INTRODUCTION TO INFORMATION TECHNOLOGY LAW

(LL.B COURSE)
CHAPTER 2: CRIME IN CYBERSPACE: CYBERCRIMES

UNDERSTANDING CYBERCRIMES
TYPES OF CYBERCRIMES
 LEGAL AND INSTITUTIONAL FRAMEWORK FOR CYBER SECURITY IN ETHIOPIA

*Abdata Abebe Sefara (LLB- HU) (LLM-UiO) (LLM-CEU), Ast. Professor (AU )

MARCH-2024,AMBO, ETHIOPIA
1
 INTRODUCTION
 Information systems are designed to serve people.
 It has created a focus of attention for an increasing number of individuals,
organizations and governmental agencies
 Unfortunately, information systems are likely to crash, and likely to cause disputes
and lawsuits
 Thus, many technological loopholes are constantly being exploited with malicious
intent, while technological opportunities are, at the same time, generating various
benefits as well………..chaos, disorder, social problems, and more severely,
crimes pose great threats to the security, reliability, and credibility of the
information society.
 Internet is enabling a remarkable variety of digital crimes and civil wrongs beyond
the reach of traditional criminal law and tort categories.
 Global ICT Law is a massive subject although it consists of less than two
decades of cases, statutes, international agreements, and cross-border
jurisdictional rules.
 National jurisdictions have also reacted to the internet’s threat by enacting
legislations to investigate and prosecute the new forms of crimes in the
cyberspace
What is Cybercrime?
 It can be defined as “the illegal usage of any communication device to commit
or facilitate in committing any illegal act”.
 Cybercrime is criminal activity that either targets or uses a computer, a computer
network or a networked device….most cybercrime is committed by cybercriminals or
hackers who want to make money.
 However, occasionally cybercrime aims to damage computers or networks for
reasons other than profit. These could be political or personal.
 Cybercrime involves a type of crime that targets or uses a computer or a group of
computers under one network for the purpose of harm.
 Cybercrimes are committed using computers and computer networks…they can be
targeting individuals, business groups, or even governments.
 Cybercrime involves one or both of the following:
 Criminal activity targeting computers using viruses and other types of malware.
 Criminal activity using computers to commit other crimes.
 Cybercriminal are persons who use their skills in technology to do malicious acts and
illegal activities known as cybercrimes.
 They can be individuals or teams. Cybercriminals can be individuals who are
trading in illegal online content or scammers or even drug dealers.
3
  Examples: Black hat hackers, Cyber stalkers, Cyber terrorists, Scammers etc.
 Types of cybercrime include;
 Email and internet fraud.
 Identity fraud (where personal information is stolen and used).
 Theft of financial or card payment data.
 Theft and sale of corporate data.
 Cyberextortion (demanding money to prevent a threatened attack).
 Ransomware attacks (a type of cyberextortion).
 Cryptojacking (where hackers mine cryptocurrency using resources they do
not own).
 Cyberespionage (where hackers access government or company data).
 Interfering with systems in a way that compromises a network.
 Infringing copyright.
 Illegal gambling.
 Selling illegal items online.
 Soliciting, producing, or possessing child pornography……..
Some famous examples of common cybercrimes;
4
TYPE DESCRIPTION
Malware  A malware attack is where a computer system or network is infected
attacks; with a computer virus or other type of malware. A computer compromised
by malware could be used by cybercriminals for several purposes. These
include stealing confidential data, using the computer to carry out other
criminal acts, or causing damage to data.
 A famous example of a malware attack was the WannaCry
ransomware attack, a global cybercrime committed in May 2017.
WannaCry is a type of ransomware, malware used to extort money by
holding the victim’s data or device to ransom. The ransomware targeted a
vulnerability in computers running Microsoft Windows.

Cyberextort  A crime involving an attack or threat of an attack coupled with a

ion: demand for money to stop the attack.
 One form of cyberextortion is the ransomware attack. Here, the
attacker gains access to an organization's systems and encrypts its
documents and files -- anything of potential value -- making the data
inaccessible until a ransom is paid. Usually, this is in some form of
cryptocurrency, such as bitcoin.

