Much-needed bill leaves ambiguity where the security community needs it most

UPDATE As of Tuesday, a total of 26 sections have been suspended from Kenya’s Computer Misuse and Cybercrimes Act, marking a temporary success for the media outlets and bloggers who had been campaigning against the so-called draconian measures due to their broad definition of “fake news”. A full hearing on the disputed sections will take place on July 18, 2018. The rest of the law came into effect on May 30, 2018.

One of Africa’s leading digital economies has passed its first legislation aimed at cracking down on cybercrime, but civil rights advocates are worried about the scope it could leave for abuse.

Kenya’s Computer Misuse and Cybercrimes Act was signed into law by President Uhuru Kenyatta last week, following calls for the east African country to take proactive measures in combatting illegal activity online.

While considered a bustling center for tech start-ups and mobile transactions alike, Kenya has equally felt the strain of its digital prevalence – losing $210 million to cybercriminals in 2017, according to a report from pan-African cybersecurity firm, Serianu.

That same report found that the spread of fake news, the threat of breaches caused by insiders, and ransomware were the most predominant factors in systems being compromised – 96% of which either go unreported or unsolved, Brencil Kaimba, information security consultant at Serianu, told The Daily Swig.

“I believe the main intention [of the Computer Misuse and Cybercrimes Act] was to curb the increasing growth of cybercrime,” said Kaimba.

“The cybercrimes bill provides a framework for prosecuting cybercrime in Kenya, whereas previously we did not have a standard definition of what qualifies as a cybercrime. We now have a clear description of the offenses and procedures that law enforcement need to follow during investigation of these crimes.”

The resulting bill, an update to the Kenya Information and Communication Act, sets out to tackle a wide range of issues, having borrowed protocol from the 2001 Budapest Convention on Cybercrime – an international treaty providing a framework for tackling the full spectrum of web-based crimes including fraud, child pornography, hate crimes, and unauthorized access to computer systems.

Kaimba said that the new legislation provides guidance on how different cybercrimes should be prosecuted – nine offences related to the mishandling of computer systems or data, and three related to content.

Unlawful intrusion on computer systems, for example, carries a penalty of KES25 million (approximately $250,000), or 20 years in jail. But where this leaves instances of so-called ethical hacking remains unclear.

“Well, it is true there are some very general clauses which leave room for such questions,” said Kaimba. “No exceptions have been explicitly defined, however, the law is clear that one needs to seek authorization before accessing or conducting activities that may lead to information disclosure and/or disruption.”

But the broadness of much of the bill is what’s left many internet advocacy groups concerned, most notably in relation to surveillance and the stifling of discordant speech, which has previously resulted in the arrest of Kenyan bloggers and social media users.

“The presence of a law aimed at addressing cybercrime is fundamental,” Juliet Nanfuka of the internet policy organization CIPESA told The Daily Swig.

“Fear however arises where contentious provisions may be used to infringe on the privacy of individuals or limit freedom of expression, speech, opinion and information online.”

Nanfuka is primarily referring to clauses in the Act pertaining to the publishing of “false” or “fictitious” information where the language leaves room for interpretation to mean anyone critical of the State.

The process that law enforcement undergoes to intercept digital communications has also been criticized for being too lenient.

“This is made worse by the absence of safeguards in Kenya, especially the lack of a data protection and privacy law that would ensure accountability and transparency in the way personal data is managed,” said Nanfuka.

“But despite the shortcomings in the law, there are positive and progressive measures established to ensure that people’s rights to privacy are protected.

“The criminalization of unauthorized access and interference to computers and computer systems by individuals especially with criminal intent guarantees individuals protection of their privacy. This has not previously been guaranteed.”

Serianu said that 90% of organizations in Africa were operating on the ‘cybersecurity poverty line’, making attacks such as unauthorized access, data theft and manipulation, ransomware, social engineering and phishing all too commonplace on Kenyan computer systems.

“We still have a long way to go as cybercrimes continue to evolve,” said Kaimba. “We have to see the scenarios that play out in the future and then seek amendments accordingly.”

Kaimba added: “Cybersecurity is a new field in Africa, and even more so for the stakeholders involved in implementing the Cybersecurity bill.

“Law enforcement and judiciary will need advanced training and upskilling to bridge the skill gap and ensure that they can be able to implement the law.”