Cybercrime, referred to as crime conducted through the internet or some other computer network, has been rampant both in Kenya and around the world. According to the Kenya Cyber Security Report of 2015, the top cyber security issues in Kenya were: data exfiltration, social engineering, insider threats and database breaches. The risk of cybercrime is exacerbated by the fact that the number of internet subscribers is on the rise every year. According to the 2015 Economic Survey Report of the Kenya National Bureau of Statistics, internet subscriptions increased from 1,579,387 subscribers in 2009 to 8,506,748 in 2012. To top it off, there were about 26.1 million internet users in Kenya as of December 2014. Bearing in mind that the commission of cybercrime knows no territorial boundaries, there are numerous cyber security risks posed to companies, individuals and the government alike.
A few instances of cyber attacks in Kenya are worth mentioning. It will be recalled that in 2015, IFMIS passwords of senior county staff in Garissa were stolen and used to make illegal payments. It will further be recalled that in 2015, two computer experts were accused of hacking NIC Bank’s customer database and demanding to be paid Kshs. 6.2 million in bitcoins. We have also witnessed numerous phishing attacks on Facebook users in Kenya.
According to ISACA-Kenya, there are approximately 1000 certified ICT risk professionals in Kenya. It may be argued that cybercrime in Kenya is on the rise for two reasons: lack of sufficient ICT risk professionals to deal with cyber security risks and lack of a proper legal framework to provide for cybercrime. In this post, we shall deal with the latter.
The Computer and Cybercrimes Bill, 2016 provides for offences relating to computer systems and facilitates international cooperation in dealing with cybercrime matters. Currently the legal framework providing for cybercrime is Part VIA of the Kenya Information and Communication Act, particularly sections 83U to 84I. These provisions cannot adequately deal with the monster of crime that is affecting the nation. The Computer and Cyber Crimes Bill may be lauded for its efforts to:
- Protect confidentiality, integrity and availability of computer systems, programs and data by comprehensively making provisions for offences that violate confidentiality.
- Provide higher penalties for offenders which may serve to deter the commission of cybercrime.
- Facilitate the investigation and prosecution of cybercrimes.
- Facilitate the processing of digital evidence.
- Facilitate international cooperation in prosecution of cybercrimes.
- Benchmark international standards in the fight against cybercrime provided in the Council of Europe’s Convention on Cybercrime, also referred to as the Budapest Convention.
Offences against the confidentiality, integrity and availability of computer systems, programs and data
The Bill criminalizes unauthorized access to a computer system, unauthorized access to a computer system with intent to commit or facilitate a further offence, unauthorized interference to a computer system, program or data, unauthorized interception of computer data and unauthorized disclosure of passwords or access codes.
The Bill provides for high penalties of up to 5 years imprisonment or Kshs. 10 million fine, with the penalty increasing to 10 years or Kshs. 20 million fine if unauthorized interception or interference results in significant financial loss to a person, threatens national security, causes physical injury or death to any person, or threatens public health or safety.
In addition, the Bill criminalizes the manufacture, sale, procurement for use, importation, offering to supply or distribution of devices, programs, computer passwords or access codes for the purposes of committing any of the offences listed above. The offence extends to persons who knowingly receive or are in possession of the devices, programs, computer passwords or access codes. It is however a defence if devices, programs, passwords or access codes are acquired for purposes of authorized training, testing or protection of a computer system or if the same is done in compliance with a court order.
Computer Related Offences
These offences include computer forgery and computer fraud which are to be distinguished from fraud and forgery as provided for in the Penal Code. Computer forgery attracts a penalty of 5 years imprisonment or Kshs. 10 million fine or both whereas computer fraud attracts a penalty of Kshs. 20 million or 10 years imprisonment, or both.
A person who commits computer forgery with intent for wrongful gain, wrongful loss to another or for commercial benefit is liable to a maximum fine of Kshs. 20 million or to 10 years imprisonment, or both.
Content Related Offences
The two offences under this section are child pornography, and cyber-stalking and cyber-bullying. The Bill maintains the definition of a child in the Age of Majority Act and the Children’s Act as being a person under the age of 18. The definition of child pornography under the Bill is not conclusive; it is stated to include data which, whether visual or audio, depicts a child or a person who appears as a child engaged in sexually explicit conduct, and realistic images representing a child engaged in sexually explicit conduct.
The non-conclusive definition of child pornography and the extension of the subjects of child pornography to include ‘a person who appears as a child’ will likely cause ambiguity in interpretation of the offence.
It is an offence to aid or abet the commission of a crime under the Bill.
The unsuccessful commission of an offence does not exonerate one from being charged for attempting to commit an offence under the Bill.
Body corporates that commit cybercrime have a heightened penalty of Kshs. 50 million. The liability of a body corporate also extends to its principal officers, i.e. the directors or to its members where it is the members that manage the body corporate.
Other offences committed under any other law and with the aid of a computer system attract a penalty of Kshs. 3 million or 4 years imprisonment, or both, in addition to the penalty provided for under that law.
Powers of the Court
Besides passing a conviction and sentence under the Bill, the Court may:
- Order the confiscation or forfeiture of proceeds obtained from or in the commission of an offence including money, properties or assets.
- Order the restitution of assets gained from the commission of an offence.
- Award compensation to a person who faces loss directly from the commission of the offence.
The Bill makes provision for investigation procedures with respect to: criminal offences under the Bill, other criminal offences under other law and collection of electronic evidence for offences under the Bill or other law. It also reinforces the admissibility of electronic evidence derived from a computer system and provides for investigation procedures for cybercrimes without prejudice to those provided in the National Intelligence Service Act, 2012; the National Police Service Act, 2011; the Kenya Defence Forces Act, 2012; and any other law. It is further provided that whenever there is a conflict between the Computer and Cybercrimes Act and any other law, the Act shall supersede other law particularly on matters pertaining to cybercrimes.
Searches are one of the investigation procedures to be applied under the Act. Searches may be with or without a warrant, in which case the provisions of the Criminal Procedure Code on searches will apply. This means that search warrants may be issued at any time and likewise executed at any time, and further that an officer may break into a building for purposes of obtaining a computer system or part of it, where entrance or exit cannot be freely obtained. Computer systems may also be seized for purposes of investigation.
The provisions on international cooperation apply vis-à-vis the provisions of the Mutual Legal Assistance Act, 2011, which deals with mutual legal assistance between Kenya and other states on matters pertaining to investigation, prosecution and judicial proceedings of crimes. The importance of international cooperation cannot be gainsaid, as cybercrimes could be committed anywhere and still have an effect in Kenya.
The Attorney General may request assistance for purposes of: investigating cybercrime, collecting electronic evidence, and obtaining expeditious preservation of stored computer data, disclosure of traffic data, real time collection of traffic data, associated with specified communications or interception of content data.
It is important to note that open source data, whether located in Kenya or elsewhere, may be accessed or retrieved by a police officer or an authorized person.
The Bill gives Kenyan courts jurisdiction to try any Kenyan citizens for offences committed anywhere in the world. The Kenyan courts also have jurisdiction to try foreigners who commit offences in Kenya, against its citizens or against property belonging to the Government of Kenya.