5
TYPE DESCRIPTION
Phishing;  A phishing campaign is when spam emails, or other forms of
communication, are sent with the intention of tricking recipients into doing
something that undermines their security. Phishing campaign messages
may contain infected attachments or links to malicious sites, or they may
ask the receiver to respond with confidential information.
 A famous example of a phishing scam took place during the World Cup
in 2018. ….the World Cup phishing scam involved emails that were sent
to football fans. These spam emails tried to entice fans with fake free trips
to Moscow, where the World Cup was being hosted. People who opened
and clicked on the links contained in these emails had their personal data
stolen
Credit card  An attack that occurs when hackers infiltrate retailers' systems to
fraud: get the credit card and/or banking information of their customers.
 Stolen payment cards can be bought and sold in bulk on darknet
markets, where hacking groups that have stolen mass quantities of
credit cards profit by selling to lower-level cybercriminals who profit
through credit card fraud against individual accounts

6
 cybercriminals use to bring down a system or network. Sometimes
connected IoT (Internet of Things) devices are used to launch DDoS
attacks.
 A DDoS attack overwhelms a system by using one of the standard
communication protocols it uses to spam the system with connection
requests.
 Cybercriminals who are carrying out cyberextortion may use the
threat of a DDoS attack to demand money. Alternatively, a DDoS may be
used as a distraction tactic while another type of cybercrime takes place.
 A famous example of this type of attack is the 2017 DDoS attack on
the UK National Lottery website. This brought the lottery’s website and
mobile app offline, preventing UK citizens from playing. The reason behind
the attack remains unknown, however, it is suspected that the attack was
an attempt to blackmail the National Lottery.
Cryptojacki  An attack that uses scripts to mine cryptocurrencies within
ng browsers without the user's consent. Cryptojacking attacks may involve
loading cryptocurrency mining software to the victim's system. However,
many attacks depend on JavaScript code that does in-browser mining if
the user's browser has a tab or window open on the malicious site. No
malware needs to be installed as loading the affected page executes
the in-browser mining code. 7
TYPE DESCRIPTION
Identity  An attack that occurs when an individual accesses a computer to glean
theft: a user's personal information, which they then use to steal that person's
identity or access their valuable accounts, such as banking and credit
cards. Cybercriminals buy and sell identity information on darknet
markets, offering financial accounts, as well as other types of accounts,
like video streaming services, webmail, video and audio streaming, online
auctions and more. Personal health information is another frequent target
for identity thieves.

Cyberespio  A crime involving a cybercriminal who hacks into systems or

nage: networks to gain access to confidential information held by a
government or other organization. Attacks may be motivated by profit
or by ideology. Cyberespionage activities can include every type of
cyberattack to gather, modify or destroy data, as well as using network-
connected devices, like webcams or closed-circuit TV (CCTV) cameras,
to spy on a targeted individual or groups and monitoring
communications, including emails, text messages and instant messages.
8
LEGAL AND INSTITUTIONAL FRAMEWORK FOR CYBER SECURITY IN ETHIOPIA

