The implementation of the right to access information has been a topic of conversation since as early as the 18th century. Sweden became the first country in Europe to implement the right to access. Anders Chydenius believed that democracy and workers’ rights were crucial to the economic growth of a state and urged that freedom of the press and of information is a vital right that should be accessible to all citizens; the English parliament also recognized the need for and importance of abolishing political censorship in the 17th century. Eventually India, the first non-European country to do so, followed suit in the 20th century by incorporating the right to information into its own laws (known as the Right To Information Act).
Artificial Intelligence (AI) is the effort to create computers capable of intelligent behavior. It can be classified into two types: “narrow AI,” computer systems that are better than humans in some specific, well-defined field, and “general AI,” systems that can surpass human capabilities in many domains. AI relies on large amounts of data to learn and to create the patterns it uses to perform the actions it is tasked to do. The world is currently experiencing its fourth industrial revolution, popularly referred to as Digital Transformation, and AI is earmarked as being at the heart of this new era.
Governments have done a modest job at ensuring modern technology is applied to making the physical world a safer place. Laws which account for physical safety evolve relatively quickly and pressure companies to apply the latest safety standards to structures, transportation technologies and the like.
Newer technologies such as wearable tech monitor our blood pressure and heart rate, which helps detect early warning signs of a medical emergency. However, the possibility of selling patient health information gathered from wearable tech remains a grave concern amongst citizens. Do governments have the responsibility to address these invasions of privacy? Many citizens would agree they do.
As the global digital sphere expands, so too do intellectual property infractions. Brand power is more accentuated than ever, leading to greater levels of trademark appropriation. What’s more, new research by Wharton shows that strong intellectual property protection benefits the ‘small guy’. Essentially, protecting new trademarks brings growth for small businesses.
As a result, intellectual property and information technology (IT) legal professionals are in great demand and can expect generous remuneration; Payscale suggests that the potential pay ceiling can reach USD $198,000. Furthermore, as small businesses develop their own systems, having legal assurance embedded will be key to maintaining growth. For a graduate, there is a clear path into the discipline.
Developing and displaying the necessary skills
Communication, problem-solving, determination and natural assertiveness are the core skills that all legal professionals need to possess. For an IP/IT lawyer, it is to your benefit to lay claim to a few other key areas. Firstly, while all lawyers need to stay up to date with the law, IP/IT is a particularly fast-moving space; accordingly, legal professionals specializing in the field should have a comprehensive knowledge of online resources, and a talent for preempting which big changes will impact a company. The EU’s General Data Protection Regulation, which came into force in May this year, is set to have impacts across Africa and the wider world. According to Thomson Reuters, compliance is high on the agenda; both consultant and in-house lawyers will be busy. When constructing an application, or formalizing your resume, ensure the relevant skills are clearly highlighted.
Understanding the job market
The good news about the IP/IT job market is that it is wide open. As Daily Nation outlined in a report concerning business best practices, there aren’t many intellectual property focused lawyers operating in Kenya, let alone digitally native ones. However, the Kenyan digital startup industry is absolutely booming: startups scooped half of all of Africa’s startup funding in the first 6 months of 2018, totaling nearly USD $50m, according to Business Today. With such a huge expansion in digital businesses, there is a clear market for expert legal advice that will also help to protect the industry, guaranteeing its onward profitability and the reputation of legal experts in the field.
The potential future
IP/IT is a fascinating and rapidly growing area of law. The nature of intellectual property law is not necessarily set in stone when it comes to digital applications – take, for example, Appistry v Amazon, 2013, in which the case was dismissed in favor of Amazon, with the court finding that the patents involved were ‘abstract ideas’ given their internet-based application. As the world becomes more and more globalized and internet usage continues apace, it’s likely that definitions will shift and previously dismissed claims will become more relevant. The role of the legal professional in the field will only become more valuable and more important.
Moving into intellectual property and information management law is an exciting way to further your career. In Kenya, with businesses booming into the digital age, there are countless opportunities. Seizing them is a case of determination and honing the right skills.
The freedom of association has traditionally been defined as the right to be with other people for a legal reason, cause or purpose, without interference. However, with the advent of modern technology, today’s emergent associations differ in important ways from traditional political and social organizations.
Recent global events, particularly those associated with the Arab Spring, form prime examples of the need to examine and analyze the legal protections afforded to associations in the digital age and whether such protections are sufficient in the wake of emerging threats.
Thus, an analysis of the commonalities and the differing aspects of the contrasting viewpoints of the subject right as well as the impacts of this is well justified in light of the changing context within which the right is exercised and indeed with a view to building a wholesome definition having considered all relevant factors.
TRADITIONAL RIGHT VIS-À-VIS DIGITAL RIGHT
Freedom of association has commonly been associated with the notions of physical meetings and geographical proximity. However, advances in modern communication technology have greatly shifted the context of this right and led to a number of differences from its traditional understanding. The prime difference consists in the non-requirement of geographical proximity. Previously, exercising one’s associational freedom often meant attending in-person meetings. Conversely, in the present day, one can participate in the activities of an association without the need for physical attendance or geographical proximity due to the relatively inexpensive nature of internet connection. Global events ranging from the political uprisings that swept across the Arab world to the Occupy Wall Street Movement have highlighted the use of digital technology in the exercise of the subject right.
Another key differing factor is the platform on which the right is exercised. In its traditional understanding, the right is often exercised in public spaces such as city squares whereas the digital right extends to digital platforms such as discussion forums and chat rooms. This view was supported by the APC which stated that the right should be construed to include any space where people can meet, including online spaces.
A logical import from the differences highlighted is the central role of modern technology as a conduit to the exercise of the digital right. This view is reiterated by the 2012 report of the former Special Rapporteur where he called upon States “to recognize that the rights to freedom of peaceful assembly and of association can be exercised through new technologies, including through the Internet”. This view was also highlighted by the Human Rights Council in its Resolution 24/5 in which it:
“Reiterated the important role of new information and communications technologies in enabling and facilitating the enjoyment of the rights to freedom of peaceful assembly and of association…”
However, these differences do not constitute a comprehensive redefinition because of the commonalities shared such as the similar nature of the associations in both conceptions. As per the ‘Guidelines on Freedom of Association’ an association is “an organized, independent, not-for-profit body with an institutional structure based on the voluntary grouping of persons with a common purpose.” Online associations fulfill each of these requirements therefore enjoying protection even in the traditional understanding.
DEFINITION AND RELATION TO ASSEMBLY
In view of the differences as well as the commonalities of the contrasting interpretations of the subject right one can reasonably deduce that the digital right can be defined as the right to voluntarily join with others through collective action based on a common purpose through the use of modern communication technology without interference.
Perhaps an interpretational challenge in defining the subject right also owes to its confusion with the related freedom of assembly. Freedom of assembly secures the right of people to meet for any purpose connected with government whereas associational freedom protects the activities and composition of such meetings.
Digital technology has transformed the ways in which civic and political associations are formed and operate. Political and civic “work” in society is increasingly performed not by traditionally organized and well-defined associations but by decentralized networks of individuals. As such, online association has opened the door for a more effective advocacy of Human Rights issues which may be dangerous in authoritarian states and for the faster aggregation of resources for community development.
However, the same features of modern communications technology that enhance associational freedom also crucially enhance the threat posed by relational surveillance. Relational surveillance can loosely be defined as surveillance that makes extensive use of digital communications in order to determine the associative groups to which an individual belongs. Comprehensive surveillance has the unfortunate propensity to cause exploitation of vulnerable groupings in society. Indeed surveillance also highlights the occasionally involuntary nature of online association since it uncovers exploratory activities such as inquiries or admission into social media groups which could mark an individual as a “member” of an association before express consent has been made. Additionally, the networking tool of the internet is useful not only to legitimate civic groups but also to criminal and terrorist groups as they can also benefit from the pseudonymity of digital association.
Lastly, the central role of data in modern communications technology and continuous data collection often leads to the threat of profiling. It is no secret that platform providers retain consumer data often using it for targeted advertising purposes. However, the emergent use of data as a value tool whereby data is sold to advertisers and other firms has led to widespread privacy concerns highlighted best by the Cambridge Analytica scandal.
Given that the Computer Misuse and Cybercrimes Act’s chief focus is the content of data rather than the collection and use of data, and given the relative lack of comprehensive data protection legislation outside the Constitution, it would seem that the local laws are ill equipped to deal with the issue of surveillance. Therefore, there is need for legislation to regulate and provide oversight on:
circumstances under which platform providers can collect and use data,
circumstances under which platform providers can share such data with government agencies and other 3rd parties.
Although modern communications technology has greatly enhanced associational freedom for many informal associations, it has also facilitated the emergence of new threats such as that of surveillance. This expansion of the scope of the subject right has meant that current legislation is insufficient in the wake of new threats. Therefore, it is imperative to review and update relevant legislation in order to comprehensively address these concerns.
Kenya’s traffic situation is dire, with deaths due to road traffic crashes estimated at between 3,000 and 13,000 each year. Based on 2017 stats of the National Transport & Safety Authority (NTSA), pedestrians are the most vulnerable group, representing 39% of fatalities. Another 22% of victims are passengers, 12% are drivers, while casualties due to motorbikes reached 18%. The reasons for these are many, including poor driving behavior such as speeding and breaking traffic rules, including talking on mobile phones or driving under the influence of alcohol or drugs. Overloading vehicles, not wearing seatbelts, poorly maintained vehicles and bad road surfaces contribute to the rise in road traffic accidents.
Driverless Cars Can Benefit Kenya
In his study of road accidents in Kenya, Odero concludes that 85% of road mishaps were caused by human errors. Collisions between vehicles and pedestrians were the worst. Utility vehicles and buses were involved in 62% of accidents that led to injuries. Faulty or poorly-maintained vehicles were also to blame. The costs of these accidents are estimated at Sh300 billion or $2.9 billion a year according to the 2015 NTSA report.
The introduction of driverless cars can significantly reduce the rate of accidents in the country. But before these autonomous cars could be driven on Kenyan streets, extensive testing needs to be done. Moreover, there are other factors that come into play before deployment on the road can even be considered. One of these is IT law.
Driverless cars are dependent on the development of autonomous driving technologies. The biggest issue that crops up once an autonomous vehicle is driven is: who is responsible for the car and its actions? Is it the owner of the vehicle, the manufacturer or the creator of the autonomous driving system?
Autonomous Vehicles Can Save Lives
Before we can tackle the question, let us look at how testing of AVs has evolved. Without a doubt, driverless cars are big business. That is why automakers and technology giants are scrambling to get a big piece of the action. The likes of Waymo, Uber, Tesla and Apple have invested heavily in developing autonomous vehicles that are ready for deployment on the road.
In an ideal world, these vehicles are safer. Autonomous vehicles (AVs) are fitted with 360 degree cameras that allow them to see from all angles. They can use LIDAR technology which is a detection system using laser enabling them to see better and further. AVs can plot their course based on real time information so they can also change their routes and adjust their speed. In short, they can see better than the human eye.
Safe Testing Is Critical
The Uber test vehicle that killed a pedestrian in March this year suggested that the technology is not fully developed. According to the police report, the Uber car failed to identify the victim as a pedestrian and did nothing to avoid hitting her. The human operator who was inside the AV was also apparently watching a video before the crash occurred. In another incident, a Tesla Model X SUV crashed into a road barrier and killed its driver. It was on auto pilot mode. These accidents tell us that more safe testing needs to be done before the technology can be considered roadworthy.
There is also no existing legal framework that puts people or entities liable for accidents and deaths that may occur due to failures of AVs. While some countries are in the process of putting laws and regulations in place before driverless vehicles are put in circulation, there are still many snags that need to be untangled. For now, safe road testing is a top priority along with legislation, local zoning and stringent testing requirements.
Implications for Kenya’s Roads and Traffic
Chaotic Kenyan roads are even more of a challenge for AV testing. Not only are there more humans on the road, there are also cyclists, motor bikers and even animals. Driverless cars will have to learn to navigate around so many obstacles. Perhaps, this is also where they might make the biggest difference as hectic cities are places where the most collisions happen claiming more lives.
There are many benefits of autonomous vehicles for humans and the environment. However, safe testing of their capability on roads should be further enhanced. In addition, regulatory measures and a legal framework must be in place before they circulate in traffic.
In the weeks leading up to and following Zimbabwe’s disputed 2013 election, Zimbabweans were hit by significant Internet-based attacks. Because the incident was not widely reported, it did not gain traction at all in the Internet Freedom Community. Yet the incident was one of a kind to be documented during an African election. It adversely affected Zimbabweans’ rights to stay informed, including by accessing first-hand information on the elections to inform civic action and response to the election irregularities. This also had repercussions on the transparency and outcome of the election, since those who were monitoring them on online platforms were deprived of the information they needed to base their reports on.
As part of the project Sub Saharan Africa Cyber Threat Modelling, I propose that as Zimbabwe prepares for the 2018 elections, civil society actors in Zimbabwe and those who support their digital security and integrity projects should use the 2013 incident to undertake a proper threat model that takes account of DDOS attacks. This will coincide with the Zimbabwe CSOs’ launch of the 2018 Election Situation Room on 27 June 2018 – an initiative that seeks to coordinate their activities & enhance citizen monitoring & participation in electoral processes.
Unlike other attack vectors that only affect information confidentiality and integrity, a DDOS goes after the availability of a system or a network. The nature of its attack is like having your home flooded without warning: attackers can upend the availability of information during an election. When it hits a network, a long time can pass before detection and mitigation. In an ever-expanding field of adversaries and other attack vectors, DDOS is still often difficult to attribute as it can often be orchestrated remotely.
Around July 30, 2013, while working for the Zimbabwe Human Rights Forum, I woke up to realise that most of the real-time content of the website I managed had been compromised through deliberate defacement and selective data erasure. As I tried to locate the content, the site went offline. I fiddled with the network until a U.S. Congress Researcher, who had been following our blogs, alerted me to the DDOS attack directed at our web host Greennet and web hosts of other critical websites such as Electionride.com and Nehanda Radio.
The incident included two massive distributed denial of service (DDoS) attacks on Greennet to disrupt the Forum’s activities, which in turn caused collateral damage to other sites like that of Privacy International. Despite the difficulty of attributing the source of the attack, experts believed that either a government entity or a private organisation was responsible, given both its nature and magnitude: a 100Gbps attack that used DNS reflection rather than an unsophisticated botnet to attempt to overwhelm its servers.
What is a DDOS attack?
Confidentiality, integrity, and availability are the fundamentals of information assurance. Organisations often rely on the so-called CIA (Confidentiality, Integrity, and Availability) triad to benchmark and evaluate their information security. For instance, the data defacement and erasure on the web pages of the Zimbabwe Human Rights Forum affected the integrity of the data and therefore its reliability. However, a DDoS does not go after the confidentiality or integrity of the CIA model. It’s meant to go after the ‘A’, the availability of a system or a network.
A Distributed Denial of Service (DDoS) attack is an attempt made to take a website or online service offline. Attackers use a variety of ways to do this, but they all are designed to overwhelm the site with traffic from multiple sources.
In a DDoS attack, the traffic flooding the site can come from hundreds or thousands of sources, which makes it near-impossible to stop the attack simply by blocking a single IP address. The traffic can be sent by infected computers organised into botnets or by otherwise coordinated sources. Sites also struggle to differentiate between legitimate user traffic and attack traffic.
A DDoS attack differs from a Denial of Service (DoS) attack, which typically uses a single computer and connection to flood a system or site.
Zimbabwe experienced a Domain Name System (DNS) reflection attack. This kind of attack spoofs the target’s IP address in DNS requests, causing DNS servers to amplify the volume of data focused on the data centre under attack.
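One way a defender can spot the reflection pattern described above is to count DNS responses that no host on the protected network asked for. The following is an added example, not part of the original article; the record format, the protected prefix, the thresholds and the function names are all assumptions, and the sample records are constructed.

```python
"""Flag DNS reflection traffic: DNS answers that nobody on our side requested."""
from collections import defaultdict

OUR_NET = "203.0.113."   # assumed protected prefix (documentation address range)
WINDOW_S = 10            # assumed aggregation window, in seconds
MIN_SOURCES = 20         # assumed threshold: distinct responders per window
MIN_BYTES = 50_000       # assumed threshold: unsolicited bytes per window


def parse(line):
    # Assumed record format: ts src_ip src_port dst_ip dst_port bytes dns_txid
    ts, src, sport, dst, dport, size, txid = line.split()
    return float(ts), src, int(sport), dst, int(dport), int(size), txid


def detect_reflection(lines):
    """Return one alert per (victim, window) that exceeds both thresholds."""
    pending = set()  # queries we sent: (client_ip, client_port, resolver_ip, txid)
    windows = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, size, txid = parse(line)
        if dport == 53 and src.startswith(OUR_NET):
            pending.add((src, sport, dst, txid))          # outbound query
        elif sport == 53 and dst.startswith(OUR_NET):
            key = (dst, dport, src, txid)
            if key in pending:                            # solicited answer
                pending.discard(key)
                continue
            bucket = windows[(dst, int(ts // WINDOW_S))]  # unsolicited answer
            bucket["bytes"] += size
            bucket["sources"].add(src)
    alerts = []
    for (victim, idx), bucket in sorted(windows.items()):
        if len(bucket["sources"]) >= MIN_SOURCES and bucket["bytes"] >= MIN_BYTES:
            alerts.append({
                "victim": victim,
                "window_start": idx * WINDOW_S,
                "sources": len(bucket["sources"]),
                "bytes": bucket["bytes"],
            })
    return alerts


def constructed_sample():
    """Constructed records: two normal lookups, one stray answer, one flood."""
    lines = [
        "# ts src sport dst dport bytes txid",
        "100.0 203.0.113.10 40001 192.0.2.53 53 70 a1b2",
        "100.1 192.0.2.53 53 203.0.113.10 40001 180 a1b2",
        "104.0 203.0.113.20 40002 192.0.2.53 53 64 c3d4",
        "104.2 192.0.2.53 53 203.0.113.20 40002 210 c3d4",
        "130.0 192.0.2.53 53 203.0.113.20 41000 200 ffff",
    ]
    # 40 resolvers each send three 3000-byte answers the victim never requested.
    for i in range(40):
        for j in range(3):
            lines.append(
                f"{110 + j:.1f} 198.51.100.{i + 1} 53 203.0.113.10 "
                f"{50000 + i} 3000 {i:04x}")
    return lines


if __name__ == "__main__":
    for alert in detect_reflection(constructed_sample()):
        print(alert)
```

The single stray answer in the sample does not raise an alert because it comes from one source; only the many-source, high-volume window does, which is the signature that separates reflection from ordinary late or duplicated replies.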
Unlike malware in the class of worms, a DDOS could generally be classified in the virus category in its mode of attack. Like a DDOS, a virus generally refers to a malicious program that self-replicates but requires some user interaction to be initiated. In this case, the virus/bot has a malicious payload (instruction) that it is meant to execute.
Here is an example by my friend Jonathan Weismann at Rochester Institute of Technology:
If Harry the hacker sends ten, one hundred or even one thousand pictures to an important web server, nothing will happen.
However, if Harry the hacker puts a program on ten thousand user machines and they each are instructed to place programs on thousands of other machines, when the time comes, Harry the hacker will give the kill signal and all machines known as zombies in this botnet, robot network, will be sending traffic to a poor victim’s server that will come to a grinding halt.
Attribution challenge and Recurrence
Cyber-attacks similar to the Zimbabwean one are difficult to attribute to any particular adversary unless such adversaries leave forensic footprints. We cannot predict recurrence during the 2018 election or in future with any degree of certainty because information controls are often applied in highly dynamic ways often responding to events on the ground displaying wide-ranging motives.
There has been an accelerated, dynamic and complex pace of events in Zimbabwe since the November 2017 power transfer. The country’s diversified international business partners potentially open up and diversify the vendors in the market for computer espionage and surveillance in addition to the so-called Huawei problem. Whereas China, also a major investor in Zimbabwe, continues to top the charts with its nation-sponsored surveillance activity, aspects of lesser-known nation-states and benign entities give cause for concern as they can hide in the darker parts of the internet. A good example was the hacking into the Zimbabwe Government websites. The attack vectors are expanding to include the use of social media to influence the opinions and actions of large populations.
The Zimbabwe case study and other recent attacks, such as the one on the DNS company Dyn, offer a few lessons.
DDOS attacks happen very fast and are hard to detect, yet their consequences can be devastating. There can be a long time lapse between an attack, detection and mitigation. One needs a faster, more immediate means of threat detection to prevent severe damage. There’s little an organisation can do to prevent threats which may be the result of larger geopolitical forces, but one can substantially reduce the adversaries’ chances of success by reducing one’s own vulnerability and, in turn, one’s own risk. This may include taking technical measures but also a holistic approach. For example, albeit on a different subject, Citizen Lab Research on targeted malware attacks reveals that the technical sophistication of [attacks] may be fairly low, with more effort placed on social engineering.
In our case the following non-prescriptive steps could have helped mitigate the impact of the DDOS attack:
Web content backup, including a blog hosted on a separate platform to which we could redirect our readers.
Improving our firewall and password combinations as it appears the adversary gained entry onto our website dashboard to wipe out content.
Closely paying attention to the tell-tale signs such as the increase in the number of partisan subscribers.
Establishing a good relationship with the web-host and sharing concerns during key political events to enable their technical team to be prepared.
Drafting an organisational DDOS attack playbook. This document sets out the systematic procedure to be followed in case of a DDOS attack. It helps ensure that organisational staff respond to the attack in an organised manner.
*An article by Akram Mathu first published on medium.
Cryptocurrencies have really changed the way people transact. In this new age and time, one no longer needs a defined financial intermediary to send money. People have been given the power to transact at a peer to peer level. With new ways of transacting come challenges. This post will focus on arbitration using smart contracts.
An arbitrator is a person officially appointed to solve a dispute.
Currently, if Jane has some project work she’d like to outsource, she would post it on a freelancing website. Once the website helps Jane to look for a contractor, she eventually is able to find John.
Jane tells John that she will pay him using bitcoin instead of local currency. Jane negotiates that she will only pay once the job is done well. They both end up agreeing that Jane would send half the fee immediately and remaining half once the task is completed and reviewed for satisfaction. Their ownership of ether is associated with digital addresses.
Digital addresses are long strings of numbers that have two components; a public key that functions as an address and a private key that gives the owner exclusive access to any coins associated with that address.
Back to Jane and John. John then decides after getting half the payment, that he will not do the job. Jane becomes helpless because she can’t do anything to John because of her inability to detect John’s whereabouts. Jane, therefore, wouldn’t be able to go to court for a breach of contract. Even if John had a profile on the freelance website, he can still refuse or disappear from the platform.
In order to be able to transact using contracts, you need to be able to trust a dispute resolution mechanism or a trusted third party. Lately, multi-signature has been created in order to counter such incidents.
Multi-signature or ‘multi-sig’ is a form of technology that adds more than one layer of security for cryptocurrency transactions. This means that there is not one private key but two or more.
Multi-signature technology allows every contract to have private keys shared with both the peers and the arbitrator in case of any dispute or conflict arising.
Private key 1 – To help all parties (the two peers and arbitrator) see that the bitcoin to be sent to the other peer is first deposited in the escrow account/multi-signature address. But the bitcoin can’t be moved or withdrawn.
Private Key 2 – Is only accessible to the arbitrator and this key allows him/her to send the bitcoin to the party they think rightfully deserves the money if there’s a dispute or not.
When Jane wants to pay John, she sends her funds to a multi-signature address. This will require two signatures/ private keys from the group; Jane, John and the Arbitrator to redeem the money.
If Jane and John disagree on who should get the money, meaning Jane wants a refund while John believes he fulfilled his obligations and demands the payment, they can appeal to the arbitrator.
The Arbitrator will grant his second private key/signature to Jane or John based on their previously agreed terms, and therefore one of them will end up redeeming the funds fairly based on the arbitrator’s judgment. For the service provided, the arbitrator will charge a service fee.
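The two-of-three rule between Jane, John and the arbitrator can be made concrete with a small model. This is an added example, not code from the original post or from any wallet: the `Escrow2of3` class and the message format are hypothetical, the amount is constructed, and Lamport one-time hash signatures stand in for the ECDSA signatures Bitcoin actually uses so that the example needs only the standard library.

```python
"""2-of-3 escrow: funds move only when two of Jane, John and the arbitrator sign."""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    # Reveal one secret per message-digest bit. Each key must sign only once.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


class Escrow2of3:
    """Hypothetical model of a multi-signature address holding one deposit."""
    THRESHOLD = 2

    def __init__(self, pubkeys, amount):
        if len(pubkeys) != 3:
            raise ValueError("exactly three parties are required")
        self.pubkeys, self.amount, self.spent = dict(pubkeys), amount, False

    def payout_message(self, recipient: str) -> bytes:
        # A signature is bound to one recipient and one amount.
        return f"escrow-payout|{self.amount}|{recipient}".encode()

    def redeem(self, recipient: str, signatures: dict) -> bool:
        if self.spent:
            raise ValueError("escrow already redeemed")
        msg = self.payout_message(recipient)
        valid = {name for name, sig in signatures.items()
                 if name in self.pubkeys and verify(self.pubkeys[name], msg, sig)}
        if len(valid) < self.THRESHOLD:
            return False
        self.spent = True
        return True


def setup():
    keys = {name: keygen() for name in ("jane", "john", "arbitrator")}
    secret = {name: sk for name, (sk, _) in keys.items()}
    public = {name: pk for name, (_, pk) in keys.items()}
    return secret, Escrow2of3(public, amount=50_000_000)  # constructed amount


def run_happy_path() -> bool:
    """Job done: Jane and John both sign the payout to John."""
    sk, escrow = setup()
    msg = escrow.payout_message("john")
    return escrow.redeem("john", {n: sign(sk[n], msg) for n in ("jane", "john")})


def run_dispute():
    """Dispute: John cannot pay himself; the arbitrator sides with Jane."""
    sk, escrow = setup()
    pay_john, refund = escrow.payout_message("john"), escrow.payout_message("jane")
    john_sig = sign(sk["john"], pay_john)
    jane_sig = sign(sk["jane"], refund)
    arb_sig = sign(sk["arbitrator"], refund)
    alone = escrow.redeem("john", {"john": john_sig})
    # Jane's signature covers the refund, so it does not count towards John's payout.
    mixed = escrow.redeem("john", {"john": john_sig, "jane": jane_sig})
    refunded = escrow.redeem("jane", {"jane": jane_sig, "arbitrator": arb_sig})
    return alone, mixed, refunded


if __name__ == "__main__":
    print(run_happy_path(), run_dispute())
```

Because each signature commits to the recipient, the arbitrator never holds the funds: a single signature from any one party, the arbitrator included, cannot move the deposit.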
In order to contract regularly, one needs to have a certain level of trust that the system will enforce your rights under the deal. If you can’t trust the other party, you can trust the arbitrator also known as the dispute resolution mechanism or trusted third party.
Arbitration will really help during the use of smart contracts.
The bitcoin network has firms such as Hedgy that use multi-signature technology.
The Ethereum Blockchain has an arbitration firm known as Kleros.
Kleros involves the use of smart contracts to lock funds and those funds are only distributed right after the end of the initially agreed contract between the two peers.
Finally, the newly launched EOS.IO Blockchain will also have an arbitration process. The exact process is yet to be clearly stated.
Overall, arbitration is an opportunity for existing lawyers to tap into by learning how to apply their existing legal skills in the Blockchain protocol.
Recently, a text from a local telecommunications company inquired whether its subscribers knew that they could now enroll their voice so they could access various services securely and conveniently. This added a further dynamic to the on-going debate in several quarters on the accelerated adoption of biometrics in Kenya. Does Kenya have the necessary framework in place to safeguard the privacy and security of its citizens? The reality is, innovators will not wait for an optimal legal environment; with agile technologies, time is of the essence. But what are biometrics anyway? Whether it is voice or facial recognition, our researcher Francis Monyango has developed some engaging infographics to help a) demystify biometrics and b) trace the history of biometrics in Kenya. This accompanies our policy brief on forthcoming research and which our partner Privacy International published on their blog here.
On the eve of the fresh presidential elections in Kenya, Internet users reported slow Internet speeds while accessing social media and streaming platforms.1 Network performance fluctuates, especially when more subscribers come online, for example during major events. That ISPs have the capability to discreetly throttle their users’ bandwidth is no secret; it is justified as de-congesting the network or used for pressing clients towards more expensive plans, a major point of contention under the net neutrality principle. Throttling has also been used to control information during political processes. There are documented instances of throttling being used to limit the exchange of multimedia over social media during protests across the world.2 In Kenya, if the claims made on the eve of elections were to be confirmed, they would amount to limitations of freedom of speech online, a right entrenched in Article 33 of the Constitution.