Strengths and weaknesses of Cybercrimes Bill

There is a new bill

A revised version of this article was published in the Business Daily newspaper on the 21st of September 2017.

The question of how prepared Kenya is to deal with cybercrimes can no
longer be wished away. Cybercrimes not only cause damage but also
leave their victims embarrassed. Hence, not so many incidences are
reported by the victims. To address this issue, the Leader of Majority
Hon. Aden Duale sponsored the Computer and Cybercrimes Bill in June,
2017. It is a major improvement from the two cybercrime bills that
were published by Senate and the National Assembly last year.

The objectives of the draft act are to protect the confidentiality and
integrity of computer systems, programs, data while preventing the
unlawful use of computer systems. The proposed law is also meant to
facilitate the investigation and prosecution of cybercrimes and
facilitate international co-operation on cross-border cybercrime
matters.

Part two of the bill provides for the offenses covers various offences
in the cyberspace. As expected, hacking offences feature prominently
in this part. Hacking offences are where security measures of a
computer system are bypassed and unauthorised access, interference and
interception take place. To complement the anti-hacking sections, the
possession and use of stuff that can be used to hack for the primary
purpose of committing a crime is going to be outlawed. Sharing of
passwords with unauthorised persons to grant them unauthorised access,
interference and interception is also going to be a crime when the
bill becomes law.

A major positive in the bill are the provisions meant to protect
critical infrastructure. This includes public utilities (electricity,
water), public transportation, communications infrastructure, banking
and financial services among many others. This protection is crucial
because the economy can really suffer in the event of an unplanned
interruption such a mobile money outage. Safaricom recorded losses
earlier in the year when their systems went down countrywide.

Reports of Al-Shabaab destroying telecommunication masts show us that
foreign foes target critical infrastructure. From the Stuxnet attack
on the Iranian nuclear program, it is clear that there is a hanging
threat of cyber-attacks on our critical infrastructure. The draft law
has a provision on how to deal with a resident who aids a foreigner in
cyber-espionage and other attack on critical infrastructure.

Fake News
The draft law intends to outlaw false publications. The motivation
behind this definitely to curb the fake news menace that has become
major issue. While the idea is welcome, there is the fear that the
provision is beyond the scope of the limits of the right to freedom of
expression as contained in the constitution. A better approach would
have been to perhaps set a test to check the damage caused by the fake
news. The danger of this, damage; is that it makes it similar to the
old crime criminal defamation. In the landmark Jackline Okuttah case,
the High Court declared the crime of criminal defamation to be
unconstitutional.

Children’s rights find their way in this draft law with a provision
cracking the whip on online child pornography. This provision together
with the provision on cyber stalking and bullying will help save lives
of many internet users who meet human predators online. Computer
forgery and fraud are also going to be crimes once the bill becomes
law and this will help the many who get scammed online. The bill also
contains provisions on confiscation of proceeds of cybercrime and
compensation of victims, which is a major plus considering this is
criminal law.

The vague
A conspicuous section of the draft law proposes a punishment for
offenses under any other law through the use of a computer section.
The openness of this provision makes it vague and open to abuse the
way section 29 of the Kenya Information and Communication Act 1998
was. The KICA provision was declared unconstitutional in 2016 by Mumbi
Ngugi J in the case of Geoffrey Andere.

The investigation procedures acknowledge the need of a warrant prior
to an investigation also the exceptions are based on the Criminal
Procedure Code. Security agents with warrants will lawfully be able to
ask service providers to give out data and access to consumer computer
systems. The draft law provides for a protection of the service
provider from any liability.

The last part contains provisions on extradition and cooperation with
foreign nations in investigation and trial of cyber criminals. This is
a plus considering the cross border nature of cybercrimes.

The bill is clearer, well intentioned and covers much of issues to do
with cybercrime. With public participation and stakeholders input, it
will be a laudable cybercrimes law.

