Kenya: The Computer and Cybercrimes Bill of 2017

​The Computer and Cybercrimes Bill of 2017 has had a varied reception by the Kenyan public. It has been mostly welcomed as an important countermeasure against the alarming incidences of cybercrime in the country and as a key step in securing Kenya's fledgling digital economy.
 

Human rights activists, IT professionals and everyday internet users have some reservations about the Bill believing that the government will abuse the powers provided thereunder to claw away at Kenyan netizens internet freedoms, constitutional rights to privacy, freedom of expression and to access information. The Bill has been out for public comment and will be soon coming up for its second reading in Parliament when it is hoped that some of the lingering concerns will be addressed.

The Computer and Cybercrimes Bill 2017, in its own words is intended protect the confidentiality, integrity and availability of computer systems and data, to prevent the unlawful use of computer systems, to provide procedures to be used when investigating cybercrimes and lastly to create the framework and outlines the procedures for regional and international cooperation in investigations into cyber-crimes.

In summary, this is to be a criminal law, setting out certain crimes as 'computer' and 'cybercrimes', and prescribing certain offences. It is not, as some may have imagined, a law that creates obligations and regulation (outside of criminal sanctions) around online or 'cyber' transactions, e-commerce or even data privacy. We surmise that the largest beneficiaries of this law will be corporations, particularly in the financial services sector, and to a lesser extent, consumers and users of online services and facilities.

Below we go over the Bill, analyse its main features being its three main parts i.e. the offences it creates, the investigation  procedures it provides and the means for international cooperation it outlines. We also identify some of the shortcomings that need to be addressed by the National Assembly when it comes up for debate.

Offences

The offences provided for in the Bill are not entirely new. In fact many of these offences are already provided for under the Kenya Information and Communication Act.

What the Bill does differently to the Kenya Information and Communication Act is to adopt the language and the content of the Budapest Convention of Cybercrime. This similarity is deliberately intended to harmonise the Bill with accepted international standards of cybercrime criminalisation.

Harmonisation of global cybercrime law is key part of the fight against it. Cybercrime so often has a transnational element to it. It is often committed across state boundaries and it therefore has to be fought across multiple countries. A lack of a global harmonised legal regime could lead to the creation of cyber-crime safe havens.  A cyber-crime safe haven is one that doesn't criminalise cyber-activity that is criminalised in other countries or whose penalties are relatively lower to those of other countries. Cybercriminals can take sanctuary and operate from these safe havens and knowing that they are beyond the reach of the authorities in countries where the victims of their crimes are situated or alternatively that they can commit their crimes and suffer relatively low penalties. Therefore in developing cybercrime legislation, drafters try to ensure that they have criminalised the same cyber offences using the same language and provided penalties that are similar to those in other countries.

• Offences against the confidentiality, integrity and availability of computer data and systems - These are offences that have as their object computer systems, data and communications. Examples of these offences in the Bill are the offences of unauthorised access and unauthorised interference of computer systems and data;
• Computer related offences - These are offences that have as means of perpetration of the crime the use of a computer system. Examples of these offences in the Bill include cyber-bullying and cyber stalking and computer related fraud and forgery; and
• Content related crimes – These offences concern the content of computer storage and internet transmission. Examples of these offences in the Bill include child pornography and false publications (fake news!).

The Bill however does not provide for all the offences identified in the Convention such as offences related to trademark infringements. This is perhaps because these are dealt with sufficiently under existing legislation i.e. the Trade Marks Act and the Anti-Counterfeit Act. The Bill's failure to provide for certain common cybercrimes however seems like a gross oversight.

A cybercrime that the Bill fails to provide for is that of identity theft. Identity theft is an offence related to the theft and misuse of identity related information such as identity card and passport data, banking information, email and social media accounts and IP addresses.  Identity thieves can be devastatingly effective in this digital age due to the large amounts of personal information they can access about internet users from their social media pages, and their use of e-commerce sites.

The online solicitation of minors for their sexual abuse or 'grooming' is another offence that isn't specifically criminalised in the Bill. Internet communication gives sexual predators access to minors that they would not otherwise have physical access to. Grooming activity is a precursor to sexual abuse and can be as destructive as the abuse itself and it should therefore be equally criminalised.

