Biometric data collection in Kenya risky

An edited version of this article was published in the  Daily Nation on February 21, 2018.

I was buying a sim card when the customer care agent asked me to pose for a photo. I asked why they wanted a photo of me as they had all my personal information including a scanned copy of my national identity card. He mumbled back that government required SIM Card agents to take subscriber’s photos. Not convinced, I probed further on this new law but he could not elucidate the reasons. I later on discovered after reading the Kenya Information and Communications (Registration of SlM-cards) Regulations, 2015 that such a requirement doesn’t exist. The customer care agent either didn’t know the requirements, or lied to me about them.

 

This was not an isolated incident. Every day people give out their biometric data to both state and non-state agencies such as professional bodies, banks and even schools. Despite this mass data collection taking place for a while now, parts of the Kenyan citizenry have always expressed their reservations with the collection of biometric data.

 

During the first biometric voter registration in 2012, rumours were rife in western Kenya region on how fingerprint scans would make it easy for chiefs to arrest petty village offenders. Joseph Kamaru’s rendition of Mau Mau’s song Uhoro Uria Mwaiguire tells of a community mourning the incarceration of their war heros who refused to have their fingerprints taken. This reservation and fear played out recently in 2017 when some Mau Mau veterans raised concerns around biometric voter registration for fear of arrest over crimes they did while fighting for independence. All these show a lingering historical concern on the use of technology that communicates how some feel about the collection and use of biometric data.

In addition, there is currently no data protection law stipulating how personal information like biometric data should be handled and processed by both private and state actors. In fact, the only place where biometrics have been mentioned in Kenyan law is in the Elections Act. According to this legislation, biometrics are unique identifiers or attributes including fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. Even the abandoned Data Protection Bill of 2013 only contained a mention of fingerprints and blood type which were to be categorised as personal information.

 

Motivation behind collection of data

Data collection is part of know your customer logic, both for efficiency, trust and security. But increasingly, data collection has in itself become the business model of most companies. The value of personal aggregated personal thoughts, habits, and social networks are as valuable as any other high end market activities, witfully branded surveillance capitalism.

 

However, the collection and centralized storage of this highly sensitive and valuable data exposes these corporations to the risk of the data being misused at best and being stolen at worst. There are many reported cases of deliberate targeting of secure systems that hold sensitive data. These sensitive data is later sold to third parties in the black market who have illegal ways to monetize it such as by sale of data to fraudsters and identity theft.

 

In jurisdictions with data protection laws, the general privacy principle for corporations handling consumer data is that data obtained for one purpose shall not be used for any other purpose. This rule has general exceptions such as when the information is public, the data subject has given consent and public interest. However, Kenya has no data protection law which leaves personal information such as biometric data at the mercy of corporations that collect it. Security breaches and data loses are reported regularly in the US and Europe, but in Kenya there is no requirement for public or private sector entities to disclose such occurrences. Thus we don’t even know the risks that we face.

 

For example, during the 2017 general elections, many voters received targeted campaign texts messages that were rather too intrusive. The texts had the name of the voter and the exact constituency where they were registered as a voter. How politicians received access to the voter register and the voters cell-phone numbers remains a mystery to date. But it also shows us how vulnerable we are after subscribing for services where personal information is required, and could be shared with others without our knowledge.

 

One way we can push for accountability is by asking our newly elected parliamentarians to breathe life to Article 31 of the Constitution by legislating a data protection law. We are in dire need of a data protection law that give us, the data subjects, more say on how our personal information is collected and used by data processors. Daniel J Solove argued in his book ‘Conceptualizing Privacy’ that privacy ‘involves more than avoiding disclosure; it also involves the individual’s ability to ensure that personal information is used for the purposes she desires’.

 

Other than just the law, there is need for a legal obligation on data processors to be transparent about what data they are collecting, how will be used and who it will be shared with. This obligation can be based on the tort and crime of misuse of personal information. It will force data processors, such as public and private entities, to take data protection more seriously while protecting the data subject’s right to privacy. While many argue that they have nothing to hide, they should always remember that they have something to protect. Next time you think of buying a SIM Card, remember that you will probably be asked for more personal information than is required and that there is no law governing the use of that information.

Strengths and weaknesses of Cybercrimes Bill

There is a new bill

A revised version of this article was published in the Business Daily newspaper on the 21st of September 2017.

