presentation at a breakfast seminar put on by the Barbados Coalition of Service Industries. The seminar was focused on E-Commerce in Barbados and I was asked to consider legal implications.
My presentation touched on:
Elements of an enabling e-commerce environment.
Common barriers of e-trade + e- commerce.
Opportunities for service sector firms through e-business in Barbados and other CARICOM states.
Best practices for service sector firms with successful e-commerce business models.
Next steps in the advancement of e-commerce solutions.
Working Group 1 of the Freedom Online Coalition (“FOC”) has published a list of recommendations which it hopes will lead to cybersecurity policies which are inherently more rights respecting. These Recommendations were produced at the sixth iteration of the FOC’s annual conference in Costa Rica.
The FOC, according to its website, is “…a group of governments who have committed to work together to support Internet freedom and protect fundamental human rights – free expression, association, assembly, and privacy online – worldwide.” The FOC’s noticeably diverse membership currently stands at 30 nations and includes, among others: Agentina, Kenya, Mongolia, The United States and Canada.
Cybersecurity policies and decision-making processes should protect and respect human rights.
The development of cybersecurity-related laws, policies, and practices should from their inception be human rights respecting by design.
Cybersecurity-related laws, policies and practices should enhance the security of persons online and offline, taking into consideration the disproportionate threats faced by individuals and groups at risk.
The development and implementation of cybersecurity-related laws, policies and practices should be consistent with international law, including international human rights law and international humanitarian law.
Cybersecurity-related laws, policies and practices should not be used as a pretext to violate human rights, especially free expression, association, assembly, and privacy.
Responses to cyber incidents should not violate human rights.
Cybersecurity-related laws, policies and practices should uphold and protect the stability and security of the Internet, and should not undermine the integrity of infrastructure, hardware, software and services.
Cybersecurity-related laws, policies and practices should reflect the key role of encryption and anonymity in enabling the exercise of human rights, especially free expression, association, assembly, and privacy.
Cybersecurity-related laws, policies and practices should not impede technological developments that contribute to the protection of human rights.
Cybersecurity-related laws, policies, and practices at national, regional and international levels should be developed through open, inclusive, and transparent approaches that involve all stakeholders.
Stakeholders should promote education, digital literacy, and technical and legal training as a means to improving cybersecurity and the realization of human rights.
Human rights respecting cybersecurity best practices should be shared and promoted among all stakeholders.
Cybersecurity capacity building has an important role in enhancing the security of persons both online and offline; such efforts should promote human rights respecting approaches to cybersecurity.
The recommendations are, at first blush, hard to disagree with. Of course, the proof of the pudding will be in the eating. Naturally, therefore, eyes will be trained on the FOC member states to see the degree to which they actually observe these recommendations in their future law and policy making efforts.
You may ask what the utility of any of this is If you are from a country that is not party to the FOC. The answer: in practical terms, regardless of the membership status of a country with the FOC, the recommendations represent a, somewhat, normative reference point for any nation’s policy makers. Cybersecurity-related policies which are grounded in these recommendations will, accordingly, carry an inherently greater degree of credibility when held up to the light.
The Saint Vincent Cybercrime Act which was recently passed has come in for widespread criticism based on its perceived lack of appreciation for the basic rights of Vincentians to express themselves freely in online spaces. It is not hard to imagine that the resulting legislation could have been different had its framers had the benefit of and, importantly, took on board some of the principles in, the FOC Recommendations.
Those of us in the Caribbean who are (or wish to be) involved in the law and policy development process surrounding cybersecurity issues, may therefore want to include the FOC Recommendations in our armoury going forward. This includes not just the policy crafters themselves but also other vested stakeholders, including the business community and civil society.
A voluntary code titled: Voluntary Code on Safeguarding the Open Internet" (”the Code”) was publicly unveiled at the recently held Caribbean Association of National Telecommunication Organizations (“CANTO”) meeting in San Juan, Puerto Rico. The Code’s stated objective indicates that:
“The Code is in response to concerns brought forward by operators about consumer rights in accessing content over the internet. The Code seeks to balance consumer rights and responsibilities with the availability of flexible network management tools for operators. The wider objective of the Code is to provide a framework for operators across the Caribbean Region to collectively address the issue of Net Neutrality. ”
Net neutrality can be defined as the principle that all internet traffic should be treated equally. Where internet traffic passing through a network is not treated equally by the operator of that network, this amounts to data discrimination.
