The Computer and Cybercrimes Bill 2017 has undergone First Reading according to Parliamentary Standing Order 127 (3) and is currently committed to the Departmental Committee on Communications, Information and Innovation. The Bill proposes to provide a framework to prevent and control the threat of cybercrime. Parliament recently called for submission of memoranda on the Bill. Upon receipt of the call for memoranda, CIPIT called on members of the public to contribute their views on the bill which we have uploaded on the Jadili platform. Members of the public contributed their views on various issues as compiled here.

With regard to section 8(1), it is submitted that this sub-section does not protect the legitimate use of devices and programs such as ‘tcpdump and wireshark’ that are designed primarily to intercept and capture network traffic. They can serve a dual purpose that can be abused by malicious actors. The law should not ban them in a blanket manner but instead regulate only their malicious use.

It is noted that Part III of the Act provides for investigation procedures including search and seizure of stored computer data, such power to search without warrant in special circumstances, record of and access to seized data, production order and grounds for such application of a production order by a police officer, expedited preservation and partial disclosure of traffic data, such period for preservation and extension of the said period. More procedures detailed are real time collection of traffic data, interception of content data, procedure for making application to intercept and such grounds to be satisfied before such interception. This Part also provides for confidentiality of investigations and powers to deal with obstruction of investigations. With regard to Part III, it is submitted that there should be a clear explanation on qualification of who this law will regard as ‘an authorised person’. We propose a qualified digital forensics expert serving in the police service.

It is noted that this Bill delegates regulation-making powers to the Cabinet Secretary responsible for matters relating to Information, Communication and Technology. The Bill does not contain provisions limiting rights and fundamental freedoms. It is submitted that a statement on how the legislation aligns with protections in Kenya’s constitution and international obligations to protect human rights according to Article 21 of the Constitution which obligates the state to protect human rights should be front and centre of the Bill.

Further, the Bill appears to be heavily influenced by the Council of Europe’s Convention on Cybercrime (known as the Budapest Convention). But what underpins the Budapest Convention is safeguards, namely the UN ICCPR and the European Convention on Human Rights. A country cannot import the provisions without underpinning them with safeguards and making them meaningful. Without these safeguards, the entire Bill is extremely intrusive. Meanwhile, section 4(1) states that a person who causes, whether temporarily or permanently, a computer system to perform a function, by infringing security measures, with intent to gain access, and knowing such access is unauthorised, commits an offence and is liable on conviction, to a fine not exceeding five million shillings or to imprisonment for a term not exceeding three years, or to both. It is submitted that this section may have certain severe unintended consequences such as criminalising security research such as penetration testing.

Section 10(2) of the Bill defines “protected computer system” as a computer system used directly in connection with, or necessary for, a) the security, defence or international relations of Kenya. Whereas section 11(1) states that a person who unlawfully and intentionally performs or authorizes or allows another person to perform a prohibited act envisaged in this Act, in order to— a) gain access, as provided under section 4, to critical data, a critical database or a national critical information infrastructure. However it is not clear whether all protected computer systems qualify as critical infrastructure. More importantly, it is submitted that the bill does not define critical infrastructure.

Section 12 of the Bill provides that a person who intentionally publishes false, misleading or fictitious data or misinforms with intent that the data shall be considered or acted upon as authentic, with or without any financial gain, commits an offence and shall, on conviction, be liable to a fine not exceeding five million shillings or to imprisonment for a term not exceeding two years, or to both. It is submitted that this clause is unconstitutional to the extent that it limits freedom of expression beyond the limitations in Article 32 (2) of the Constitution of Kenya. Although section 13(1) of the Bill prohibits any person from intentionally publishes child pornography through a computer system, The offence already exists and can be dealt with under Section 16 of the Sexual Offences Act, 2006 on child pornography.

It is submitted that section 28 of the Bill is problematic. Kenya’s existing surveillance legislation only permits intelligence agencies and police officers above the rank of a Chief Inspector to apply for a warrant for this kind of surveillance (National Intelligence Services Act 2012 and the Prevention of Terrorism Act 2012). As such section 28(1) unjustifiably broadens the scope of law enforcement’s powers and is open to abuse.