The making of a cybercrimes law: A tale of two Bills before Parliament


An edited version of this article was first published in Business Daily on August 15, 2016.

If there is an industry that is hard to regulate, it is information and communication technology. Besides being highly dynamic, it is complex. There is a common saying that a year in tech is 90 days. This means outright that it is an industry that states all over the world will keep chasing when it comes to regulation. Here in Kenya, the legislature has come up with two bills of a similar nature: the Computer and Cybercrimes Bill, sponsored by Leader of Majority Hon. Aden Duale, and the Senate’s Cybercrimes and Protection Bill, sponsored by Sen. Mutahi Kagwe, Chairperson of the Committee on Information and Technology.

The Good

Cybercrime rates have been growing by the day, and it is encouraging to see that the government is taking action. The Computer and Cybercrimes Bill seeks to criminalise unauthorised access and interference, gaining access with the intention of committing an offence, and unauthorised interception. The latter is in the spirit of protecting the right to privacy, which is enshrined in the Constitution.

Unauthorised disclosure of passwords or access codes, child pornography, computer forgery, computer fraud, cyber stalking and cyber-bullying are also criminalised. Distinct features of this bill are the clauses which provide for confiscation or forfeiture of the assets and proceeds of cybercrime. The bill also provides for a compensation order for victims, and it has an entire chapter on how cybercrimes committed outside Kenya will be prosecuted. The extraterritorial nature of this proposed law is good, considering the nature of cybercrimes: the Bangladesh Bank was hacked into by persons who were not within its borders. The chapter also provides for extradition of suspects, though it relies on the Mutual Legal Assistance Act 2011. Lest we forget, KickassTorrents creator Artem Vaulin was extradited from Poland to the United States of America under such an agreement.

The Cybercrimes and Protection Bill, on the other hand, will criminalise unlawful access to a computer system, system interference, unlawful interception, fraud and cyber-bullying. All these are covered in the other bill. The other offences in this Senate bill are interception of electronic messages or money transfers, wilful misdirection of electronic messages, forgery, unauthorised modification of data and even cyber terrorism.

This bill can be said to be more elaborate, since it covers additional cyber offences that are not in the Computer and Cybercrimes Bill. These offences include issuance of false e-instructions, phishing, and identity theft and impersonation, which are rampant in this age of social media. Electronic distribution of pornography and child exploitation are also outlawed. The provision on child exploitation will be important in curbing the growing menace of children meeting people on social media who later take advantage of them sexually. This proposed law will also make it illegal to distribute intimate images of a jilted lover, and it also outlaws cyber-squatting.

The Bad

The investigation procedures in the Computer and Cybercrimes Bill leave a lot to be desired. While the normal procedure is for a court to issue a warrant before security officers take any action that would infringe the privacy of an individual, there are clauses that allow any officer to act without a warrant. While it may be argued that the intention of these provisions is to avoid unnecessary delay, there is a high likelihood of human rights breaches if the bill is enacted into law without those provisions being aligned with the Constitution.

The Cybercrimes and Protection Bill, on the other hand, has clauses that conform somewhat better to the Constitution as far as the right to privacy is concerned. The bill prohibits the sharing of some personal information, such as health records, in the course of an investigation. Despite this, Kenya still needs the Data Protection Bill 2013 to be assented to, because data protection principles would better guide the handling of personal data. The bill also proposes a National Cyber Threat Response Unit which will investigate cybercrime cases. This unit is not provided for in the Computer and Cybercrimes Bill, which would allow any officer to confiscate a computer system merely because they believe that a crime is being committed with it.

And the Ugly…

The mere fact that we have two draft laws seeking to regulate the same thing at the same time from the same legislature is appalling. It is at this point that we ask what mischief the legislature sought to remedy by drafting two bills. In the event that both bills become law, we will have a situation similar to that in Lon Fuller’s book ‘The Morality of Law.’ In it, Fuller tells the story of King Rex, who made contradictory laws, and whose subjects sent him a pamphlet reading “This time the king made himself clear in both directions.” In the case of these two draft laws, contradictions are likely to arise because one law provides for lenient sentences while the other prescribes harsh sentences for the same crimes. With this in mind, will we be wrong if we say that the legislature made itself clear in both directions?

