Published daily by the Lowy Institute

Developing PNG’s cybercrime policy: Local contexts, global best practice

The Cybercrime Act has had and will have major ramifications for the role the internet plays in Papua New Guinean society.

Photo: Flickr/eGuide Travel
Photo: Flickr/eGuide Travel
Published 16 Mar 2017 

With Papua New Guinea's national elections just over three months away, attention has turned to the government's legislative record. Last August the Papua New Guinean government passed the Cybercrime Act into law (despite the act being passed into law six months ago, it is not yet available for the public to read on the government’s website; a draft copy circulated in early last year can be found here). This act has had and will have major ramifications for the role the internet plays in PNG society.

With information becoming an increasingly valuable commodity, and the rising importance of network security and data integrity, it's positive to see cyber security is being taken seriously in PNG. Coincidentally, however, the law was introduced at a time when the government faced significant criticism online, raising concerns the act is simply government censorship under the pretence of security.

The Council of Europe's Convention on Cybercrime (ratified by 52 countries, and also known as the Budapest Convention) describes cybercrime as offences relating to computer-related data, fraud and network security, as well as copyright infringement. Cybercrime legislation and policy are established to protect citizens from such crimes and prosecute offenders, as well as to regulate and promote positive growth within the ICT sector. It is important for PNG to take local contexts into account alongside global standards, such as the Budapest Convention, as cybercrime offences often span both local and international jurisdictions. This includes best practice in both the policies and processes for drafting and enacting cybercrime legislation.

The fact that the PNG government has recognised the importance of cybersecurity is significant, given that cybercrime legislation is fairly patchy within the Pacific region. The draft bill outlines offences and penalties relating to data and network security, including cybercrime offences as recognised by the Budapest Convention such as unauthorised access, data and system interference. The policy also covers traditional offences committed via computer, such as electronic fraud and forgery (likewise recognised in the Budapest convention). This is relatively common practice; more and more personal information is held and transactions are carried out via electronic means. This particular element of cyber legislation could be criticised on the grounds that fraud and forgery are already crimes regardless of whether they are carried out online or not – while keeping concerns over potentially creating another level of bureaucratic legality in mind, the components of the legislation relating to data and network security are all quite reasonable.

It is when the draft legislation deals with content-related offences that lines become more blurred and concerns about censorship and restrictions on freedom of expression arise. Articles which may be interpreted as suppressive include 'offensive publications' and 'defamatory publications', among others. The Act thus may deter online dissent to government action, a view aired by prominent blogger Martyn Namarong (who has since shut down his blog in protest). An online defamatory publication, which the legislation defines as using an electronic system to intentionally make publicly available material that may harm the reputation of another person, could potentially land someone in prison for decades, if the punishments prescribed in the draft bill remain intact in the final legislation.

However, Zinia Dawidi, a lawyer who helped draft the document, has stated these were ceiling penalties and that the actual penalty applied could range from zero to a maximum of the figures stated. It is unclear how this policy will apply to whistle-blowers or those that reveal confidential yet criminally compromising documents. One other article that stands out refers to cyber unrest, which the bill defines as the use of electronic media to incite any form of unrest and various other criminal actions defined in PNG's criminal code act. More clarity should be provided around what sort of cases can and cannot be tried under these articles, and emphasis placed on the protection of the right to freedom of speech and peaceful protest.

The other issue that has drawn criticism from domestic commentators is the process with which the act was drafted and passed, and in particular the lack of emphasis on consultation and public awareness. There has been much concern about the timing of the bill being passed into law – the months preceding its passing saw widespread protests organised through social media against the government, culminating in a shooting at the University of Papua New Guinea in June.

However, though the bill was not passed until August last year, the policy was launched in October 2015. The International Telecommunication Union also notes that there was a public consultation held in Port Moresby in December 2012 regarding cybercrime policy upon request from the government. There is little else to suggest a thorough consultation and public awareness campaign, but it clearly has been discussed for some time. Broader community consultation would strengthen PNG's cybersecurity strategy.

Despite the passing of this new legislation, PNG faces considerable challenges with regards to its cyber maturity, as reflected in its rankings in the Australian Strategic Policy Institute's 2016 report on 'cyber maturity' in the Asia-Pacific. The same report notes that 'countries with lower cyber maturity continue to approach cybercrime as a means through which to implement strong online censorship'.

Taking the initiative to legislate against cybercrime is an important first step from the PNG government. However, there are areas where PNG can strengthen its approach to cybersecurity. With persistent concerns about censorship hovering over the policy, further definition around certain articles is needed to prevent exploitation and cyber censorship. This should be done in consultation with stakeholders from business, civil society and academia and involve international organisations that work towards enhancing global cooperation on cybersecurity. Harmonisation and effective implementation of cyber legislation will help protect citizens against cybercrime and contribute to stability and growth in a changing global economy.

You may also be interested in