The question of how prepared Kenya is to deal with cybercrimes can no
longer be wished away. Cybercrimes not only cause damage but also
leave their victims embarrassed. Hence, not so many incidences are
reported by the victims. To address this issue, the Leader of Majority
Hon. Aden Duale sponsored the Computer and Cybercrimes Bill in June,
2017. It is a major improvement from the two cybercrime bills that
were published by Senate and the National Assembly last year.

The objectives of the draft act are to protect the confidentiality and
integrity of computer systems, programs, data while preventing the
unlawful use of computer systems. The proposed law is also meant to
facilitate the investigation and prosecution of cybercrimes and
facilitate international co-operation on cross-border cybercrime
matters.

Part two of the bill provides for the offenses covers various offences
in the cyberspace. As expected, hacking offences feature prominently
in this part. Hacking offences are where security measures of a
computer system are bypassed and unauthorised access, interference and
interception take place. To complement the anti-hacking sections, the
possession and use of stuff that can be used to hack for the primary
purpose of committing a crime is going to be outlawed. Sharing of
passwords with unauthorised persons to grant them unauthorised access,
interference and interception is also going to be a crime when the
bill becomes law.

A major positive in the bill are the provisions meant to protect
critical infrastructure. This includes public utilities (electricity,
water), public transportation, communications infrastructure, banking
and financial services among many others. This protection is crucial
because the economy can really suffer in the event of an unplanned
interruption such a mobile money outage. Safaricom recorded losses
earlier in the year when their systems went down countrywide.

Reports of Al-Shabaab destroying telecommunication masts show us that
foreign foes target critical infrastructure. From the Stuxnet attack
on the Iranian nuclear program, it is clear that there is a hanging
threat of cyber-attacks on our critical infrastructure. The draft law
has a provision on how to deal with a resident who aids a foreigner in
cyber-espionage and other attack on critical infrastructure.

Fake News
The draft law intends to outlaw false publications. The motivation
behind this definitely to curb the fake news menace that has become
major issue. While the idea is welcome, there is the fear that the
provision is beyond the scope of the limits of the right to freedom of
expression as contained in the constitution. A better approach would
have been to perhaps set a test to check the damage caused by the fake
news. The danger of this, damage; is that it makes it similar to the
old crime criminal defamation. In the landmark Jackline Okuttah case,
the High Court declared the crime of criminal defamation to be
unconstitutional.

Children’s rights find their way in this draft law with a provision
cracking the whip on online child pornography. This provision together
with the provision on cyber stalking and bullying will help save lives
of many internet users who meet human predators online. Computer
forgery and fraud are also going to be crimes once the bill becomes
law and this will help the many who get scammed online. The bill also
contains provisions on confiscation of proceeds of cybercrime and
compensation of victims, which is a major plus considering this is
criminal law.

The vague
A conspicuous section of the draft law proposes a punishment for
offenses under any other law through the use of a computer section.
The openness of this provision makes it vague and open to abuse the
way section 29 of the Kenya Information and Communication Act 1998
was. The KICA provision was declared unconstitutional in 2016 by Mumbi
Ngugi J in the case of Geoffrey Andere.

The investigation procedures acknowledge the need of a warrant prior
to an investigation also the exceptions are based on the Criminal
Procedure Code. Security agents with warrants will lawfully be able to
ask service providers to give out data and access to consumer computer
systems. The draft law provides for a protection of the service
provider from any liability.

The last part contains provisions on extradition and cooperation with
foreign nations in investigation and trial of cyber criminals. This is
a plus considering the cross border nature of cybercrimes.

The bill is clearer, well intentioned and covers much of issues to do
with cybercrime. With public participation and stakeholders input, it
will be a laudable cybercrimes law.

Is Kenya Ready for Unique Identifiers? Part I

It is reported that some 1.6 million students have registered to sit for the Kenya Certificate of Primary Education (KCPE) and Kenya Certificate of Secondary Education (KCSE) examinations in October 2017. As always, preparations for these examinations involves stringent security measures to curb cheating. Beyond cheating, forgery of academic degree certificates and other official documents is also on the rise. To fight this vice, the government has put various measures in place, the latest being introducing a six- character Unique Personal Identifier (UPI). This UPI will be linked to an electronic database with the educational records of all individuals from primary school up to university level. Other than blocking exam cheats and fake certificate fraudsters, the UPI will also be used to curb the theft of public funds by eliminating ‘ghost’ teachers and inflated student enrollment figures.