An open Internet is essential to the American economy, and increasingly to our very way of life. By lowering the cost of launching a new idea, igniting new political movements, and bringing communities closer together, it has been one of the most significant democratizing influences the world has ever known.
“Net neutrality” has been built into the fabric of the Internet since its creation — but it is also a principle that we cannot take for granted. We cannot allow (ISPs) to restrict the best access or to pick winners and losers in the online marketplace for services and ideas…
Within the past 4 years, the notion has gained increased importance globally and has even seen some countries including Chile, Slovenia, the Netherlands, Brazil and Guyana passing legislation to protect end-users against breaches of the principle by Internet service providers (ISPs).
Against this backdrop, the fact that ISPs in the region have voluntarily sought to observe a code in support of net neutrality is laudable.
Already, a number of ISPs operating in the region have signed on to the Code which has at its core, the following policy statement:
“CANTO and its members support the concept of the open internet and the general principle that legal content, applications and services, should not be blocked. ”
The Code’s objective is to secure the open internet by observing net neutrality. This is a rather noble ideal, especially when expressed by a collective of ISPs – the very parties most likely to breach net neutrality principles.
While supporting net neutrality is admirable, CANTO’s approach to achieving this end will likely see a divergence of views on the acceptability of the Code in its current form. Members of the business community and civil society actors in the region may have pause to be suspicious of the intent of the Code, when the details of the Code are brought into sharper focus .
Lawful and Legal
The Code repeatedly refers, throughout its three pages, to “lawful” or “legal” content, applications and services as a precursor to its signatories’ observation of net neutrality. However, the words are not defined in the document. This raises two sets of challenges for correctly understanding the placement of the phrases in the Code.
In the first instance, the potential implications of a repeated assertion that your obligation as an internet provider is to only allow ‘legal’ or ‘lawful’ content to be accessed in an unfettered manner are: 1. as an internet provider, you do not intend to allow unlawful content to be accessed via your connection and/or 2. You will allow unlawful content to be accessed, but, in a fettered manner.
The second challenge, which follows from the first is that an internet provider’s assertion that its net neutrality obligations are limited to allowing ‘legal’ or ‘lawful’ content to be accessed in an unfettered manner is that it begs the questions: Who gets to determine what is ‘legal’? What is that party’s definition of ‘legal’? In any event, how will a determination of lawfulness/legality be made?
This feature has been picked up by other observers as well. For e.g. ICT-Pulse notes:
“First, throughout the document it is continually emphasised that legal, lawful content, applications and services should not be blocked. However, should an operator be of the view that a particular service (for example) is illegal, does it go ahead and block it, or should that matter be first decided by a third party, such as the local telecoms regulator or the courts?”
In fairness to the regional ISPs, another side to this aspect of the debate does exist. It could be argued, with some merit, that the Code’s preoccupation with lawful content is merely reflective of existing globally accepted standards.
Consider the following two examples:
The FCC’s Open Internet Order at Appendix A, p203 reads: “A person engaged in the provision of broadband Internet access service, insofar as such person is so engaged, shall not block lawful content, applications, services, or non-harmful devices, subject to reasonable network management.”
The NetMundial Statement is widely regarded as the only statement of principles in respect of the internet which has, to date, received widespread acceptance from different stakeholders in the global internet community. Upon closer scrutiny, the NetMundial Statement also adopts language that accords a differentiated status to ‘lawful’ content. The relevant section of that statement reads: “[The] Internet should continue to be a globally coherent, interconnected, stable, unfragmented, scalable and accessible network-of-networks, based on a common set of unique identifiers and that allows data packets/information to flow freely end-to-end regardless of the lawful content. ”
Notably, in neither of the two examples is the phrase “lawful content” defined. Accordingly, it would not be without merit for the signatories to the CANTO Code to argue that qualifying their commitment to net neutrality by the insertion of references to ‘lawful/legal content’ in the Code is neither without precedent or unfounded in the current prevailing global context.
The Code doesn’t cover the full scope of net neutrality ills
The Code’s policy objective is directed at the internet service providers’ abstention from blocking content. On the face of it, this seems to be a deficient objective since the principle of net neutrality is not only breached when an internet provider blocks content. The neutrality of a network can also be eroded by any act of a network intermediary that distorts or impacts the integrity of the data passing between the provider of information on the internet and the end-user wishing to access it. So for instance, when data passing through the network is throttled or, where the network operator opts to implement some form of paid prioritisation of traffic, the principle of net neutrality will have been breached.