We hope that the relevant bodies will work together and harmonise the two bills because, combined, they would make a very good piece of legislation. That way the weaknesses of each draft law will be dealt with. Conformity to the Bill of Rights as contained in the Constitution should guide the drafters in the harmonisation. In the same spirit, the Data Protection Bill and the Access to Information Bill should be enacted, because they are long overdue.

Why the taxman should keep off our wallets


This article was first published in Nairobi Business Monthly, August 2016.

It is said that two things are certain: taxes and death. It is also true that we are in the information technology age, where technology becomes a bigger part of our lives day after day. The effect is that we now have new ways of conducting business. We have virtual lives, virtual businesses and even virtual wallets.

It is common knowledge that a third of what is collected by the Kenya Revenue Authority is never accounted for. Efforts to seal this loophole never see the light of day. The taxman, however, is always keen on increasing taxes so as to meet targets. This year he has gone after small-scale farmers. He also wants to snoop into every individual’s bank account and mobile money account with the aim of catching tax cheats.

He wants to profile individuals using this confidential financial data. He intends to legitimise his deeds through the Finance Bill 2016, which is still top secret yet raises serious human rights concerns.

Lest we forget, Thomas Hobbes in his book Leviathan writes on how man left the state of nature so as to form the commonwealth. In our case, the commonwealth is the state, a creation of man. The state did not form man; hence man reserves the right to self-determination. If we carry on with the Hobbesian theory, man surrendered his absolute rights so as to co-exist with others. His rights are inherent, not granted by the state, merely recognised by it. This means that rights like the right to privacy, to conscience and to an opinion on how the affairs of the state should be run are not gifts but entitlements.

All this is asserted in the Constitution of Kenya, whose preamble starts with the words: “We, the people of Kenya…” The first article of the Constitution carries on in this tempo by expressly stating that:

“All sovereign power belongs to the people of Kenya and shall be exercised only in accordance with this Constitution.”

On matters to do with finance, the grundnorm, as Hans Kelsen calls the supreme law, states the principles of public finance in Article 201. The first principle of public finance is that there shall be openness and accountability. The law was drafted to include the requirement of public participation so as to achieve this objective.

The supreme law also states in Article 31 that every individual has the right to privacy. This right includes the right not to have information relating to their private affairs unnecessarily required and revealed. It also protects the privacy of an individual’s communications, since these are easily infringed in this technological era. Other than the grundnorm, the other laws that protect a person’s right to privacy are the laws that regulate the telecommunications industry. This industry birthed mobile money services, and the law prohibits service providers in the industry from sharing the confidential consumer information they collect with third parties.

With the security challenges that we face as a nation, the government has pushed for the enactment of laws that limit certain rights. These laws have clauses setting out procedures for how confidential information in the custody of a service provider can be acquired by third parties (read: governmental bodies). This procedure includes the relevant governmental body obtaining a court order to compel the service provider to release the information. The taxman desires to circumvent this procedure using the secretive Finance Bill 2016.

Not the first time

The right to privacy has for a long time been under threat. It is not the first time state agencies have attempted to claw it back. In 2014, the Security Laws Amendment Act was passed. In it were amendments to Section 36 of the NIS Act, which had required the agency to obtain a court order to access personal information. These provisions were challenged in court and were found unconstitutional in early 2015.

While so much effort is being put into clawing back the right to privacy, the legal mechanisms that ought to be in place to protect it are not there. There has been reluctance by the relevant state bodies to enact the Data Protection Bill of 2013 into law. Yet it would have played a big role in regulating the ever-evolving information technology industry. Every day, new innovations come with new legal challenges, and the law is playing catch-up.

In India, the taxman is now profiling people according to their Facebook posts. Woe unto you if you are in the business of selling impressions, for you will pay what they think you need to pay and not what you should actually pay as tax. With our ambitious Kenyan taxman, snooping into people’s mobile money accounts will catch so many ‘tax cheats’, from students who receive money from parents to people in rural areas who regularly receive money from the urban areas. The taxman is likely to create an unfair tax system that ropes in many ineligible persons through the profiling he intends to do.