To read the rest of the article, click here.

Quick Thoughts on Biometrics, General Elections and Security in Kenya

In 1927, Liberian opposition presidential candidate Thomas J Faulkner was confident of unseating the incumbent in the general elections. The Faulkner-led People’s Party had marshalled support from all corners of the country and across all classes of people. On Election Day, Faulkner received 9,000 votes in what was supposed to be a landslide win. In the end, Faulkner lost to the incumbent Charles D. B. King who received 243,000 votes in an election with only 15,000 registered voters! Charles D.B. King’s script has been replicated in many African states and in the year 2007, it was replicated in Kenya.

In 2007 General Elections, voting irregularities were the order of the day and the results were violently contested. Many lost their lives and hundreds of thousands had to flee from their homes. The international community mediation team led by former UN Secretary General Kofi Annan came and negotiated a power-sharing deal between the incumbent Mwai Kibaki and opposition candidate Raila Odinga thereby forming a national coalition government.

To read the rest of the article, click here.

Fake news: The battle for clicks

fake news

It is no secret that technology has disrupted the media industry. In the past few years, media houses have downscaled operations, leading to many loss of jobs and have also changed their approach and joined the muddy battle for clicks. Every media house now has an online news blog even though the quality of news that they post leaves a lot to be desired.

In this new age, media houses do not just compete amongst themselves but also against blogs for traffic. As they say, all is fair in love and war. In this war, a huge number of blogs have resorted to posting sensational news so as to get views. This is because higher site views equals to higher ad revenue from online advertisers.

But fake news hasn’t been an issue until the recent US Presidential election when its impact was seen. Whether it has the potential to destroy a candidate or make him, politicians are now keen on social media now than before. One may say that maybe because of their knack for finances (adverts) over news that main media is now losing their credibility. This has created an opportunity for random blogs who rushed to update readers with the latest unbiased news. Unfortunately, this news is usually biased. Social media is set such that the algorithms feed a user with ‘more of what they want’. Hence denying them a chance to access divergent opinions and material posted on the network.

Suggestions have been made world over on the ideal remedy for this menace but in democracies, it is hard because it goes against the principles of free speech. The Canadian Supreme Court has held in a case to strike down a false news provision of law that the provision was contrary to the constitutional freedom of expression.

“The reality is that when the matter is one on which the majority of the public has settled views, opinions may, for all practical purposes, be treated as an expression of a ‘false fact,” the Learned Justices of the Court said.

In Kenya, the law limits the right to freedom of expression to the extent that one is not allowed to spread propaganda for war, incite people to violence, hate speech and advocate for ethnic hate. These limitations also apply to the media according to Article 34. The same constitutional provision also provides for the establishment of the Media Council of Kenya.

One of the roles the drafters of the Constitution envisioned this body to play is setting media standards while regulating and monitoring their compliance. It is with this powers that are expounded on in the Media Act that the Council accredits journalists while requiring them to follow the Code of Conduct for the Practice of Journalism. While the standards on accuracy, integrity and accountability apply to journalists; these standards do not apply to bloggers.

Hence they cannot be held to have breached the Code when they post fake news online. From the angle of defamation laws, some of these stories are not defamatory. Neither do they constitute a breach of Article 33(2). For example the many speeches attributed to Presidents Robert Mugabe and Donald Trump about Kenyans and corruption. If they were to be counter checked against the elements of defamation, they will fail. The statement might be false but not damaging per se, hence not warranting a suit for damages.

Some of the sites are not even within the Kenyan jurisdiction and no claim of damage may be sustained against them

Keeping in mind that this year is an election year in Kenya, the impact of sensational stories laced with ethnic chauvinism is a major concern to all. The Communications Authority of Kenya is already threatening an Internet shut down in the event people spew hate online. Recently, an ‘international’ propaganda website full of fake news on a Kenyan politician was exposed. The writer who hid under the name David Field was discovered to be a Kenyan techie. Even though it did not contain hate, the rising of such sites is a genuine cause for alarm.

Solutions that have been fronted include presentation of scientific evidence and engaging in reasoned arguments. However, the society as a whole finds academics unpalatable overrated. Evgeny Morozov’s solution however is the most reasonable. In his article, Moral panic over fake news hides the real enemy – the digital giants, he writes that the only way we can deal with click baiting fake news is by making online advertising less in our lives, especially at work and in communication.