A comment can also be made about the penalties prescribed by the Bill. The penalties provided for in the Bill are generally more punitive compared to equivalent 'offline' offences.  As an example the penalties for forgery are either 3 years or 7 years for certain specified types of forgeries such as forgeries of judicial documents. Computer forgery done with a dishonest intent to either gain or cause loss to another party is punishable by either fine of 20 million shillings or imprisonment for a term not exceeding ten years or both.

As a further example crimes committed with the aid of a computer system attract an additional penalty of a fine not exceeding three million shillings or to imprisonment for a term not exceeding four years or both.

Why computer related crimes should have higher penalties than equivalent 'offline' ones is not clear but is hardly justifiable. Computers are commonplace everyday objects and one's use of them to commit a crime doesn't add any more mischief to the act in order to warrant an added punishment.

Investigation Procedures

The Bill goes into elaborate detail into the procedures to be followed by security agencies investigating a computer or cybercrime including searches and seizures and investigations found in other laws with specific application to computer related crimes.

It also provides for certain measures to protect against some of the excesses we currently see from the law enforcement agencies when they investigate cybercrimes. For instance when  conducting a search on a warrant, the police are expected to use technological means to effect seizures for instance through imaging, mirroring or copying of relevant data but not through taking physical custody of the hardware containing the information of interest. When seeking information from a service provider concerning one of its subscribers, the police are expected to take measures to maintain the privacy of other users not party to the investigation. The Bill makes it an offence for a police officer to misuse the investigative powers provided thereunder.

By the same token however, the Bill provides means for the police to by-pass all these safeguards.

For instance, 'in special circumstances', the police need not seek warrants from the courts. What 'special circumstances' constitute is not provided for in the Bill. This vagueness is liable to be abused as enforcement agencies can make entries, searches and seizures in violation of citizens' constitutional rights to privacy on the pretext that special circumstances exist that justify the search without a warrant.

The Bill does try to provide a safeguard by requiring that police officers must take whatever is seized during a search without a warrant before a court without undue delay 'to be dealt with according to the law'. Our view that this belated brining of the matter before the court does will not sanitise the process. This is because the police are not required to justify their action as is required when obtaining a warrant in ordinary circumstances; the police need only present the evidence to the court.

The police do need powers to conduct searches without warrants however to properly safeguard the public the Bill should be amended to define these special circumstances where a search without a warrant can be conducted. Also, the Bill should be amended to give the courts a more control. For instance the Bill could be amended to provide that the police when conducting searches without warrants should only be allowed to collect or preserve information and should be specifically prevented from accessing the material until they have presented it before a court and given justification for their having conducted the search without a warrant.

International Cooperation

Cybercrime as has been mentioned earlier often has transnational elements and therefore cooperation with other states forms a vital part of cybercrime law enforcement. The drafters of the Bill recognised this fact and have provided for the international cooperation in the investigation of cybercrimes in the Bill by extending the operation of the Mutual Legal Assistance Act to the Bill and supplementing its provisions.

The Bill provides with specificity to cybercrimes, areas and means of cooperation between Kenya and foreign states. The areas of mutual assistance in the Bill are based on those of the Budapest Convention. Foreign countries may request for assistance with the collection of real time traffic data, the interception of content data, the expeditious preservation of stored computer data, the expedited disclosure of preserved traffic data and mutual assistance regarding accessing of stored computer data.

All requests by foreign states are channelled through the Central Authority (i.e. the Attorney General's office) established under the Mutual Legal Assistance Act. The Bill provides safeguards to prevent the abuse of the mutual legal assistance provisions by requiring the Central Authority to obtain authorisations from the court prior to honouring the requests by foreign states.

Conclusion

Cybercrime is a very real and present threat in the modern digital age. A comprehensive and up to date law such as that proposed by the Bill is an important first measure to dealing with this threat.

The Bill is a good piece of legislation and is certain to be passed. Amendments however need to be made to seal the loopholes that may be used by the enforcement authorities to bypass judicial oversight and constitutional safeguards such as provisions relating to searches without warrants. Amendments also need to be made to specifically criminalise the crimes such as child grooming and identity theft.

Aware of our own peculiarities in the digital sphere, it would have been laudable to have non-online but electronic crime covered under this proposed law, in view of the wide use of non-internet but electronic based systems such as USSD in Kenya.

Following the Bill's passing responsibility will now fall to the Executive and Judiciary to protect our cyberspace. Building capacity of local law enforcement and the criminal justice system to police, prosecute and adjudicate cybercrimes will then become a matter of high priority if the law is to be effective in the fight against cybercrime.