Kenya’s new cybercrime law opens the door to privacy violations, censorship

A new act is trying to lock down cyber crime in Kenya. Ink Drop/Shutterstock

More and more Kenyans are connecting to the internet, most frequently from mobile devices like phones and tablets.

There are, of course, big benefits to increased connectivity. These include the rise of mobile money transactions and access to loans. But there are downsides, too. The country has been targeted by hackers in several major attacks.

In May 2018 the Kenyan government responded to these and other high profile cyber attacks by signing the Computer and Cyber Crime Act into law. This seems a strange decision, since legislation already exists that deals with these issues.

The Kenya Information Communication Act and the Penal Code and its regulations already criminalised several cybercrimes. It could have been amended to, for instance, increase the penalties for certain crimes. Instead its provisions have been superseded by the Computer and Cyber Crime Act.

The new act is too vague when it comes to important details, particularly those that deal with the issue of surveillance. Will Kenya’s authorities use this legislation to “eavesdrop” on citizens? The act also criminalises the publication online of false information or hate speech. But it does not explain what “hate speech” entails in this context, and seems to lean towards outright censorship in parts.

The new act criminalises “false publications”, but offers no real definition of these. It also doesn’t give guidelines for distinguishing what it calls hate speech from speech that’s protected under Kenya’s existing laws.

That could pose a problem in a country where people often share opinions, news and views via the internet. Kenya is a polarised country – especially during election times. If one was to make a comment online that is offensive about a certain leader of a specific county it might be categorised under the new act as hate speech or incitement to violence.

The spirit of the act is to be applauded. It aims to boost security and Kenya’s cyber health. But it also violates fundamental individual rights and there is a need to reframe some provisions so it’s not abused by the criminal justice system.

What the act says

The new Computer and Cyber Crime Act has several stated aims. For instance, it offers a framework for the timely and effective detection, investigation and prosecution of computer crimes. Such crimes include unauthorised access to or interference with computer systems by third parties; the distribution of child pornography and online harassment like bullying and stalking; and the production of fake publications.

These and other crimes described in the act come with very steep fines. For example, the crime of “fake publication” attracts a fine of 5 million Kenyan shillings (USD$50,000) or 10 years in prison. Unauthorised interference or interception of state protected computers attracts the longest sentence: 20 years.

Unfortunately the legislation is extremely vague when it comes to defining some of the offences, leaving a great deal open to individual interpretation. That’s particularly troubling when it comes to things like “fake publications”, since the act could be misused to censor free expression in the online space. And that directly contradicts the country’s Constitution.

The provisions around “publication of false information” and “hate speech” are too broadly framed. The worry is that such blanket provisions might lead to a damping down of free expression. Citizens may even self-censor, not sharing different opinions or views, because they worry that these will somehow contravene the act.

The act also lays the ground for international cooperation around prosecuting cyber crimes. And it sets up a crime reporting database. Any person who has information about a threat, attempt or actual cyber attack is now legally obliged to share this with the database within 24 hours of the incident. If they don’t, they’re liable for a fine or could be jailed for up to two years.

One problem with this is that it shifts liability on to the victim or target of the cyber crime. There should be a distinction between aiding and abetting a crime and actually being an ignorant victim or target who is not aware of the act’s reporting requirement.

Another is that once a planned crime has been reported, surveillance will be necessary to confirm it. Section 24 of the Act has a provision for searches without a warrant. This may take the form of blanket surveillance of, for instance, a WhatsApp group because of one person’s comments in that group. Others in the group who are not involved in any crime will also be “watched” by the state. This is a violation of citizens’ basic rights.

Moving forward

This act will have a big impact on Kenya’s information technology environment. In some cases this is a good thing: cyber crime must be taken seriously and criminals brought to book.

But there are challenges, too. The act in its current form infringes on Kenyans’ right to privacy through surveillance and the collection of data from users. The Act should be returned to parliament to amend the same and include parameters and guidelines on how the freedom of expression and privacy are to be limited. For example giving guidelines for one to understand what is hate speech, violent speech or ethnic incitement. Which speech is not protected and why. If not then the questions for Kenyans to ponder would be whether they are willing to give up their rights for cyber security.

We need your help to elevate the voices of experts, not the shouters.