While people may shun traditional media because of its links to politicians and corporations, they forget that the Internet companies they run to still act the same way. Perhaps the day we finally deny social media and search engines the clout they have in problem solving in all sectors including our politics is the day we will be free from the hazards of fake news online.

Screen shots, consumer protection and online (in)justice

This article was first published in the Nairobi Business Monthly December 2016

Web presence is a requirement in modern business. It is hard to trust a business entity which you cannot Google. How else will you know about the previous customers’ feedback?
Trending online can really boost sales and businesses strive to trend for all the right reasons. The biggest nightmare is trending online negatively. The people online are more courageous and unforgiving due to their presumed anonymity.

A lot of customer service is done on social media platforms. Service providers and their customers prefer this since it is convenient. This can be said to be in line with consumer protection right under Article 46 of the Constitution. This exercise can be said to be enabled by the exercise of the right of freedom of expression and the right to information.

Other than customer care, people have used online platforms to push for proper governance and to ask for accountability. People have even pressured public officers into doing their duty like in the Koffi Olomide incident where the musician kicked his dancer at the airport and the pressure on social media forced government officials to take action and the musician was deported.

Screenshot Era

Online forums are sharing platforms. Media files in the form of videos and photos circulate by the minute. Since the Internet has revolutionized communication, a lot of it is done online. Smartphones now can have over three messaging applications for users. These phones enable users to take screenshots and users have developed a habit of sharing screenshots of their communications with others.

In 2015, screenshots of ‘Brother Ocholla’ circulated all over the Internet. ‘Brother Ocholla’ had apparently sent a rather inappropriate text to his prayer group on WhatsApp forum and a member leaked a screenshot. The screenshot trended on social media for a while with people making fun of the situation that ‘Brother Ocholla’ was in.

All too recently, a customer care agent of a telecommunication company contacted a customer whom he had served. The customer wasn’t too amused by his deeds and not only told him off by sharing the screenshot of the brief chat with the world. As a result, the young customer care agent lost his job since his employer had to show that it is doing something concerning the alleged privacy breach.

According to Kenya’s Evidence law, screenshots are admissible in a court of law. Section 106B of the Evidence Act states that any information contained in an electronic record shall be deemed to be a document, hence admissible. This is subject to several statutory conditions though.

The general rule is that whatever is posted online is not subject to privacy laws. This was the position in the US case of Palmieri v. United States. In this case, the American court found that if an individual discloses information to their Facebook friends, they have potentially disclosed it to the entire world. The petitioner had shared information with a friend on Facebook and the friend shared the information with the US government.

The court, in its analysis stated that from the moment the petitioner, Palmieri, disclosed information to his Facebook friends, they were free to use it as they wished. Because of this, he could not claim that his rights to privacy have been breached. And the same principle applies to anyone who sends an email or even writes a letter; they lose any expectation of privacy once it is delivered.

While we have a right to free speech, sometimes sharing screenshots can amount to a breach of the right to privacy. People ought to be careful not to expose too much information about others arbitrarily. If the image contains sensitive information, blur it. It is not yet law, but it is good practice. A suspected pedophile recently boasted of his misdeeds on social media. The young man even posted the child’s picture on his timeline.

Due to rage, people online shared the screen shot while calling for his arrest. In the process, they breached the minor’s rights as a victim of alleged defilement.

Similarly, the lady who complained online about the customer care agent’s privacy breach ought to have at least blurred the young man’s contacts before sharing the information online. Though she was enraged, the maxim states that he who goes to equity must do equity. The young man still had a right to be heard before any decision was made under application of the maxim audi alteram partem.

According to the Kenya Data Protection Bill, personal information or data includes contact details including telephone numbers of the person. This provision puts contacts at the same ambient as health records which we all agree is sensitive information. Hence it is safe to say that the lady had a prima facie case, but her mode of handling it leaves a lot to be desired. Social media is not even a genuine court of public opinion since it usually depends on the opinions of the influencers. The loudest in terms of traffic win even if they are wrong.

It would have been better to publish that information after inaction from the service provider after reporting it. A best-case scenario is the online reporting by Karimi Mwari who shared her experience with rogue Dakika Sacco matatu crew online after reporting the matter to the authorities. Action was taken and the culprits were apprehended.