To the extent that the Code does not explicitly address other well-known means of interfering with net neutrality as a policy objective, it is open to reasonable interpretation that the exclusion of other means of interference with net neutrality was an oversight on the part of the framers of the Code. Alternatively, it may be interpreted that the Code was expressly crafted to allow ISPs in the Caribbean free rein to, for example, throttle their networks as they see fit.
If the exclusion of other forms of impinging on the neutrality of networks was an oversight, then clearly, the deficiency needs to be addressed. However, if the latter interpretation is accurate and the exclusion was deliberate, then from the perspective of tech entrepreneurs with web-based offerings, this may be a legitimate basis for concern.
If, for instance, a telecoms provider decides to throttle data associated with the service offerings of those entrepreneurs then this grey area may be problematic. Equally, if the ISPs decide to implement a paid prioritisation scheme, it then means that early stage “techtrepreneurs”, without significant funding. will probably not be in a position to effectively compete with more entrenched competitors who can afford to pay to have their data transmitted to regional end users. This could potentially have a strangling effect on the development of a thriving technology-focused entrepreneurial environment in the region.
For the purpose of clarity, the stated objective of the Code may require some revising.
Safeguarding the Internet on whose behalf?
The Code positions itself as an attempt by the signatories to safeguard the open internet. The open internet, by definition, is a neutral network. Therefore, in teleological terms, a code in support of the ideals of net neutrality which seeks to place terms and conditions on the manner in which a party embraces net neutrality is, inherently, antithetical to the notion of net neutrality itself. I would therefore not be surprised if astute civil society advocates zeroed in on this fact.
Civil society actors in the region will not be the only ones viewing this latest move with some consternation. The code of practice may also give pause to technology-focused business interests whose products may compete with value added offerings of signatories to the Code. Such fears would not be without foundation in recent experiences. The clear example: the blocking of over the top (”OTT”) VOIP traffic by several internet providers [link]. This has implications for the supra-national OTT services who probably would not care too much but more importantly, indigenous developers of web apps who stand to suffer a similar fate.
Arguably, the Code’s reference in the title to “safeguarding the internet” is therefore, really not an expression of a broad-based desire to secure the internet with the interests of all the relevant various stakeholders in mind.
One potential outcome of the CANTO Code might be what amounts to a de-facto legitimisation of future efforts of the regional ISPs to stamp out OTT competitors to their own product offerings. It is one thing to take a course of action perceived to be draconian (such as taking a unilateral decision to block Viber, Skype and other OTT VOIP applications). Its quite another to justify that same course of action against an objective framework such as the Code. In this way, the Code could serve to remove the sense of ultimate responsibility of any one regional internet provider for any of their future actions in response to the perceived threat of OTT applications – in its stead, a cloak of collective responsibility that spreads across all the signatories to the Code.
Also, it would appear that net neutrality is becoming more of a meaningful consideration for Caribbean society – certainly at the governmental level. This is borne out by the slew of recent legislative and policy activity throughout the region which expressly addresses the open internet. Some examples include the proposed
If these movements are signalling the beginning of larger region-wide move towards legislating for the protection of net neutrality, this could translate into a scenario where, as in the case of ECTEL, civil society and other actors may have inputs into the drafting of regulations. Consequently, it could also mean that more enforcement mechanisms with teeth may result and, certainly, more genuinely rights-respecting provisions may be put in place. Such a restricting regulatory environment is not ideal for ISPs looking to benefit from the lack of restrictions on their ability to take appropriate actions to protect their investments.
In this prevailing context, the Code may be viewed as a preemptive strike against the imposition of further regulatory constraints by regulators in the region. If the ISPs, especially in a unified manner, can point to the existence of a pre-existing means of self-regulation via soft law that fills the erstwhile vacuum, it may lessen the impetus of regional regulators to step into the fray.
From the perspective of legislators in the region, it may be necessary to begin questioning whether the self-imposed code by ISPs is sufficient to protect the rights of netizens in the West Indies.
More broadly, there seems to be sufficient scope for a larger discussion of what, if anything, net neutrality actually means to us in the Caribbean and what our collective response, irrespective of our stakeholder grouping, ought to be.
This response must take into consideration that a completely neutral network is, perhaps, more grounded in an ideal than in reality. As exemplified by the FCC Order, even the most pro-net neutrality regulatory agencies, when attempting to regulate net neutrality, have
expressly recognised that exceptions must exist.
