Driverless Cars in Kenya: Anticipations for IT Law

A guest post by Lucy Wyndham

Kenya’s traffic situation is dire, with deaths due to road traffic crashes estimated at between 3,000 and 13,000 each year. Based on 2017 statistics from the National Transport & Safety Authority (NTSA), pedestrians are the most vulnerable group, representing 39% of fatalities. Another 22% of victims are passengers and 12% are drivers, while casualties involving motorbikes reached 18%. The reasons are many, including poor driving behaviour such as speeding and breaking traffic rules (talking on mobile phones or driving under the influence of alcohol or drugs). Overloaded vehicles, failure to wear seatbelts, poorly maintained vehicles and bad road surfaces also contribute to the rise in road traffic accidents.

Driverless Cars Can Benefit Kenya

In his study of road accidents in Kenya, Odero concludes that 85% of road mishaps were caused by human error. Collisions between vehicles and pedestrians were the worst. Utility vehicles and buses were involved in 62% of accidents that led to injuries. Faulty or poorly maintained vehicles were also to blame. The cost of these accidents is estimated at Sh300 billion, or $2.9 billion, a year according to the 2015 NTSA report.

The introduction of driverless cars can significantly reduce the rate of accidents in the country. But before these autonomous cars can be driven on Kenyan streets, extensive testing needs to be done. Moreover, other factors come into play before deployment can even be considered. One of these is IT law.

Driverless cars are dependent on the development of autonomous driving technologies. The biggest issue that crops up once an autonomous vehicle is driven is: who is responsible for the car and its actions? Is it the owner of the vehicle, the manufacturer or the creator of the autonomous driving system?

Autonomous Vehicles Can Save Lives

Before we can tackle the question, let us look at how testing of AVs has evolved. Without a doubt, driverless cars are big business. That is why automakers and technology giants are scrambling to get a big piece of the action. The likes of Waymo, Uber, Tesla and Apple have invested heavily in developing autonomous vehicles that are ready for deployment on the road.

In an ideal world, these vehicles are safer. Autonomous vehicles (AVs) are fitted with 360-degree cameras that allow them to see from all angles. They can use LIDAR, a laser-based detection system, which enables them to see better and further. AVs can plot their course based on real-time information, so they can also change their routes and adjust their speed. In short, they can see better than the human eye.

Safe Testing Is Critical

The Uber test vehicle that killed a pedestrian in March this year suggested that the technology is not fully developed. According to the police report, the Uber car failed to identify the victim as a pedestrian and did nothing to avoid hitting her. The human operator inside the AV was also apparently watching a video before the crash occurred. In another incident, a Tesla Model X SUV crashed into a road barrier and killed its driver. It was in Autopilot mode. These accidents tell us that more safe testing needs to be done before the technology can be considered roadworthy.

There is also no existing legal framework that holds people or entities liable for accidents and deaths that may occur due to failures of AVs. While some countries are in the process of putting laws and regulations in place before driverless vehicles enter circulation, there are still many snags that need to be untangled. For now, safe road testing is a top priority, along with legislation, local zoning and stringent testing requirements.

Implications for Kenya’s Roads and Traffic

Chaotic Kenyan roads are even more of a challenge for AV testing. Not only are there more humans on the road, there are also cyclists, motorbike riders and even animals. Driverless cars will have to learn to navigate around so many obstacles. Perhaps this is also where they might make the biggest difference, as hectic cities are where the most collisions happen and the most lives are lost.

There are many benefits of autonomous vehicles for humans and the environment. However, safe testing of their capability on roads should be further enhanced. In addition, regulatory measures and a legal framework must be in place before they circulate in traffic.

Is Browsing Copyrighted Material Online Legal? The Case of: PRCA v NLA (2013)

The Internet has fundamentally altered the manner in which copyrighted works are created, distributed and accessed. The on-demand access to and transmission of works online has introduced novel methods of exploiting copyright works not hitherto envisaged by the law. Copyright laws worldwide are evolving to address the legal issues arising from this rapid technological development. For example, the European Union’s Information Society Directive (InfoSoc) 2001 was enacted within this context, to offer a high level of copyright protection to authors in the EU.

Unfortunately, Kenya’s copyright regime has not yet caught up with these rapid technological developments and their attendant legal issues. For example, the Copyright Act does not provide an exception from copyright infringement for reproduction that is temporary, transient or part of a technological process, as is seen in the use of cookies and cache storage, both of which are vital to the Internet’s operation.

Hyperlinks, which are online network components that redirect users to another website when they click, tap or hover on them, came under scrutiny in the European Union in the case of Public Relations Consultants Association Limited (PRCA) v Newspaper Licensing Agency (NLA), C-360/13 (2013).

The PRCA, an association of public relations professionals, used a media monitoring service provided by Meltwater Limited to monitor online press reports concerning or relating to their clients. The NLA, representing the interests of newspapers (the copyright holders of the published reports), took the view that the PRCA was required to obtain authorisation from the copyright holders for receiving the online media monitoring service offered by Meltwater. After both the High Court and the Court of Appeal of England & Wales ruled in favour of the NLA, the PRCA appealed to the United Kingdom’s Supreme Court, which referred the case to the Court of Justice of the European Union (CJEU).

The main issue for consideration before the CJEU was whether the copies of the copyrighted material on the user’s computer screen and the copies in the internet ‘cache’ fell under the conditions of Article 5(1) of the InfoSoc Directive. This Article provides that an act of reproduction is exempted from the reproduction right provided for in Article 2 of the InfoSoc Directive, on condition that:

– it is temporary;

– it is transient or incidental;

– it is an integral and essential part of a technological process.

Central to the determination of this issue was not merely whether on-screen displays and Internet cache copies are transient or temporary, but whether the end user (e.g. the PRCA) infringes copyright by making the temporary copies that allow them to view the copyrighted material.

With respect to the first criterion of Article 5(1) of the InfoSoc Directive, the Court held that on-screen and cached copies of copyrighted works were temporary: the former were automatically deleted when the user exited the website they were viewing, and the latter were often automatically replaced by other content depending on the cache’s capacity and the extent of the user’s Internet use. It also found that the second criterion applied. On-screen copies were transient because the computer automatically deletes them when the user exits the website and thus terminates the technological process used to view that site, and cached copies were incidental because Internet users could not create them independently of their visit to a particular website or beyond the technological process used to view the site.

The third criterion of Article 5(1), however, has direct implications for the functioning of the Internet, and the Court’s decision in this regard is particularly important. The Court held that on-screen and cached copies are created and deleted solely as a result of the technological process used to access websites. The reproduction is therefore crucial in enabling users to access websites and, by extension, to use the Internet as a whole. Furthermore, the Court recognised that the Internet would be unable to function without the creation of cached copies, given the huge volume of data transmitted online. As such, the reproduction is an integral part of the technological process as stipulated by Article 5(1), and it would therefore be unjust to require the copyright holder’s authorisation for browsing and viewing articles online.

The Court in PRCA v NLA (2013) also noted that the mere viewing or reading of an article in its physical form had hitherto never been an infringement in either English or EU Law. It would therefore not make sense to prohibit the mere viewing of articles online as online content is more often than not copyrighted and Internet users would become infringers if they required licenses to view content which they would inadvertently come across online. Copyright law should therefore not be used as a tool to impede Internet users’ right to browse content online freely.

Ultimately, on-screen displays are transient and incidental and are an integral part of the process of browsing the Internet. Had the NLA’s argument for a licence requirement, so that it could charge browsers to read content online, prevailed, there would have been far-reaching negative consequences for EU citizens’ access to the Internet.

While the legality of linking to ‘free’ copyrighted material online has not yet been explored in Kenyan courts, it is likely that the courts will recognise that the transient and incidental ‘copying’ that occurs in the operation of the Internet does not infringe copyright holders’ exclusive reproduction right under section 35 of the Copyright Act (Cap 130).

Copyright law should allow the development and operation of new technologies while striking a fair balance between the rights of copyright holders and those of the technologies’ users. Kenyan courts also have a duty to strike this balance. PRCA v NLA (2013) would in such cases be instrumental not only for its central finding but also for its compelling illustration of the fact that the operation of copyright online is inextricably tied to the accessibility of the Internet. The case also underscores the need for a review of the Copyright Act (Cap 130) in response to the unique challenges wrought by the operation of copyright in the digital age.

CIPIT at the African Commission on Human and Peoples’ Rights NGO forum

Lessons from the Forum on the participation of NGOs in the 62nd Ordinary Session of the ACHPR at the Royal Suites Hotel, Nouakchott.

CIPIT was invited to the ACHPR NGO Forum to present its biometrics research findings at a side event held during the 62nd Ordinary Session of the African Commission on Human and Peoples’ Rights (ACHPR), and to lobby for the inclusion of the right to privacy in the African Charter on Human and Peoples’ Rights (the Banjul Charter).

For this mission we teamed up with the Legal Resources Centre (LRC) from South Africa and Privacy International from London. Based on his experience at previous ACHPR events, the LRC’s Tsanga Mukumba advised us to advocate for the right to privacy to be included in the mandate of the Special Rapporteur on Freedom of Expression. He added that asking for the inclusion of the right to privacy in the Banjul Charter, while still the end goal, might be difficult at this stage. This was a sad truth that we discovered through our interactions with the other forum attendees.

Since we were organising a side event as well, we attended other organisations’ side events to advertise our own.

While interacting with the other human rights advocates who had convened at the event, we faced the challenge of convincing them of our digital rights agenda. Many felt that there were far more important and grave human rights atrocities on the continent, such as the death penalty, torture and slavery. We decided to show the participants how digital rights such as the right to privacy affect their work on other human rights issues. We brought up government surveillance of civil society and instances where telecommunications companies work with law enforcement to crack down on human rights defenders. This argument helped us gain momentum in our interactions, and many saw the relevance of our cause.

At the end of the NGO Forum, Tsanga submitted a resolution to the Forum seeking the inclusion of the right to privacy in the mandate of the Special Rapporteur on Freedom of Expression.

Legal Resources Centre Recommended Resolutions to the NGO Forum, April 2018

• That human dignity, as contained in Art. 5 of the African Charter on Human and Peoples’ Rights, is the core right and value which underpins the need for the respect, recognition and promotion of the right to privacy of all people in Africa;
• To accept that effective respect for and promotion of this right is necessary for the enjoyment of a range of human rights, including freedom of expression, access to information, association and peaceful assembly;
• That the above recognition of the importance and validity of the right to privacy ought to inform and be embedded within the process of the revision of the Declaration of Principles on Freedom of Expression in Africa flowing from African Commission Resolution 362;
• That the mandate of the Special Rapporteur on Freedom of Expression and Access to Information should include privacy and digital rights concerns where these impinge on the ability to communicate and receive opinions freely, specifically including:
  • Unlawful, disproportionate or unnecessary state surveillance and the private enterprises which enable this through the provision of technological solutions;
  • The role of the private sector in conducting unlawful collection and processing of their customers’ personally identifiable information;
  • Regulation of the costs of access to the Internet, and content and platform neutrality online;
  • The prevalence of ‘internet shutdowns’ in African states, particularly during periods of social protest and elections;
  • Regulation of the processing of personal data, which can directly or indirectly identify individuals, by public and private bodies, and in particular the need for the processing of sensitive personal data such as biometrics to be subject to higher safeguards.

The LRC is a member of the International Network of Civil Liberties Organizations (INCLO). INCLO is a network of 13 independent, national human rights organizations from the global South and North working to promote fundamental rights and freedoms.

‘Big Brother is Watching’: The Implications of the Proposed Collection of DNA Data in the Registration of Persons


By Phillis Njoroge**

The Statute Law (Miscellaneous Amendment) Bill, 2018 seeks to amend a number of Acts, among them the Registration of Persons Act (Cap 107). The Bill proposes the establishment of a National Integrated Identity Management System as well as the capture of biometric data and geographical (GPS) data during the registration of persons in Kenya. This essentially means that one will be required to provide biometric information before being issued with a National Identity card. Biometric information in this context includes fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves and Deoxyribonucleic Acid (DNA) in digital form.

It is foreseeable that this law will have both positive and negative implications in various fields. Advantages that might result from the collection and digitisation of biometric data include identification accuracy and accountability in the civil registry, as each transaction shall be accurately tied to the individual associated with it, reducing the possibility of system misuse and fraud. Similarly, the risk of identity theft shall be reduced, leading to an improved return on investment thanks to the enhanced accuracy, accountability and reduced opportunities for misuse.

As much as this system comes with a number of advantages, the collection and storage of DNA data in Kenya’s registry of persons raises a number of legal and ethical concerns. The grimmest of these is the potential contravention of Kenyans’ right to privacy as provided for under Article 31 of the Constitution, particularly the guarantee not to have information relating to one’s family or private affairs unnecessarily required or revealed.

DNA data is sensitive. It is not only a unique identifier of an individual; it can also be used to determine an individual’s entire genetic history, including their propensity towards certain diseases. This brings it within the ambit of ‘family or private affairs’ as stipulated under Article 31 of the Constitution. The Government of Kenya has not provided sufficient justification for the collection of this data, nor has it demonstrated that it shall institute the stringent security measures required within the National Integrated Identity Management System for the protection of this data. This measure, if adopted, shall transform Kenya into an Orwellian ‘Big Brother State’.

Similar concerns were raised by Britons in their vote against a national data registry and identity cards in 2010. This registry would have required the collection of fingerprint, iris or palm-print data. Their biggest concern was that the collection and storage of up to 50 different kinds of information on one person would amount to a ‘big brother’ approach. They also felt that it was unclear how secure this data would be from manipulation.

The security of this data is thus under scrutiny. Unlike passwords, biometric data such as DNA fingerprints and the like cannot be easily changed. This means that in the event of a data breach, one cannot simply reset one’s biometric details. The potential loss in the event of a breach is astronomical, as an offender with a sample of the biometric data in question would obtain indefinite access to any database that is secured by that biometric data.

Moreover, the establishment of a DNA database in the absence of comprehensive data protection legislation further puts the security of such data at risk. It is unclear whether Kenya will be able to afford the necessary encryption technologies and/or adopt information security and privacy best practices such as intrusion detection, breach reporting and a risk management programme.

The collection of DNA data in a national registry of persons also raises the following ethical questions:

Firstly, who owns the collected DNA data? Given that DNA is unique to a particular individual, it is appropriate to assume that DNA is owned by the individual whom it identifies. It is for this reason that the European General Data Protection Regulation (GDPR), in Article 4(5), requires that all organisations, bodies or persons seeking to collect DNA information (pseudo-anonymised data) from anyone first obtain that person’s consent.

The proposed law in Kenya, however, does not give people the opportunity to opt in or out of providing their DNA; it makes doing so a requirement for all Kenyans in order to be granted identification as citizens. The consequence of refusing to provide such data is the deprivation of national identification documents and potentially of one’s citizenship, contrary to Article 14 of the Constitution. As DNA is owned by the individual it identifies, it is improper for the government or any other entity to collect such data without the explicit consent of the subject.

Given Kenya’s history of ethnic discrimination in both the public and private sectors, it is important to consider the potential implications of national-level collection of DNA data for this issue. As DNA data can be used to identify the ethnicity of the subject, there is a risk of such data being abused to discriminate against individuals on the basis of their ethnicity. This is compounded by the fact that the Bill is silent as to the specific measures that shall be used to prevent abuse of the National Integrated Identity Management System.

Additionally, the Ministry of Interior will also require GPS satellite details of citizens’ homes. While the government can access mobile phones’ GPS data with a court order, it typically has to follow certain procedures to obtain such data from mobile networks. The collection and storage of both GPS and DNA data as proposed by the Bill, however, is without any oversight, and risks making Kenya a police state.

One cannot therefore ignore the security risk of collecting DNA data in the absence of elaborate data protection laws. These privacy and surveillance reservations are valid given the Cambridge Analytica (CA) scandal, in which 50 million Facebook users’ data was collected and shared with CA, which built ‘psychographic’ profiles of Facebook users. These profiles were then used for targeted political messaging during the United States’ 2016 election. Similarly, research carried out by CIPIT into the privacy implications of the use of biometrics in Kenya’s 2017 general elections established that Kenyans received unsolicited political campaign messages containing accurate data on their names and, in some cases, their polling stations. In light of the manipulation of personal data for profiling and other nefarious purposes, it is imperative that personal data, and DNA data above all, is kept secure and accessed only by authorised personnel when absolutely necessary.

That said, keeping in mind the advantages of a National Integrated Identity Management System, is the risk of putting our DNA in the hands of our government worth it?

** Phillis Njoroge is a 4th Year Bachelor of Laws student at the Strathmore University.

Zero Rating of the Internet and its Impact on Net Neutrality

Mobile phone penetration in Kenya has increased tremendously over the years. The Communications Authority of Kenya (CA), in its report for the first quarter of the 2017/2018 financial year, placed mobile and Internet subscriptions in the country at 41 million and 51 million respectively. In spite of this increased mobile and Internet penetration, the high cost of accessing the Internet continues to be a constant hindrance to the majority of mobile users in Kenya.

Private companies, in response to this issue, have attempted to provide ‘free’ or subsidised Internet through what has come to be known as zero-rating. In this practice, providers of zero-rated Internet partner with Internet service providers (typically mobile networks) to subsidise access to the Internet. Access under such programmes is, however, limited to the zero-rated providers’ own websites. Examples of such services include Free Basics by Facebook and Wikipedia Zero.

These services are however extremely controversial due to concerns about their impact on net neutrality and effectiveness as a long-term policy for improving Internet access.

Proponents of zero-rated Internet claim that such services connect people who previously did not have access to the Internet, especially in emerging markets in Africa and Asia. While connectivity may increase, the fact remains that the Internet service providers and companies that engage in this practice derive immense financial benefits from it. For example, mobile Internet providers use free access to the Internet as an on-boarding strategy. Secondly, access to the Internet under this practice is limited to one or a few popular sites, depending on the zero-rated service in question. This calls into question the supposed ‘benevolence’ of such services, especially in light of their detrimental impact on net neutrality, the principle that all content and users be treated equally so as to ensure the free flow of information online.

While zero-rating can be viewed as beneficial to consumers, who do not incur data charges when visiting zero-rated websites, it is detrimental in that it changes the “face of the Internet” by limiting the number of websites users can access. It effectively operates as a form of information control, principally where such services become ubiquitous and to the extent that they are the first point of entry to the Internet for millions, and potentially billions, of people.

Furthermore, zero-rating of the Internet jeopardises freedom of expression online. The forums on which Internet users can freely develop and express their opinions are limited and, to a great extent, controlled by the parties that subsidise access to the Internet. The ideological underpinnings of the Internet, and its role as a medium for advocacy on the protection of civil rights, are in danger of being obscured in this paradigm.

Moreover, zero-rating greatly reduces the incentive for content creators who lack the required financial muscle to continue producing content. It is therefore no surprise that companies like Microsoft and other tech giants are at the forefront of championing zero-rating. This is highly ironic, however, seeing that companies such as Wikipedia and Facebook would not have been able to transcend the ‘start-up’ stage had the Internet been limited through zero-rating at the time of their inception. Again, the undermining of Internet users’ right to freedom of expression and uninhibited access to the Internet cuts to the core of this issue.

The impact of zero rated Internet is best gleaned through an analysis of the areas where it is widely offered as illustrated below.

Binge On™ is a video streaming service provided by T-Mobile, a mobile telecommunications company. Binge On™ provides zero-rated streaming for specific content providers while limiting the ability of “non-zero-rated” content providers to stream on its platform. “T-Mobile’s Binge On Violates Key Net Neutrality Principles”, a report by Stanford Law School, found that T-Mobile, through its zero-rated service, stifled innovation by barring content creators who did not meet its substantial technical requirements. This exposes the fallacy of the perceived ‘altruism’ behind such services, i.e. the commercialisation of information and, by extension, of innovation. It further underscores the importance of maintaining ‘diversity of expression’ in the current knowledge economy, where large tracts of information are generated and disseminated online.

Proponents of this practice argue that zero-rating is necessary if we are to achieve universal connectivity. The discussion above, however, pokes serious holes in this argument. While universal connectivity is necessary to bolster communication, such hopes shall be relegated to a pipe dream as companies that cannot afford to zero-rate their services are unable to compete fairly and reach consumers.

It is with this in mind that the need for a comprehensive legal and policy framework to address zero-rating arises. Zero-rating should not be used as a substitute for Internet access. Openness, a central tenet of the Internet, must be legally protected. While there are no country-specific laws that deal with the effects of zero-rating on freedom of expression, Article 33(1)(a) of the Constitution of Kenya provides for the freedom to seek, receive and impart ideas. Internationally, Article 19(2) of the International Covenant on Civil and Political Rights (ICCPR) provides for freedom of expression.

The Internet is and should remain a bastion of freedom of expression. Kenya is thus bound to enact laws and policies that specifically protect this right ‘out of the normal context of speech’, seeing as Internet-based modes of expression are protected under the ICCPR.

** Mercy King’ori is a 4th Year Bachelor of Laws student at the Strathmore University.

What can we learn from Zimbabwe’s 2013 election DDoS attack ahead of the 2018 poll?

In the weeks leading up to and following Zimbabwe’s disputed 2013 election, Zimbabweans were hit by significant Internet-based attacks. Because the incident was not widely reported, it did not gain traction in the Internet freedom community. Yet the incident was one of a kind to be documented during an African election. It adversely affected Zimbabweans’ right to stay informed, including by accessing first-hand information on the elections to inform civic action and responses to election irregularities. It also had repercussions for the transparency and outcome of the election, since those monitoring it on online platforms were deprived of the information they needed to base their reports on.

As part of the Sub-Saharan Africa Cyber Threat Modelling project, I propose that as Zimbabwe prepares for the 2018 elections, civil society actors in Zimbabwe and those who support their digital security and integrity projects should use the 2013 incident to undertake a proper threat model that takes account of DDoS attacks. This will coincide with the Zimbabwe CSOs’ launch of the 2018 Election Situation Room on 27 June 2018, an initiative that seeks to coordinate their activities and enhance citizen monitoring of and participation in electoral processes.

Unlike other attack vectors that only affect information confidentiality and integrity, a DDoS goes after the availability of a system or a network. The attack is like having your home flooded without warning: attackers can upend the availability of information during an election. When it hits a network, a long time can pass before detection and mitigation. In an ever-expanding field of adversaries and other attack vectors, DDoS is still often difficult to attribute, as it can be orchestrated remotely.

Around July 30, 2013, while working for the Zimbabwe Human Rights Forum, I woke up to realise that most of the real-time content of the website I managed had been compromised through deliberate defacement and selective data erasure. As I tried to locate the content, the site went offline. I fiddled with the network until a U.S. Congress Researcher, who had been following our blogs, alerted me to the DDOS attack directed at our web host Greennet and web hosts of other critical websites such as and Nehanda Radio.

The incident included two massive distributed denial of service (DDoS) attacks on Greennet to disrupt the Forum’s activities, which in turn caused collateral damage to other sites such as that of Privacy International. Despite the difficulty of attributing the attack’s source, experts believed that either a government entity or a private organisation was responsible, given both its nature and magnitude: a 100 Gbps attack that used DNS reflection rather than an unsophisticated botnet to attempt to overwhelm the servers.

What is a DDoS attack?

Confidentiality, integrity, and availability are the fundamentals of information assurance. Organisations often rely on the so-called CIA (Confidentiality, Integrity, and Availability) triad to benchmark and evaluate their information security. For instance, the data defacement and erasure on the web pages of the Zimbabwe Human Rights Forum affected the integrity of the data and therefore its reliability. However, a DDoS does not go after the confidentiality or integrity of the CIA model. It’s meant to go after the ‘A’, the availability of a system or a network.

A Distributed Denial of Service (DDoS) attack is an attempt made to take a website or online service offline. Attackers use a variety of ways to do this, but they all are designed to overwhelm the site with traffic from multiple sources.

In a DDoS attack, the traffic flooding the site can come from hundreds or thousands of sources, which makes it near-impossible to stop the attack simply by blocking a single IP address. The sources can be infected computers controlled through a botnet, or otherwise coordinated machines. Sites also struggle to differentiate between a legitimate user and attack traffic.

A DDoS attack differs from a Denial of Service (DoS) attack, which typically uses a single computer and connection to flood a system or site.

Zimbabwe experienced a Domain Name System (DNS) reflection attack. This kind of attack spoofs the target’s IP address as the source of DNS requests, so that the DNS servers’ responses are sent to the target, amplifying the volume of data focused on the data centre under attack.

Unlike malware in the class of worms, a DDOS could generally be classified in the virus category in its mode of attack. Like a DDOS, a virus generally refers to a malicious program that self-replicates but requires some user interaction to be initiated. In this case, the virus/bot has a malicious payload (instruction) that it is meant to execute.

Here is an example by my friend Jonathan Weismann at Rochester Institute of Technology:

If Harry the hacker sends ten, one hundred or even one thousand pictures to an important web server, nothing will happen.

However, if Harry the hacker puts a program on ten thousand user machines, and each of those is instructed to place programs on thousands of other machines, then when the time comes Harry the hacker will give the kill signal and all the machines, known as zombies in this botnet (robot network), will send traffic to a poor victim’s server, which will come to a grinding halt.

Attribution challenge and Recurrence

Cyber-attacks similar to the Zimbabwean one are difficult to attribute to any particular adversary unless such adversaries leave forensic footprints. We cannot predict recurrence during the 2018 election, or in future, with any degree of certainty, because information controls are often applied in highly dynamic ways, responding to events on the ground and reflecting wide-ranging motives.

There has been an accelerated, dynamic and complex pace of events in Zimbabwe since the November 2017 power transfer. The country’s diversified international business partners potentially open up and diversify the vendors in the market for computer espionage and surveillance, in addition to the so-called Huawei problem. Whereas China, also a major investor in Zimbabwe, continues to top the charts with its nation-sponsored surveillance activity, aspects of lesser-known nation-states and benign entities give cause for concern as they can hide in the darker parts of the internet. A good example was the hacking of Zimbabwe Government websites. The attack vectors are expanding to include the use of social media to influence the opinions and actions of large populations.


The Zimbabwe case study and other recent attacks, such as the one on the DNS company Dyn, offer a few lessons.

DDOS attacks happen very fast and are hard to detect, yet their consequences can be devastating. There can be a long time lapse between an attack, its detection and its mitigation. One needs a faster, more immediate means of threat detection to prevent severe damage. There is little an organisation can do to prevent threats that result from larger geopolitical forces, but it can substantially reduce the adversary’s chances of success by reducing its own vulnerability and, in turn, its own risk. This may include taking technical measures, but also a holistic approach. For example, albeit on a different subject, Citizen Lab research on targeted malware attacks reveals that the technical sophistication of [attacks] may be fairly low, with more effort placed on social engineering.

In our case the following non-prescriptive steps could have helped mitigate the impact of the DDOS attack:

  • Backing up web content, including a blog hosted on a separate platform to which we could redirect our readers.
  • Improving our firewall and password combinations, as it appears the adversary gained entry to our website dashboard to wipe out content.
  • Paying close attention to tell-tale signs such as an increase in the number of partisan subscribers.
  • Establishing a good relationship with the web host and sharing concerns during key political events so that their technical team can be prepared.
  • Drafting an organisational DDOS attack playbook. This document sets out the systematic procedure to be followed in case of a DDOS attack and helps ensure that staff respond to the attack in an organised manner.
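The DNS reflection attack described earlier can be recognised from the victim’s side by the traffic it leaves behind, which is the kind of check a web host or a playbook could build on. What follows is an added example written for this post, not code from the Forum, Greennet or any product: a small detector that replays flow records and flags DNS answers the protected host never asked for. The log format, the RFC 5737 documentation addresses and the alert thresholds are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// FlowRecord is one line of a constructed flow log. The format is an assumption
// for this example: src sport dst dport bytes dnsid kind (Q = query, R = answer).
type FlowRecord struct {
	Src, Dst                   string
	SPort, DPort, Bytes, DNSID int
	IsResponse                 bool
}

// ParseFlow reports malformed input instead of dropping it, so a format change cannot silently blind the detector.
func ParseFlow(line string) (FlowRecord, error) {
	var r FlowRecord
	var kind string
	_, err := fmt.Sscanf(line, "%s %d %s %d %d %d %s", &r.Src, &r.SPort, &r.Dst, &r.DPort, &r.Bytes, &r.DNSID, &kind)
	if err != nil || (kind != "Q" && kind != "R") {
		return FlowRecord{}, fmt.Errorf("cannot parse %q (kind=%q, err=%v)", line, kind, err)
	}
	r.IsResponse = kind == "R"
	return r, nil
}

func ParseLog(text string) ([]FlowRecord, error) {
	var out []FlowRecord
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		r, err := ParseFlow(line)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

type ReflectionStats struct {
	Unsolicited int            // answers with no matching outbound query
	Bytes       int            // bytes carried by those answers
	Reflectors  map[string]int // resolver address -> unsolicited answers sent
}

// DetectReflection replays records in order. An answer from port 53 is solicited only if the protected
// host earlier sent that resolver a still-unanswered query with the same DNS ID; everything else is flagged.
func DetectReflection(records []FlowRecord, protected string) ReflectionStats {
	pending := map[string]bool{}
	st := ReflectionStats{Reflectors: map[string]int{}}
	for _, r := range records {
		switch {
		case r.Src == protected && r.DPort == 53 && !r.IsResponse:
			pending[fmt.Sprintf("%s#%d", r.Dst, r.DNSID)] = true
		case r.Dst == protected && r.SPort == 53 && r.IsResponse:
			if k := fmt.Sprintf("%s#%d", r.Src, r.DNSID); pending[k] {
				delete(pending, k) // legitimate reply: consume the query once
			} else {
				st.Unsolicited++
				st.Bytes += r.Bytes
				st.Reflectors[r.Src]++
			}
		}
	}
	return st
}

// ShouldAlert: many unsolicited answers from several distinct resolvers is the signature of reflection, not a stray reply.
func ShouldAlert(st ReflectionStats, minUnsolicited, minReflectors int) bool {
	return st.Unsolicited >= minUnsolicited && len(st.Reflectors) >= minReflectors
}

// SampleLog is constructed traffic (RFC 5737 documentation addresses): one
// legitimate query and its answer, then large answers nobody asked for.
const SampleLog = `203.0.113.10 40000 198.51.100.1 53 60 1001 Q
198.51.100.1 53 203.0.113.10 40000 180 1001 R
198.51.100.2 53 203.0.113.10 40000 3000 7 R
198.51.100.3 53 203.0.113.10 40000 3000 7 R
198.51.100.1 53 203.0.113.10 40000 3000 1001 R`
```

The last sample line reuses the DNS ID of the already-answered query, and is still flagged because each query is consumed by its first answer.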

Why We Need Lawyers / Arbitrators In The Blockchain Space

*An article by Akram Mathu, first published on Medium.

Cryptocurrencies have really changed the way people transact. In this new age and time, one no longer needs a defined financial intermediary to send money. People have been given the power to transact at a peer-to-peer level. With new ways of transacting come challenges. This post will focus on arbitration using smart contracts.

An arbitrator is a person officially appointed to solve a dispute.

Currently, if Jane has some project work she’d like to outsource, she would post it on a freelancing website. Through the website, Jane eventually finds a contractor, John.

Jane tells John that she will pay him using bitcoin instead of local currency. Jane negotiates that she will only pay once the job is done well. They both end up agreeing that Jane will send half the fee immediately and the remaining half once the task is completed and reviewed for satisfaction. Their ownership of ether is associated with digital addresses.

Digital addresses are long strings of numbers that have two components: a public key that functions as an address, and a private key that gives the owner exclusive access to any coins associated with that address.

Back to Jane and John. After getting half the payment, John decides that he will not do the job. Jane is helpless: she cannot pursue John because she has no way of finding his whereabouts. Jane, therefore, would not be able to go to court for breach of contract. Even if John had a profile on the freelance website, he can still refuse or disappear from the platform.

In order to be able to transact using contracts, you need to be able to trust a dispute resolution mechanism or a trusted third party. Multi-signature technology has lately been created to counter such incidents.

Multi-signature or ‘multi-sig’ is a form of technology that adds more than one layer of security to cryptocurrency transactions. This means there is not one private key but two or more.

Multi-signature technology allows every contract to have private keys shared with both the peers and the arbitrator in case of any dispute or conflict arising.

Private key 1 – lets all parties (the two peers and the arbitrator) see that the bitcoin to be sent to the other peer has first been deposited in the escrow account/multi-signature address, but on its own it cannot move or withdraw the bitcoin.

Private key 2 – is accessible only to the arbitrator, and allows him/her to send the bitcoin to the party they think rightfully deserves the money, whether or not there is a dispute.

When Jane wants to pay John, she sends her funds to a multi-signature address. Redeeming the money will require two signatures/private keys from the group of three: Jane, John and the arbitrator.

If Jane and John disagree on who should get the money, meaning Jane wants a refund while John believes he fulfilled his obligations and demands the payment, they can appeal to the arbitrator.

The arbitrator will grant his second private key/signature to Jane or John based on their previously agreed terms, and so one of them will end up redeeming the funds according to the arbitrator’s judgement. For the service provided, the arbitrator will charge a service fee.
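The 2-of-3 arrangement described above, as an added example that is not part of the original article and not code from Hedgy, Kleros or any wallet: Jane, John and the arbitrator each hold an ECDSA key, and a spend is released only when two distinct keyholders have signed that exact spend. The party names, the P-256 curve and the way a spend is encoded before signing are assumptions made for the example; on Bitcoin the same rule is enforced by the multi-signature script rather than by application code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one keyholder (Jane, John or the arbitrator). Keys are generated
// here so the example runs offline; in practice each private key stays with
// its owner and only the three public keys define the escrow address.
type Party struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, key: k}, nil
}

// Spend is a proposed release of the escrowed funds. A signature covers the
// whole proposal, so one made for "pay John" cannot be replayed as a refund.
type Spend struct {
	Amount int64
	To     string
}

func (s Spend) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s", s.Amount, s.To)))
	return h[:]
}

// Sign returns this party's ECDSA signature over the spend.
func (p *Party) Sign(s Spend) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, p.key, s.digest())
}

// Escrow is an m-of-n policy over the parties' public keys (2-of-3 in the post).
type Escrow struct {
	Threshold int
	pubs      map[string]*ecdsa.PublicKey
}

func NewEscrow(threshold int, parties ...*Party) Escrow {
	e := Escrow{Threshold: threshold, pubs: map[string]*ecdsa.PublicKey{}}
	for _, p := range parties {
		e.pubs[p.Name] = &p.key.PublicKey
	}
	return e
}

// Authorize is true only when at least Threshold distinct keyholders have valid
// signatures over this exact spend. Keying by signer name rules out counting
// one key twice, and a signature made over a different spend does not verify.
func (e Escrow) Authorize(s Spend, sigs map[string][]byte) bool {
	valid := 0
	for name, sig := range sigs {
		if pub, ok := e.pubs[name]; ok && ecdsa.VerifyASN1(pub, s.digest(), sig) {
			valid++
		}
	}
	return valid >= e.Threshold
}
```

With John’s signature over the payment and Jane’s over the refund, neither spend reaches the threshold until the arbitrator signs one of them, and a signature made over the refund does not verify against the payment, so the ruling cannot be reused for the other outcome.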

In order to contract regularly, one needs a certain level of trust that the system will enforce one’s rights under the deal. If you cannot trust the other party, you can trust the arbitrator, also known as the dispute resolution mechanism or trusted third party.

Arbitration will really help during the use of smart contracts.

The Bitcoin network has firms such as Hedgy that use multi-signature technology.

The Ethereum Blockchain has an arbitration firm known as Kleros.

Kleros involves the use of smart contracts to lock funds, and those funds are only distributed right after the end of the initially agreed contract between the two peers.

Finally, the newly launched EOS.IO Blockchain will also have an arbitration process. The exact process is yet to be clearly stated.

Overall, arbitration is an opportunity for existing lawyers to tap into by learning how to apply their existing legal skills in the Blockchain protocol.

Tobacco Regulations, 2014: Balancing the Protection of Trade Secrets and the Right to Privacy.

By Mercy King’ori**

The Tobacco Regulations of 2014, which were created to protect the health of smokers and “second hand smokers”, have been criticised for a lack of regard for the right to privacy in manufacturers’ trade secrets, consequently stifling the rights of corporations engaging in otherwise legal business. These regulations came under scrutiny in the case of British American Tobacco Ltd v Cabinet Secretary for the Ministry of Health & 5 others [2017] eKLR, where the appellants called for their annulment, arguing that regulations 12-14, which require disclosure of key product information, violated their constitutional right to privacy and may infringe on their intellectual property rights.

Part III of the regulations provides that the tobacco industry must provide the following information about their products:

  1. List of ingredients in tobacco products and tobacco product components;
  2. Reasons for including the ingredients;
  3. All the toxicological data available to the manufacturer about the ingredients of the tobacco products and their effects on health, and information on the characteristics of the leaves, i.e. their type, percentage, percentage when expanded, and changes made to tobacco product ingredients.

These requirements replicate a 2009 US law that granted the Food and Drug Administration (FDA) powers to direct tobacco companies to disclose ingredients in new products and changes to existing products. They also adhere to articles 9 and 10 of the WHO Framework Convention on Tobacco Control (FCTC).

Whether the information that tobacco companies want to protect qualifies as trade secrets is disputable. The law of confidence, which is rooted in equity and legislated under article 39 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), to which Kenya is a signatory, protects trade secrets. Article 39 of the Agreement stipulates that the following requirements must be met for information to be regarded as a trade secret: secrecy, commercial value and reasonable efforts to maintain secrecy.

The information held must be of a secretive nature though not absolutely secret. Employees, business partners and other persons can know the particulars, provided they keep them secret. Besides, ordinary and mundane information can be the subject of confidence so long as the information is private to the compiler. This was illustrated in Coco v AN Clark (Engineers) Ltd [1969] where the Court found that information that is common knowledge to a group of persons (in this case tobacco manufacturers) is part of the public domain and is not confidential. Therefore information regarding ingredients must be confidential to qualify as a trade secret.

Secondly, the information must have commercial value, i.e. there must be some utility obtained from the information being secret. The manufacturer must be able to use it to acquire a business advantage over other manufacturer(s) in the same industry. Therefore, the information must only be known to the manufacturer to have commercial value. Disputably, players in the tobacco industry could argue that the information they guard has commercial value to them, as it is what gives one company an edge over a competitor that uses different ingredients and manufacturing processes.

Lastly, the owners of the secrets must carry out steps to ensure that the information is well secured. According to WIPO, some of the reasonable steps that can be taken to secure trade secrets include: non-disclosure agreements, training and capacity building with employees, instituting an information protection team, having a trade secret SWAT team, establishing due diligence and continuous third-party management procedures among others.

Kenya, as a signatory to TRIPS, is obligated to protect trade secrets. These regulations, however, do not protect trade secrets and business ‘know-how’ once they are revealed: once revealed, they lose their secrecy. This leaves trade secrets and business ‘know-how’, such as the list of ingredients and the percentage of leaves expanded, vulnerable to appropriation.

In taking the role of devil’s advocate, it is worth considering whether the information that the tobacco industry is required to reveal under Part III really falls within the scope of trade secrets. Let us go back in history to understand the situation that caused the emergence of such requirements. In 1998, 35 million pages of what was considered confidential information were revealed as a result of the Minnesota Tobacco Trial in the US. This information concerned the harmful ingredients that tobacco companies used in their products. In what was considered the Master Settlement Agreement, the U.S. agreed not to sue the corporations in exchange for the corporations revealing to the public all documents considered to be confidential. It is important to note that one of the companies involved in the Supreme Court application to throw out the regulations was implicated in this lawsuit for failing to reveal to consumers harmful ingredients contained in their tobacco products.

Moreover, research carried out between 1937 and 2001 on tobacco companies, some of which operate in Kenya, revealed that tobacco ingredients are not secret; rather, the companies simply reverse engineer their competitors’ brands to create their own. This report argues that since the reverse engineering process is done routinely, the information does not meet the threshold of secrecy required for a trade secret. The report implicates some multinationals that operate in Kenya. If this is anything to go by, then it negates the claim that the information in question has commercial value and is secret.

It is thus important to strike a balance between consumer protection measures and the protection of corporations’ intellectual property. Overzealous consumer protection regulations result in laws that infringe on corporations’ right to privacy and violate their intellectual property rights, to the detriment of their revenue and the country’s economy as a whole. Since the appeal was dismissed at the Supreme Court, it will be interesting to see whether the companies shall abide by the regulations.

** Mercy King’ori is a 3rd Year Bachelor of Laws student at the Strathmore University.


By Christopher Rosana**

“Strange! That a man who has wit enough to write a satire should have folly enough to publish it.” These words by Benjamin Franklin ring in my head every moment I have to analyse defamation claims and the nuances of media in the digital age. The requirements for libel have not fundamentally changed for centuries; its principles have happily held sway. Those whose reputations have suffered walk away with their assigned damages – a solatium to their injured reputation. Principles may have remained unchanged, modified to new situations even, but there are corresponding misapprehensions on the meaning of ‘publication’ that have crept into the public mind.

For a successful defamation claim the following conditions must be present: (1) the statement must be made to a third party, i.e. published; and (2) the statement must lower the claimant in the estimation of right-thinking members of society. For the second condition, it may be sufficient if the statement exposes the claimant to hatred, ridicule or contempt, or causes them to be shunned.

What amounts to a ‘publication’? On this question rests all the blame for the massive amounts of damages that defendants have to pay. The rise of alternative forms of disseminating information, for instance Twitter, Facebook and their ilk, seems to have altered the understanding of what qualifies as a ‘publication’. In our minds we still picture an old dingy printing press churning away pieces of propaganda, but never do we feel convinced that our tweets, blog posts and screenshots are actually ‘publications’.

As a legal term of art, ‘to publish’ is simply to make something known to a third party. To publish is not limited to paper and ink. Whatever form a person utilises to communicate libelous information would not absolve them in a defamation claim. The libelous information must refer to a living client, as you cannot defame the deceased.

The misapprehension leads to defences along the lines of ‘It is not us saying it, we are just quoting x’. In Nicholas Biwott v Clays Limited & 5 Others, Bookpoint was held to be responsible for defaming the plaintiff even though it was merely selling a book which it did not author. Therefore, the meaning of publication implicates the person even when they are not, technically speaking, the person ‘saying’ what is libelous in the circumstances. In the eyes of the law, if statements are libelous and one disseminates them to another, one must prove the truth of those statements. In the spread of libelous information, the question before the court is not whether the words were actually said but whether the words said are provable as true. When one spreads defamatory information, they are taken to have adopted and endorsed those words as their own.

Thus, sharing a defamatory tweet is publication in the selfsame way a printed newspaper would be. It is curious how we easily describe an online article as ‘published’ but we do not extend this to tweets, and Facebook posts. A common pitfall is when a newspaper publishes the revelations of an anonymous user that are ‘juicy’ but also happen to be defamatory to the person in reference. The defamed claimant would sue the newspaper since those words are taken as its own and since the original source has anonymised their online account, the newspaper will be at pains to prove the claims. In a similar instance with the same facts, you may share the defamatory claims on your Twitter or Facebook thinking that it is not a ‘publication’. There is no safety in numbers as the aggrieved party can choose to sue any one of the defaming defendants as shown in Nicholas Biwott v Clays Limited.

Christopher Rosana is a Legal Assistant at Nation Media Group (Legal Department)

What have we learnt from studying 5 years of Internet Disruptions in Africa?



On 5 October 2016, the Ethiopian railway corporation launched a 750 km rail line connecting the landlocked country’s capital, Addis Ababa, to Djibouti, its strategic economic link to global commerce. A few hours later, the communication ministry completely shut down all Internet connectivity across the country, with the stated aim of quelling protests in parts of the country. Spending millions of dollars to connect a country to the world through a railway, while intentionally shutting down the country’s Internet connectivity on the same day, is quite a paradox. To consider a whole city, or even a country, intentionally disconnected from the Internet for days by its government may sound quite abstract, but more than fifty incidents like these were recorded globally in 2017, and one in every two of them was in Africa.

The effects of these intentional Internet disruptions have ranged from increased citizen backlash to economic losses and an eroded international reputation. What is interesting, though, as seen from the Ethiopian vignette above, is how disrupting the Internet contradicts the very economic plans of such countries. On the one hand, countries are investing heavily in communication and transport infrastructure for economic connectivity, yet they easily reverse the marginal gains made through intentional Internet disconnections.

Today we are releasing findings from our continuing research on Internet disruptions, together with the associated data-sets.

Some of our findings include:

  1. Ten countries in Africa account for 60% of all Internet disruptions experienced in the last five years.
  2. All countries that have had an Internet disruption have had the current ruling party being in power for 18.9 years on average.
  3. Countries with less than 20% Internet Penetration rates are more likely to disrupt the Internet during protests than those with higher rates.
  4. Liberal countries are less prone to Internet disruptions, especially where sufficient oversight exists over the executive arm of Government.
  5. Detection and attribution of Internet disruptions are improving, but regional disruptions remain a daunting task.

We were also interested in estimating the economic impact of intentional disruptions in African countries. The report shows that by incorporating the ‘shadow economy’ in assessing the impact of Internet disruptions, there is an average jump of as much as 30% in economic costs over previous estimate models. The ‘shadow economy’ is understood here as economic activities, and the income derived from them, that circumvent or otherwise avoid government regulation, taxation or observation (Schneider 2013). This includes what we are calling the ‘WhatsApp Economy’, which involves individuals or small businesses using messengers (especially WhatsApp and Telegram) and social media platforms (especially Facebook, Instagram and Twitter) to market their wares or services, aided by mobile money and boda boda (motorbike couriers) to complete transactions without any registered business or additional tax responsibilities.

The first section conducts an audit of how Internet disruptions have been defined, detected, attributed, costed and responded to. Section two looks into how to quantify the effects of Internet disruptions in Africa. Section three presents the findings from the quantification exercise, section four discusses some cases from the findings, and section five presents research and policy recommendations.

Download the report here.