Experience has shown us not to place absolute trust on the people in these online platforms. This is a lesson Peter Kenneth and Hillary Clinton know all too well. It applies to other situations too, such as seeking justice. It is advisable to follow due processes before sharing it because once it is out it is out.

Let them cry not in the Range Rover

This article was first published on Nairobi Business Monthly November 2016

Many apply foundation to hide black eyes. Others don shades to hide red eyes. Others fell on the stairs while others just ignore the whole vibe when it is brought up. Author Yvonne Adhiambo Owuor wrote in her book Dust (2013) about the four languages of Kenya: English, Kiswahili, Memory and Silence. We have embraced the former too quick. We refuse to talk about the ghosts that roam in our midst. The words accept and move on are engraved in our hearts. More will die and it will go unreported because of our selective outrage.

Gory images of chopped hands were all over digital media. The outrage was as instant as the middle class knack for tweeting and we saw some action being taken. Same script when musician Koffi Olomide kicked a dancer at the airport. The chap was arrested and deported without being tried, but the message was sent. You cannot assault a woman in public in our world of digital media.

But what about the world where people don’t really care about taking videos? What about that part of Kenya where the chief and pastors have to quell fires amongst couples day in day out? Should official action be a result of digital outrage? Can’t we just develop norms where women, primary victims in gender-based violence, are respected?

Kenya has really good laws that address this vice. The Constitution, Article 28 recognizes a person’s right to dignity and Article 29, recognizes the right not to be subjected to any form of violence from either public or private sources. The Penal Code’s Chapter 26 is on assault, which is basically used in charging perpetrators of gender-based violence.

However, these laws don’t seem to do much in terms of addressing gender based violence. There are two scenarios of this vice: Domestic violence and gender based violence at the work place. The latter is almost never reported because of fear of victimization and unemployment. So a lot of abuse goes unreported and even where there are out in the open, the victims are in too much fear that they apologise for provoking the boss. We saw this play out well when Koffi Olomide’s dancer recorded a video together with the singer to defend his action.

Few years ago, Alassane BA of Shelta Afrique was accused of assaulting staff, Karen Kandie. Upon his arrest, he invoked diplomatic immunity and the court held that he could not be tried in Kenya. This was among the few cases of gender-based violence at the work place that got reported. Unfortunately, Ms Kandie did not get justice.

When it comes to domestic violence, the challenge is that they are majorly crimes of passion.  A common scenario during trial processes of perpetrators is where the complainant withdraws charges so as to secure the release of the accused due to various reasons. In some cases, the perpetrator might be the sole breadwinner and their stay in remand is not doing the family any good. Or maybe the victim has been coerced by the perpetrators relatives to forgive him.  Or in cases where the accused was able to secure their release after paying cash bail, the complainant and accused who most likely still live together will attend court then go back to the same house, or even bed.

In 2015, the Protection against Domestic Violence Act was enacted to provide for the protection and relief of victims of domestic violence. The drafters of law seem to have understood the challenge of prosecuting domestic violence from the protection clauses the Act contains. The act seems to have picked the geist of the Criminal Procedure Code Section 176, which promotes reconciliation in cases of common assault.

The Act is elaborate in its definition of violence and a relationship, which is meant to clear all ambiguities during interpretation. It also obligates the Police Service to have protection mechanisms for victims of the violence. Hence there is no shortage of laws to address this vice.

The silver bullet seems to be in society developing norms where women are respected and protected, where women are viewed and treated as human beings with dignity and not property. Norms where reconciliation between parties in a case of domestic violence is done with the best interests of the victim and not family image.

To get a lasting solution to this vice, religious and community leaders must come together so as to avoid creating conflicting norms. In the recent case of Jackline Mwende, the lady who lost both hands, she narrated how her religious leader encouraged her to stay in the marriage. The vow ‘Till death do us apart’ does not include death induced by one of the partners in the marriage. Hence in their teachings, religious leaders must come out strongly against this vice while working together with security agencies in creating effective protection mechanisms.

We should strongly condemn gender-based violence and unite to eradicate an environment where the vice thrives. While silence is golden, in this case it is a poison that is killing us slowly. Creating an environment where people can speak out should be our priority.
“Of pain you could wish only one thing: that it should stop. Nothing in the world was so bad as physical pain. In the face of pain there are no heroes.” – George Orwell

Should we really regulate tech?