In the Caribbean, it may be that too much of the debate surrounding net neutrality has progressed on false parameters – those adopted from first world countries who based the debate on their circumstances. In other words, are we, in the tradition of V.S. Naipaul, being mimic men in respect of how we are even framing this conversation? After, all, low per capita income and low rates of internet penetration are not issues that, say, most Western European or North American states have to factor when considering net neutrality. Accordingly, how we in the Caribbean conceive of regimes to deal with net neutrality may have to differ from those examples as well.
A good example of a nuanced approach to legislating for net neutrality, while taking into account the country’s particular circumstances, is the Marco Civil in Brazil [mirror]. In the Marco Civil, only two exceptions to net neutrality are allowed: technical requirements essential to the adequate provision of services and applications; and prioritization of emergency services. In a first world state with predominantly high speed fibre optic connections to the network and multiple, overlapping networks for data to flow on, there may well be no need to prioritise the network traffic of emergency services. However, in a developing world context where the quality of networks and available speeds are a live issue, this would clearly be a relevant basis for legislating an exception to the rule.
It would seem that the key consideration is: when legislative or policy positions are being adopted in the Caribbean, what exceptions to the net neutrality principles should we be willing to collectively accept as valid input considerations, given the particular country’s circumstances?
When framed in this way, the Code may be viewed as the ISPs placing their view on the table as a
constituency grouping. In keeping with the multi-stakeholder model which has been the bedrock of global internet policy and governance decision making, it may now be time for end-users, civil society, regional NGOS, the business constituency and individual Caribbean Governments to share their vision of what net neutrality in a Caribbean context should look like.
In keeping with the effects of the Monroe doctrine and the Caribbean Basin Initiative, when the USA sneezes, we catch a cold in the Caribbean. At least, so goes the standard narrative of regional geo-politics, If we accept that there is any truth to this, then paying attention to every huff coming from our neighbors to the north is, therefore, a necessary aspect of predicting our likely short-to medium term (reactionary) trajectories.
In the sphere of cyber laws and policy, therefore, it is also important to consider the position of the U.S.A on matters of international consequence. In this context, the recent joint statement of Canada, Mexico and the United States, at the recent 2016 North America Leaders Summit, on global cyber issues is noteworthy:
Global Cyber Issues
Canada, Mexico, and the United States affirm the importance of an open, interoperable, resilient, and secure Internet, underpinned by the multi-stakeholder model of Internet governance for collective prosperity, security, and commitment to democracy and human rights. The leaders emphasized that everyone should enjoy the same human rights online as well as offline. All three countries commit to continuing our foreign ministry-led Trilateral Cyber Experts Group to strengthen online cooperation, and look forward to the Internet Governance Forum and the Meridian Conference on Critical Information Infrastructure Protection, which Mexico will be hosting in 2016.
Canada and the United States support the Budapest Convention on Cybercrime as the best instrument to fight cybercrime at the international level. The two countries, along with Mexico, commit to enhancing cyber collaboration through capacity building efforts. In this regard, the three have partnered on an initiative to strengthen regional participation in the G7 24/7 Network, which connects national law enforcement points of contact in the battle against high-tech crime. Canada, the United States and Mexico will work together to promote cyber security awareness globally by coordinating our national activities, including Canada’s Get Cyber Safe campaign, the Stop. Think. Connect. Coalition, and the Global Forum on Cyber Expertise.
All three countries commit to promoting stability in cyberspace based on the applicability of international law, voluntary norms of responsible state behaviour during peacetime, and practical confidence-building measures between states. The leaders affirmed that no country conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of it to provide services to the public; that no country should conduct or knowingly support activity intended to prevent national computer security incident response teams from responding to cyber incidents, or use its own teams to enable online activity that is intended to do harm; that every country should cooperate, consistent with its domestic laws and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory; and that no country should conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors. Canada, Mexico and the United States will work together in the 2016/2017 UN Group of Governmental Experts, the G20, and the Organization of American States in support of these objectives.
Firstly, it is comforting that the three North American states have confirmed a commitment to the open internet. The notion that anyone can access any content they wish at any point, without interference is the underpinning of the net neutrality principle. At the very least then, this latest statement can be read as implicit support for the efforts of regional governments in Guyana and throughout the Eastern Caribbean to enshrine net neutrality via legislation.
On another note, it is also noteworthy that Canada and the United States have affirmed their support for the Budapest Convention. The Budapest Convention is typically considered to be the high water mark for internationally accepted best practices in respect of crimes committed via computer networks such as the internet. Both the U.S.A. and Canada are signatories to the convention.
