Why convictions under the Computer Misuse Act are hard

On July 11, a story from Entebbe Chief Magistrate’s court made headlines not only in local media but also in international outlets such as the BBC, Voice of America, Associated Press, AFP, and Al Jazeera.

It is unusual for a court story, especially from a magistrate’s court outside Kampala, to gain such widespread attention. On July 10, Entebbe Chief Magistrate Stellah-Maris Amabilisi sentenced TikToker Edward Awebwa, who ran the account “Save Media Uganda,” to six years in prison for allegedly insulting President Yoweri Kaguta Museveni and members of his family, including his wife Janet Museveni, who also serves as the minister of Education, and his son Gen Muhoozi Kainerugaba, the chief of defense forces.

Awebwa employed a decades-old method of activism known as radical rudeness, using provocative language to challenge authority. In his videos, which have since gone viral following his conviction, Awebwa accused Museveni and his family of running down the country.

Awebwa was convicted and sentenced based on his own plea of guilty. His conviction and lengthy sentence sparked sustained debate online, with commentators questioning how one could receive six years for what many regarded as a flimsy crime. Moreover, his guilty plea, which typically would have resulted in a lighter sentence, added to the controversy.

Another point of contention was whether Awebwa was misadvised to plead guilty, especially considering the 2020 acquittal on appeal of academic and political activist Dr. Stella Nyanzi. In 2019, Buganda Road Magistrate Gladys Kamasanyu convicted and sentenced Nyanzi to 18 months in prison for insulting Museveni and his late mother, Esteri Kokundeka.

However, in his acquittal of Nyanzi, High court Judge Dr Henry Peter Adonyo found that the Buganda Road Magistrate court lacked the jurisdiction to entertain such a case. Nyanzi had been charged with two offenses: cyber harassment contrary to section 24(1), (2) (a) of the Computer Misuse Act, 2011, and offensive communications contrary to section 25 of the Computer Misuse Act, Act 2 of 2011. Nyanzi was acquitted of offensive communication and found guilty of cyber harassment.

In finding Nyanzi guilty of cyber harassment, the magistrate ruled that her posts on Facebook were obscene, lewd and indecent. In her appeal against the conviction and sentence, Nyanzi presented 10 grounds challenging both. A key point of contention was that the prosecution failed to prove that the device she used to post on Facebook was within Uganda at the material time, as alleged. Nyanzi argued that the court thus lacked jurisdiction over her case.

According to established jurisprudence, a court that lacks jurisdiction does not have the power to hear a case. Judge Adonyo’s decision confirmed this, establishing that Buganda Road magistrate’s Court did not have the authority to hear Nyanzi’s case.

In his 45-page ruling, Adonyo noted that the main prosecution witness, ASP Ndyamuhaki, a detective police officer attached to the CID who investigated the case, failed to provide evidence regarding the information on the phone Nyanzi used to post on Facebook.

The information needed included the location, traffic data, and other cell site location information to demonstrate that Nyanzi had the phone at the time the offensive communication was posted on Facebook.

“Testimony shows that while it is true that a posting on a Facebook page was activated using a specific device not produced in court, it is possible to prove its actual possession and its use to make the impugned post. This can be done by establishing the ‘Digital Footprint’ of the device used,” the judgment reads in part.

The judgment further explains, “Though it was unfortunate that the mobile phone allegedly used to make the impugned post was neither recovered from the Appellant’s person nor exhibited in court, there are a number of ways that mobile phone information can be identified.”

These methods include using the device’s International Mobile Equipment Identity (IMEI), a 15-digit unique number assigned to a specific device, which allows for precise tracking when the device is active. Another avenue to prove that the data was used within Uganda would have been to obtain such information from Facebook.

“The digital footprint left behind by a device on Facebook computers, such as the operating system, including the device’s settings like its GPS location, the name of mobile operators or ISP used, the language, the time zone, the mobile phone number, the IP address of the device, the connection speed of the device, and even information about other devices which were nearby, could be secured from Facebook by law enforcement agencies upon request or upon a court order.

Indeed, this shareability of information to pinpoint ownership and the location of a device used to post offensive materials by Facebook was noted as being a possibility upon legal authorization, as observed by the Irish court in the case of Fred Muwema vs Facebook Ireland Limited,” the judgment reads in part.

In that case, the court held that the details collected by Facebook relating to the identities and location of a person operating a Facebook page under the name ‘Tom Voltaire Okwalinga’ could be secured from Facebook to prove the residency of the device used in making an alleged offensive posting and the identity of the person doing so when legally sought. However, the court declined to issue the order for the release of the information after learning that there was a high likelihood that the information would be misused.

This denial follows a pattern by big tech companies not to disclose information pertaining to their customers for fear of it being used for victimization. It is even more challenging if the sought information is about people deemed to be activists for causes such as democracy, LGBTQ rights, climate change, and other issues the West considers important.

Therefore, the judge ruled that the lack of presentation in the lower court of a forensic report pointing to the location of both the device and the offender disadvantages anyone who seeks to convict someone under the Computer Misuse Act.

“Since the issue of jurisdiction goes to the root of the case with the consequence that any lack of it would render the decisions of the court, however technically correct or precise, to be of no legal consequence and therefore void… From the above, my conclusion is that the proof of the identity and the residency of the offending computer, program, or data, and the offender in relation to the commission of an offense as brought under the Computer Misuse Act, is crucial before a court can purport to try a case brought under the said Act… My finding is that the learned trial magistrate in the lower trial court did err in law and fact when she entertained the case against the appellant, yet her court had no jurisdiction. The illegal assumption of jurisdiction renders the trial in the lower court a nullity,” the judge ruled. He, therefore, set

Nyanzi free from prison. If this is the standard that must be met for anyone to be convicted under the Computer Misuse Act, it’s safe to say that it will be some time before the government can secure a conviction based on this law—unless, of course, the law is amended. The inability to secure a conviction under this law doesn’t mean the state will stop using it to target online critics, especially those employing radical rudeness.

Like it has used charges such as terrorism and treason to try political opponents, knowing these charges lack legal standing, they are, nonetheless, brought forward to inconvenience, threaten, and bog down opponents as they spend days or even months on remand in prison, and expend resources to hire lawyers, among other things.