An edited version to this article was first published on Nairobi Business Monthly October 2016

Lady Justice Mumbi Ngugi of the High Court of Kenya declared, in May, section 29 (b) of the Kenya Information and Communication Act unconstitutional. This provision of law was found to be vague by the learned judge. Geoffrey Andare, a web developer who was charged under that Section in 2015 successfully challenged its constitutionality and the charges against him were dropped. This was the case for other bloggers who had been arrested for the offense this year.

Fast-forward to July and a Bill whose purpose is to regulate ICT practitioners surfaced. Its vagueness is stupefying to the extent that it may appear like there must be a vague law that touches on ICT at any given time.

Laws are not created to be aspirational documents and it is unfair to everyone including lawmakers to engage in acts of futility. This is why understanding the subject matter of a law is important. Information and communication technology is not only complex but also disruptive. It is a wave, which has destroyed careers at the same rate that it has created them.

The proposed law in Section 2 states the definition of ICT which ropes in all the possible uses of the technology including collecting, storing, processing, using and sending out of information. The definition includes the use of computers, mobile apparatus or any telecommunication system in the aforementioned activities. Further in the same Section, ICT practice is defined as practice of ICT for a fee or gain either in kind or cash while a practitioner is an individual who will be registered under the law to practice. From those definitions, pretty much everyone in this digital age becomes an ICT practitioner. Why? We use computers at the work place – practice for gain. Doctors use computerized machines for diagnosis- practice for gain. Use your phone to place a bet for a soccer match – practice for gain. The Bill ropes in everyone who uses technology and it raises the various jurisprudential questions. What mischief does it seek to remedy by regulating use of ICT by everyone?

Section 6 of the Bill provides for an institute and states it functions, which are already being executed by the Ministry of Information and Communication Technology and the Kenya ICT Authority. Global market forces also play a big role in enforcing some of these functions such as ensuring high standards amongst persons who engage in ICT practice. In our current digital world, enterprises compete globally. That is evidenced by the heavy use of social media and email servers that are not locally owned. Hence purporting to enforce standards for ICT nationally while the market is forcing us to catch up with the rest of the world will be jocose.

The institute in the proposed legislation will engage in protecting, assisting and educating Kenyans on matters to do with the profession of ICT. While the protection aspect of that function can be supported by Article 46 of the Constitution, existing government bodies such as the Communications Authority of Kenya already have consumer protection regulations to execute that role. Other protection mechanism exist in the market where information spreads as fast as digital media, forcing those who engage in ICT practice to prioritise user experience and consumer needs. The ICT Authority has been engaging in education activities on ICT, which renders the institute’s proposed function redundant.

On proposed function of approving of courses and administering examinations, it may be argued that the institute intends on creating uniformity in terms of qualifications like lawyers and accountants have. This function leads to the next one, which is, registration and license of ICT practitioners who according to Section 15 must have a degree and three years of experience. These requirements show a clear lack of understanding as to how the ICT industry works. Bill Gates, Steve Jobs, Mark Zuckerberg and many other prolific innovators in the ICT world have no university degrees to their names but they have changed the world. Had they been Kenyan at this time, they would not be allowed to engage in the practice of ICT. The ICT labour market tends to pick on the brilliant innovators who can do the job rather than individuals with papers. That is why it has been able to grow so fast because it is open to everyone who has something to offer. Placing restrictions based on academic qualification will outrightly amount to stifling innovation because, now even school going children are coding and making applications.

The Bill also states that the proposed institute will act as an arbitrator in any disputes between a licensed ICT Practitioner and a client. This proposal seems to be off, considering we have Chartered Arbitrators in the country and law courts. From recent history of the industry, disputes seem to be between those who engage in the practice of ICT with the example of the dispute between the brains behind Angani Cloud. The institute would have been better placed addressing such disputes because they affect the growth of the ICT industry. It would also have proposed to promote the industry internationally rather than itself though almost all listed functions are and can be executed by the existing bodies.

Sections 20 and 23 of the Bill are a noose on the necks of many in the industry currently since it insists on one having a license and prohibits those who won’t have it from recovering fees for ICT services. In our current corporate world, companies have invested in social media managers who handle their social media. No course in school teaches this yet it is a service that is so crucial to today’s business where digital presence is key. The people hired for these jobs fall under the scope of this Bill by virtue of engaging in ICT practice for gain. So will the enactment of this law spell doom for these people who engage in ICT practice in a field that is not taught in any school? Will it be illegal to be a blogger or have a YouTube channel? What about those who work for international tech companies remotely? Will this proposed law apply to them?

