Icons made by Nhor Phai from www.flaticon.com

By Margaret Zalo

A lot of information is shared back and forth on messaging platforms on a daily basis. While governments have an incentive to monitor private communication on these platforms to prevent the abuse of others’ rights; fears of surveillance, unauthorized data collection and other beaches of privacy drive individuals to seek security measures such as encryption to communicate without interference.[1]

Encryption is a data-protecting process that converts information or a message into an unreadable form, preventing access by anyone other than the intended recipient.[2]The use of online products/services that employ encryption mitigates the risk of incidents in which confidential, private or sensitive data –such as passwords, financial information and personal photographs– are copied, transmitted, viewed, stolen or used by persons unauthorized to do so.[3]  

As more people realise the value of online security, messaging apps gain a competitive advantage by adopting methods of protecting customer data such as encryption.[4] A common form of encryption used by messaging apps to protect user data is end-to-end encryption(E2EE). E2EE facilitates secure communication that allows parties to send and receive information or messages privately, while completely preventing access by any other party including the intermediary messaging apps.[5]

On end-to-end encrypted messaging apps such as WhatsApp and Signal, a message is encrypted on a sender’s device and transmitted through the intermediary’s servers to the recipient’s device in an unreadable format. When the intended recipient accesses the message, the information is decrypted for the recipient to its original form through a secret key.[6] The intermediaries’ servers cannot decrypt encrypted information and merely act as a medium to facilitate data transfer of encrypted information.[7] Hence, messaging apps that employ E2EE cannot read information shared by their customers.

E2EE better protects data from persons that may want to snoop on conversations as the privacy and security of customer communications cannot be compromised in transit even if attempts are made to hack or compromise servers. While individual devices may be hacked, it makes mass surveillance much harder.[8] What is frowned upon about E2EE is the fact that it conceals communications between criminals as well – making it harder for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future crimes.[9] Hence, there have been attempts to enforce a “backdoor” for government authorities to access communications on messaging platforms in the interest of combatting crimes such as terrorism and child pornography.[10] China and Russia, for instance, give their national security services the authority to order companies to install hardware and software that facilitate government surveillance.[11]

While disallowing E2EE could be beneficial to law enforcement, providing a backdoor for governments to access communications also poses a great risk to law-abiding citizens as it could create a vulnerability in the security of their data, easing invasive surveillance by hackers and governments.[12]   It also might not be a successful move considering the fact that the software for enabling end-to-end encryption is publicly available(“open-source”) and may still be accessed and used by criminals.[13]

Locally, the Data Protection Act addresses the use of encrypted communication by encouraging data processors and controllers to adopt measures such as encryption to integrate necessary safeguards in data processing and to implement data protection principles as outlined in the Privacy and Data Protection Policy.[14] No law necessarily restricts the use of E2EE by messaging apps. The Communications Authority(CA) and the National Cohesion and Integration Commission(NCIC) made an attempt to monitor the sharing of political messages on social media and other platforms by issuing Guidelines on Prevention of Dissemination of Undesirable Bulk and Premium Rate Political Messages and Political Social Media Content Via Electronic Networks in 2017.

According to the guidelines, social media service providers are required to pull down accounts used in disseminating undesirable political contents that have been brought to their attention. Unlike telecommunication service providers, messaging apps do not take legal responsibility for undesirable political messages sent by their customers and hence do not have to closely monitor the content disseminated on their platforms – which would otherwise affect the use of E2EE.[15] In view of the fact that the CA derives its authority from the Kenya Information and Communication Act(KICA), the CA has been criticised for acting outside of its mandate in issuing the guidelines since social media service providers do not fall under the scope of the Act.[16]

A significant development that has skipped people’s attention amid the Corona pandemic is the recent introduction of a Bill in the U.S. entitled the “Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act” which aims to protect children online. The Bill, if enacted, would revoke the default immunity offered to providers of “interactive computer services” from liability for information published by users and require tech companies to earn these protections instead.[17] Tech companies will have to meet certain safety requirements for children online in order to acquire immunity or else be held liable for illegal content shared by users. Though the Bill does not explicitly ban end-to-end encryption, the best way for messaging apps to take precaution would be to stop offering E2EE in messaging services and start screening for illegal content sent over their platforms.[18]

Despite the high value of privacy on communication platforms and its protection in law, there are several laws in Kenya that may enable government surveillance on both telecommunications services and messaging apps. The National Intelligence Service(N.I.S) Act spells out that the right to privacy for persons suspected to have committed an offence may be limited to the extent that the privacy of their communications may be investigated, monitored or interfered with by the N.I.S after acquiring a warrant to that effect.[19] In the investigation, prevention and detection of terrorism, the Prevention of Terrorism Act grants state authorities the power to limit the right to privacy through surveillance, allowing the privacy of a person’s communication to be investigated, intercepted or interfered with.[20] Likewise, the Security Laws(Amendment) Act gives National Security Organs the power to intercept communication to detect, deter and disrupt terrorism.[21]