This is not to say that no work has been done in the Caribbean in the cybercrime law space. Indeed,
the Computer Misuse Act, 2005-4 in operation in Barbados, was based on the Commonwealth Model Law of 2002 which was in large part, based on the Budapest Convention. Also, via a project known as
Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR), model legislation on, among other things, cybercrime has been produced which is (loosely) based on the Commonwealth Model Law. That said, besides St Kitts which enacted the Electronic Crimes act in 2009, it is unclear how many other countries in the region have actually implemented this model legislation.
Which brings us to the greater point: the dearth of actual implementation is hindering our ability to effectively participate in cross-border crime-fighting efforts. Taken another way, the lack of actually implemented legislation in the region means, in theory, that where elements of international crimes are committed from within our borders, we may, unwittingly be providing a judicial safe haven to criminal elements.
Beyond this, even if we were to implement HIPCAR legislation on cybercrime in its current state, one of the glaring inefficiencies therein are provisions to do with international cooperation. In other words, even if the only ready-made option available to us was utilised, regional governments would, largely, still be behind the curve on the one aspect of the cybercrime legislation which is critical to addressing the inherent nature of cybercrime: its often international scope.
While the intent is not to criticise HIPCAR, it would seem that its widespread adoption would foster harmonisation in the region but not internationally. This very fact runs counter to the border-less, international nature of preventing and prosecuting cybercrime.
It seems, therefore, that to the extent that implementation of any cybercrime legislation has been lagging, this may be to our advantage. It means that various Caribbean countries may still, look to bypass the legislative uncertainties inherent in the HIPCAR model text by directly acceding to the Budapest Convention. Lest we forget, all these years later, the Budapest Convention has withstood the criticisms which have been leveled at HIPCAR and remains the gold standard.
By their recent pronouncement, our neighbors to the north are in sync with international best practices on cybercrime. We can be too. Just, perhaps not with HIPCAR in its current state.
From an end-user perspective, the Consumer Protection regulations are clearly the most notable. Within those regulations are provisions which, interestingly, tackle net neutrality, protection of consumer data as well as privacy.
If passed, the Eastern Caribbean would, therefore, join an exclusive club of forward looking nations who have already explicitly enshrined net neutrality in legislative enactments. Pretty heady stuff.
On review, the Electronic Communications bill itself merely defines net neutrality and includes it as an object of the act. Curiously, the bill itself does not enshrine the right per se. Rather, the heavy lifting is left for the proposed consumer protection regulation. This is concerning for two reasons:
by placing it in the consumer protection regulation, it presumes that net neutrality is primarily about protecting end-users. Indeed, the language used, confirms that this seems to be the aim. This is problematic since it only covers half of the parties who are potentially negatively impacted by interferences with the delivery of content over the internet’s infrastructure. The reality is, it is also digital service providers who’s ability to deliver content over the internet who lose when an ISP decides to intervene.
if it is a substantive right then surely the appropriate place to secure it is in substantive legislation which, at the very least, would require the rigour of two houses of parliament to interfere with in future. With mere subsidiary statutory instruments, it is much easier to amend without rigorous scrutiny. Therefore, it stands to reason that it could easily be amended in future.
To be sure, I have, in the past, argued that the most effective manner for a country’s legislature to handle changes in technology is to have subsidiary legislation bear the brunt of the particular legislative innovation. Therefore my view here may appear contradictory. However, net neutrality isn’t a fad concept or technology that requires a state to grapple with its shelf life as a consideration in determining the legislative rigour necessary to usher it into society. In 37 years netizens will still argue back and forth about protection of net neutrality as a fundamental internet-related right. It is an enduring principle and its rightful protection mechanism, therefore, is in substantive legislation.
The consultation period for the proposed legislation initially expired on March 11, 2016 but has since been extended to May 12, 2016, so there is time to review and make any comments.
The 2016 Cybersecurity Report is the result of the collaboration between the Inter-American Development Bank (IDB), the Organization of American States (OAS), and the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The report presents a complete picture and update on the status of cybersecurity (risks, challenges, and opportunities) of Latin America and the Caribbean countries.
Importantly, the report was the result of self-assessments by key stakeholders within each jurisdiction under review.
In respect of the key findings, a good summary comes from the preface by the current IADB President, Luis Alberto Moreno, who notes that:
The analysis of its 49 indicators shows that several countries in the region are vulnerable to potentially
devastating cyberattacks. Four out of five countries do not have cybersecurity strategies or critical infrastructure
protection plans. Two out of three do not count on command centers and cybersecurity control. The vast
majority of prosecutors lack the legal capacity to pursue cybercrime actions.