If people are not willing to be open with their spouses on matters to do with finances, what about the state? This push for access to personal information is not only in bad faith but also likely to be open to abuse. We should pick a lesson from the old Arab fable of the camel’s nose: if the camel gets his nose in the tent, his body will soon follow. Allowing a little breach will allow more breaches to take place in the future by other bodies. And our Constitution will be nothing but an aspirational document, just like its Chapter 6.

The word ‘burden’ is used in the Constitution to describe the duty of paying taxes. This burden ought to be shared fairly. This contribution to the national purse further gives us the right to determine the direction that our nation takes. Be it in how we want to be governed or whether we agree to KRA using our data to create individual profiles, Article 255 gives us that right of determination through a referendum. Instead of burdening citizens with taxes, the state agencies that deal with finances need to look at how they deal with the issue of graft, which bleeds our public coffers.

Computer and Cyber Crime Bill welcome, long overdue

To address the problem, the ICT ministry has come up with the Computer and Cyber Crimes Bill 2016. Many say the proposed law is long overdue. The Bill seeks to combat cybercrimes and provides for international co-operation to punish perpetrators who are in other jurisdictions. Among the offences listed are unauthorised access to and unauthorised interference with computer systems.

The Bill has a provision that criminalises unauthorised interception of communication.

We all remember the IFMIS procurement system and password saga at the National Youth Service (NYS). Now it will be a crime to share passwords without authority for unlawful purposes such as wrongful gain. This crime will be punishable upon conviction with a fine not exceeding Sh10 million or imprisonment for five years.

The Bill has provisions that will go a long way in upholding data protection principles. Another plus in the Bill is the provision that outlaws child pornography. Issues dealing with cyber fraud and forgery have also been provided for in the Bill. These crimes are very common and many people have been victims.

Menace

Perpetrators of these crimes risk a jail term not exceeding ten years or a fine of Sh20 million. The major challenge with this provision is the case where fraudsters are already in prison, as has been the norm. It is not clear how the law will deal with such cases.

Online stalkers and cyber bullies are also at risk of conviction if this Bill passes. The menace has become rampant in this age of social media. Its effect is usually psychological trauma, with some victims opting to commit suicide.

For cases of fraud, the court can order the confiscation and forfeiture of assets acquired from the proceeds of cybercrime. Compensation of victims is also expressly provided for in this Bill. Here, the court will order the convicted person to pay the victim a specified amount of money.

People who commit crimes under other laws using a computer system will also be liable to conviction. On procedure, the Bill has provisions that will require investigating agencies to seek court orders before searches and seizures. Here the agencies need to prove to the court that limiting the right to privacy is necessary.

The Bill can be said to be a step in the right direction. However, upon its enactment, civic education should be carried out extensively so that victims of cybercrime know that they have recourse under the law.

CHASE BANK: How not to handle a misinformation crisis


This article was first published in Nairobi Business Monthly, June 2016.

Today’s businesses have learnt that life and death are a click away. Whatever you say online will be used against you in the court of public opinion. Philippine boxing champion Manny Pacquiao learnt this lesson the hard way after his ratings dropped following a homophobic tweet he had posted. His mistake cost him an endorsement contract with Nike.

When Central Bank of Kenya (CBK) Governor Patrick Njoroge placed Chase Bank under receivership after it faced liquidity problems, he cited inaccurate social media reports as one of the causes of the bank run that led to panic withdrawals. The Inspector General of Police later issued a statement that a blogger had been arrested and would be charged for misuse of social media to disseminate falsehoods against the sector.

The information shared during the Chase Bank saga raises an interesting conflict of interest, where the shareholders’ interests are pitted against the customers’. The bank released two conflicting financial statements, which aroused a curiosity that many speculators on social media rode on. The arrest of the blogger after the damage was done shows how badly things can go when customers are kept in the dark in this age of information and technology.

Were bloggers really liable for the bank run?