Though these laws may be enforced on locally-based messaging app companies, if any, and telecommunications service providers such as Safaricom, a global question still remains as to whether foreign laws can be imposed on foreign tech companies, which are outside of a country’s legal jurisdiction. This is problematic because the rights of foreign citizens may be undermined by laws from other jurisdictions. Thus, if an encryption policy is passed in a foreign country compelling multinational apps to make changes in their encryption methods, the application of the foreign law will likely have an effect on the right to privacy of Kenyan citizens as well.  The conflicting interests in the right to privacy and government surveillance reveal an underlying need for international consensus on how online content should be regulated in view of the global reach of online products and services.

[1]Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, 22 May 2015, 1.

[2]Olufohunsi T, ‘Data Encryption’ Cyber Security, Threat Intelligence and Forensics-University of Salford, Manchester 2019 –<https://www.researchgate.net/publication/337889039_DATA_ENCRYPTION_Olufohunsi_T#fullTextFileContent> on 3 April 2019

[3]Galante M, ‘What is End-to-End Encryption and Why You Really Need It’ Square –<https://squareup.com/us/en/townsquare/end-to-end-encryption> on 11 April 2020.

[4]Ranger S, ‘Encryption has created an uncrackable puzzle for the real world’ ZDNet – <https://www.zdnet.com/article/encryption-has-created-an-uncrackable-puzzle-for-the-real-world/> on 15 April 2020

[5]Galante M, ‘End-to-End Encryption and Why You Need It’ Square –<https://squareup.com/us/en/townsquare/end-to-end-encryption> on 11 April

[6]Perlroth N, ‘What is End-to-End Encryption? Another Bull’s-Eye on Big Tech’ The New York Times, 19 November 2019 –< https://www.nytimes.com/2019/11/19/technology/end-to-end-encryption.html> on 12 April 2020

[7] Thakkar J, ‘End-to-End Encryption: The Good, the Bad and the Politics’ Hashedout, 4 November 2019 –< https://www.thesslstore.com/blog/end-to-end-encryption-the-good-the-bad-and-the-politics/> on 2 April 2019

[8] Perlroth N, ‘Another Bull’s-Eye on Big Tech’ The New York Times, 19 November 2019 –< https://www.nytimes.com/2019/11/19/technology/end-to-end-encryption.html> on 12 April 2020

[9] Jackson M, ‘EU and UK ISPs Oppose Moves to Ban End-to-End Encryption’, ISPreview, 7 October 2019 –< https://www.ispreview.co.uk/index.php/2019/10/eu-and-uk-isps-oppose-moves-to-ban-end-to-end-encryption.html > on 4 April 2020.

[10] Endeley R, ‘End-to-End Encryption in Messaging Services and National Security—Case of WhatsApp Messenger’, 9(1) Journal of Information Security, 2018.

[11]Centre for Strategic and International Studies, ‘The Effect of Encryption on Lawful Access to Communications and Data’ February 2017, 18.

[12] Thibodeau M, ‘End to End Encryption and the Quest to Ban It’ HedgeTrade, 4 July 2019 <https://hedgetrade.com/end-to-end-encryption-ban-attempts/> on 14 April 2020.

[13] Thibodeau M, ‘End to End Encryption and the Quest to Ban It’ HedgeTrade, 4 July 2019 <https://hedgetrade.com/end-to-end-encryption-ban-attempts/> on 14 April 2020.

[14] Section 41, Data Protection Act (Act No. 24 of 2019)

[15]Guidelines On Prevention of Dissemination of Undesirable Bulk and Premium Rate Political Messages and Political Social Media Content Via Electronic Communications Networks, July 2017.

[16]Article 19, Kenya: New Draft Guidelines on dissemination via Electronic Communications Networks should be scrapped, 28 July 2017 –<https://www.article19.org/resources/kenya-new-draft-guidelines-on-dissemination-via-electronic-communications-networks-should-be-scrapped/> on 27 April 2020; Geoffrey Andare v Attorney General & 2 others [2016] eKLR.

[17] Section 230, Communications Decency Act 47 U.S.C.

[18] Fisher D, ‘Earn It Act Casts a Long Shadow On Encrypted Services’ Deciper, 13 March 2020–<https://duo.com/decipher/earn-it-act-casts-a-long-shadow-on-encrypted-services> on 5 April 2020.

[19] Section 36, National Intelligence Service(NIS) Act (Act No. 11 1998).

[20] Section 35, Prevention of Terrorism Act (Act No. 30 of 2011).

[21] Section 69, Security Laws(Amendment) Act (Act No. 19 of 2014).