 It is the Criminal Code of 2004 that introduced the cybercrimes for the
first time.
 Arts 706, 707 and 708 respectively, penalizes computer hacking,
spreading malware and DoS attacks.
 Art 709 criminalizes acts committed with the view to ‘facilitate the
commission of computer crime’.
 There are two basic common threads among these cybercrime rules.
 All of the listed crimes, except the fourth one – adding and abetting
commission of computer crime – are punishable when committed both
intentionally and negligently.
 They are punishable when the perpetrator acted in the absence of any
authorization to do so – ‘without authorization’ The law restricts its
scope only when the act was committed ‘without authorization’. This
means that potentially punishable acts that are done by ‘exceeding
authorization’ that is already given are not punishable under the Code.
The cybercrimes Proclamation No. 958/2016, however, changes this
and renders the act publishable if it done ‘without authorization’ or ‘by
exceeding authorization’ already granted by law, contract or practice.
 The Criminal Code of 2004 provisions on cyber crimes were inadequate and
outdated….one of the reasons that prompted the enactment of Computer Crime
Proclamation No. 958/2016
 The major limitations of the Code are;
 It criminalizes only three items of cybercrimes and hence does not address new
varieties of the offence. In addition to common forms of cybercrime such as
hacking, spreading malware and dos attacks, a range of new cybercrimes have
emerged in the wake of the enactment of the code.
 The computer crime rules of the code do not provide tailored procedural and
evidentiary provisions that would be necessary in the investigation and prosecution
of such offences.
 The cybercrime rules of the code were not crafted to take full account of the cross-
border nature of this form of criminal behaviour and the need for international
cooperation in the prevention, investigation and prosecution of cybercrime.
 Besides the computer crime law proper, cybercrimes are also addressed in other
Ethiopian laws.
 Prevention and Suppression of Terrorism Crimes Proclamation No.
1176/2020
 Telecom Fraud Offences Proclamation No. 761/2012
10
The Telecom Fraud Offences Law
 Telecom services have become integral to daily life, enabling remote
communication and bringing people closer.
 However, challenges such as crime acts and cyber-attacks pose
threats to data and infrastructure in the telecom sector, requiring
careful consideration and security measures.
 Ethiopia faces challenges in implementing a law due to unclear
terms, vague stipulations, and discrepancies with other laws,
especially considering the expedited privatization process and the
country's complex crime nature and infrastructural preparedness.
 Telecom fraud is generally defined as an abuse of telecom services,
subscription frauds, bypass frauds and also dissemination of any illegal
content via the telecom network.
 There are different types of telecom frauds and techniques; among
others are;
 SIM box frauds,
 bypass fraud, and
 call termination 11
 The Ethiopian telecommunications sector is governed by
proclamations, regulations, and directives, all influenced by
government policy choices.
 Private investors can invest in telecommunications services jointly with
the government, but Ethio-Telecom remains the only service provider
up until recently.
 According to the preamble of the Telecom Fraud Offence
Proclamation (TFO), (i.e., Proclamation No. 761/2012), its objectives
are to:
 (i) ensure that the telecom sector is promoting peace,
democratization and development in Ethiopia,
 (ii) protect the public monopoly over telecommunications;
 (iii) safeguard national security, and
 (iv) bridge existing legal gaps
 The Proclamation consists of 19 provisions, with nine being substantive
criminal rules, with some of the most significant rules under part two
being highlighted.
12
 Offences related to unauthorized telecommunications equipment
 The first type of act penalized under the Proclamation concerns unauthorized
manufacturing, assembly, import or offer for sale of any telecommunications
equipment-art-3/1
 The Telecommunication Proclamation No. 49/1996, which prohibited the
manufacture, import, or distribution of radio communication equipment and
TVRO without prior approval from the Ethiopian Telecommunication Agency, was
repealed in 2002.
 The TFO Proclamation now requires prior approval for any telecom equipment
unless it falls under a category prescribed by the Ministry of MCIT.
 This change was prompted by practical problems caused by the failure to specify
equipment that requires prior approval, making it difficult to prosecute those who
possessed such equipment.
• Offences related to the provision of telecommunication services or
operators
• The Telecom Fraud Offence Proclamation criminalizes the provision
of telecommunication services without a license, call back service,
and bypassing Ethio-Telecom.
• This change was made under the predecessor telecom legislation,
which prohibited private or commercial telecommunication services
without a license. 13
 • The Proclamation also amended offences concerning call back
services, which were already prohibited by the previous legislation.
• Penalties for these acts range from 2 to 5 years imprisonment and a
fine of up to Birr 10,000.
 Offences related to telephone Call Services through the Internet
 In Ethiopia, voice over internet services were initially criminalized by
the 2002 Telecommunication Proclamation.
 The regulatory treatment of VoIP varies across jurisdictions,
depending on market conditions and national legislations.
 In Ethiopia, the current legislation prohibits VoIP services in a
qualified manner, as per Art 10 of the Telecom Fraud Offence
Proclamation. This provision of services is punishable with rigorous
imprisonment and fines.
 The 2002 legislation completely banned the use or provision of
voice communication services through the Internet, while the Telecom
Fraud Offence Proclamation outlaws unauthorized provision of
telephone call services and obtaining the service from illegal
providers.
14
 The Proclamation does not ban VoIP services categorically but forbids
unauthorized provision of telephone call services and obtaining the
services from illegal providers.
 The wording of Art 10(3) that singles out 'telephone call' from 'voice
communication' could not be accidental. The Proclamation should be read
cumulatively with Arts 2, 4, and 9, as it treats VoIP services as
telecommunication services and not as computer-based information
services.

 Ethio-Telecom has deployed 4G LTE services in Addis Ababa, enabling

customers to make mobile VoIP calls at a fraction of the price of
traditional mobile.
 This latest technology supports all-Internet Protocol (IP)-based
communication services, making the Proclamation more progressive than
the 2002 legislation.