Among the more interesting aspects of the report is the model developed to assess the state of cybersecurity in LAC. The report applies what they describe as a “Cybersecurity Capability Maturity Model” (CMM). The CMM is based on a model developed by the
Security Capacity Centre at Oxford University and has five designations: startup; formative; established; strategic; and dyamic. After analysing each country’s situation, that country is graded using the CMM designations in respect of 49 specific indicators. In turn, the 59 indicators were grouped into five broad categories:
National Cybersecurity Policy
and Strategy (Policy and Strategy);
Cyber Culture and Society
(Culture and Society);
Cybersecurity Education, Training and
Legal and Regulatory Frameworks (Legal
Standards, Organizations and Technologies
From a Caribbean perspective, the report is very comprehensive. All 12 Commonwealth Caribbean Countries and 14 CARICOM-party states overall (Haiti and Suriname are also included) are covered in the report. For context, 32 Latin America and Caribbean countries were surveyed in total.
To my mind, the biggest value of this report for Caribbean states is the quick diagnosis it provides of the weak area(s) in various states. This understanding should significantly assist in determining which areas should be prioritised by governments in the region and, by extension, where scarce state resources should be directed. Similarly, it should also be useful to civil society actors and organisations in determining which cybersecurity and ICT issues need flagging and actioning the most in their respective territories.
Implicit in the foregoing, is another important purpose that this report serves: it underscored the nuanced challenges we face from jurisdiction to jurisdiction in respect of not just cybersecurity but ICT issues generally. By extension, the findings confirm that the one-size-fits-all-in-the-region approach to analysing and addressing challenges is woefully outdated.
Some months ago, I had mentioned that the Caribbean Development Portal of the United Nations Economic Commission for Latin America and the Caribbean (ECLAC) launched an online survey “to get a sense of views within the region regarding the relative importance of various policy objectives in the area of ICT”. Like most in the region, I anticipated the outcome of the report for the fact that it would be the first time that the various (sometimes siloed) information society actors in the region would have an opportunity to view a collective window into what ‘we’ considered to be important to the Caribbean region from an information society perspective.
In seeking to fulfil the survey’s objectives, respondents were required to provide a weighted score to various specific strategic goals (Not a Priority; Low Priority; Moderate Priority; Medium Priority; High Priority). In turn, these goals were organised under five broad thematic categories: Access and infrastructure; Social inclusion and sustainable development; Governance for the Information Society; Digital economy, innovation, and competitiveness; and e-Government and citizenship. Each category had varying numbers of strategic goals.
In total there were 37 respondents (full disclosure: that number included yours truly)
The Results As I would have suggested earlier, the real value of this survey was the window it offered into the thinking of ICT practitioners across various sectors in the region.
The total of 90 strategic goals were given a weighted score based on the average importance score give by the 37 respondents to the survey. Accordingly, it could be said that those results in the top third of the table were perceived to be the most important goals by respondents. The further down the table the strategic goal appeared, the less important it was to the community.
With this thinking in mind, I created the below table which divided the results into three tiers: top, mid and bottom. This was my means of seeking to readily reflect the importance of each strategic goal to the community of practitioners in the Caribbean. Each tier holds 30 responses.
What immediately jumps out is that the number of thematic goals offered for scoring to the respondents varied greatly across the five categories. The largest category: “Digital Economy, innovation and competitiveness” had 27 different strategic goals. By comparison, the “e-Government and citizenship” category only possessed 10 of these strategic goals. Obviously, this would render a category versus category comparison within each tier, an illegitimate analysis.
Accordingly, the approach I took to making sense of the responses was to consider the percentage of each category that showed up in each Tier. I then went the additional step of highlighting (in pink) the tier in which each category was most dominant. When done, a clearer picture of the thinking of the Caribbean’s ICT practitioners begins to emerge.
What then becomes immediately striking is that infrastructure was most dominantly represented as a bottom tier priority. This is an Interesting outcome since, without the physical infrastructure in place to allow for access, there can be no true information society. It is the fundamental building block. To illustrate the point, not countingBarbados, most of the rest of the territories in the Caribbean can legitimately be categorised as lacking sufficient physical infrastructure to guarantee high speed internet access to the entire population.
This is a troubling collective view.