Lon Fuller in his book the Morality of Law writes about King Rex who promulgated a law that required his subjects to appear before the throne once summoned in ten seconds. His subjects responded by sending him a leaflet which read, “To command what cannot be done is not to make law; it is to unmake law, for a command that cannot be obeyed serves no end but confusion, fear and chaos.”

To criminalise the use of a computer or mobile phone for gain is not to make law. It is to unmake law. It is forcing our Silicon Savannah to drink hemlock. It is to command that which cannot be obeyed, enforced and even investigated, which is causing confusion, fear and chaos. The brains behind the Bill should really reconsider their stand and if possible, withdraw the Bill. If not, they should engage stakeholders. The Cabinet Secretary in charge is on record claiming that the Bill did not come from his Ministry and experts have found its provisions contradictory to the National Information & Communications Technology (ICT) Policy of 2016. As we embark on the journey of achieving Vision 2030, it is important for all of us to be on the same page so as to work together. For it is in our best interest as people that we progress together.

Why block chain technology can help resolve land transaction woes

land

An edited version to this article was first published on  Business Daily September 2, 2016

Land is dear to Kenyans. Despite how we abhor agriculture, everyone wants to own a plot somewhere. A result of this obsession is a lot of speculation in buying of land, over pricing and graft in the land registries. Law courts are busy deciding cases involving land transactions. And it runs across the divisions in the High Court, from the Land and Environmental Division to the Family Division.

We have recently witnessed high profile land rows where individuals have been accused of selling off a single parcel to many parties. While due diligence is key in investigation of titles especially in the conveyancing procedure, one can never be so sure with the results they get.

There are incidences where the official search results have shown the vendor as the owner only for the real owner to show up after completion of the transaction.

A solution to these pitfalls in the conveyancing process is block chain technology. A block chain is often described as a widespread, global distributed ledger running on millions of devices and open to anyone.

In it, anything of value like money, titles of land can be moved and stored securely and privately. The technology has a system of establishing trust though not through intermediaries like banks but through mass collaboration and powerful cryptography algorithms. This ensures integrity and trust between strangers while making it difficult to cheat. While cryptocurrencies like Bitcoin are the most notable products of block chain technology, land can be transacted through this technology.

The advantages that this type of transaction will have will be the availability of incorruptible land records. This will be availed by the distributed public ledger which tracks and records every transaction whose security is ensured due to its decentralised medium.

Hence where a buyer intends on investigating the title that a land vendor claims to have, block chain technology will enable verification of title since it will show the transaction records of that property and the owner and all previous owners.

South American countries like Honduras, have already committed to replace their existing land records with block chain technology which will eventually allow citizens to sell or buy property online. The distributed ledger is being embraced by more corporations like Factum which is applying it to the non-financial market of data management. The corporation uses public block chain-based identity ledgers in database management and data analytics to support applications.

Factom can be used by businesses and governments in simplification of records management, record business processes, and to address security and compliance issues. It maintains a permanent, time-stamped record of data in the block chain that allows companies and governments to reduce the cost and complexity of conducting audits, managing records while complying with the set laws. The Constitution of Kenya lists transparency as one of the principles of land policy and block chain technology will play a big role in ensuring that there is integrity in the system.

Bitland, a NGO in Ghana is also developing a land title system based on the Tao block chain. It is doing this since the Ghanaian government has failed to develop a fair and efficient land administration system despite numerous attempts. The system will also use GPS and satellite to verify the accuracy of the plots of land. Just like in Kenya where identifying the last owner of property rights over a  piece of land is an issue, they hope the system will reduce the disputes or make them more visible to prospective buyers. This will ensure security and reduce ownership cases.

Challenges

While the distributed ledger might be the technology’s biggest strength, many legal questions arise. The question on who to sue when things go wrong since the entire structure of the block chain is decentralised is major.

Another challenge is on the form of conveyancing transactions, keeping in mind that most transactions that are legally binding are based on precedent forms and documents.

There is hope for this though, since it is expected that as time goes on consensus will develop with code libraries and there will be a uniformity.

While solutions cannot just be copy pasted from another jurisdiction, Kenya can pick lessons from nations that have already started using the technology.

