STRENGTHENING THE INTERNET: EXTENDING ENCRYPTION THROUGH PRIVACY PROTECTION FOR HEALTHY INTERNET IN AFRICA

Introduction:

The Internet has become a way of life in the digital world. Every minute of every hour, individuals connect online to share information and ideas, communicate, and work collaboratively. The multi-stakeholder groups within the Internet Governance Ecosystem (Civil Society, Technical Community, Private Sector, Government, Academia, etc.) are always working together to extend encryption through the usage of the internet, thus protecting the privacy of internet users through data sharing and information protection. [1]

In strengthening the Internet, the Internet Society states in its action plan that it is advocating for end-to-end encryption, secure global routing, facilitating knowledge exchange about network and distributed system security, and examining the many ways digital sovereignty is interpreted by those who seek to assert it. [1]

The report calling for better online data privacy regulations and stakeholder coordination for greater impact comes at the end of a six-month study undertaken by Stears Data, with support from Luminate, a global philanthropic organization focused on empowering people and institutions to work together to build just and fair societies [2]. The report provided insight into key issues in data and digital rights, effective approaches to addressing those issues, and opportunities for impact, with input from representatives in the public and private sectors, civil society, and media [3]. On data protection, the study found that “there is insufficient judicial and regulatory oversight available to sufficiently protect personal data” as provisions in the telecommunication and cybercrime legislation can be exploited for surveillance purposes by government departments. [4]

However, we can work to see that the privacy protection of individuals is regulated well by the various stakeholder groups. This can be a regime built on encryption of personal data for healthy internet usage in Africa. As stated in the Internet Society report, the most effective way to ensure the personal security of billions of people and the security of nations around the world is not only to continue preserving uncompromised, end-to-end encryption practices, but also to adopt and bolster strong encryption policies. [5]

What do we have to say about Privacy Protection in Africa?

As stated by the IGF theme on data governance and privacy protection, data is a key resource in the global digital age [6]. In Africa, data protection is always evolving in our everyday digital world, and privacy protection is a key component of data protection. Privacy protection refers to the ability to keep the information you would like to keep to yourself from getting into the hands of companies, hackers, government organizations, and other groups or the public. Organizations also have a role in keeping the personal data of their customers and clients secure so that it does not reach unauthorized users. Privacy protection therefore describes the ability to keep specific information private or restricted to a limited number of people. Privacy protection consists of physical protection, virtual protection, third-party protection, and legislation protection for healthy internet and digital engagement. [7]

The African Union Convention on Cybersecurity and Personal Data Protection has been signed by 14 countries, and only eight countries had ratified it by June 2020. Indeed, adherence to these instruments remains low [8].

The Privacy Protection Implications and Limitations against Healthy Internet usage:

According to a report from Dalberg’s advisors, the absence of existing data protection frameworks and the lack of supporting services present a significant challenge for most African countries. With no African country currently deemed to be compliant with the GDPR, its introduction risks disrupting the USD 14 billion in annual exports from Africa’s digital economy to the EU. [9]

These limitations are connected to the data protection principles below. Firstly, the collection of data is a limitation to privacy protection: personal data must be obtained and processed lawfully, fairly, and, to the extent possible, transparently in Africa. The quality of data is another limitation to privacy protection: personal data is sometimes not accurate at the point of collection, and we must ensure reasonable steps are taken to keep data accurate and to maintain it throughout retention. Another limitation or implication is purpose specification, which requires that personal data is collected only for specified, explicit, and legitimate purposes. This ensures that personal data is only used for such other purposes as are compatible with applicable laws, such as archiving data that is in the public interest, or for scientific research. [10]

What do we say about Encryption?

To achieve a healthy internet through the privacy protection of individuals, encryption in Internet security and privacy protection can be defined as the conversion of data from a readable format into an encoded format that carries the same data. Encrypted data can only be read or processed after it has been decrypted. From the viewpoint of Internet and data protection, encryption is the basic building block of data security and data protection for a healthy Internet. The Internet Society defines encryption as the process of scrambling or enciphering data so it can be read only by someone with the means to return it to its original state, and states that it is a crucial feature of a safe and trustworthy Internet. It helps provide data security for sensitive information. [11]

The report of CEPA shows that encryption concerns in Africa include prohibitive regulation that hampers the use of encryption, compelled assistance by service providers, mandatory SIM card registration, and data localization requirements. All these can be exploited, especially by states and their agencies, to undermine citizens’ right to privacy and various other digital rights [12]. The CEPA report also shows that encryption is under threat from governments in Africa, as indeed in other parts of the world. Among the concerns cited by the brief are legislation and regulations that require registration and licensing of encryption service providers before they can offer cryptographic services.

This is the case in Benin, Chad, Cameroon, Congo Brazzaville, Democratic Republic of Congo (DR Congo), Ethiopia, Guinea, Ivory Coast, Malawi, Mali, Morocco, Senegal, South Africa, Tanzania, Tunisia, and Zambia, among others. Offering encryption services without a license attracts penalties, as does failure to hand over secret encryption codes to state authorities, or using prohibited encryption tools. [13]

Various modes where encryption is needed for privacy protection.

With respect to online business and electronic commerce, encryption is needed to protect the privacy of user data on the internet. We rely on trusted businesses to protect our financial transaction information when we buy and sell things online or when we use internet banking and other payment solutions. Encryption is therefore a key method in performing such transactions.

Browsing is another mode in which encryption is needed to protect the privacy of users and their data. Browsers and websites use HTTPS, an encrypted protocol, to provide secure communications, keeping our data from being read by bad actors while it is in transit over the internet.

In secure messaging, encryption plays a key role: when we use a messaging app, we expect the messages to be private. Some messaging apps use encryption to maintain the privacy and security of their users’ communications while they are in transit. Others even use end-to-end encryption, so only the sender and receiver can read the messages. An example is the WhatsApp feature that uses end-to-end encryption to protect the information or communication from one user to another.

The Need to Increase encryption to protect privacy.

Some of the concerns raised in Africa about encryption are prohibitive regulation that hampers the use of encryption, compelled assistance by service providers, mandatory SIM card registration, and data localization requirements. All these can be exploited, especially by states and their agencies, to undermine citizens’ right to privacy and various other digital rights. In Ghana, from July 2021 to date, the government, in partnership with the Ministry of Communication and the National Communication Authority, has set policies and regulations for a mass SIM card re-registration with the citizen identity card (National ID). This is to ensure that the security and protection of individuals are guaranteed by service providers. [14]

One of the key benefits of using encryption is protecting the confidentiality of digital data stored on computer systems or transmitted over the internet or any other computer network. Encryption also increases consumer trust in privacy protection. Although entities in Africa may not face a strict regulatory requirement for encryption, companies may wish to use encryption to gain the trust of their customers. From the CIGI-Ipsos Global Survey on Internet Security and Trust, “53% of respondents said they were more concerned about online privacy now than a year ago”. Given the erosion of trust that we’ve seen in recent years, advertising the fact that your business is conforming to certain encryption standards could give you a competitive advantage [15]. Looking at the rate at which the pandemic forced all entities to adopt remote working, encryption also helps in protecting remote workers. It is believed that the risk of a data breach is higher when employees work remotely. This is not surprising, as many remote workers store confidential data on their devices, and companies have little control over how this data is accessed and shared.

If companies enforce strict encryption, remote workers’ privacy will be protected while they use the internet, for a healthy workplace. [15]

Some means and approaches in which encryption can be used to protect privacy in Africa.

Firstly, we can use encryption at rest as a way to protect the privacy of individuals in Africa. This means that data stored on servers and/or in databases is encrypted. In the case of data exfiltration, or if the network or systems are compromised, the data will remain encrypted. Examples are the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). [16]

Secondly, encryption in transit is a means by which the privacy of data can be protected. It encrypts traffic between two entities or systems and protects against man-in-the-middle (MITM) attacks or sniffing: even if the communication is intercepted, it is useless to the interceptor. Encryption is done at the transport layer. Upon receiving the message, the endpoint is authenticated, then the data is decrypted and verified. An example is Transport Layer Security (TLS), which is often used for encryption in transit. [17]

Thirdly, encryption in use is another way to protect the privacy of the individual. It seeks to protect the data while it is being used to run analytics or computation; an example is Format Preserving Encryption (FPE). [18]

Building on the above means, the various stakeholder groups must use the strategies stated below for effective encryption of data for a healthy internet in Africa.

One is the classification of data. At the beginning, companies or stakeholders need to identify what data to encrypt. We must understand and classify the different types of data being transmitted and stored (e.g., credit card numbers, customer information, company proprietary data) based on sensitivity, use, and regulatory impact. [19]

Another strategy is to implement a strong key management practice. When keys fall into the wrong hands, organizational data security is at stake. Policymakers need to keep an inventory of all the encryption keys, along with information on who has access to them and how and when the keys have been used. Key management solutions help you to store and manage encryption keys. This can also be supported through inter-governmental capacity-building and awareness training that various companies can be required to follow as far as data protection and the privacy of citizens are concerned. [20]
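The data classification and key inventory practices described above, as an added example that is not part of the original paper: a small Python audit over a constructed inventory that records each key's algorithm, who may use it, and when it was used. The record fields, all names and the 365-day rotation limit are assumptions made for illustration; DES is flagged because its 56-bit key is too short for current use.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy values for this example, not taken from the paper.
WEAK_ALGORITHMS = {"DES"}        # 56-bit key, too short for current use
MAX_KEY_AGE_DAYS = 365           # assumed rotation limit
MUST_ENCRYPT = {"credit_card", "customer_info", "proprietary"}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    created: date
    authorised: set                              # who may use the key
    usage: list = field(default_factory=list)    # (date, principal) entries


def audit(keys, datasets, today):
    """Return a sorted list of (subject, finding) tuples."""
    findings = []
    for k in keys.values():
        if k.algorithm in WEAK_ALGORITHMS:
            findings.append((k.key_id, "weak algorithm " + k.algorithm))
        if (today - k.created).days > MAX_KEY_AGE_DAYS:
            findings.append((k.key_id, "rotation overdue"))
        for when, who in k.usage:
            if who not in k.authorised:
                findings.append((k.key_id, f"unauthorised use by {who} on {when}"))
    # Classified data that must be encrypted needs a key from the inventory.
    for name, (classification, key_id) in datasets.items():
        if classification in MUST_ENCRYPT and key_id not in keys:
            findings.append((name, "sensitive data has no inventoried key"))
    return sorted(findings)


# Constructed sample inventory (hypothetical names and dates).
KEYS = {
    "k-payments": KeyRecord("k-payments", "AES-256", date(2022, 1, 10),
                            {"billing-svc"}, [(date(2022, 9, 1), "billing-svc")]),
    "k-archive": KeyRecord("k-archive", "DES", date(2019, 3, 5),
                           {"backup-svc"}, [(date(2022, 8, 14), "intern-laptop")]),
}
DATASETS = {
    "card_numbers": ("credit_card", "k-payments"),
    "customer_records": ("customer_info", None),
    "press_releases": ("public", None),
}

if __name__ == "__main__":
    for subject, finding in audit(KEYS, DATASETS, date(2022, 11, 1)):
        print(f"{subject}: {finding}")
```
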

The Role of Multistakeholder groups in strengthening the internet through encryption and Privacy Protection.

According to the learning resources in the Introduction to Internet Governance course by the Internet Society, the multistakeholder model of Internet governance plays a key role in policies on the internet and digital protection. The multistakeholder model of Internet governance is also known as the best mechanism for maintaining an open, resilient, and secure Internet because, among other things, it is informed by a broad foundation of interested parties with a common goal, including businesses, the technical community, civil society, academia, governments, and IGOs.

It is recommended that the Government stakeholder group set policies and regulations that protect individuals’ privacy in their respective countries through a compliance model. The Technical Community must also ensure that there is system security, data encryption, access control mechanisms, database protection, network security, and other aspects of protecting the privacy of individuals and the internet. Academia as a stakeholder group should create awareness and skills training for its community, which will enable individuals to know how to protect their privacy through encryption for a healthy internet. The private and business stakeholder group should ensure that institutions have a common and shared understanding and principles that can guide them to be compliant with the privacy regulations set out by the regulatory authorities. Civil society is concerned with the various communities, the lay people who need to understand such protection. Civil society must ensure, through local organizations, that their members understand the key principles and regulations that can help them protect their internet use through encryption and protect their privacy for a healthy internet.

Conclusion.

As reported by Cynthia Rich (2016) Privacy Laws in Africa and the Near East (16) 6 Bloomberg BNA World Data Protection Report, there are currently 17 countries in Africa that have enacted comprehensive personal data protection legislation, namely Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara [21].

The African Union must be able to sign up all African countries to common regulations and privacy impact as we continue to create an internet for everyone, growing and strengthening the internet. Security and privacy are also a key role that all multistakeholder groups have in ensuring that the internet is healthy for public use. As part of my speeches at various conferences and awareness events under the Internet Governance Forums and Internet safety, I have personally highlighted the need for data protection in various African countries. I also highlighted the gaps in privacy protection in our various policy regulations in Africa and how the youth can be involved [22]. At the global IGF 2022, where I am speaking about the data privacy gap from the global youth perspective, I recommend that action on awareness to protect privacy for a better and healthy internet among the youth be achieved by all Government stakeholders, Academia, the Technical Community, the Private Sector, Civil Society and the rest. [23]

In concluding this paper, drawing on all the learning from the Internet Society and other groups’ training: the African Union must be able to bring together policymakers in the various countries and other multistakeholder actors such as ICANN, ITU, APC, African IGF and the Internet Society to set up a Regional Data Protection Regulation Agency and policies like the European Union’s GDPR, which can ensure privacy protection in Africa. I also believe that encryption can be used as a tool to protect the privacy of the individual in Africa for a healthy Internet, through regulations, policy documentation and implementation at a regional level, which can help strengthen the internet and make everyone connected and safe.

About the Author:

Selby Abraham is a Ghanaian and a long-term Information Technology Consultant, Tech Policy Analyst, and Internet Governance Advocate Speaker. He has served as a volunteer for the Global IGF 2021 and 2022 as technical support. He is an Internet Governance Fellow under AFRISIG, GhanaSIG, India SIG, VirtualSIG. He is also serving as AMS for the Cybersecurity SIG under the Internet Society Global and as Vice Communication Chair for the Internet Society Ghana Chapter. He is also a Privacy Protection Advocate, media speaker, and Daily Graphic writer on digital awareness. He is a Member of the Institute of ICT professional Ghana and Technical Support for EGIGFA and ISSSC.