I would not dare suggest that a mere 37 practitioners accurately represent the thinking of all our region’s leading technologist. However, it is the only data of this kind that we do have. Having said that, on the face of it, if there is any merit in the survey, the ready conclusion is that our ICT thinkers and practitioners are perhaps too focused on ideal outcomes over practical, next-steps.
By now, the news cycle surrounding the temporary shutdown of Whatsapp by a Brazilian Court has petered out.
If you missed it (or are only reading this 50 years later!), the gist is that in 2015 Whatsapp is a large transnational mobile messaging service with global appeal and very high reach in Brazil. Prosecutors in Brazil required Whatsapp to hand over sensitive data in ongoing criminal proceedings. Whatsapp did not respond. The prosecutors moved the Court to punish Whatsapp. The Court applied provisions under the shiny, new Marco Civil statute to penalise Whatsapp by way of ordering the shutdown of the service in Brazil.
As a Caribbean lawyer, my natural curiosity lead me to wonder how this would have played out in the West Indian context. Perhaps more importantly, I started to consider the specific lessons arising from the events in Brazil for the region.
What is the Appropriate Approach to Legislating Technology?
For me, the starting point is the philosophical: how do we wish to deal with these situations? Specifically, how do we wish to attempt to legislate situations where a web service
refuses to comply with domestic laws or directives? To bring greater reality to the scenario, let us assume that said web service has i) truly global reach and ii) that web service more than likely has no data servers located within the physical jurisdiction of your state.
The Commonwealth Caribbean is part of an increasingly interconnected world where the importance of physical location, relative to matters of commerce, entertainment, knowledge transfer and productivity, is lessening by the day. This, thanks to advances with internet access and a multitude of useful internet-based services.
A rising tide lifts all ships and so, the almost too obvious corollary is that criminal and civil wrongs with an increasingly digital element are going to occur more frequently as well. Already, we see where these eventualities are increasingly occurring with the assistance of via new, leading edge internet-facing services such as Skype and Facebook.
On reflection, it would seem that the approaches that our parliaments in the region can take are to:
do nothing and hope that the challenges presented by the particular technological innovation doesn’t disrupt the general way of life or become too much of a live issue thereby demanding the intervention of the judiciary and/or the legislature;
do the bare minimum in the way of enacting broad laws, intermittently, which ostensibly touch and concern our current technology-mediated reality; or
accept the reality of a world that is heavily impacted and mediated by digital technologies and attempt to aggressively legislate to suit.
The first option is clearly untenable. It is the equivalent of an Ostrich hiding his head in the sand.
The second is closest to the reality in the region. While there are quite a few laws that are, ostensibly, enacted to tackle aspects of our new digital reality such as privacy and computer misuse, most are woefully bereft of updates which can tackle the novel, innovative challenges presented by newer technologies.
Additionally, as is exemplified by the Data Protection bill in Barbados which has been tabled since 2005, very often, legislation is often drafted but never actually makes the full journey to enacted law.
I suspect that while it is attractive in intent, the third option of aggressively legislating would not be practical or take us as far as we ideally imagine. Why?
Firstly, it would not be practical given the small matter of human resource constraints. We simply don’t have enough warm bodies to be deployed to research, and draft the relevant laws necessary to keep up with the times and avoid law lag.
Aggressively legislating perhaps would not have the desired effect since the assumption that the appropriate approach to protecting society in the face of advances in technologies is to aggressively and constantly throw new legislation or regulation at the advances is an inherently faulty one.
And plus, we have seen from the way the first instance Court in Brazil attempted to apply what is, for all intents and purposes, well heralded, cutting edge, digital rights legislation that, ridiculous outcomes can still flow. Even with the best of legislation, the human element can always lead to irrational consequences.
to focus on how the legal system holistically addresses technological change. We should examine the respective roles that administrative bodies, national courts, tribunals, law reform bodies, and other entities play in helping the law adapt to rapid technological change.
I can’t claim an answer to the conundrum but my own suspicion is that the ideal solution may well lay in deploying primary enactments that are, in their drafting, sufficiently seized of the likely direction, internet-facing technologies are taking. To be clear, when i refer to direction, I refer to the perceived unique manner in which a particular technological advance will likely mediate our lived reality. This, as opposed to the specific characteristics of any particular technology being deployed in the market at a particular time.
Under this approach, the legislation would thereafter seek to be informed by the particular milieu of rights and duties of the various actors (end users, consumers, service providers, government etc) in the broadest terms. The legislation ought not to be so prescriptively specific that a sudden or unexpected shift in society’s appetite for a particular technology would render the piece of legislation useless.