The right of access to information has been in the minds of people since as early as when the tenets of civilisation were established. Sweden is said to have recognised this right as early as 1766, followed by France in 1789 when it adopted the Declaration of the Rights of Man and of the Citizen. In 1948, it was included in Article 19 of the United Nations Universal Declaration of Human Rights, and later in the International Covenant on Civil and Political Rights of 1966.
The Constitution of Kenya in Article 35 provides the right to information to citizens, as it states:

“(1) Every citizen has the right of access to—
(b) information held by another person and required for the exercise or protection of any right or fundamental freedom.”

The right to freedom of speech, which is found in Article 33, has also generally been held to include the right to know, or the right to information, since it states that:
“(1) Every Person has the right to freedom of expression, which includes;
(a) Freedom to seek, receive or impart information or ideas…”

Therefore one can rightfully claim the right to information in Kenya as provided in Articles 35(1) and 33(1). Business entities are obligated by law to provide their customers with information, as stated in Article 46 of the Constitution of Kenya:

“(1) Consumers have the right—
(b) to the information necessary for them to gain full benefit from goods and services;
(3) This Article applies to goods and services offered by public entities or private persons.”

Section 22 of the Banking Act requires banks to publish a copy of their last audited balance sheet and last audited profit and loss statement in a national newspaper within three months of the end of each financial year. All these laws require businesses, and in particular financial institutions, to provide their consumers with information so as to boost consumer confidence in their products. Failure to do so can be disastrous, especially during a misinformation crisis.

In 2014, the World Economic Forum listed digital misinformation as one of the threats to our society. These digital wildfires are capable of causing unprecedented damage because of their complexity and the nature of big data. Since we live in a digital age where consumers yearn for information, failure to share information is disastrous. Hence the public relations team at Chase Bank should have done more. They should have countered the lies rather than expecting things to fall into place with their press releases.

How to salvage such a situation

The best way corporations can deal with a digital misinformation crisis is by preparation. It is prudent that public relations practitioners are well prepared to handle such a crisis without harming the company’s image:

Prepare a digital misinformation counter crisis plan

Companies need to develop a digital misinformation counter crisis plan and test it. The plan is not a blueprint but a reference. It saves time during a crisis by pre-assigning tasks, pre-collecting information, and serving as a guide. This preparation presumes there is a designated crisis team where members know what to do.

Develop a social media policy for the company

The plan ought to be used in this step, where a social media policy is developed and published. This policy ought to be clear on best practices for drawing the blurring line between personal and professional activities. It should also establish clear guidelines for appropriate commentary. The end result will be well-trained public social media managers who can correct misinformation and reclaim the online narrative.

Start monitoring your company’s brand

A maxim of equity that applies in this case is “Equity aids the vigilant and not the indolent”. The social media managers and public relations officers ought to monitor the reputation of their brand so as not to be caught flat-footed during a crisis. There are many free and cheap tools that can be used for brand monitoring and crisis warning. They enable the social media managers to select keywords, and they record each time those keywords are used on the various social media channels.

While at it, develop your social media presence and influence

The monitoring should help a company identify the social media platforms relevant to its brand. The social media managers ought to listen and engage in online conversations. Credibility will be built in the long run, since a content-rich social media presence and goodwill are vital during a crisis. While doing this, it is important to engage industry influencers, who will most likely communicate positive messages about your company’s brand in the unfortunate event of a crisis.

Work on your story in advance

If possible, a company can create a separate website for the crisis in advance as part of its digital counter crisis plan. It is made live when required, with its background information, facts and figures already in place. It is the best place for a company to promote its side of the story during a crisis, and its social media manager ought to drive traffic to it at that time.

During the crisis, listen then act

The negative comments ought to be put in context, and the tone too needs to be checked. It is also important to investigate the commentator’s influence on social media and whether their misinformed narrative is spreading like a wildfire.

Sell your story

Since the company has its crisis website ready and its team prepared, it should execute its reputation redemption plan accurately, and the story should be consistent. The communication provided at this time ought to explain the facts of the situation while explaining what the company is doing to address the crisis. Showing empathy is very important: it gives consumers hope that their concerns are being addressed. While doing this, it is important that the team monitors and listens to any hashtag or keyword used to identify the crisis situation, responding accordingly.