 To ensure that VoIP regulation does not hamper investments, decrease

business competition, retard technological growth, and prevent consumers
from accessing better services, it is necessary to rewrite the law in clear
terms.
15
 Some writer’s view on TFL; HANA TESHOME, LLM Thesis,AAU,2021
 Telecom fraud is a challenging issue due to its transboundary nature,
complexity, and the cost-effectiveness of its execution.
 The information technology era is also a significant factor in this crime, as
it can be committed anonymously and update itself quickly.
 Countries like Kenya, Ghana, Egypt, and Myanmar have implemented
different legal measures to combat telecom fraud crimes, but there are
implementation gaps in the Telecom Fraud Proclamation.
 These gaps include the definition of terms, double criminalization, and
failure to state legal provisions for better prevention.
 The concept of telecom privatization also poses additional security
threats, as private operators may be exposed to cyber-attacks and
potential threats to key infrastructure and public security.
 Therefore, a comprehensive legal framework is needed to address the
dynamic nature of telecom fraud and ensure effective prevention,
criminalization, and institutional setups.

16
Computer Crime Proclamation No. 958/2016
 The new law has introduced the following significant reforms;
 It contains a definitional provision that defines a set of technical
concepts, as opposed to the 2004 criminal code which is devoid of
such definitions.
 It adds a range of new cybercrimes into the statute book. It puts
computer crimes into four major categories: ‘crimes against computer
system and data’; ‘computer-related forgery, fraud and theft’; ‘illegal
content data’; and ‘miscellaneous computer offences
 The provision of detailed procedural and evidentiary rules that are
vital in investigating and prosecuting computer crimes
 Most of the crimes are punishable when they are committed
intentionally and therefore only a few cybercrimes are punishable
when committed negligently.

17
The Institutional Framework for Cyber Security In Ethiopia;
 The Ethiopian Ministry of Information and Communication Technology (MCIT),
renamed as Ministry of Technology and Innovation (MTI);
 Is the primary government organ responsible for ICTs, drafting policies and laws in
ICT areas and setting standards for quality, reliable, and safe ICT services.
………..also the principal policy organ concerning cybersecurity, particularly
cybercrimes.
 The MCIT also sets and implements standards to ensure provision of quality,
reliable and safe ICT services…. Proclamation to Provide for the Definition
of Powers and Duties of the Executive Organs-1263/2021-art-29
 Each regional state has its own Communications and Information Technology
Agency,
 The Ethiopian Information Network Security Agency (INSA); የመረጃ
መረብ ደህንነት አስተዳደር
 An institution originally founded by Abiy Ahmed
 INSA is an Ethiopian government agency which is responsible to safeguard the
national interest in cyber space…… it’s mission is to protect Ethiopia’s national
interest by building a capability that enables to safeguard the country’s information
and information infrastructures 18
  The legal basis of creating INSA in 2006 was the Council of Ministers Regulation
No.130/2006, with goals including defence of Ethiopian information infrastructure…..
The Council of Ministers Regulation No.250/2011 and Proclamation No.808/2013
updated the initial legal definitions of INSA
 INSA formulates national policies, laws, and standards to ensure information security
and computer-based key infrastructure security.
 In October 2018, responsibility for INSA was given to the Ministry of Peace. It was
reverted back to the office of the prime minister in October 2021-art-79/8 of Proc.
1263/2021
 For more check; https://www.insa.gov.et/
• The Federal Police Commission;
 investigates crimes relating to information networks and computer
systems, taking necessary countermeasures and providing assistance in
preventing and investigating cybercrime.
.

19
• The National Intelligence and Security Service (NISS); ብሔራዊ መረጃና
ደህንነት አገልግሎት
 Is an intelligence agency of the Ethiopian federal government tasked with gathering
information of national interests.
 It does counter-terrorism in the country by informing the federal police, gathering
intelligence for the Ethiopian National Defense Force, and information for local law
enforcement.
 has generic powers to investigate cybercrimes, including following up and collecting
intelligence on other serious crimes that threaten national interest and security.
 Proclamation-no-804-2013-national-intellegence-and-security-services-establishment
 Accountable to the PM-art-79/9 of Proc. 1263/2021
 For more check; https://niss.gov.et/
 ተቋማዊ ተልእኮ
 የኢትዮጵያን ብሔራዊ ደኅንነትና ጥቅሞች ከማንኛውም ስጋት ለመከላከል፣
ለመጠበቅና ለማሳካት የሚያስችሉ፡-
 መረጃዎች መሰብሰብ፣መተንተንና ለሚመለከታቸው የመንግስት አመራሮችና
ተቋማት ማቅረብ፤
 የመንግስት ከፍተኛ አመራሮች፣ የውጭ ሀገር መሪዎችና ቁልፍ መሰረተ ልማቶች
ደኅንነት መጠበቅና ማስጠበቅ፤
 በሀገራችንና ህዝቦቿ ጥቅምና ክብር ላይ የሚቃጣ የስነልቦና ጦርነት መከላከልና
መቀልበስየሚያስችሉ ስራዎችን መስራት ነው
. 20
 Courts of Law;
 The constitutional devolution of judicial power is based on the federal
arrangement, with federal courts having criminal jurisdiction over
offenses related to the security and freedom of communication services
operating within multiple regions or at the international level.
 CCP, authorizes FHC to have jurisdiction to entertain cybercrimes
 FCEP, No-1234/2021 seems to give jurisdiction to FFIC
 Regional state courts may adjudicate cybercrime cases within their
territories, but state judicial jurisdiction on cybercrime is set out by the
respective court proclamation of each regional state.