This is the first part, the second piece of the puzzle requires that such statute be supplemented by a regulatory framework where the regulators are given sufficiently broad remit and allowed the necessary discretion to promulgate and retire regulations as they see fit. The sum effect is that regulations, as opposed to the primary enactment, would be attuned to the nuances of a particular technology wave. The idea being, regulators, already empowered by statute to so act, would not necessarily be as encumbered as legislators. Indeed, so long as in regulating, they do not attempt to create or remove substantive rights afforded by the primary, empowering statute, the regulators could more quickly put relatively robust frameworks in place for managing how a particular new media entity offering an internet-based service ought to operate in the particular society.
Dearth of relevant laws.
So, let us assume that these new media entities with a global footprint were huge fans of the rule of law, were not beholden to primarily capitalist motivations and were willing to comply with local laws. The question then would be, what would they be complying with? A common complaint from technologist in the region is that, generally speaking, there are a dearth of laws which are cognisant of and deal directly with the reality of a technology-centric era. Where such laws exists, their actual reach pales in comparison to the reality presented by technological advances.
Without question, there are no enacted laws in the Commonwealth Caribbean designed to recognise and protect ‘digital rights’ in a manner akin to the Marco Civil in Brazil. Although, we should not feel too badly on this ground; Brazil is a world leader in recognising and seeking to protect rights with regards to the internet. As recently as last year, when they passed the Marco Civil into law, no other country had done it.
Having said that, we need no better illustration of the relative state of our legal advances in the region than the recent Trinidadian High Court decision in: Theresa Ho v Lendl Simmons. There, the judge had to carry out an admirable feat of juristic gymnastics to pin liability to a man who had used his phone to share sexually explicit photos of a former lover. The judge noted:
It must also be recognized that while the Courts in the United Kingdom are now obligated to apply the law in relation to breach of confidence in a manner that is consistent with that Nation’s obligations under the Human Rights Act 1988 and its obligations under the European Convention for the Protection of Human Rights and Fundamental Freedoms, no such obligation exists in this jurisdiction.
The instant case reinforces this Court’s belief that it cannot confine itself to a myopic view of the law and in the absence of legislative protection, the common law concept of Breach of Confidence has to be moulded so as to address modern societal demands. The law has to be dynamic and has to develop in such a way to ensure that it remains relevant and it must be recognised that there is an obligation of conscience which requires that videos, photographs and/or recordings that capture private intimate relations, should be clothed with a quality of confidentiality.
My own conclusion: had a similar situation to the Brazil/Whatsapp decision occurred in the Commonwealth Caribbean, there would be no specific enough statutory regime to compel compliance of a transnational service based in another country. We would be left, like the judge in the Ho v Simmons case to ‘reach’. The one positive: the vast majority of countries in the Commonwealth Caribbean apply the common law, an inherently dynamic approach to law making which allows judges, in appropriate circumstances, to mould and grow the law to to fit nuanced circumstances. Even then though, common law, unsupported by a statutory backing can be somewhat unpredictable in its case by case application of principles; even in scenarios where the law is clear.
Ultimately what we saw in the Brazil/Whatsapp situation was the flexing of the muscles of the Brazilian judiciary in a country with a population of 200.4 million people. While the quick action of the Appellate Court to reverse the decision staved off a bigger showdown, the truth is, large transnational digital media companies like Whatsapp, Facebook and Microsoft are more likely to comply or, in the very least, sit at the table to negotiate when dealing with some of the biggest economies in the world.
Consider the case of search behemoth Google. Google left China in 2010 under protest about China’s requirements for them to self-censure search results. Yay for human rights. Recently however, without as much fanfare, they have announced an attempt to get back in.
The lesson: where the country in which a transnational digital media giant wishes to extend its services has a statistically significant enough population, that new media company, once motivated by profit, will eventually want to play ball. Its not necessarily just about human rights issues like openness and privacy protection, as CEOs like Mark Zuckerberg would have us believe.
The hard truth is, the bigger the population, the larger the potential market for services and, in turn, the greater the potential for revenue generation. In the English speaking Caribbean, the population sizes range from a whopping 2.9 million in Jamaica to just over 50,000 inhabitants in St. Kitts.
Would Google or Microsoft cry about a court in a country in the Commonwealth Caribbean, in a fashion similar to the Brazilian Court, blocking access to their web-based services? It is left to be seen but I doubt it. Such media giants have nothing of value to lose. Not yet anyway.