Learning from experience also includes learning from other people’s mistakes. Observe how other companies have survived or perished in the crisis storm and analyse whether your company is ready. Prevention is definitely better than cure. A good example was when O2 had a massive network outage. Their Twitter account became inundated with complaint tweets from frustrated customers. Instead of issuing the standard corporate responses that most companies release, they responded directly to the tweets with an honest and light-hearted demeanour. This human approach changed the sentiments that people had at the time.

Chase Bank failed in dealing with the online wildfire and, as the Governor said, it consumed the company. The company did not put much effort into countering the narrative, nor did it provide an alternative narrative that would have restored consumer confidence in its brand. It is important that companies learn from this incident and prepare for this type of crisis.

Consumer Privacy and data protection in E-commerce in Kenya


This article was first published in Nairobi Business Monthly, April 2016.

We have recently watched the standoff between technology giant Apple and the US Department of Justice over an order from a Federal Magistrate in California. The Magistrate asked the company to help the FBI get into Syed Rizwan Farook’s iPhone by disabling a security feature that would lock investigators out after 10 unsuccessful attempts at the correct password. Apple’s stand was applauded by privacy rights groups all over the world as a step in the right direction for their cause. Back in Kenya, though not really moved by those events, we are one of the top nations in m-commerce, since our e-commerce runs through our cell phones.

We hardly ever give much thought to the security of the personal data in our communication gadgets. No one pays attention to the sheets of paper headed “terms and conditions” that they sign. All they want is services: to send and receive money.

When Samuel D. Warren and Louis D. Brandeis wrote The Right to Privacy for the Harvard Law Review, they did not know that many years later technology would bring forth a risk to informational privacy. Today there is the ability to learn the most intimate things about a person, and unprecedented access to information about people. Prior to their 1890 article, there was no legal mechanism to protect against the breach of this right. They called for the protection of the person, and for securing to the individual the right ‘to be let alone.’

Erwin Chemerinsky, in his 2006 article Rediscovering Brandeis’s Right to Privacy, has argued that what Warren and Brandeis had in mind was informational privacy and not privacy in the sense of autonomy, abortion and so on. According to his interpretation, the two stated that the principle which protects personal writings and any other productions of the intellect is the right to privacy. They agreed that the law had no principle that formulated the extent of this protection for personal appearance, sayings and personal relations.

Fifty years later, in 1948, the drafters of the Universal Declaration of Human Rights recognised the right to privacy in Article 12. This right has since been enshrined in various international human rights instruments other than the Universal Declaration of Human Rights. As technology has advanced, so has the need for the law to develop to keep up.

The right to privacy is inseparable from the right to personal data protection. Other than standing for “the right to be let alone” and “concealment of information” from others, privacy also has to do with “control over information about ourselves”. The European Union has recognised this, and its Data Retention Directive treats interference with the right to privacy together with the right to data protection.

The Kenyan Constitution, which was enacted in 2010, states in Article 31: “Every person has the right to privacy, which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed and the privacy of their communications infringed.” The drafters of this clause must have had in mind the fact that, in this age of the Internet and advanced telecommunications, corporates could access personal information without the consent of its owner.

In 2013, the Data Protection Bill 2013 was drafted to give effect to Article 31(c) and (d). This is because, especially in jurisdictions where there are no laws on data protection, most claims over breaches of consumer data confidentiality are brought as breaches of the right to privacy.

How companies use consumer data

It is important to note that the more we advance in technology, the more we lose our grip on one fundamental human right that is crucial to our being. Every day, we give up key components of our right to privacy for the allure of being tech-savvy. Information and communication technology service providers such as telecommunications companies, search engines and social media sites collect data on their consumers in the course of doing business.

They use this data to strategise and study their markets. They also use it to assess the viability of their different business products.