The making of a cybercrimes law: A tale of two Bills before Parliament

cyber law

An edited version to this article was first published on Business Daily August 15, 2016

If there is an industry that is hard to regulate, it is information and communication technology. Other than being too dynamic, it is complex. There is a common saying that states that a year in tech is 90 days. This out rightly means it is an industry which states all over the world will continue playing chase when it comes to regulation. Here in Kenya, the legislature has come up with two bills of similar nature. Namely, the Computer and Cybercrimes Bill, sponsored by Leader of Majority Hon. Aden Duale and the Senate’s Cybercrimes and Protection Bill sponsored by Chairperson, Committee on Information and Technology Sen.Mutahi Kagwe.

The Good

Cybercrime rates have been growing by the day and it is encouraging to see that the government is taking action. The Computer and Cybercrimes Bill seeks to criminalise unauthorised access and interference, gaining access with the intention of committing an offence and unauthorised interception. The latter being in the spirit of protecting the right to privacy which is enshrined in the Constitution.

Unauthorised disclosure of passwords or access codes, child pornography, computer forgery, computer fraud, cyber stalking and cyber-bullying are also criminalized. Distinct features of this bill are the clauses which provide for confiscation or forfeiture of assets and proceeds of cybercrime. The bill also provides for a compensation order for victims and it has an entire chapter on how cybercrimes committed outside Kenya will be prosecuted. The extraterritorial nature of this proposed law is good considering the nature of cybercrimes. The Bangladesh Bank was hacked into by persons who were not within its borders. The chapter also provides for extradition of suspects, though relying on the Mutual Legal Assistance Act 2011. Lest we forget, Kick Ass Torrents creator Artem Vaulin was extradited from Poland to the United States of America under such an agreement.

The Cybercrimes and Protection Bill on the other hand will criminalise unlawful access to a computer system, system interference, unlawful interceptions, fraud and cyber-bullying. All these are covered in the other bill. The other offences in this senate bill are interception of electronic messages or money transfers, wilful misdirection of electronic messages, forgery, unauthorised modification of data and even cyber terrorism.

One can say that this bill is elaborate since it ropes in more cyber offenses that are not in the Computer and Cybercrimes Bill. These offenses include issuance of false e-instructions, phishing and identity theft and impersonation which is rampant in this age of social media. Electronic distribution of pornography and child exploitation are also outlawed. The provision on child exploitation will be in important in curbing the developing menace where children meet people on social media who later take advantage of them sexually. This proposed law will also make it illegal to distribute intimate images of a jilted lover while it also illegalizes cyber-squatting.

 The Bad

The investigation procedures in the Computer and Cybercrimes Bill leave a lot to be desired. While the normal procedure is that a court issues a warrant is before security officers take any action that would infringe the privacy of an individual, there are clauses that allow any officer to act without a warrant. While it may be argued that the intention of the provisions is to avoid unnecessary delay, there is a high likelihood of human rights breaches if the bill is enacted into law without those provisions being aligned with the Constitution.

The Cybercrimes and Protection Bill on the other hand has clauses that have some constitutional conformity as far as the right to privacy is concerned. The bill prohibits the sharing of some personal information in the course of investigation like health records. Despite this, Kenya still needs the Data Protection Bill 2013 to be assented into law because data protection principles would provide a better guide with the handling of personal data. The bill also proposes a National Cyber Threat Response Unit which will investigate cybercrime cases. This unit is not provided for in the Computer and Cybercrimes Bill which will allow any officer to confiscate a computer system just because they believe that one is committing a crime with it.

And the Ugly…

The mere fact that we have two draft laws seeking to regulate the same thing at the same time from the same legislature is appalling. It is at this point that we ask what mischief the legislature sought to remedy that they drafted two bills. In the event both bills become laws, we will have a situation similar to that in Lon Fuller’s book ‘The Morality of Law.’ In the book Lon Fuller tells the story of King Rex who made contradictory law and his subjects sent him a pamphlet written “This time the king made himself clear in both directions.” In this case of the two draft laws, the contradictions are likely to arise because one law provides for lenient sentences while the other prescribe a harsh sentences for the same crimes. With this in mind, will we be wrong if we say that the legislature made it clear in both directions?

We hope that the relevant bodies will work together and harmonise the two bills because together, it will be a very good piece of legislation. That way the weaknesses of each draft law will be dealt with. Conformity to the bill of rights as contained in the Constitution should guide the drafters in the harmonization.  In the same spirit, the Data Protection Bill and the Access to Information Bill should be enacted because they are long overdue.