in constitution, Internet, law, opinion, thoughts

Unraveling the “Kenya Information and Communications Act” Amendment Zero-Drafts

Some time late last year, I’m going to say in November but I’m not certain, the Communications Authority of Kenya (CA) released 6 documents that would amend the Kenya Information and Communications Act, for public comment. You can find the notice for public comment and the drafts here. These documents were zero drafts, which means they are the first versions of these documents and are not yet even on the path to becoming laws as they are not even in parliament. The amendments would touch on the following issues:

  • Universal Access and Service
  • Infrastructure Sharing
  • Cybersecurity
  • Broadcasting
  • Electronic Transactions
  • Electronic Certification and Domain Names Administration

I guess now is the time for a couple of disclaimers! First, I read all the documents except the one on broadcasting. It was way too long and it covers an industry I was not very interested in (which is not to say it’s not important). Second, I’m not a lawyer nor have I ever attended a class on law. Finally, while there’s a lot that’s great with these amendments – the section on electronic transactions comes to mind – this post will be looking at everything that’s wrong. Unfortunately, I’ve gotten criticism that I’m always looking for the negative aspect in things, but somebody’s got to be that guy!

Now that that’s done let’s get into it

Cybersecurity Regulations

In the definition of cybercrime:

any activity in which a computer system or network are a tool, a target or a place of criminal activity. This shall include offences against the confidentiality, integrity and availability of computer systems and copyright-related offences.

We have copyright-related offences described as part of it. That phrase should be removed from the definition. It is misplaced here. The potential damage caused by this, compared to the other crimes listed, is minor. It is misplaced here. This may lead to outsized punishments for the mere mistake of uploading the wrong picture, video or audio online. If there’s a need to cover copyright-related offences then the copyright law should be amended to add computer related violations which is the best place for them.

Part 4 Attack on Computer Systems states:

It shall be an offence to:

  1. gain or attempt to gain unauthorized access to part or all of a computer system or exceed authorized access;
  2. gain or attempt to gain unauthorized access to part or all of a computer system or exceed authorized access with intent to commit another offence or facilitate the commission of such an offence;
  3. remain or attempt to remain fraudulently in part or all of a computer system;
  4. hinder, distort or attempt to hinder or distort the functioning of a computer system;
  5. enter or attempt to enter data fraudulently in a computer system;
  6. damage or attempt to damage, delete or attempt to delete, deteriorate or attempt to deteriorate, alter or attempt to alter, change or attempt to change computer data fraudulently.

This section makes no effort to distinguish between attempts and actual attacks. Other laws have different sentences for attempts and actual attacks, I don’t see why this can’t be the same for cyber crimes. Also, the law makes no mention of intent, which makes white hats, who discover vulnerabilities for pay and for fun, particularly exposed. This also applies to Section 5 on Computerised Data Breaches.

Section 5 on Computerised Data Breaches part f states: 

participate in an association formed or in an agreement established with a view to preparing or committing one or several of the offences provided for under this Convention.

This makes white hat groups and security consultants, such as AfricaHackOn, vulnerable.

Section 6, Content Related Offences, part f states:

threaten, through a computer system, to commit a criminal offence against a person for the reason that they belong to a group distinguished by race, colour, descent, national or ethnic origin or religion where such membership serves as a pretext for any of these factors, or against a group of persons which is distinguished by any of these characteristics

The singular word gender, is missing and should be added as discrimination against women is rampant. Leaving out this one word excludes half the population, a population that has historically been sidelined and left unprotected. I hope this will be corrected in the next draft.  

Section 6, part h states:

deliberately deny, approve or justify acts constituting genocide or crimes against humanity through a computer system.

This should be removed. It’s vague, largely depends of the views of historians and also assumes to try to control how people think also I doubt that a similar law exists for offline line equivalents, but I could be wrong.

Section 7, Operation and use of cybercafes and public wireless hotspots states:

Operators of Cyber Cafes and Public Wireless Hotspots shall:

  1. identify users before providing them with services;
  2. provide a system for user registration which ties each user to a mobile phone number. Operators of cyber cafes and public wireless hotspots shall be required to inform users of their service that it is illegal to use an unregistered mobile phone number for registration and access to cyber cafe and public wireless hotspot services;
  3. Information collected in (b) shall be made available to the authority for further action, as and when is deemed necessary.
  4. maintain a register for all its clients;
  5. install Closed Circuit TeleVision (CCTV) cameras to record the identify of its clients;
  6. use Public Internet Protocol (IP) addresses for its computers;
  7. ensure that system logs are retained in their original for periods of not less than one (1) year from the date of the communication. The Authority may issue guidelines on retention of communication logs from time to time.
  8. required to report any cyber-crime incidents to the Authority within 24-hours and as may be prescribed by the Authority from time to time;
  9. required to obtain an authorization from the Authority to provide cyber-café and public wireless hotspot services
  10. submit compliance returns to the Authority as may be prescribed from time to time.

This entire section should be removed as it’s wholly impractical and a violation of several constitutional rights particularly the one of privacy. The information collected can be arbitrarily demanded by the authority without a court order so if this section is to remain, and it shouldn’t, there needs to be some sort of oversight provided by a judge. Finally implementing this will be expensive both on the side of the operators and that of regulator. It also adds yet another license to do business in part I that will impede the ease of doing business. Further the meaning of public wireless hotspots is not defined at all.

Electronic Transactions

Part 5 Scope of Application states:

These Regulations shall apply to any service provider. Such service providers shall require an authorization from the Authority.

Given the broad definition of service provider:

any public or private entity that provides to users of its service the ability to communicate by means of a computer program, computer, computer system, or network, including the services that support the development or utilization of computer programs and/or the creation, storage, retrieval, processing, management, and deletion of computer data, traffic data, and content data; and/or any other entity that processes or stores computer data, content data, or traffic data on behalf of such service as set forth in this paragraph or users of such service.

this applies to anyone trying to sell anything with an online component including using platforms like Facebook and twitter. Implementation of the need of authorization will be difficult if not impossible, perhaps some thought should be given to adding thresholds.

Response from the CA

Response from the CA

Those are the few of the things that I found. I made sure to post these to the CA and though I was past the deadline I got a response, see screen shot above. I felt for the first time really part of the law making process and having done my part as a good citizen. It remains to be seen if any of my comments will be taken into the next version of the draft. The comment section below is open for any thoughts, comments or questions. Peace!!!