The use of the collected data is not governed by any written law. These companies have the discretion to use the data in other commercial activities such as Targeted Online Advertising, also known as Online Behavioural Advertising (“OBA”), where web companies collect information about your specific online activity (like the web pages you frequently visit) and use that information to show you advertisements and content that they believe might be relevant to you.

While this might sound wrong, consumers actually agree to this in the terms and conditions when they sign up and set up their online accounts with the different service providers. Hence, Internet companies are absolved of any blame when it comes to breach of the right to privacy.

A review of top service providers’ terms and conditions shows that they claim rights over the data they collect. Google’s Terms of Service state that by using their services, a consumer agrees that Google can use his or her data in accordance with their privacy policies. In their privacy policies, they indicate that they use the information they collect from all their services to provide, maintain, protect and improve them, to develop new ones, and to protect the company and their users. They also confess that they use the information to offer consumers tailored content, like more relevant search results and adverts. Considering that consumers do not pay for these services, the collection and use of consumer data by companies like Google and Facebook can be justified.

Kenyan companies have not been left behind in exploiting consumers’ personal data. In clause 11 of the Terms and Conditions of the Okoa Stima Service, a consumer authorises the service provider (Safaricom) to reveal, receive, record or utilise consumer data relating to their use of the service merely by registering for it. The terms also state that the service provider may reveal consumer data to a third party involved in the provision of the services, including but not limited to Kenya Power, the sole electricity provider in Kenya and perhaps the only reason a consumer registered for this service in the first place. They further state that data may be revealed for reasonable commercial purposes connected to the consumer’s use of the Services, such as marketing and research related activities.

How far can they go?

But questions always arise about how far is too far in the use of data collected from consumers and clients by these companies. In 2014, Canada’s Privacy Commissioner found that Google Inc. had violated Canadian privacy law through targeted online advertising. This was after a man complained about adverts targeted at him based on a medical condition. He had searched for a device to help with his sleep apnoea and later noticed adverts for similar devices when he visited other websites. The adverts were delivered by Google’s AdSense service. Interim Privacy Commissioner Chantal Bernier said that it is up to the organisation collecting the data (in this case, Google) to identify what is sensitive information and ensure it is not used improperly.

This case brought up the debate on what constitutes sensitive information that cannot be used by service providers. In Canada, the law allows an organisation to collect personal information without the consent of the individual, but that section of the law has a caveat: the collection has to be in the interests of the individual, especially where consent cannot be obtained in a timely way. That law gives further guidance on how the information can be used.

According to section 2 of the UK Data Protection Act 1998, sensitive personal data is personal data consisting of information on the racial or ethnic origin of the data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, whether he is a member of a trade union, his physical or mental health or condition, his sexual life, the commission or alleged commission by him of any offence, the disposal of such proceedings or the sentence of any court in such proceedings. The Kenyan Data Protection Bill has borrowed from the UK law verbatim, but the process of enacting it seems to have stalled.

The Bill has been criticised by experts as wanting in some crucial aspects. It has no provision for extraterritorial jurisdiction, which is crucial considering the nature of the subject matter and the advancement of technology. The Bill also does not cover direct marketing, yet this can be a serious breach of privacy and data protection rights, because a consumer’s contacts and personal activities are usually used to profile the individual. The Bill does not restrict the transfer of personal data to other third parties, whether in or outside Kenya. This tends to happen even when a company is sold and its assets are acquired by other entities during mergers and acquisitions.

The only source of protection for personal data seems to be Section 15 of the Kenya Information and Communications (Consumer Protection) Regulations, which is on confidentiality.

This section prohibits service providers from monitoring and disclosing the content of any information transmitted through their licensed systems by intercepting communications and related data. It also prohibits service providers from selling personal information without the consent of the consumer. Section 17 of the same Regulations prohibits unsolicited communications, a common practice among marketers.

The country is in dire need of a data protection law that will regulate the handling of consumers’ personal data. The proposed Bill should be passed with the relevant changes that will protect consumers from the data mining activities that are likely to happen. The proposal in the Bill to have the Commission on Administrative Justice act on breaches of data protection law is a step in the right direction, since the Commission has offices in all Huduma Centres and is therefore very accessible to members of the public.