The making of a cybercrimes law: A tale of two Bills before Parliament

cyber law

An edited version to this article was first published on Business Daily August 15, 2016

If there is an industry that is hard to regulate, it is information and communication technology. Other than being too dynamic, it is complex. There is a common saying that states that a year in tech is 90 days. This out rightly means it is an industry which states all over the world will continue playing chase when it comes to regulation. Here in Kenya, the legislature has come up with two bills of similar nature. Namely, the Computer and Cybercrimes Bill, sponsored by Leader of Majority Hon. Aden Duale and the Senate’s Cybercrimes and Protection Bill sponsored by Chairperson, Committee on Information and Technology Sen.Mutahi Kagwe.

The Good

Cybercrime rates have been growing by the day and it is encouraging to see that the government is taking action. The Computer and Cybercrimes Bill seeks to criminalise unauthorised access and interference, gaining access with the intention of committing an offence and unauthorised interception. The latter being in the spirit of protecting the right to privacy which is enshrined in the Constitution.

Unauthorised disclosure of passwords or access codes, child pornography, computer forgery, computer fraud, cyber stalking and cyber-bullying are also criminalized. Distinct features of this bill are the clauses which provide for confiscation or forfeiture of assets and proceeds of cybercrime. The bill also provides for a compensation order for victims and it has an entire chapter on how cybercrimes committed outside Kenya will be prosecuted. The extraterritorial nature of this proposed law is good considering the nature of cybercrimes. The Bangladesh Bank was hacked into by persons who were not within its borders. The chapter also provides for extradition of suspects, though relying on the Mutual Legal Assistance Act 2011. Lest we forget, Kick Ass Torrents creator Artem Vaulin was extradited from Poland to the United States of America under such an agreement.

The Cybercrimes and Protection Bill on the other hand will criminalise unlawful access to a computer system, system interference, unlawful interceptions, fraud and cyber-bullying. All these are covered in the other bill. The other offences in this senate bill are interception of electronic messages or money transfers, wilful misdirection of electronic messages, forgery, unauthorised modification of data and even cyber terrorism.

One can say that this bill is elaborate since it ropes in more cyber offenses that are not in the Computer and Cybercrimes Bill. These offenses include issuance of false e-instructions, phishing and identity theft and impersonation which is rampant in this age of social media. Electronic distribution of pornography and child exploitation are also outlawed. The provision on child exploitation will be in important in curbing the developing menace where children meet people on social media who later take advantage of them sexually. This proposed law will also make it illegal to distribute intimate images of a jilted lover while it also illegalizes cyber-squatting.

 The Bad

The investigation procedures in the Computer and Cybercrimes Bill leave a lot to be desired. While the normal procedure is that a court issues a warrant is before security officers take any action that would infringe the privacy of an individual, there are clauses that allow any officer to act without a warrant. While it may be argued that the intention of the provisions is to avoid unnecessary delay, there is a high likelihood of human rights breaches if the bill is enacted into law without those provisions being aligned with the Constitution.

The Cybercrimes and Protection Bill on the other hand has clauses that have some constitutional conformity as far as the right to privacy is concerned. The bill prohibits the sharing of some personal information in the course of investigation like health records. Despite this, Kenya still needs the Data Protection Bill 2013 to be assented into law because data protection principles would provide a better guide with the handling of personal data. The bill also proposes a National Cyber Threat Response Unit which will investigate cybercrime cases. This unit is not provided for in the Computer and Cybercrimes Bill which will allow any officer to confiscate a computer system just because they believe that one is committing a crime with it.

And the Ugly…

The mere fact that we have two draft laws seeking to regulate the same thing at the same time from the same legislature is appalling. It is at this point that we ask what mischief the legislature sought to remedy that they drafted two bills. In the event both bills become laws, we will have a situation similar to that in Lon Fuller’s book ‘The Morality of Law.’ In the book Lon Fuller tells the story of King Rex who made contradictory law and his subjects sent him a pamphlet written “This time the king made himself clear in both directions.” In this case of the two draft laws, the contradictions are likely to arise because one law provides for lenient sentences while the other prescribe a harsh sentences for the same crimes. With this in mind, will we be wrong if we say that the legislature made it clear in both directions?

We hope that the relevant bodies will work together and harmonise the two bills because together, it will be a very good piece of legislation. That way the weaknesses of each draft law will be dealt with. Conformity to the bill of rights as contained in the Constitution should guide the drafters in the harmonization.  In the same spirit, the Data Protection Bill and the Access to Information Bill should be enacted because they are long overdue.