Lesotho’s legislative response to cybercrime culminated in the tabling of the Computer Crime and Cyber Security Bill, 2024, a comprehensive framework intended to modernise the country’s approach to digital threats. The Bill seeks to address the rise of computer-enabled criminal activity, national security vulnerabilities, and the growing incidence of electronic fraud, cyberbullying, and malicious communications. While its objectives are commendable, certain provisions, most notably section 66, raise serious constitutional and human rights concerns.
This article examines the content and implications of section 66 of the Bill, which authorises state agents to engage in remote surveillance and data interception. Drawing from international law, digital rights jurisprudence, and comparative regulatory standards, it argues that section 66 is overbroad, lacks sufficient safeguards, and is susceptible to abuse. A set of targeted legal reforms is proposed to better balance national security imperatives with the constitutional rights to privacy, dignity, and freedom of expression.
The Legal Architecture of Section 66
Section 66 of the Bill empowers authorised law enforcement officials to covertly install software tools, such as keyloggers or remote spyware applications, on electronic devices belonging to persons suspected of having committed a cybercrime. The operative threshold for authorisation is that the intrusion must be “reasonably required for the purposes of investigation.” Notably, section 66:
- does not expressly limit such surveillance to serious or high-risk offences;
- does not require post-surveillance notification to affected individuals;
- imposes no obligation to delete non-relevant or lawfully acquired data;
- offers limited judicial oversight and leaves implementation largely to executive discretion.
This formulation is deeply problematic. It risks authorising state-sponsored mass surveillance, undermining the presumption of innocence, and enabling function creep, the use of powers for purposes beyond those originally intended.
Comparative and Normative Concerns
The language of section 66 falls short of international best practice. Under the Siracusa Principles on the Limitation of Rights (UN ECOSOC, 1984) and the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (ARTICLE 19, 1996), state interference with fundamental rights must be:
- prescribed by clear law;
- necessary and proportionate;
- subject to adequate oversight and review;
- and least restrictive to the rights in question.
A blanket surveillance power, absent compelling thresholds, procedural safeguards, and transparency, is inconsistent with these principles.
Comparative jurisprudence also supports this position. The European Court of Human Rights has consistently held that digital surveillance regimes must provide for effective guarantees against abuse (see Szabó and Vissy v Hungary (2016) ECHR 579). Likewise, in Carpenter v United States 138 S. Ct. 2206 (2018), the US Supreme Court recognised that access to sensitive digital data engages the Fourth Amendment and requires judicially sanctioned probable cause. Lesotho’s section 66 provision, by contrast, relies on a vague necessity standard and delegates excessive discretion to investigative authorities.
Threats to Privacy, Expression and Legal Certainty
The potential harms that may arise from section 66, if enacted in its present form, are both conceptual and practical:
(a) Chilling effect on expression:
The knowledge that the state may surreptitiously access one’s communications, keystrokes, or device metadata could deter individuals from expressing controversial opinions, engaging in activism, or seeking information online, especially in political or sensitive contexts.
(b) Erosion of informational privacy:
Without data minimisation principles, collected data, whether relevant to the investigation or not, may be stored indefinitely. This poses serious risks of profiling, secondary use, and breach of the right to privacy under section 11 of Lesotho’s Constitution.
(c) Absence of legal certainty and review mechanisms:
By failing to define key terms (e.g. reasonably required, serious offence) and by excluding independent oversight, the section falls foul of the rule of law requirement that restrictions on fundamental rights must be clear, narrowly tailored, and reviewable.
Recommended Reforms
To remedy the defects identified above, the following legislative amendments are proposed:
(a) Introduce a Probable Cause Standard
Section 66 should only apply to investigations involving serious offences, such as cyberterrorism or high-level organised cybercrime. The threshold should be revised to require a showing of probable cause, with a court determining whether surveillance is warranted based on objective, concrete evidence.
(b) Mandate Post-Investigation Notification
Where covert surveillance has been authorised, the law should require that the subject of the investigation be notified within a reasonable time after the conclusion of the surveillance, except in clearly defined and exceptional circumstances (e.g., if notification would endanger an ongoing operation or national security).
(c) Establish Data Minimisation and Deletion Obligations
The Bill should compel the automatic deletion of all information that is unrelated to the offence under investigation. In addition, an independent mechanism (e.g., judicial officer or data protection authority) should be tasked with ensuring compliance and data integrity.
(d) Create an Independent Oversight Body
A multi-stakeholder oversight body, comprising members of the judiciary, civil society, legal profession and cyber experts, should be established to review, audit, and report on the use and effectiveness of digital surveillance tools.
Conclusion
Lesotho’s push to modernise its legal framework in response to cybercrime is laudable. However, in seeking to secure the digital domain, the state must not sacrifice constitutional liberties on the altar of expediency. Section 66 of the proposed Bill, in its current form, grants overly broad powers of surveillance without sufficient safeguards to ensure transparency, accountability, and proportionality.
Reforming this provision is not merely a matter of legislative housekeeping; it is a constitutional imperative. In the digital age, security and privacy are not mutually exclusive, they are co-dependent principles. Lawmakers must therefore design legal instruments that are fit for purpose, grounded in rights, and capable of securing both justice and liberty in cyberspace.
--
Read the original publication at Mayet & Associates
.jpg)