21
Some critics on the Law; Dagne Jembere and Alemu
Meheretu-IMPLICATIONS OF THE ETHIOPIAN COMPUTER CRIME
PROCLAMATION ON FREEDOM OF EXPRESSION
• Like many other countries, Ethiopia enacted Computer Crime Proclamation in
2016 in order to protect the national economic and political stability of the
country.
• However, the proclamation establishes serious offenses that are likely to adversely
impact on enjoyment of freedom of expression.
 The proclamation aims to protect individuals' and public rights but
has negative impacts on freedom of expression.
 It provides vague language and vague phrases, which can be
abused by government authorities.
 The proclamation criminalizes online defamation, but it is not
appropriate for regulating such behavior.
 It also makes Internet Service Providers (ISPs) criminally liable for
illegal content, causing ISPs to limit free speech subjectively and
allowing administrative authorities to order content removal,
potentially obstructing political sensitive speeches. 22
Summary of recommendations on the Proclamation;Article-
19, Ethiopia: Computer Crime Proclamation, Legal Analysis,
2016
General provisions;
 A clause should be inserted requiring that the Proclamation be interpreted in
accordance with human rights standards, in particular the rights to privacy and
freedom of expression.
Computer crimes;
• Articles 3-7 should be completely redrafted, incorporating the following principles:
 a requirement of dishonest intent should be introduced;
 a public interest defence should be provided for, covering the accessing or
intercepting of data for journalistic purposes and in the public interest;
 the offence should not be made out unless serious harm or damage was done or
likely to be done, particularly for data interference and system interference offences;
and
 the imposition of financial penalties as an alternative to imprisonment should be
provided for in order to provide a proportionate penalty for minor infractions.

23
 The offence of criminal defamation should be removed; or at the very least,
the penalty of imprisonment abolished;
 Provided the offence making exist in the Criminal Code, Articles 13 and 14
should be removed as unnecessary; any offline equivalent offences should
be reviewed and replaced with appropriately narrowly defined offense of
„stalking‟ and inciting violence or hatred , in line with the requirements of
international human rights law;
 Article 16 should be removed. Instead, service providers should be granted
immunity from liability in line with the Manila Principles on Intermediary
Liability; any liability should be civil rather than criminal; and
 If our recommendations about Articles 13 and 14 are followed, Article 19
should be removed as redundant; if not, at the very least, instead of
providing that different laws can apply concurrently, Article 19 of the
Proclamation should provide that only one law can apply
Preventive and investigative measures;
• Data retention requirements should be reviewed in line with international
standards on privacy;
• An independent body should oversee the implementation of the surveillance
regime established under the Proclamation;
24
 There should be annual reports on the number of surveillance operations,
providing as much detail as is possible without undermining any ongoing
investigations;
 Individuals who suspect that they have been subject to surveillance should have
access to redress, either through court or to a specialised tribunal;
 The power to conduct raids without obtaining any independent authorisation in
Article 25 should be repealed; and
 The duty to report cybercrimes under Article 26 should be repealed.
Evidentiary and procedural provisions;
• Articles 29-31 should be completely redrafted, incorporating the
following principles:
 Investigative powers should be required to only be used as necessary and
proportionate;
 Investigative authorities should be required to obtain a court order for any
intrusive searches, seizures or other orders, and courts should apply due
process and proportionality principles in deciding on applications;
 Investigative authorities should not be allowed to delete content or render it
inaccessible;
 The burden of proof should rest firmly with the prosecution 25